Commit 0f30a80

Restructure identity and access management content for enterprise accounts (#15079)
* Add back changes from prior to purge
* Fix versioning
* Fix index.md
* Fix links
* Move file
* Revert changes to translated content
* Revert changes to translated content
* Update liquid syntax
* Fix syntax again
* Fix links, again
* Add missing articles
* Update syntax again
* Add new article content
* Change article order
* Add 💅
* Add more 💅
* Add 💅
* Reorder articles again
* Add 💅
* Mention that revoking identity also removes member from teams
* Address @stacycarter's ✨ feedback
* Change map topic order
* Mention AAD earlier
* Remove colons
* Incorporate @mattpollard's ✨ ⚡ feedback

Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>

* Add intro to map topic

Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
1 parent 175d80f commit 0f30a80

21 files changed

Lines changed: 202 additions & 115 deletions

content/github/setting-up-and-managing-organizations-and-teams/about-identity-and-access-management-with-saml-single-sign-on.md

Lines changed: 5 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -14,7 +14,7 @@ versions:
1414

1515
After you configure SAML SSO, members of your {% data variables.product.prodname_dotcom %} organization will continue to log into their user accounts on {% data variables.product.prodname_dotcom %}. When a member accesses resources within your organization that uses SAML SSO, {% data variables.product.prodname_dotcom %} redirects the member to your IdP to authenticate. After successful authentication, your IdP redirects the member back to {% data variables.product.prodname_dotcom %}, where the member can access your organization's resources.
1616

17-
Enterprise owners can also enforce SAML SSO for all organizations in an enterprise account. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
17+
Organization owners can enforce SAML SSO for an individual organization, or enterprise owners can enforce SAML SSO for all organizations in an enterprise account. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
1818

1919
{% data reusables.saml.outside-collaborators-exemption %}
2020

@@ -32,6 +32,8 @@ If members are signed in with a SAML SSO session when they create a new reposito
3232

3333
Organization members must also have an active SAML session to authorize an {% data variables.product.prodname_oauth_app %}. You can opt out of this requirement by contacting {% data variables.contact.contact_support %}. {% data variables.product.product_name %} does not recommend opting out of this requirement, which will expose your organization to a higher risk of account takeovers and potential data loss.
3434

35+
{% data reusables.saml.saml-single-logout-not-supported %}
36+
3537
### Supported SAML services
3638

3739
{% data reusables.saml.saml-supported-idps %}
@@ -42,12 +44,12 @@ Some IdPs support provisioning access to a {% data variables.product.prodname_d
4244

4345
After you enable SAML SSO, there are multiple ways you can add new members to your organization. Organization owners can invite new members manually on {% data variables.product.product_name %} or using the API. For more information, see "[Inviting users to join your organization](/articles/inviting-users-to-join-your-organization)" and "[Members](/rest/reference/orgs#add-or-update-organization-membership)."
4446

45-
{% data reusables.organizations.team-synchronization %}
46-
4747
To provision new users without an invitation from an organization owner, you can use the URL `https://github.com/orgs/ORGANIZATION/sso/sign_up`, replacing _ORGANIZATION_ with the name of your organization. For example, you can configure your IdP so that anyone with access to the IdP can click a link on the IdP's dashboard to join your {% data variables.product.prodname_dotcom %} organization.
4848

4949
If your IdP supports SCIM, {% data variables.product.prodname_dotcom %} can automatically invite members to join your organization when you grant access on your IdP. If you remove a member's access to your {% data variables.product.prodname_dotcom %} organization on your SAML IdP, the member will be automatically removed from the {% data variables.product.prodname_dotcom %} organization. For more information, see "[About SCIM](/github/setting-up-and-managing-organizations-and-teams/about-scim)."
5050

51+
{% data reusables.organizations.team-synchronization %}
52+
5153
{% data reusables.saml.saml-single-logout-not-supported %}
5254

5355
### Further reading
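Review bot: after this change the file carries `{% data reusables.saml.saml-single-logout-not-supported %}` twice: once at new line 35 (added in the previous hunk, directly after the OAuth App paragraph) and again at line 53, which remains as unchanged context in this hunk. One of the two should go; the copy at line 53 is the obvious candidate, since the new placement was added deliberately next to the session requirement it qualifies.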

content/github/setting-up-and-managing-organizations-and-teams/about-scim.md

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ These identity providers are compatible with the {% data variables.product.produ
1717
- Okta
1818
- OneLogin
1919

20-
{% data reusables.scim.enterprise-account-scim %} For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#managing-user-provisioning-for-organizations-in-your-enterprise-account)."
20+
{% data reusables.scim.enterprise-account-scim %} For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)."
2121

2222
### Further reading
2323

content/github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group.md

Lines changed: 10 additions & 5 deletions
@@ -15,6 +15,8 @@ versions:
1515

1616
You can connect up to five IdP groups to a {% data variables.product.prodname_dotcom %} team. An IdP group can be assigned to multiple {% data variables.product.prodname_dotcom %} teams without restriction.
1717

18+
Team synchronization does not support IdP groups with more than 5000 members.
19+
1820
Once a {% data variables.product.prodname_dotcom %} team is connected to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on {% data variables.product.product_name %} or using the API.
1921

2022
All team membership changes made through your IdP will appear in the audit log on {% data variables.product.product_name %} as changes made by the team synchronization bot. Your IdP will send team membership data to {% data variables.product.prodname_dotcom %} once every hour.
@@ -28,19 +30,22 @@ You can also manage team synchronization with the API. For more information, see
2830

2931
### Requirements for members of synchronized teams
3032

31-
After you connect a team to an IdP group, membership data for each team member will synchronize if the person continues to authenticate using SAML SSO with the same SSO identity on {% data variables.product.prodname_dotcom %}, and if the person remains a member of the connected IdP group.
33+
After you connect a team to an IdP group, team synchronization will add each member of the IdP group to the corresponding team on {% data variables.product.prodname_dotcom %} only if:
34+
- The person is a member of the organization on {% data variables.product.prodname_dotcom %}.
35+
- The person has already logged in with their user account on {% data variables.product.prodname_dotcom %} and authenticated to the organization or enterprise account via SAML single sign-on at least once.
36+
- The person's SSO identity is a member of the IdP group.
3237

33-
Existing teams or group members can be automatically removed from the team on {% data variables.product.prodname_dotcom %}. Any existing teams or group members not authenticating to the organization or enterprise account using SSO may lose access to repositories. Any existing teams or group members not in the connected IdP group may potentially lose access to repositories.
38+
Existing teams or group members who do not meet these criteria will be automatically removed from the team on {% data variables.product.prodname_dotcom %} and lose access to repositories. Revoking a user's linked identity will also remove the user from from any teams mapped to IdP groups. For more information, see "[Viewing and managing a member's SAML access to your organization](/github/setting-up-and-managing-organizations-and-teams/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity)" and "[Viewing and managing a user's SAML access to your enterprise](/github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise#viewing-and-revoking-a-linked-identity)."
3439

3540
A removed team member can be added back to a team automatically once they have authenticated to the organization or enterprise account using SSO and are moved to the connected IdP group.
3641

37-
To avoid unintentionally removing team members, we recommend enforcing SAML SSO in your organization or enterprise account, creating new teams to synchronize membership data, and checking IdP group membership before synchronizing existing teams. For more information, see "[Enforcing SAML single sign-on for your organization](/articles/enforcing-saml-single-sign-on-for-your-organization)."
42+
To avoid unintentionally removing team members, we recommend enforcing SAML SSO in your organization or enterprise account, creating new teams to synchronize membership data, and checking IdP group membership before synchronizing existing teams. For more information, see "[Enforcing SAML single sign-on for your organization](/articles/enforcing-saml-single-sign-on-for-your-organization)" and "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
3843

39-
If your organization is owned by an enterprise account, enabling team synchronization for the enterprise account will override your organization-level team synchronization settings. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#managing-team-synchronization-for-organizations-in-your-enterprise-account)."
44+
If your organization is owned by an enterprise account, enabling team synchronization for the enterprise account will override your organization-level team synchronization settings. For more information, see "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)."
4045

4146
### Prerequisites
4247

43-
Before you can connect a team with an identity provider group, an organization or enterprise owner must enable team synchronization for your organization or enterprise account. For more information, see "[Managing team synchronization for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-team-synchronization-for-your-organization)" and "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#managing-team-synchronization-for-organizations-in-your-enterprise-account)."
48+
Before you can connect a team with an identity provider group, an organization or enterprise owner must enable team synchronization for your organization or enterprise account. For more information, see "[Managing team synchronization for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-team-synchronization-for-your-organization)" and "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)."
4449

4550
To avoid unintentionally removing team members, visit the administrative portal for your IdP and confirm that each current team member is also in the IdP groups that you want to connect to this team. If you don't have this access to your identity provider, you can reach out to your IdP administrator.
4651
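Review bot: typo at line 38, "remove the user from from any teams mapped to IdP groups" has a doubled "from". Otherwise the rewrite at lines 33-38 is a clear improvement: the old text said members "can be" removed and "may potentially lose access", while the new criteria list plus "will be automatically removed ... and lose access to repositories" tells the reader exactly which members will be dropped and why, which is the information needed before connecting an existing team.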

content/github/setting-up-and-managing-organizations-and-teams/viewing-and-managing-a-members-saml-access-to-your-organization.md

Lines changed: 2 additions & 0 deletions
@@ -20,6 +20,8 @@ You can view and revoke each member's linked identity, active sessions, and auth
2020

2121
{% data reusables.saml.about-linked-identities %}
2222

23+
{% data reusables.identity-and-permissions.revoking-identity-team-sync %}
24+
2325
{% data reusables.profile.access_profile %}
2426
{% data reusables.profile.access_org %}
2527
{% data reusables.organizations.people %}
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
---
2+
title: About identity and access management for your enterprise account
3+
intro: You can centrally manage access to your enterprise's resources, organization membership, and team membership using your identity provider (IdP).
4+
product: '{% data reusables.gated-features.enterprise-accounts %}'
5+
versions:
6+
free-pro-team: '*'
7+
---
8+
9+
### About identity and access management for your enterprise account
10+
11+
{% data reusables.saml.dotcom-saml-explanation %} {% data reusables.saml.about-saml-enterprise-accounts %} For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
12+
13+
After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features.
14+
15+
{% data reusables.saml.about-user-provisioning-enterprise-account %} For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)."
16+
17+
If you use Azure AD as your IDP, you can use team synchronization to manage team membership within each organization. {% data reusables.identity-and-permissions.about-team-sync %} For more information, see "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)."
18+
19+
### Supported IdPs
20+
21+
We test and officially support the following IdPs. For SAML SSO, we offer limited support for all identity providers that implement the SAML 2.0 standard. For more information, see the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
22+
23+
IdP | SAML | User provisioning | Team synchronization |
24+
--- | :--: | :---------------: | :-------: |
25+
Active Directory Federation Services (AD FS) | {% octicon "check-circle-fill" aria-label= "The check icon" %} | | |
26+
Azure Active Directory (Azure AD) | {% octicon "check-circle-fill" aria-label="The check icon" %} | | {% octicon "check-circle-fill" aria-label="The check icon" %} |
27+
Okta | {% octicon "check-circle-fill" aria-label="The check icon" %} | {% octicon "check-circle-fill" aria-label= "The check icon" %} | |
28+
OneLogin | {% octicon "check-circle-fill" aria-label="The check icon" %} | | |
29+
PingOne | {% octicon "check-circle-fill" aria-label="The check icon" %} | | |
30+
Shibboleth | {% octicon "check-circle-fill" aria-label="The check icon" %} | | |
31+
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
---
2+
title: About user provisioning for organizations in your enterprise account
3+
intro: You can manage organization membership in an enterprise account directly from an identity provider (IdP).
4+
product: '{% data reusables.gated-features.enterprise-accounts %}'
5+
versions:
6+
free-pro-team: '*'
7+
---
8+
9+
{% data reusables.enterprise-accounts.user-provisioning-release-stage %}
10+
11+
{% data reusables.saml.about-user-provisioning-enterprise-account %}
12+
13+
{% data reusables.scim.enterprise-account-scim %} Optionally, you can also enable SAML provisioning and, separately, deprovisioning.
14+
15+
If you configure SCIM for the {% data variables.product.product_name %} application in your IdP, each time you make changes to group membership in your IdP, your IdP will make a SCIM call to {% data variables.product.prodname_dotcom %} to update the corresponding organization's membership. If you enable SAML provisioning, each time an enterprise member accesses a resource protected by your enterprise account's SAML configuration, that SAML assertion will trigger provisioning.
16+
17+
For each SCIM call or SAML assertion, {% data variables.product.product_name %} will check the IdP groups the user belongs to and perform the following operations:
18+
19+
- If the user is a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is not currently a member of that organization, add the user to the organization (SAML assertion) or send the user an email invitation to join the organization (SCIM call).
20+
- Cancel any existing invitations for the user to join an organization owned by your enterprise account.
21+
22+
For each SCIM call and, if you enable SAML deprovisioning, each SAML assertion, {% data variables.product.product_name %} will also perform the following operation:
23+
24+
- If the user is not a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is currently a member of that organization, remove the user from the organization.
25+
26+
If deprovisioning removes the last remaining owner from an organization, the organization will become unowned. Enterprise owners can assume ownership of unowned organizations. For more information, see "[Managing unowned organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-unowned-organizations-in-your-enterprise-account)."
27+
28+
To enable user provisioning for your enterprise account using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta)."
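Review bot: the second bullet at line 20, "Cancel any existing invitations for the user to join an organization owned by your enterprise account", is listed among the operations performed on every SCIM call or SAML assertion, so read literally it would also cancel the e-mail invitation the first bullet has just sent on a SCIM call. Clarify whether it applies only to organizations whose IdP group the user is no longer a member of, or only to invitations that predate the call. Also at line 13, "you can also enable SAML provisioning and, separately, deprovisioning" would be clearer as "SAML provisioning and, separately, SAML deprovisioning", since the distinction between SCIM-driven and SAML-driven deprovisioning is exactly what lines 22-24 depend on.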
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
---
2+
title: Configuring identity and access management for your enterprise account
3+
intro: You can manage SAML single sign-on, user provisioning, and team synchronization for your enterprise.
4+
product: '{% data reusables.gated-features.enterprise-accounts %}'
5+
mapTopic: true
6+
versions:
7+
free-pro-team: '*'
8+
---
9+

content/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta.md

Lines changed: 1 addition & 1 deletion
@@ -56,7 +56,7 @@ After you enable SCIM, the following provisioning features are available for any
5656
1. To the right of the drop-down menu, type `.*.*`.
5757
1. Click **Save**.
5858
{% data reusables.saml.okta-view-setup-instructions %}
59-
1. Enable SAML for your enterprise account using the information in the setup instructions. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
59+
1. Enable SAML for your enterprise account using the information in the setup instructions. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
6060

6161
### Creating groups in Okta
6262
