Merge pull request #12499 from github/repo-sync

repo sync

Author: Octomerger

.github/actions-scripts/content-changes-table-comment.js

@@ -22,6 +22,7 @@ children:
   - /downloading-your-organizations-saml-single-sign-on-recovery-codes
   - /managing-team-synchronization-for-your-organization
   - /accessing-your-organization-if-your-identity-provider-is-unavailable
+  - /troubleshooting-identity-and-access-management
 shortTitle: Manage SAML single sign-on
 ---
 

content/organizations/managing-saml-single-sign-on-for-your-organization/index.md

@@ -20,8 +20,6 @@ shortTitle: Manage team synchronization
 
 {% data reusables.enterprise-accounts.emu-scim-note %}
 
-{% data reusables.gated-features.okta-team-sync %}
-
 ## About team synchronization
 
 You can enable team synchronization between your IdP and {% data variables.product.product_name %} to allow organization owners and team maintainers to connect teams in your organization with IdP groups.
@@ -65,12 +63,22 @@ You must have a linked SAML identity. To create a linked identity, you must auth
 
 ### Enabling team synchronization for Okta
 
+Okta team synchronization requires that SAML and SCIM with Okta have already been set up for your organization.
+
+To avoid potential team synchronization errors with Okta, we recommend that you confirm that SCIM linked identities are correctly set up for all organization members who are members of your chosen Okta groups, before enabling team synchronization on {% data variables.product.prodname_dotcom %}. 
+
+If an organization member does not have a linked SCIM identity, then team synchronization will not work as expected and the user may not be added or removed from teams as expected. If any of these users are missing a SCIM linked identity, you will need to reprovision them.
+
+For help on provisioning users that have missing a missing SCIM linked identity, see "[Troubleshooting identity and access management](/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management)."
+
 {% data reusables.identity-and-permissions.team-sync-okta-requirements %}
 
 {% data reusables.profile.access_org %}
 {% data reusables.profile.org_settings %}
 {% data reusables.organizations.security %}
 {% data reusables.identity-and-permissions.team-sync-confirm-saml %}
+{% data reusables.identity-and-permissions.team-sync-confirm-scim %}
+1. Consider enforcing SAML in your organization to ensure that organization members link their SAML and SCIM identities. For more information, see "[Enforcing SAML single sign-on for your organization](/organizations/managing-saml-single-sign-on-for-your-organization/enforcing-saml-single-sign-on-for-your-organization)."
 {% data reusables.identity-and-permissions.enable-team-sync-okta %}
 7. Under your organization's name, type a valid SSWS token and the URL to your Okta instance.
   ![Enable team synchronization Okta organization form](/assets/images/help/teams/confirm-team-synchronization-okta-organization.png)

content/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization.md

@@ -0,0 +1,87 @@
+---
+title: Troubleshooting identity and access management
+intro: 'Review and resolve common troubleshooting errors for managing your organization''s SAML SSO, team synchronization, or identity provider (IdP) connection.'
+product: '{% data reusables.gated-features.saml-sso %}'
+versions:
+  fpt: '*'
+  ghec: '*'
+topics:
+  - Organizations
+  - Teams
+shortTitle: Troubleshooting access
+---
+
+## Some users are not provisioned or deprovisioned by SCIM
+
+When you encounter provisioning issues with users, we recommend that you check if the users are missing SCIM metadata. If an organization member has missing SCIM metadata, then you can re-provision SCIM for the user manually through your IdP.
+
+### Auditing users for missing SCIM metadata
+
+If you suspect or notice that any users are not provisioned or deprovisioned as expected, we recommend that you audit all users in your organization.
+
+To check whether users have a SCIM identity (SCIM metadata) in their external identity, you can review SCIM metadata for one organization member at a time on {% data variables.product.prodname_dotcom %} or you can programatically check all organization members using the {% data variables.product.prodname_dotcom %} API.
+
+#### Auditing organization members on {% data variables.product.prodname_dotcom %}
+
+As an organization owner, to confirm that SCIM metadata exists for a single organization member, visit this URL, replacing `<organization>` and `<username>`: 
+
+> `https://github.com/orgs/<organization>/people/<username>/sso`
+
+If the user's external identity includes SCIM metadata, the organization owner should see a SCIM identity section on that page. If their external identity does not include any SCIM metadata, the SCIM Identity section will not exist.
+
+#### Auditing organization members through the {% data variables.product.prodname_dotcom %} API
+
+As an organization owner, you can also query the SCIM REST API or GraphQL to list all SCIM provisioned identities in an organization. 
+
+#### Using the REST API
+
+The SCIM REST API will only return data for users that have SCIM metadata populated under their external identities. We recommend you compare a list of SCIM provisioned identities with a list of all your organization members.
+
+For more information, see:
+  - "[List SCIM provisioned identities](/rest/reference/scim#list-scim-provisioned-identities)"
+  - "[List organization members](/rest/reference/orgs#list-organization-members)"
+
+#### Using GraphQL
+
+This GraphQL query shows you the SAML `NameId`, the SCIM `UserName` and the {% data variables.product.prodname_dotcom %} username (`login`) for each user in the organization. To use this query, replace `ORG` with your organization name. 
+
+```graphql
+{
+  organization(login: "ORG") {
+    samlIdentityProvider {
+      ssoUrl
+      externalIdentities(first: 100) {
+        edges {
+          node {
+            samlIdentity {
+              nameId
+            }
+            scimIdentity {
+              username
+            }
+            user {
+              login
+            }
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+```shell
+curl -X POST -H "Authorization: Bearer <personal access token>" -H "Content-Type: application/json" -d '{ "query": "{ organization(login: \"ORG\") { samlIdentityProvider { externalIdentities(first: 100) { pageInfo { endCursor startCursor hasNextPage } edges { cursor node { samlIdentity { nameId } scimIdentity {username}  user { login } } } } } } }" }'  https://api.github.com/graphql
+```
+
+For more information on using the GraphQL API, see: 
+   - "[GraphQL guides](/graphql/guides)"
+   - "[GraphQL explorer](/graphql/overview/explorer)"
+
+### Re-provisioning SCIM for users through your identity provider
+
+You can re-provision SCIM for users manually through your IdP. For example, to resolve provisioning errors, in the Okta admin portal, you can unassign and reassign users to the {% data variables.product.prodname_dotcom %} app. This should trigger Okta to make an API call to populate the SCIM metadata for these users on {% data variables.product.prodname_dotcom %}. For more information, see "[Unassign users from applications](https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-unassign-apps.htm)" or "[Assign users to applications](https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-assign-apps.htm)" in the Okta documentation.
+
+To confirm that a user's SCIM identity is created, we recommend testing this process with a single organization member whom you have confirmed doesn't have a SCIM external identity. After manually updating the users in your IdP, you can check if the user's SCIM identity was created using the SCIM API or on {% data variables.product.prodname_dotcom %}. For more information, see "[Auditing users for missing SCIM metadata](#auditing-users-for-missing-scim-metadata)" or the REST API endpoint "[Get SCIM provisioning information for a user](/rest/reference/scim#get-scim-provisioning-information-for-a-user)."
+
+If re-provisioning SCIM for users doesn't help, please contact {% data variables.product.prodname_dotcom %} Support.

content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management.md

@@ -15,8 +15,6 @@ topics:
 shortTitle: Synchronize with an IdP
 ---
 
-{% data reusables.gated-features.okta-team-sync %}
-
 {% data reusables.enterprise-accounts.emu-scim-note %}
 
 ## About team synchronization

content/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group.md

@@ -1 +1 @@
-3. Confirm that SAML SSO is enabled. For more information, see "[Managing SAML single sign-on for your organization](/organizations/managing-saml-single-sign-on-for-your-organization/)."
+3. Confirm that SAML SSO is enabled for your organization. For more information, see "[Managing SAML single sign-on for your organization](/organizations/managing-saml-single-sign-on-for-your-organization/)."

data/reusables/gated-features/okta-team-sync.md

@@ -0,0 +1 @@
+1. We recommend you confirm that your users have SAML enabled and have a linked SCIM identity to avoid potential provisioning errors. For help auditing your users, see "[Auditing users for missing SCIM metadata](/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management#auditing-users-for-missing-scim-metadata)." For help resolving unlinked SCIM identities, see "[Troubleshooting identity and access management](/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management)."

data/reusables/identity-and-permissions/team-sync-confirm-saml.md

@@ -1,5 +1,5 @@
-To enable team synchronization for Okta, you or your IdP administrator must:
+Before you enable team synchronization for Okta, you or your IdP administrator must:
 
-- Enable SAML SSO and SCIM for your organization using Okta. For more information, see "[Configuring SAML single sign-on and SCIM using Okta](/organizations/managing-saml-single-sign-on-for-your-organization/configuring-saml-single-sign-on-and-scim-using-okta)."
+- Configure the SAML, SSO, and SCIM integration for your organization using Okta. For more information, see "[Configuring SAML single sign-on and SCIM using Okta](/organizations/managing-saml-single-sign-on-for-your-organization/configuring-saml-single-sign-on-and-scim-using-okta)."
 - Provide the tenant URL for your Okta instance.
 - Generate a valid SSWS token with read-only admin permissions for your Okta installation as a service user. For more information, see [Create the token](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/) and [Service users](https://help.okta.com/en/prod/Content/Topics/Adv_Server_Access/docs/service-users.htm) in Okta's documentation.

data/reusables/identity-and-permissions/team-sync-confirm-scim.md

@@ -1,3 +1,4 @@
+9. To avoid syncing errors and confirm that your users have SAML enabled and SCIM linked identities, we recommend you audit your organization's users. For more information, see "[Auditing users for missing SCIM metadata](/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management#auditing-users-for-missing-scim-metadata)."
 10. To the right of "Provisioning to App", click **Edit**.
   !["Edit" button for Okta application's provisioning options](/assets/images/help/saml/okta-provisioning-to-app-edit-button.png)
 11. To the right of "Create Users", select **Enable**.