From 0917c859108e13d1877dbaa7a31ba9e120cc1834 Mon Sep 17 00:00:00 2001 From: Adam Ross Russell Date: Thu, 29 Dec 2022 09:00:50 -0800 Subject: [PATCH 1/6] Update the SCIM troubleshooting documentation to include important linked identities information. Add information about the importance of SCIM & GH nameid & username values matching. This is important when setting up OKTA SCIM integration. --- ...ting-identity-and-access-management-for-your-organization.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md index 551454687a14..19a262b0e2a5 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md +++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md 
@@ -41,6 +41,8 @@ If the user's external identity includes SCIM metadata, the organization owner s As an organization owner, you can also query the SCIM REST API or GraphQL to list all SCIM provisioned identities in an organization. +Keep in mind, when Okta sends the original provisioning call to the GitHub SCIM API during setup, in order for the SCIM identity to get properly linked to an organization member that has an existing SAML identity, the SCIM `userName` in that API call needs to match the stored SAML `nameID` in the user's linked SAML identity in the organization. If these two attributes/values do not match, the SCIM metadata will not get populated and the SCIM identity will not get successfully linked. To check these values match, use the {% data variables.product.prodname_dotcom %} API. + #### Using the REST API The SCIM REST API will only return data for users that have SCIM metadata populated under their external identities. We recommend you compare a list of SCIM provisioned identities with a list of all your organization members. From 8012c2ed0cc003e7df2756cbebfe59bf4ef79bc5 Mon Sep 17 00:00:00 2001 From: Adam Ross Russell Date: Thu, 29 Dec 2022 09:03:26 -0800 Subject: [PATCH 2/6] Fix wording. --- ...ting-identity-and-access-management-for-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md index 19a262b0e2a5..7959b32bdb70 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md +++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md 
@@ -41,7 +41,7 @@ If the user's external identity includes SCIM metadata, the organization owner s As an organization owner, you can also query the SCIM REST API or GraphQL to list all SCIM provisioned identities in an organization. -Keep in mind, when Okta sends the original provisioning call to the GitHub SCIM API during setup, in order for the SCIM identity to get properly linked to an organization member that has an existing SAML identity, the SCIM `userName` in that API call needs to match the stored SAML `nameID` in the user's linked SAML identity in the organization. If these two attributes/values do not match, the SCIM metadata will not get populated and the SCIM identity will not get successfully linked. To check these values match, use the {% data variables.product.prodname_dotcom %} API. +Keep in mind, when Okta sends the original provisioning call to the GitHub SCIM API during setup, in order for the SCIM identity to get properly linked to an organization member that has an existing SAML identity, the SCIM `userName` in that API call needs to match the stored SAML `nameID` in the user's linked SAML identity in the organization. If these two attributes/values do not match, the SCIM metadata will not get populated and the SCIM identity will not get successfully linked. To check whether these values match, use the {% data variables.product.prodname_dotcom %} API. #### Using the REST API From 9aa7785205a7ef2d0d124347444dcb06eca7632f Mon Sep 17 00:00:00 2001 From: Adam Ross Russell Date: Thu, 29 Dec 2022 09:10:33 -0800 Subject: [PATCH 3/6] Update positioning of information within article. --- ...ng-identity-and-access-management-for-your-organization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md index 7959b32bdb70..56039c19c794 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md +++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md @@ -29,6 +29,8 @@ If you suspect or notice that any users are not provisioned or deprovisioned as To check whether users have a SCIM identity (SCIM metadata) in their external identity, you can review SCIM metadata for one organization member at a time on {% data variables.product.prodname_dotcom %} or you can programatically check all organization members using the {% data variables.product.prodname_dotcom %} API. +Keep in mind, when Okta sends the original provisioning call to the GitHub SCIM API during setup, in order for the SCIM identity to get properly linked to an organization member that has an existing SAML identity, the SCIM `userName` in that API call needs to match the stored SAML `nameID` in the user's linked SAML identity in the organization. If these two attributes/values do not match, the SCIM metadata will not get populated and the SCIM identity will not get successfully linked. To check whether these values match, use the {% data variables.product.prodname_dotcom %} API. + #### Auditing organization members on {% data variables.product.prodname_dotcom %} As an organization owner, to confirm that SCIM metadata exists for a single organization member, visit this URL, replacing `` and ``: 
@@ -41,8 +43,6 @@ If the user's external identity includes SCIM metadata, the organization owner s As an organization owner, you can also query the SCIM REST API or GraphQL to list all SCIM provisioned identities in an organization. -Keep in mind, when Okta sends the original provisioning call to the GitHub SCIM API during setup, in order for the SCIM identity to get properly linked to an organization member that has an existing SAML identity, the SCIM `userName` in that API call needs to match the stored SAML `nameID` in the user's linked SAML identity in the organization. If these two attributes/values do not match, the SCIM metadata will not get populated and the SCIM identity will not get successfully linked. To check whether these values match, use the {% data variables.product.prodname_dotcom %} API. - #### Using the REST API The SCIM REST API will only return data for users that have SCIM metadata populated under their external identities. We recommend you compare a list of SCIM provisioned identities with a list of all your organization members. From c88834884d3f2c452e68cad2de89b8946f367c83 Mon Sep 17 00:00:00 2001 From: Adam Ross Russell Date: Tue, 3 Jan 2023 09:43:51 -0800 Subject: [PATCH 4/6] Remove wording about this occuring only during provisioning. --- ...ting-identity-and-access-management-for-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md index 56039c19c794..add1d13f9654 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md 
+++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md @@ -29,7 +29,7 @@ If you suspect or notice that any users are not provisioned or deprovisioned as To check whether users have a SCIM identity (SCIM metadata) in their external identity, you can review SCIM metadata for one organization member at a time on {% data variables.product.prodname_dotcom %} or you can programatically check all organization members using the {% data variables.product.prodname_dotcom %} API. -Keep in mind, when Okta sends the original provisioning call to the GitHub SCIM API during setup, in order for the SCIM identity to get properly linked to an organization member that has an existing SAML identity, the SCIM `userName` in that API call needs to match the stored SAML `nameID` in the user's linked SAML identity in the organization. If these two attributes/values do not match, the SCIM metadata will not get populated and the SCIM identity will not get successfully linked. To check whether these values match, use the {% data variables.product.prodname_dotcom %} API. +Keep in mind, when Okta sends a provisioning call to the GitHub SCIM API, in order for the SCIM identity to get properly linked to an organization member that has an existing SAML identity, the SCIM `userName` in that API call needs to match the stored SAML `nameID` in the user's linked SAML identity in the organization. If these two attributes/values do not match, the SCIM metadata will not get populated and the SCIM identity will not get successfully linked. To check whether these values match, use the {% data variables.product.prodname_dotcom %} API. #### Auditing organization members on {% data variables.product.prodname_dotcom %} From 02ff9a68e14865c1a648e7cbcf19dacb87a76bcf Mon Sep 17 00:00:00 2001 
From: Adam Ross Russell Date: Tue, 3 Jan 2023 16:25:12 -0800 Subject: [PATCH 5/6] Update troubleshooting-identity-and-access-management-for-your-organization.md --- ...ting-identity-and-access-management-for-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md index add1d13f9654..d1ad5021c6ed 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md +++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md 
@@ -29,7 +29,7 @@ If you suspect or notice that any users are not provisioned or deprovisioned as To check whether users have a SCIM identity (SCIM metadata) in their external identity, you can review SCIM metadata for one organization member at a time on {% data variables.product.prodname_dotcom %} or you can programatically check all organization members using the {% data variables.product.prodname_dotcom %} API. -Keep in mind, when Okta sends a provisioning call to the GitHub SCIM API, in order for the SCIM identity to get properly linked to an organization member that has an existing SAML identity, the SCIM `userName` in that API call needs to match the stored SAML `nameID` in the user's linked SAML identity in the organization. If these two attributes/values do not match, the SCIM metadata will not get populated and the SCIM identity will not get successfully linked. To check whether these values match, use the {% data variables.product.prodname_dotcom %} API. +Keep in mind, when the IDP sends a provisioning call to the GitHub SCIM API, in order for the SCIM identity to get properly linked to an organization member that has an existing SAML identity, the SCIM `userName` in that API call needs to match the stored SAML `nameID` in the user's linked SAML identity in the organization. If these two attributes/values do not match, the SCIM metadata will not get populated and the SCIM identity will not get successfully linked. To check whether these values match, use the {% data variables.product.prodname_dotcom %} API. #### Auditing organization members on {% data variables.product.prodname_dotcom %} From 2fb62b2d890eb5828de0f9dc46555a727cd5f042 Mon Sep 17 00:00:00 2001 From: Laura Coursen Date: Thu, 12 Jan 2023 14:27:34 -0600 Subject: [PATCH 6/6] Add :nail_care: --- ...ting-identity-and-access-management-for-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md index d1ad5021c6ed..c0afa7daf821 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md +++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization.md 
@@ -29,7 +29,7 @@ If you suspect or notice that any users are not provisioned or deprovisioned as To check whether users have a SCIM identity (SCIM metadata) in their external identity, you can review SCIM metadata for one organization member at a time on {% data variables.product.prodname_dotcom %} or you can programatically check all organization members using the {% data variables.product.prodname_dotcom %} API. -Keep in mind, when the IDP sends a provisioning call to the GitHub SCIM API, in order for the SCIM identity to get properly linked to an organization member that has an existing SAML identity, the SCIM `userName` in that API call needs to match the stored SAML `nameID` in the user's linked SAML identity in the organization. If these two attributes/values do not match, the SCIM metadata will not get populated and the SCIM identity will not get successfully linked. To check whether these values match, use the {% data variables.product.prodname_dotcom %} API. +When the IdP sends a provisioning call to the {% data variables.product.prodname_dotcom %} SCIM API, the SCIM `userName` in that API call needs to match the stored SAML `nameID` in the user's linked SAML identity in the organization. If these two values do not match, the SCIM metadata will not get populated, and the SCIM identity will not get successfully linked. To check whether these values match, use the {% data variables.product.prodname_dotcom %} API. #### Auditing organization members on {% data variables.product.prodname_dotcom %}
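Review bot: In PATCH 1/6 (hunk `@@ -41,6 +41,8 @@`), the added paragraph hard-codes "Okta" and "GitHub SCIM API" while its own last sentence uses `{% data variables.product.prodname_dotcom %}`. PATCH 5/6 and PATCH 6/6 later replace these with "the IdP" and the Liquid variable, and all six patches rewrite this one paragraph, so consider squashing the series. The squashed subject line should no longer describe the requirement as specific to Okta, since the final text applies it to any IdP.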
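Review bot: In PATCH 3/6, first hunk (`@@ -29,6 +29,8 @@`), the moved paragraph ends with "To check whether these values match, use the ... API" but now sits directly above the heading "Auditing organization members on ...", which covers the per-member web page, so the reader is pointed at the API and then given UI steps. Link that sentence to the "Using the REST API" section, or state whether the per-member page described next shows both the SCIM `userName` and the SAML `nameID`. The unchanged context line just above the insertion also has "programatically", which should read "programmatically" and could be fixed in the same change.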
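Review bot: In PATCH 6/6 (hunk `@@ -29,7 +29,7 @@`), the closing sentence "To check whether these values match, use the ... API" does not say which call returns both values. The "Using the REST API" context visible in PATCH 1/6 states that the SCIM REST API "will only return data for users that have SCIM metadata populated", and unpopulated metadata is the failure this paragraph describes, so a mismatched user would not appear there. Name the query that exposes the stored SAML `nameID` for a member whose SCIM identity did not link. "needs to match" should also say whether the comparison is exact, including letter case, and "IdP" should be expanded on first use if the article does not define it earlier.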