
Commit 985410f

taylorreis and jc-clark authored
GHES SCIM Documentation Updates (Batch 1/3) (#55164)
Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>
1 parent cf29755 commit 985410f


8 files changed

+25
-5
lines changed


content/admin/configuring-settings/configuring-github-connect/enabling-automatic-user-license-sync-for-your-enterprise.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,3 +43,8 @@ Before enabling license synchronization on {% data variables.location.product_lo
4343
1. To the right of "License sync", click **Enable**.
4444

4545
![Screenshot of the "License sync" option on the GitHub Connect page. The "Enable" button is highlighted with an orange outline.](/assets/images/enterprise/site-admin-settings/enable-user-license-drop-down.png)
46+
47+
{% ifversion scim-for-ghes-ga %}
48+
> [!NOTE]
49+
> If SAML with SCIM is enabled, the `scim-admin` setup user will not consume a license. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#1-create-a-built-in-setup-user).
50+
{% endif %}
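Review bot: the added NOTE says the `scim-admin` setup user does not consume a license, but the exemption is tied to that exact username, and the setup-user step in configuring-scim-provisioning-for-users.md (in this same change) tells readers they may pick any username. Make the condition explicit here, for example "the built-in setup user does not consume a license only if its username is `scim-admin`", so an admin who named the account differently does not expect the exemption and then find the account counted at the next license sync.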

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -198,8 +198,13 @@ If you use SAML authentication and SCIM provisioning, you can filter members bas
198198
1. Select **Account Type**, then choose from the following options.
199199

200200
* **Built-in:** Users with local accounts on {% data variables.location.product_location %} who authenticate with a username and password.
201+
{% ifversion scim-for-ghes-ga %}
202+
* **SAML JIT provisioned:** Users who authenticate with SAML via an identity provider and were created through just-in-time (JIT) provisioning when they first signed in. These users are not linked to SCIM identities.
203+
* **SCIM provisioned:** Users who were created and managed through SCIM provisioning from your identity provider. These users are linked to SCIM identities.
204+
{% else %}
201205
* **SAML linked:** Users who authenticate with SAML via an identity provider, but were not provisioned by SCIM.
202206
* **SAML and SCIM linked:** Users who authenticate with SAML via an identity provider, and were provisioned by SCIM.
207+
{% endif %}
203208

204209
{% endif %}
205210

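Review bot: the new "SAML JIT provisioned" option describes accounts that are not linked to SCIM identities, yet user-provisioning-with-scim-on-ghes.md in this same change states that existing users with SAML mappings cannot sign in until their identities are provisioned by SCIM. Say here whether JIT-provisioned accounts can still sign in once SCIM is enabled, or whether this filter mainly exists so admins can find accounts that still need to be provisioned from the IdP; as written, the two pages read as contradicting each other.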
content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-authentication-and-provisioning-with-entra-id.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -86,6 +86,8 @@ Before starting this section, ensure you have followed steps **1 to 4** in [AUTO
8686
* "Secret Token": the {% data variables.product.pat_v1 %} created for the setup user
8787
1. Click **Test Connection**.
8888
1. When the test is complete, click **Save**.
89+
1. Navigate back to the "Overview" page.
90+
1. To provision your EntraID users to your {% data variables.product.prodname_ghe_server %} appliance, Click **Start provisioning**.
8991

9092
When you have finished configuring SCIM, you may want to disable some SAML settings you enabled for the configuration process. See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#6-disable-optional-settings).
9193
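Review bot: in the new "Start provisioning" step, "EntraID" should be "Entra ID" (the product name used in the supported-IdP list edited in this same change) and "Click" should be lowercase mid-sentence. It would also help to state what happens once provisioning starts: per the SCIM overview page in this change, existing SAML-mapped users cannot sign in until their identities have been provisioned, so clicking **Start provisioning** has an immediate effect on sign-in for existing users and is best scheduled accordingly.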

content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -57,6 +57,7 @@ If you're configuring SCIM provisioning for a new enterprise, make sure to compl
5757

5858
{% else %}
5959

60+
* SCIM is a server-to-server protocol. Your instance's REST API endpoints must be accessible to your SCIM provider.
6061
* For authentication, your instance must use SAML SSO, or a mix of SAML and built-in authentication.
6162
* You cannot mix SCIM with other external authentication methods. If you use CAS or LDAP, you will need to migrate to SAML before using SCIM.
6263
* After you have configured SCIM, you must keep SAML authentication enabled to continue using SCIM.
@@ -73,16 +74,16 @@ If you're configuring SCIM provisioning for a new enterprise, make sure to compl
7374
To ensure you can continue to sign in and configure settings when SCIM is enabled, you'll create an enterprise owner using built-in authentication.
7475

7576
1. Sign in to {% data variables.product.prodname_ghe_server %} as a user with access to the Management Console.
76-
1. If you have **already enabled SAML authentication**, ensure your settings allow you to create and promote a built-in setup user. Go to the "Authentication" section of the Management Console and enable the following settings:
77+
1. If you have **already enabled SAML authentication**, ensure your settings allow you to create and promote a built-in authentication user. Go to the "Authentication" section of the Management Console and enable the following settings:
7778

7879
* Select **Allow creation of accounts with built-in authentication**, so you can create the user.
7980
* Select **Disable administrator demotion/promotion**, so admin permissions can be granted outside of your SAML provider.
8081

8182
For help finding these settings, see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise#configuring-saml-sso).
8283

83-
1. Create a built-in user account to perform provisioning actions on your instance. See [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider#inviting-users-outside-your-provider-to-authenticate-to-your-instance).
84+
1. Create a built-in user account{% ifversion scim-for-ghes-ga %} with the username `scim-admin`{% endif %} to perform provisioning actions on your instance. See [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider#inviting-users-outside-your-provider-to-authenticate-to-your-instance).
8485

85-
>[!NOTE] Ensure the user's email and username are different from any user you plan on provisioning through SCIM. If your email provider supports it, you can modify an email address by adding `+admin`, for example `johndoe+admin@example.com`.
86+
>[!NOTE] Ensure the user's email and username are different from any user you plan on provisioning through SCIM. If your email provider supports it, you can modify an email address by adding `+admin`, for example `johndoe+admin@example.com`.{% ifversion scim-for-ghes-ga %} You can use any username you would like for your setup user, but the `scim-admin` user will not be included in your [{% data variables.product.prodname_github_connect %}](/enterprise-cloud@latest/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise#viewing-license-usage-on-github-enterprise-cloud) license counts, while other users will.{% endif %}
8687
8788
1. Promote the user to an enterprise owner. See [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator#promoting-a-user-from-the-enterprise-settings).
8889
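Review bot: the updated step tells the reader to create the account "with the username `scim-admin`", while the NOTE below it says "You can use any username you would like"; together with the statement that only `scim-admin` is excluded from {% data variables.product.prodname_github_connect %} license counts, a reader cannot tell whether the name is required. Make the rule explicit in one place, for example "any username works, but only an account named exactly `scim-admin` is excluded from license counts", since the license-sync and billing pages edited in this same change rely on that name. Also, "built-in authentication user" in the edited SAML step reads oddly; the rest of this page and the other files in the change say "setup user".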

content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -65,7 +65,7 @@ During the {% data variables.release-phases.private_preview %}, your account tea
6565

6666
{% data reusables.enterprise_user_management.scim-manages-user-lifecycle %}
6767

68-
When SCIM is enabled, you will no longer be able to delete, suspend, or promote SCIM-provisioned users directly on {% data variables.product.prodname_ghe_server %}. You must manage these processes from your IdP.
68+
When SCIM is enabled, you will no longer be able to delete, suspend, or promote SCIM-provisioned users directly on {% data variables.product.prodname_ghe_server %}. You must manage these processes from your IdP.{% ifversion scim-for-ghes-ga %} If an issue arises with your IdP and you need to manage a user directly, you will need to use the SCIM REST API to manage the user identities on your appliance (see [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-with-scim-using-the-rest-api)).{% endif %}
6969

7070
To view suspended members, navigate to the "Suspended Members" tab of your enterprise settings. This page will be present when SCIM is enabled on {% data variables.product.prodname_ghe_server %}.
7171

@@ -78,6 +78,7 @@ To view suspended members, navigate to the "Suspended Members" tab of your enter
7878
If you currently use SAML SSO, and you are enabling SCIM, you should be aware of what happens to existing user accounts on {% data variables.product.prodname_ghe_server %} once SCIM is enabled.
7979

8080
* Existing users with SAML mappings will **not be able to sign in** until their identities have been provisioned by SCIM.
81+
* Existing users created with **Built in authentication** will only be able to sign in if **Built in authentication** is still enabled.
8182
{%- ifversion scim-for-ghes-ga %}
8283
* {% data variables.product.prodname_ghe_server %} will no longer store SAML mappings for users. Instead, SCIM identities will be stored for users when a user is provisioned.
8384
* You will no longer see the "SAML authentication" section on the `https://HOSTNAME/users/USER/security` site admin page for users. It will not be possible to view or update SAML NameID mappings that were previously visible in this section, since these stored SAML mappings are no longer evaluated during SAML authentication when SCIM is enabled.

content/billing/managing-the-plan-for-your-github-account/about-per-user-pricing.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -108,6 +108,7 @@ If your enterprise does not use {% data variables.product.prodname_emus %}, you
108108
* Guest collaborators who are not organization members or repository collaborators (see [AUTOTITLE](/enterprise-cloud@latest/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise#guest-collaborators))
109109
* Users of {% data variables.visual_studio.prodname_vss_ghe %} whose accounts on {% data variables.product.prodname_dotcom %} are not linked, and who do not meet any of the other criteria for per-user pricing
110110
* Users who have been provisioned with a {% data variables.enterprise.prodname_managed_user %}, but are not members of any organizations in the enterprise
111+
* The `scim-admin` setup user, when SCIM is enabled on your {% data variables.product.prodname_ghe_server %} appliance. For more information, see the SCIM configuration guide [AUTOTITLE](/enterprise-server@latest/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#1-create-a-built-in-setup-user).
111112

112113
### Accounts that consume a license on {% data variables.product.prodname_ghe_server %}
113114

content/billing/managing-your-license-for-github-enterprise/troubleshooting-license-usage-for-github-enterprise.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,11 @@ First, we check the primary email address of each user on {% data variables.prod
4141

4242
If there is no match, or if SAML authentication or SCIM provisioning is not in use, we attempt to match the primary email address on {% data variables.product.prodname_ghe_server %} with a verified email address for a user account on {% data variables.product.prodname_ghe_cloud %}. For more information about verification of email addresses on {% data variables.product.prodname_ghe_cloud %}, see [AUTOTITLE](/enterprise-cloud@latest/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/verifying-your-email-address){% ifversion not ghec %} in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}.{% endif %}
4343

44+
{% ifversion scim-for-ghes-ga %}
45+
> [!NOTE]
46+
> If SAML with SCIM is enabled, the `scim-admin` setup user will not consume a license. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#1-create-a-built-in-setup-user).
47+
{% endif %}
48+
4449
## Fields in the consumed license files
4550

4651
The {% data variables.product.prodname_ghe_cloud %} license usage report and {% data variables.product.prodname_ghe_server %} exported license usage file include a variety of fields to help you troubleshoot license usage for your enterprise.
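Review bot: the NOTE added here is character-for-character the same as the one added to enabling-automatic-user-license-sync-for-your-enterprise.md in this change. The repository already uses `{% data reusables.... %}` includes for shared text (see the `reusables.enterprise_user_management` and `reusables/saml` usages in this same diff), so move the note into a reusable and include it from both pages so the two copies cannot drift.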

data/reusables/saml/saml-supported-idps.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{% data variables.product.github %} supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
22

3-
{% data variables.product.company_short %} officially supports and internally tests the following IdPs.
3+
{% data variables.product.company_short %} officially supports and internally tests the following IdPs for SAML.{% ifversion ghes %} For more information about the IdPs that are supported for SCIM on {% data variables.product.prodname_ghe_server %}, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes#supported-identity-providers).{% endif %}
44

55
* Microsoft Active Directory Federation Services (AD FS)
66
* Microsoft Entra ID (previously known as Azure AD)
