From 07f2da65532dadc398fd942dbddf3f290028658a Mon Sep 17 00:00:00 2001 From: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Date: Wed, 14 May 2025 09:15:11 +0100 Subject: [PATCH] Document that Okta plus Entra is not supported for IAM (#55565) --- .../configuring-scim-provisioning-for-users.md | 2 ++ ...sioning-users-and-groups-with-scim-using-the-rest-api.md | 6 +++--- .../about-enterprise-managed-users.md | 2 +- data/reusables/emus/mixed-systems-note.md | 3 +++ 4 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 data/reusables/emus/mixed-systems-note.md diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md index 5e5d2b296bed..37cea17074f6 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md @@ -176,6 +176,8 @@ To use a partner IdP's application for both authentication and provisioning, rev If you don't use a partner IdP, or if you only use a partner IdP for authentication, you can manage the lifecycle of user accounts using {% data variables.product.company_short %}'s REST API endpoints for SCIM provisioning. See [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-and-groups-with-scim-using-the-rest-api). +{% data reusables.emus.mixed-systems-note %} + {% ifversion emu-public-scim-schema %} {% data reusables.emus.sign-in-as-setup-user %} diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md index f8a92d128424..38cac2b43e34 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md @@ -57,15 +57,15 @@ When you configure authentication and provisioning for your enterprise, you can ### Using a partner identity provider -Each partner IdP provides a "paved-path" application, which implements both SSO and user lifecycle management. To simplify configuration, {% data variables.product.company_short %} recommends that you use a partner IdP's application for both authentication and provisioning. For more information and a list of partner IdPs, see {% ifversion ghec %}[AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems).{% else %}[AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes#supported-identity-providers).{% endif %} +Each partner IdP provides a "paved-path" application, which implements both SSO and user lifecycle management. To simplify configuration, {% data variables.product.company_short %} recommends that you use a single partner IdP application for both authentication and provisioning. For more information and a list of partner IdPs, see {% ifversion ghec %}[AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems).{% else %}[AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes#supported-identity-providers).{% endif %} For more information about configuring SCIM provisioning using a partner IdP, see [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users). ### Using other identity management systems -If you cannot use a partner IdP for both authentication and provisioning due to migration overhead, licensing costs, or organizational inertia, you can use another identity management system or combination of systems. The systems must provide authentication using SAML and user lifecycle management using SCIM, and must adhere to {% data variables.product.company_short %}'s integration guidelines. +If you cannot use a single partner IdP for both authentication and provisioning due to migration overhead, licensing costs, or organizational inertia, you can use another identity management system or combination of systems. The systems must provide authentication using SAML and user lifecycle management using SCIM, and must adhere to {% data variables.product.company_short %}'s integration guidelines. -{% data variables.product.company_short %} has not tested integration with every identity management system. While integration with {% ifversion ghec %}{% data variables.product.prodname_emus %}{% else %}{% data variables.product.prodname_ghe_server %}{% endif %} may be possible, {% data variables.product.company_short %}'s support team may not be able to assist you with issues related to these systems. If you need help with an identity management system that's not a partner IdP, or if you use a partner IdP only for SAML authentication, you must consult the system's documentation, support team, or other resources. +{% data reusables.emus.mixed-systems-note %} ## Prerequisites diff --git a/content/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users.md b/content/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users.md index efef4294e5ff..5e3bf6394db3 100644 --- a/content/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users.md +++ b/content/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users.md @@ -65,7 +65,7 @@ If you cannot use a single partner IdP for both authentication and provisioning, * Provide **authentication using SAML**, adhering to SAML 2.0 specification * Provide **user lifecycle management using SCIM**, adhering to the SCIM 2.0 specification and communicating with {% data variables.product.company_short %}'s REST API (see [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-with-scim-using-the-rest-api)) -{% data variables.product.company_short %} does not expressly support mixing and matching partner IdPs for authentication and provisioning and does not test all identity management systems. **{% data variables.product.company_short %}'s support team may not be able to assist you with issues related to mixed or untested systems.** If you need help, you must consult the system's documentation, support team, or other resources. +{% data reusables.emus.mixed-systems-note %} ## Usernames and profile information diff --git a/data/reusables/emus/mixed-systems-note.md b/data/reusables/emus/mixed-systems-note.md new file mode 100644 index 000000000000..ecc16b578098 --- /dev/null +++ b/data/reusables/emus/mixed-systems-note.md @@ -0,0 +1,3 @@ +{% data variables.product.company_short %} does not expressly support mixing partner IdPs for authentication and provisioning and does not test all identity management systems. **{% data variables.product.company_short %}'s support team may not be able to assist you with issues related to mixed or untested systems.** If you need help, you must consult the system's documentation, support team, or other resources. + +>[!IMPORTANT] The combination of **Okta and Entra ID** for SSO and SCIM (in either order) is explicitly **not supported**. {% data variables.product.github %}'s SCIM API will return an error to the identity provider on provisioning attempts if this combination is configured.