Merge branch 'main' into content/normalize-github-variables

Author: wd006

content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md

@@ -77,7 +77,6 @@ The [`azure/login`](https://github.com/Azure/login) action receives a JWT from t
 
 The following example exchanges an OIDC ID token with Azure to receive an access token, which can then be used to access cloud resources.
 
-
 ```yaml copy
 {% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Run Azure Login with OIDC
@@ -93,9 +92,9 @@ jobs:
       - name: 'Az CLI login'
         uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a
         with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          client-id: {% raw %}${{ secrets.AZURE_CLIENT_ID }}{% endraw %}
+          tenant-id: {% raw %}${{ secrets.AZURE_TENANT_ID }}{% endraw %}
+          subscription-id: {% raw %}${{ secrets.AZURE_SUBSCRIPTION_ID }}{% endraw %}
 
       - name: 'Run az commands'
         run: |

content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md

@@ -103,7 +103,7 @@ jobs:
     - id: 'gcloud'
       name: 'gcloud'
       run: |-
-        gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
+        gcloud auth login --brief --cred-file="{% raw %}${{ steps.auth.outputs.credentials_file_path }}{% endraw %}"
         gcloud services list
 ```
 

content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md

@@ -69,7 +69,7 @@ jobs:
         id: setup-jfrog-cli
         uses: jfrog/setup-jfrog-cli@29fa5190a4123350e81e2a2e8d803b2a27fed15e
         with:
-          JF_URL: ${{ env.JF_URL }}
+          JF_URL: {% raw %}${{ env.JF_URL }}{% endraw %}
           oidc-provider-name: 'YOUR_PROVIDER_NAME'
           oidc-audience: 'YOUR_AUDIENCE' # This is optional
 
@@ -85,20 +85,16 @@ jobs:
 
 ### Using OIDC Credentials in other steps
 
-{% raw %}
-
 ```yaml
 {% data reusables.actions.actions-not-certified-by-github-comment %}
       - name: Sign in to Artifactory Docker registry
         uses: docker/login-action@v3
         with:
-          registry: ${{ env.JF_URL }}
-          username: ${{ steps.setup-jfrog-cli.outputs.oidc-user }}
-          password: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
+          registry: {% raw %}${{ env.JF_URL }}{% endraw %}
+          username: {% raw %}${{ steps.setup-jfrog-cli.outputs.oidc-user }}{% endraw %}
+          password: {% raw %}${{ steps.setup-jfrog-cli.outputs.oidc-token }}{% endraw %}
 ```
 
-{% endraw %}
-
 ## Further reading
 
 * [OpenID Connect Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/openid-connect-integration) in the JFrog documentation

content/actions/tutorials/build-and-test-code/ruby.md

@@ -187,8 +187,6 @@ The `setup-ruby` actions provides a method to automatically handle the caching o
 
 To enable caching, set the following.
 
-{% raw %}
-
 ```yaml
 {% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
@@ -197,8 +195,6 @@ steps:
     bundler-cache: true
 ```
 
-{% endraw %}
-
 This will configure bundler to install your gems to `vendor/cache`. For each successful run of your workflow, this folder will be cached by {% data variables.product.prodname_actions %} and re-downloaded for subsequent workflow runs. A hash of your `gemfile.lock` and the Ruby version are used as the cache key. If you install any new gems, or change a version, the cache will be invalidated and bundler will do a fresh install.
 
 **Caching without setup-ruby**

content/actions/tutorials/build-and-test-code/swift.md

@@ -124,8 +124,6 @@ jobs:
 
 You can configure your job to use a single specific version of Swift, such as `5.3.3`.
 
-{% raw %}
-
 ```yaml copy
 {% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
@@ -136,8 +134,6 @@ steps:
     run: swift --version # Swift 5.3.3
 ```
 
-{% endraw %}
-
 ## Building and testing your code
 
 You can use the same commands that you use locally to build and test your code using Swift. This example demonstrates how to use `swift build` and `swift test` in a job:

content/admin/data-residency/network-details-for-ghecom.md

@@ -33,6 +33,7 @@ For more information, see [AUTOTITLE](/rest/meta/meta).
 * `*.githubassets.com`
 * `*.githubusercontent.com`
 * `*.blob.core.windows.net`
+* `auth.ghe.com`
 
 ## {% data variables.product.github %}'s IP addresses
 

content/admin/guides.md

@@ -30,6 +30,7 @@ includeGuides:
   - /admin/concepts/identity-and-access-management/enterprise-managed-users
   - /admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users
   - /admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users
+  - /admin/managing-iam/provisioning-user-accounts-with-scim/migrating-from-ldap-to-saml-with-scim
   - /admin/identity-and-access-management/provisioning-user-accounts-with-scim/configuring-scim-provisioning-using-okta
   - /admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups
   - /admin/managing-iam/using-cas-for-enterprise-iam/using-cas

content/admin/managing-iam/provisioning-user-accounts-with-scim/index.md

@@ -13,6 +13,7 @@ topics:
 children:
   - /user-provisioning-with-scim-on-ghes
   - /configuring-scim-provisioning-for-users
+  - /migrating-from-ldap-to-saml-with-scim
   - /configuring-authentication-and-provisioning-with-entra-id
   - /configuring-authentication-and-provisioning-with-pingfederate
   - /configuring-scim-provisioning-with-okta

content/admin/managing-iam/provisioning-user-accounts-with-scim/migrating-from-ldap-to-saml-with-scim.md

@@ -0,0 +1,164 @@
+---
+title: 'Migrating from LDAP to SAML with SCIM'
+shortTitle: 'Migrate from LDAP'
+intro: 'Learn how to migrate your {% data variables.product.prodname_ghe_server %} instance from LDAP authentication to SAML single sign-on with SCIM provisioning for centralized user management.'
+permissions: 'Site administrators can migrate authentication methods on {% data variables.product.prodname_ghe_server %}.'
+versions:
+  ghes: '>=3.17'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+  - SSO
+---
+
+## About migrating from LDAP to SAML and SCIM
+
+If your {% data variables.product.prodname_ghe_server %} instance currently uses LDAP authentication, you can migrate to SAML single sign-on (SSO) with SCIM provisioning for enhanced user lifecycle management capabilities. This migration allows you to automatically provision, update, and deprovision user accounts from your identity provider (IdP).
+
+{% data reusables.enterprise.saml-or-ldap %}
+
+**Prerequisites:**
+
+* You must be a site administrator on {% data variables.product.prodname_ghe_server %}.
+* You must have administrative access to your SAML identity provider.
+* Your IdP must support SAML 2.0 and SCIM 2.0 protocols.
+* You should complete a backup of your instance before beginning the migration.
+
+SCIM provisioning requires SAML authentication as a prerequisite, so this migration involves four distinct phases:
+
+1. **Migrate to SAML authentication**: Replace LDAP with SAML SSO.
+1. **Test and verify SAML**: Confirm authentication works and users link correctly.
+1. **Enable SCIM provisioning**: Add automated user management capabilities.
+1. **Test and verify SCIM**: Confirm provisioning links identities to existing accounts.
+
+This document assumes familiarity with SAML authentication and SCIM provisioning. For more information on these topics, please see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise) and [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes).
+
+## 1. Understand LDAP vs SCIM user creation patterns
+
+Before you begin the migration, it's important to understand the key differences between how LDAP and SCIM handle user management on {% data variables.product.prodname_ghe_server %}.
+
+| Attribute | LDAP | SCIM |
+| --- | --- | --- |
+| **Appliance configuration** | You configure the user ID attribute (default `uid`) and other LDAP settings in the management console. This configuration determines how to map between LDAP users and GitHub users. For more information about configuring LDAP, see [AUTOTITLE](/admin/managing-iam/using-ldap-for-enterprise-iam/using-ldap#ldap-attributes). | Enable SAML authentication first, then configure SCIM provisioning with an authentication token. |
+| **User creation timing** | Just-in-time: Users are created on first sign-in after successful LDAP authentication. | Pre-authentication: Users must be provisioned via SCIM before they can authenticate. |
+| **Initial username source** | GitHub username is based on the normalized LDAP identifier configured during setup. | GitHub username is based on the normalized SCIM `userName` value from your IdP. |
+| **Username management** | Flexible: Administrators can change GitHub usernames independently of LDAP. Usernames can drift from LDAP identifiers over time while maintaining authentication through LDAP mappings. See [AUTOTITLE](/account-and-profile/reference/username-reference#changing-your-username). | Strict: GitHub usernames always correspond to the normalized SCIM `userName` from your IdP. Username changes on the GitHub side are not allowed. |
+| **User attribute control** | Hybrid: Some attributes managed by LDAP, others can be managed on the appliance. | Full IdP control: All user attributes are managed through SCIM updates from your IdP. |
+| **Authentication flow** | {% data variables.product.prodname_ghe_server %} authenticates with your LDAP server and looks up the existing LDAP mapping to locate  the user. | During SAML SSO, an external identity lookup is performed to locate the provisioned user for authentication. |
+| **Key characteristic** | Hybrid system where GitHub user data (especially usernames) can be partially managed on the appliance independently of the LDAP server. | Full identity provider control: The state of GitHub users depends entirely on what the IdP sends through SCIM, and usernames cannot drift from the source system. |
+
+### Username normalization and compatibility
+
+{% data variables.product.prodname_ghe_server %} normalizes usernames according to specific rules that apply consistently across LDAP, SAML, and SCIM. Understanding these rules is critical for successful migration.
+
+For more information about username normalization, see [AUTOTITLE](/admin/managing-iam/iam-configuration-reference/username-considerations-for-external-authentication#about-username-normalization).
+
+## 2. Plan your migration
+
+Before beginning the migration, you need to understand your current setup, prepare your identity provider, and establish backup access methods. The planning phase is critical to ensure a smooth transition.
+
+### Preparing to map from LDAP to SCIM
+
+The critical migration challenge is bridging between the LDAP and SCIM user management approaches:
+
+**LDAP users (existing state)**:
+
+* Have GitHub usernames that may have changed since initial creation
+* Retain authentication ability through LDAP mappings regardless of username changes  
+
+**SCIM users (target state)**:
+
+* Must be provisioned before authentication
+* Must have GitHub usernames that match their normalized SCIM `userName` values
+* Can be linked to an external identity with their existing GitHub account during SCIM user provisioning, but only if the normalized SCIM `userName` matches their existing GitHub username
+
+### Migration mapping requirements
+
+To successfully link SCIM identities to existing LDAP users, you'll need to capture the current state of the users on your instance:
+
+1. **Export existing GitHub usernames**: Use the site admin interface, API, or CLI to get a complete list of current GitHub usernames on your instance. For more information about the users API, see [AUTOTITLE](/rest/users/users?apiVersion=2022-11-28#list-users). For more information about the command-line utility to export users, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-user-csv).
+1. **Map GitHub usernames to real users in your IdP**: Determine which identities correspond to each GitHub username in your enterprise.
+1. **Configure the SCIM `userName` attribute**: Ensure your IdP provisions SCIM users with `userName` values that match the existing GitHub usernames you would like to link.
+
+**Important**: The target for mapping is always the **current GitHub username** on your instance, not the original LDAP User ID or any other identifier.
+
+### Key planning considerations
+
+**Important considerations:**
+
+* **Downtime required**: This migration requires downtime during a maintenance window to change authentication settings.
+* **User impact**: After the migration, users will need to authenticate through your SAML IdP instead of LDAP credentials.
+* **Team membership**: LDAP team synchronization will be replaced by SCIM group provisioning if supported by your IdP. LDAP-mapped teams will need to be updated with an appropriate SCIM group where applicable.
+
+### Capture the state of your LDAP configuration
+
+Record your current LDAP setup to plan equivalent SAML/SCIM mappings:
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.authentication %}
+1. Document the following LDAP settings:
+   * **Domain base** and restricted user groups
+   * **User ID attribute** (this was used to create GitHub usernames)
+   * **Profile name, email, and other attribute mappings**
+   * **Administrators group configuration**
+   * **Team synchronization settings**
+1. Ensure you have saved a list of existing users on your instance that you will be linking to a SCIM identity.
+
+## 3. Migrate to SAML and SCIM
+
+Once you've completed planning, you can begin migrating from LDAP to SAML authentication. This involves configuring SAML on both your identity provider and {% data variables.product.prodname_ghe_server %}, then carefully testing the configuration before proceeding to SCIM.
+
+**Important**: When configuring SAML, enable "Allow creation of accounts with built-in authentication" to reduce the number of steps required when enabling SCIM.
+
+### Enabling SAML authentication
+
+For detailed SAML configuration steps, see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise).
+
+After enabling SAML, test the authentication system before proceeding to SCIM. With any IdP account assigned to the SAML application configured against your instance, verify that you are able to successfully perform an SSO login.
+
+**Do not proceed to SCIM until SAML authentication is working correctly.**
+
+### Enable SCIM provisioning
+
+After confirming SAML authentication works correctly, you can enable SCIM for automated user management. SCIM must be configured on both {% data variables.product.prodname_ghe_server %} and your identity provider.
+
+For detailed steps to enable SCIM, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users).
+
+#### Test SCIM provisioning
+
+Test SCIM provisioning to ensure the SCIM provisioned users are linked to existing user accounts correctly.
+
+For users who already have accounts from the LDAP/SAML migration:
+
+1. **Assign user to SCIM application** in your IdP.
+1. **Verify automatic linking**: Check that SCIM automatically links to the existing account:
+   * Users retain same username and account data
+   * No duplicate accounts are created
+   * SCIM identity shows as linked in the enterprise settings, and site admin interfaces. For more information, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise#viewing-a-linked-identity).
+1. **Review audit logs**: Look for `external_identity.scim_api_success` and `external_identity.provision` events showing successful linking to existing users.
+
+For new users not previously in your instance:
+
+1. **Verify user creation**: Check that the user appears in {% data variables.product.prodname_ghe_server %} with correct attributes.
+1. **Test authentication**: Confirm the new user can authenticate via SAML.
+1. **Test attribute updates**: Update user information in IdP and confirm changes sync.
+1. **Test deprovisioning**: Remove user access and confirm they are suspended.
+
+### Roll out SCIM to all users
+
+For all remaining users who aren't yet provisioned via SCIM:
+
+1. **Gradually assign users** to the {% data variables.product.prodname_ghe_server %} application in your IdP.
+1. **Monitor linking process**: Watch for successful automatic linking based on username matching.
+1. **Track progress**: Use audit logs to monitor `external_identity` events for linking progress.
+1. **Address any conflicts**: Resolve username conflicts or mapping issues as they arise.
+
+## 4. Update team and organization membership
+
+After your migration, if you previously used LDAP group synchronization to control team memberships, you can replace those team mappings with SCIM groups. If reusing existing an team, you will need to remove all team members prior to linking an IdP group.
+
+For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/managing-team-memberships-with-identity-provider-groups).

content/admin/managing-iam/understanding-iam-for-enterprises/changing-authentication-methods.md

@@ -42,3 +42,13 @@ Other issues you should take into consideration include:
 * **Two-factor authentication:** {% data reusables.enterprise_user_management.external_auth_disables_2fa %}
 
 * **Fallback authentication for users with no account on your external authentication provider:** You can invite users to authenticate to {% data variables.location.product_location %} without adding them to your identity provider. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider).
+
+{% ifversion scim-for-ghes-ga %}
+
+## Migrating from LDAP to SAML and SCIM
+
+If you're currently using LDAP and want to enable automated user provisioning and deprovisioning capabilities, you can migrate to SAML authentication with SCIM provisioning. This provides enhanced user lifecycle management while maintaining centralized authentication.
+
+For detailed migration steps, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/migrating-from-ldap-to-saml-with-scim).
+
+{% endif %}