From c70711a18c4033eb3b226e3a7d08ea46daa35ecb Mon Sep 17 00:00:00 2001 
From: Steve Guntrip <12534592+stevecat@users.noreply.github.com> Date: Tue, 31 May 2022 21:00:03 +0100 Subject: [PATCH] [2022-05-31]: EMUs - AAD Conditional Access Policy Support & AAD OIDC (#27787) --- .../images/help/enterprises/require-oidc.png | Bin 0 -> 26246 bytes .../help/enterprises/saml-to-oidc-button.png | Bin 0 -> 17002 bytes .../identity-and-access-management/index.md | 2 +- ...f-your-identity-provider-is-unavailable.md | 6 +- ...unts-saml-single-sign-on-recovery-codes.md | 28 -------- ...-accounts-single-sign-on-recovery-codes.md | 37 ++++++++++ .../index.md | 2 +- .../about-enterprise-managed-users.md | 66 +++++++++++++----- ...for-your-idps-conditional-access-policy.md | 47 +++++++++++++ ...uring-oidc-for-enterprise-managed-users.md | 47 +++++++++++++ ...le-sign-on-for-enterprise-managed-users.md | 3 +- ...-for-enterprise-managed-users-with-okta.md | 7 +- ...ovisioning-for-enterprise-managed-users.md | 21 ++++-- .../index.md | 6 +- ...mberships-with-identity-provider-groups.md | 1 + .../migrating-from-saml-to-oidc.md | 58 +++++++++++++++ data/features/oidc-for-emu.yml | 5 ++ .../download-recovery-codes.md | 2 +- .../emu-azure-admin-consent.md | 6 ++ .../enterprise-accounts/emu-cap-validates.md | 1 + .../enterprise-accounts/oidc-beta-notice.md | 5 ++ .../enterprise-accounts/oidc-gei-warning.md | 5 ++ data/variables/product.yml | 10 ++- lib/redirects/static/redirect-exceptions.txt | 18 +++-- 24 files changed, 310 insertions(+), 73 deletions(-) create mode 100644 assets/images/help/enterprises/require-oidc.png create mode 100644 assets/images/help/enterprises/saml-to-oidc-button.png delete mode 100644 content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-saml-single-sign-on-recovery-codes.md create mode 100644 content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes.md rename 
content/admin/identity-and-access-management/{using-enterprise-managed-users-and-saml-for-iam => using-enterprise-managed-users-for-iam}/about-enterprise-managed-users.md (60%) create mode 100644 content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md create mode 100644 content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md rename content/admin/identity-and-access-management/{using-enterprise-managed-users-and-saml-for-iam => using-enterprise-managed-users-for-iam}/configuring-saml-single-sign-on-for-enterprise-managed-users.md (96%) rename content/admin/identity-and-access-management/{using-enterprise-managed-users-and-saml-for-iam => using-enterprise-managed-users-for-iam}/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md (90%) rename content/admin/identity-and-access-management/{using-enterprise-managed-users-and-saml-for-iam => using-enterprise-managed-users-for-iam}/configuring-scim-provisioning-for-enterprise-managed-users.md (62%) rename content/admin/identity-and-access-management/{using-enterprise-managed-users-and-saml-for-iam => using-enterprise-managed-users-for-iam}/index.md (76%) rename content/admin/identity-and-access-management/{using-enterprise-managed-users-and-saml-for-iam => using-enterprise-managed-users-for-iam}/managing-team-memberships-with-identity-provider-groups.md (97%) create mode 100644 content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc.md create mode 100644 data/features/oidc-for-emu.yml create mode 100644 data/reusables/enterprise-accounts/emu-azure-admin-consent.md create mode 100644 data/reusables/enterprise-accounts/emu-cap-validates.md create mode 100644 data/reusables/enterprise-accounts/oidc-beta-notice.md create mode 100644 data/reusables/enterprise-accounts/oidc-gei-warning.md 
diff --git a/assets/images/help/enterprises/require-oidc.png b/assets/images/help/enterprises/require-oidc.png new file mode 100644 index 0000000000000000000000000000000000000000..a0a19b5f4f48763616eb560d97056e1b7efb5ec4 GIT binary patch literal 26246 zcmb@t1yo$kvoA_QkOU6|0t62b2!!A;xI-8uOmLTh;O;WG1`8f6*bv+;xCPh2-5mxA zF7qb&zVkn4-S^g8cinYo&7R$}ySlro+J04CJ4{(o2Im>sGZYjQ964D@6%>@mP-MCQ z6CL?`U5PM8L3uW7E+L^TCm}(t>|kqZZUsg`kqt{o!uSN5B@P~G-i;*w89yp8{*;>j z_h??gkHFV4%HlxG$JyB&eE!B_QctXQzK8nf&`}$Uv1q&`Vwu4(QC7|fK>PU7o%a}% z^K8n~w%L2S?|N!j`1ZhiO33n_1my#@{F}kR7bv~YH$rJqo6Jw1hH))8`ifBsj-qI> z)N1sGhGISn9U6wz;9a7;PPf&TbG*MrASUDablAyJ-aK6;ib_rovJ>Eto)!Oyi}E8U zblJc?O1ZxdUyYasjrOiF9%g!#6AyxtDr7{3Mg0~_Mn}mQGzuF>q1LAL(RwF<((a94)n(l9vObY=1?Mf$#h7?-+D_r+s;9p8yGagk;zFRG9)NxFvwEX zEgV)gXn2i2Fl8DXH0Z#*oXIp0*ZCy_Tsp&Mktj7ATiL84CHzIxG;Hf4!KADAPVgNl zvDKG^f_I?dZl+w5*h~^_r2DG(j#e(W*r$}b&C^C7q6ybr6FDC+>z~>>&PD|{S8eTW zKYQuO-+fX!$ETy;+K~KGv*~@0c5TvoPI2OqA?%pz?uL(*HT=B;{B=CyF2TFS-$OOg zTiWmfsqt{SPy|*`to)2|dD&#vt)wZ;rm~wO$`jeq38aKQ#Pn7#C%CG2NYF zX)&`UE{54>IO!f8W!vUS>EQL(x<{jTWV0?t!)9M5@^`S>G-Q zA```Ui2^bRn%H`>;7g)njgN^jM*WE8kyRV2rs$Kz0P%A4cwdfkv;!1X12#Ss+yLX1 zC!ZggwV~OeEuhr3=^kVL4xl-H_Qem+;JH8bD@nf}G3dEiq+-M|6p|r=)FN-5gaUl6I0=1)d&m8nk>M_x{voiK29)l5i3Z+M%6y^I#C1Ahospg%EWCY)wA$&Qpb`; z>&8%b*njh4qvZruwAC9WC%Xa3O!=WtKz;?CX&pMh7P_$wg$*h+REwWZk&=fhv_Xy4 z4S0=QjZ@1HXDAP-U0#KBny;|f9o5^t!b%Ew+kV(V(VgCNz7}jpb@ICD-4ZT5TB!@` z*z)AX72TENmEIlJ-D@#F14%pjKtjGiuMX1=F>&%$2E)+za-Uv*!(R*=>vCEnGor7E zbxXNQzKW8h-Hp?c#gg+m{h^ zO<4S^eufW1o3xuun>nvkhqa=ZdSbO%)mf)mrr%y_Wl-C`9*NPX)u+~{fv7w{?|wWM zYu9L(@yjd!kfpU+EuPs?Ppdkn#;(IIZ=bV9&}|vs`GJq#m|lcFN~L1_QC`G{fKNn| zzIzg2(DX+<6*f>vd__M)KXB7&lVj7kf3e?~`2#a9a|N?I^CYvG>W%8h!e52JN#NvA zA>$`_fsYzY&G?7?B+n1-!t+9fA0wbkmF>c$Lf(R9RYb8E>=@QNI#W27eIiL%VqV&y z?AWkHIW+Js=PZ7^VaRyoZMv(`k_4;9fX-VL%b=-8CGSe?ttk#stg|lO9Y)OM015$m zfL*}6^YHGM9TjIGr|X~d&LjIRxdo#ytASedhtI8nO7d*VO4)V#W!knX%aS6}kP@G` z2SU{BM~l>x2907N?a5iChCd9m3-J0zqPRhf6K85AB 
z<+g8BFm+GBoKnn7b}2ZENf%iN=Im6SZ@p}R_|@Lww_o0~+Cn$UK4IT%9I~#?XvP=|%7KMeWjR(lMmkdI zrcjD4%eLjM{%XEwWI&z_AcjkHhv}vrX5|uKjysi@<<)t7j|5 z5Z$bCrc7&o2ID~0)LBZBA4yNq@IG4Sm)K#xez!yGb=FhiO`+BGy{hs2MUqYO745zG z!~6}Bb@k253H@b}q1JW?OB=g^l&B{)!+SnEO9LuUYM<#8XODkcfEv2)GX@M9G<7r) zEOtDCpz5HGEU~P4ajFo~pr;*L9b$Z(UfNf2m~o+Cf>xHUcV9F#nvdOctxXI~%!s%x z%qL=h;EgSfrRGp|C;yT)0vK%?#~JM#Gp>29_pjfqZ}*gaX^s7!(x&uTp^N?(!xViK z+o^W7@tE>gV->ma=5B_FGh%)1?1tBleY1I|@|yBW48~vAzec}?7zR~YXs$C2#(#@v zuf_9ZynWFVQI*cw;k=#bsGs{YKQSLSzaigRo_y8)l-VuEi^}H(Lczn}X6bj>m*X!I zq@Wc06a~$z;*Db1V|uaR6_r{=7d@BgQE?601O2U^Ry~#MAIpCzVuz7LXgkIe#7@w& zCwMWE_MZ2a4Byuax?J}Ob_skgX41mBUMJ)nt{ik2Ca?YxvHpkKaicGs?8C+fNqX=7#VPnb z<-HK%_6X;K+{OAzt)Hn`&lIHg@d8ZexqeP%1^IDjXaU-T9t|m`URt%=5Lh+TO*-zc zI&`1igTI}n_Gr1W-j_Tr5y}rxbggcvNx$j7Ns=)8J^U$CmA~=& z)rrnYL%|u^cF%m!VGhaoJ8T!0LpLY(hqZKhEH-C-+!n9%a702x`j_D|^~JJ`hAof7 z-_AGZiR6mB-x^;vD&Fs1?HAbOA8n-$^J?2RELiMojyjf3S6y~kFVCwVy@xNkT&Fddqp=U-DmuP?-q3oxQ(Y-N?!AN$$y0BFgwAIO(Bvn>uT&aIbi8hT(%8&ml1-v}glXih-cHL8s#tgGm6)6g==L+5^U zX~k7V7H>8$$daT)FOv2?0rgwLz4tIbLq= zSq|>=8eFCe8k9pSQ?BL-q8NCXcfPehDNS=Wmeh(ZPtGM`Vtv_+x}@#Vo%aJ{ha=gS zN%ImyB-T{}Ysi@@D4;MS)0ilaLd;Q~AXAT!7a8(GK|%c*jDmr@KSy4Y-yi>1?qle8 z)c;DO6#O9+14+oqA@3k#2Qb*i@w2UycCXzvvZ^WbPZ~}d3P6Cdt@S%Y6I&zjJ2z{) zKSfXk-2lj>HQ33J+RfU^#u4BqMEjQlfK2~+%tlN7m&D0Zh*m>EnOefu0Zh&F?)|&> zw8GD*si_4WOiTePlG6VcNB$F{{p{pq2Vi4!b#;B`%K6UL!HkWapP!%YJqH^H2P=|- z)zRI?$~ zf4-r~&;H&q{X+}>ePqP^PZlOE^ncCz5A}btsQ-&PG?|B8NGLrrQg?V58y75L7E<+A zy$l>pDWX>??s;*b>B2h#``zqmJq=%m;FtConr<0hoNf+ecq4XUX0tW>yp>hk(v^NX z(DgbSvl0C!Wotc2nY+cLRxFJC>*lDik3!BYQ5RMzD?!xDOtUvC(|c`LSSr}n+bCB+q~8l z(cW>@s@KdDV{B+>k9fFOBVDMscWiHkoQ!K!3curOxxbh{=!_P|+2!-N3uF#PYUlU@ zAGUtaI4=vkrMlyYnP6+Vvlw9owy~W+Ji5{}|tMLP{Von?2axjI&gSy`})_FTM2v>9p!1wrOV;$w5hXH zEpXGrNRZoEy=LBUbGj%%2bU7Ca8}P`+)tvOp!d^?h1=*^>2iGvg@`?e=kJ{g=5(Y` zppxw=BoRxP`Il8kx)Rrvi{f?i{@<<5RrY67;)v!ReogM# z0iznbE~knU9s~#STEM7xr;m;~RZG#RHBu$p8&}aO6OCa>hsB)izxdNyrq+C* z*2?a4{X|Fj3s4z1>iYxaIP%%lx|BvcdV2`&NiEg=fx48q&uQr!th&d 
zQWqD)hF9wcX<{}tQ1K9$F99;Y7Uiv3QM}Z^8GD{7m~K5&O+Q}+7j;=(%R4wZI7oA| zS#BZR@P84*MV;BwDdVqGJ`=TZ8u`?L7w!ZyMJK+Gc@Vn2Fx%&~!S#u3S}!@P=Z;~Z zJE#{vZj8cvZQebnL^)+WLo_bEL@DGkaj_6V!d6A+p4N3c)3-2fxOdUEGOHXys`E>lOxRd`SQ3!_p-;7!!4zUeVzMsdK)K}wtcXhbLV+ty**jc~7mI>sBNAdd*a zWcvaOEN9XCj)a}j*qp2{*8_09-DgO>8^(q)J!yv??-vi|<vqaaJ zp1jzYNsDJDL#5{w!gD+kD-!*!-~1%@G&d|-=6myS*;%z&)XiRqIKOzVPt=p*cLBJb zC3#D3&40Q{LDj1IMt*_%ppJDZHO-@hY#A!=wmle4VkLV;(cA6l5=65Hd`qVF_HyOm2Hcq%ruIrK@Le^IOe+r)_Z+7`ZOg+&<~T zUY0{wlx~upFH$eFAOLw%zCCUmosB`y^noYsJ>``o!lFQZPk!v)p(h2Dvt95h_t2vB zXFFYV&^KuBrs}-ovqc zPy-B6coUA%ID$AC3k7*k6Wu}lhhmhE|!`LN>Z;#(su5_>I-L-4NL)^HQ* zg?XT?<~EMuw-JHG_>?|U6&c;nbjJKN76eb~UTEeEL)92BsSYd~ec(&`C0SNxLCi)U zT4=PSHp5jHWPkQyo(4@$1&C?t8a->TvIKJWfNeHxCco9x>@jtXqN>=O|EfDDVn4SY zjMMPNE(&D=6AW|^p4(gi7h4=JUtNHZhRH%)GjteD68 z2$uBi1Mji{Tb<3)ZuKCgu$Kk^M^U$ZueB0)?{I+;69rebs7szqlLHiuEOu9a=MlvP$ zzWY@Vp|)q!B-cg48LT)am+$J<-mKF}=b1G0?p_Zc1iw{Bw|#WrV(c@(izQcxPGqc5 zlotzB@>S`g27?bb(iH~=m7HB2=2Y{$hCiOUI=uQ~_xvakCn0wgHF{=VJV!aSEg%J?IRJMp9Z7s0 zxWKDTXZCV`ahNse&+hrF_;m4~Zix*mhz0V%%1{CIL@5f_bi~dFPX748fYf>IRJ^=W@8!=&o4^kp7x*$JK%*rlM z#)GoViia71${3PnS|?V#144#z*W&E)&0*N8%X~F=*{R@ZuE#q5>6uBdA8QxpawF`KhPyptUDEjRdVF!F3@c--o+_bwl=WXs5&uN3%ss*=Wu@ z<%Kny>B^faA{s8E{*E8a<@HZHfU?*6;uluietOSAB3Nxx>h_Dr#FNZMd)}|%l10Oj zS2XG!R(+6!&fpf9IHQvj6Cr)2Q)^i(7tT|E4Qlad@;S8I! 
zrn79Og&N|o_Q!H@qPAz#oQagk14*0Qg@C!hffZ z=Rbb^V}~f8R}R?7RCU$n3t-f|_LkT`Sl+Fps}#IWLFpgWLGzFU8mmY1&G;7s$PcQ@ z^NSV9W?4|LPeSPMGpP*hN46VwHuAG%GlZ}Feu)!+R-)kwL2g?Tf0=tq2&$U67J6nJ zfj5<=BbxP3xihC0ZyPFf60AF-CrRaNlCVIDA*tK3p4eP+rcD(;{Tw@t z{U?TyJDz4I?F?V0urS%z$sMN3pc;IHihgtnmn0xja?H8X~;&I^bF zYqfEZaMjZouhZ^ZowL^yYiI9BYXhVOc76Cl23=6mseO1l6miHu9H5U!mi{%{XpJn| z3gxzgC!?4I)d1?(YQLr!Smd0f(=}wQzNMP?09w-I(Q0p!gG76)V1!w2nZr%-4#gfhE|k_#(wdLZeDIFrIs=G&RU3nPQ{K|jI{jwSNMcpu`^6YfWc`z zgL;3X;By6;Odi=Te2XYwudTnne@Nob>WSV}P5wzC;8}+Qs>#R#S~>F##moAhDNWVX zi`K~F+xE&g193_$P*cq*qWV83CDKB)CAh0@Y7knHKh%At!KCMOIzEqS3h=tQ&J=Xd z)IH_bb$Fcc4=Iv30%d`7P@QvgdG7GjozY`nOl?6T3@^ZPb!y;W8US1Q^CUX#BqK%^ z%x099s+dnv+1(|yKQ`=t4A%dcx&Obm?EjHbEItyp zJJC#v_Ftc%Qh%0zP3Vr(s{eb2_Wu!c|53pIu-N}MDmrEe-K|^pAs3&$S1)Tx*jQ%w zx?FVCMD)RCCngp%x}+%9;3^$|taqff&pLCNA>^5uPWq}JX|8^2LTvQK9n6G19GJJ? z2eI5<_Xhub&(HnhwDD!AGv#iDG8AiIO+qc2O2miJ33ai(ZW)a1EZgAZmdm(H3Ad9q z@aeuH#h7*Hy0ZBeul9&j z%5Cp=%0U&ITJWWMiDv3z1I$L(;Mqw8TkEq+B-$T{q7;ce9873lRV$UP_-U6JwYpcc z-{)nRN9PT@JgO-b^1flo9RP@pH*Te#)09T0*41kMR>Z>|-gWE4N+imheu&E#-Lo8^$%QS?A*J?(tz&C*3L~N5xNjq|>AbHRQ{&@Gi~JQol-~5{s>N?ct9X z(J~UkGU7{NNdP3SXUkn&ir&;?NL5_tJniN_0=Y&}3XE-i^?iX~M0yzpA8b?J*DH)V zJ~|;}l+elbtNp#w4kTw6N^K3996l1UP$ZD}`i7A%Uv+cu(e9e=oUbib4#~UP46%1I zQ53dsZ?io@t$4OKt(O@}{o1p{g&cpoLEPSPx8Wt2r|gv2s(e8+~K?K=;o@Vs|& z;hT_HVzk*aBV~^aWABP{tL53Z{<6>ShZ7JQ*w{IBC@^nI*8dxrFkJjoUxqOQ>CEzm z49%VUeNo#@zD7Et)J>}{FM(!|N_XblwcdNH)7AaidPcUEp{X>tn0tePPxT17<>rG` zn6#dakX!7%-To(+-{V#nITWrEuU2H{;ie&M!=|kZ5VqSKg}Bw*r2KFkdckE^L!Mg$ zxRYCk?V#W_kGA`7pR1vJzx}dBLpy~Tj^j68aZV=-zt`2RPY$W9H+FBy8LPJ0T0QR- zeWJO_1o#O{vHU~LqeGd}vHQ)994ehD!~f!I za95@~XW#328Hpt zUq~uG(@Jc-qsYkTtgIIGX=pKoB_7WML;*X=#W{Bh?%H}Zs7_>hE@i9+o4Yl(Hp>lf z$@>K666YlqC(7GI4XzXzEh+Xj6p6_=0MD0bBICoHuXti+Ajir(O|b#q8184dr!{Vo zU1zD);@QP3myOL%4OJtbh^j&Dfq`e{>u$X;Rd{vH-&WZa@3jE)NQ>pT`QixQoL0hJJKr^~@{8 zH8#I2!iz+cR=>Z$zru#RjVg)D5s%ba97v8@XzW*>*M^eHrIz(!TE-GW%6+etM5TU7C+{r$W%{10C%o~A=_LV69b18OnkYCiCHpPyw 
z3w(C^r;<$ftu(Mge6(*S{{1e^y;CpKv2Ilt%D8!=0FhAOsJ3kAJfQezmy^qdT$WYQ zxICj&#?a#s@E5+GZ)*J$T;#hK9Ba3N#$6+_=D_1O@~tz0UdPr-z#)LeaaX)qvs4i7 z7+_klKaV8?>8t=7phh$fZO4+gVxW&qeO1UmA-z65pJfTmqO;Z-GS#`J_6+^}kz!TY zd5)N9ZA310ZJss49A;rtnfIzblNJizBttDCC0>>W+-MQY^<$CZ*J+x0&ypx?(qWK) zB0CWR8E|iE-d?=2v{5v*zM0=MY9&`zk@31OhM`|j@bQJb(&C?>hi<2yckT;hLW<{9 ze~fdg0;=|WROi=km-Zss{n}S2O?^Ct5)g5^u2rf%`h;A?SusDWc*%&7qgKzvm8!W` z`bYr57XwfNHgm&5SLYs5rUU$oa84}~r;sA5CXix`ox{rhwXwm?m!ptdl1c;=^e3&y|v;%o_ zUY4xaM&Z+2q}Qsiq^9MWc-^U$v#{fYjc<4ZOo~?~bE|X86uf_pwc^&&Nwq%sM^KoYb{7KQkfv z8X(1aE_9Z!FiF6oyRa<~LpT?J1N@TgvEQi46UHV59O!o*CbE2I>j?856jgj<>_tb@ z+0wL!4?@qQ#6P7?B0h4j+%en~y|4Ny`%TcFT#C|lk!QtwYe;=*tymtYNi-32U)Lwb zX3i`@Aq2|fEILZ65gOO6_W7O{?I{bS@iEm6#MXLmX-2)(@TNlR^kJIcuV!0_{T#L< zja~7H%noN|F4A)ZE3AMq64-!ny4-Jv-wXO=ta_>+@wDvraTs_kjSt=vzH2EOa`maO z{h83CPf<@&s{3tJ3tOzK+N_I+o=kRZMOk^}&0E<3Mre#0Kr18Q`|Je$>(2N$;T#N! zdVQyY>2wqU3hClNg)q+UUB3iaXu-7vd!B_~K@sg+917vxRpBWjfHuHNJp2i4Rzq(O zAI4Y4^!B5s2MzJk2b>sN0(NePA=h=j664L5OY&-XSBrzR+fH&MHWJwUh)Jd$*ykmS zP-W3K)jY`6>0gs00I_9q&}z!?q<5J;LAiVuoys3u%~5d!Z|xD7uwG*+q|*pJ!3h#P zZW-dsB^H_ea7SyTrB>>QZs9Jloqa_Dr%oO~xZSu5kP;blF=jKzb-uL-l%rv>AjXY^22 zYqr`?XWqoqDJ&}Bc~*9Aag2{=2K^M{7O?g{r3jUF;ayK}6?lDbhD8a{w030~0$b{~Otj}P7Vj*3Z6zQ3uNq9F)Z@BriO{lqM z1GK!MA^OK8`<|+WJf9Nq53V=*@bI~(E8;Ew`4bA`M!cEfCq5^HCItK`@7^P(73W1M zjQag~)CNGmVw%hSg{VfMI<(jrsf~%>Mf&i}YrM6FC~`iG3??P3)d<1H>MfGdRVKeHQDs5nC5+eXhpZ59w> zLou#~VAUiF)WHz$D7^QP(cqW+yIq3=E9wJ|(cgrjsvJa52w>m3xVYA=1?GskUy_3J z_@|;M>cYf;KeS*zI?o zUwrnyvZrdPGH}z^cIMMddk_8h8T5x26yu^Zlhr?`XrQXQK{51U1*wmDT`^KsaCe6V zBi$9wj}OcJaB zkt26+tn(a`T}JjBA(R~!E#pWZh)4mTBc92k^gd|$S9r+2?{W;K=1kiJA;`pRggv?Wh@~XG_K}zR z{Zh6n`2lR0W=53}#Qob)Up}O|A7+iAnrBw%WIA~du#QGkx$rgtH%b#Fu-X&qkI7l% zgU)cyR}ZdWU)0N?WUCu&+N`9Qhk?^VJFt&az_h|kz9s);1yqY*iT`_Q`HIifh6@yPDdsI{|1@l%e>$Rqbw zD{5ulOx2S?jPzdUyO+rcd6!Z?2q}#G?cdpY=ao8*B_WHxd@p^WimAwe>kLm7hr7Mh zH`_M* zKcj^XpqNq^g)j4b2~H-qX8eSvm|RiNQMitl#HsQQ)xZDTS~6BU4C$RYjv@q+pRhW$ 
zDTSN!LtB$SY<%vrS?|!tc71d=O8i#DR-#QQwqVp%6MZqTjzX<;;Hd_MJ$QHHz~#@` zXBYt}78?yMR`bsRv<8U5NMq8~}Vsn}0z>zU!vJKBh8A=~V$v-sZA zH=YzcQAM6}#4}jRVq#f=HgaTt@Z|Kjn1azd{1tP+Kl#_xI1y8~e*iZI7G63d1ylN7 ziFRFODzB|6ugyYlseUVEM~&sQ*6QA55t5mAR~LrX!50z&*+OHbpY^Lb=g1GEF4QFz z!Q3zYkyt@tnVhNHBY-{xm#_#g{SC!_!dvyqii(PZweE=7AS{x~v+a?P_W(d4Qsd8y zOGa%zi~JQY{6b0~r+Mt?GbAJJ7wqP*bE>0~8p>p89v*Mh-2RnQSeO!^2>1w?h>eZ4 za&zM&CnM`eM@O&ZG#fU_SIV>r0_7_*y?Il=GLLZ>&65D3KO?&{=VXDnwn zmQJR!GX&2p1ed}hsHH_1ITQr1T*L&jn*TpIua=mjJN$Z~$(6_U=ad>5qv2u6gvEAj zZww$9z)62i@x$N0qXTV@;xO7p)-zW(@h?M93^kGK1S_{?fx_zg{;z6U;#YtVV)(@9 z)x3WxKZ9;exw-X03fowJDn;(i=3Zy4-~qB?E+GBd*{|Q(NDmJS3wz$;*u&?LYMHsb z>u)!^UVq~-{!|Uu-^)K4sw1+*!QwdfCS-pR7(@@P7MPXh+9$(0@1{7dFp7<^0>%-0bHMd1;cyuq!LDaS` zwJAO~%qWsjB=;<8!OeAMKVDK=8hN-xtY?~5RVgjW-XUX_hS5WYw@x8i%ptT56OUd8 z+b%RhAbRGDHJ-K?mxv@td^$Plq2>dx)zY{7t9+`!$u0SkgC(wiIjQAX4lP*b`0!U4 zH^$K2ot@7+FZrb_z9btxJ$&MvfuMT0SRQyNLfn+qpvnGvXz9da{?U3Vg0NkkpSE2% zU_Ifp=eX5JjEUF`EQ{QoFJnI8pbzP(s*-EC<3%hk_daaG?`&$p`xpGn^)81V7v!zi zkXj)`9pY$tM0!Mjhj|FGsRSWf)2QRCQF+^)&Oqd5Ak!3bUZrn>fFmy9S{q1rpdT9H#Nc43=&?tbagS2<=_%X?j#n8i ze9dypi@3P#fVW;uBj$M=EF9V@_aKNd$TbXk#Ng7@$;}dt9=ZfU@II*3Kg=WcmN%BK z1aBXx5as8K$e0@EG#i%cm^r=Y-;sw$%aXHUe}_lMV?t1rXp_ge#SXqwI-ur9*90c% z)xf0)<}|g5bo|3w4yVqyDFL&PkswQv+wQUs`11W_E0vFgLkuB8;PtWG!9?i@>v6$Z7uSCFJITs?HmA zfO*M_axUV_cQ@}vZ8=5w{i>h&Wl7+yEsNvoH0 zIH{G8(~*ZVe8y5NWO$wBq$N7AH{gnCo$8@G8tH@63-ol}d_f38PW6}z*+!zjlVHi+ zXl{D?QVky@`(5+nqmA%oe5R@&NMe9#SUPJC4th&`#g^4wNB=nkDs5Kb!gQYy*3*!0J zSmKLSt$4WlCMT;U6ktfs_Fs%F-O9;gv<|7ZCoOJFeA*Yz9YeFtrSpQ~{df7O|Xd}q50<`Nga^1&{4sZiwtD{#Lx)HV9K zm+D-?d1ZTmC1>9vWS zVLS16O^PdvbKX^6tl{F~7$pk#f2IR1)b{$5&nq>r8s-Hvf_UA41^mH|pmThcZbaAm zDr?x{a~Pi@opy|Zd_X}P$1veIp!7wauuM3YM3=dMLc>hKG_%U#L}8* z1MQ({Sjyy;0`@gNsyyn`e_NuULb7&Ml=2ziM>F*%f0k|3tQtdq7&VI zp$=iN|1f6U6W8T*JG@w8#^SAhdLfz`wofIGR z2KQ|a0qcAr=BdF33Kq$#{@p$t?Q2-j(b3}WRCP&6iOOZygf?4r#!lI5sC}9=1L7WX zH&Rk9`svE@3CveNH*fw94@VkGV_fm7Fm$)|L9f%J-b}yK^^6y?k9gX;uKJ*HdJH#F 
z_a%y9gYEjvQ51m**v~89tE13qnckmsgsNY7{+VG+2Xj?roAcysQD@*wM#v4xD&!97 zxtKt@yEa~AD$_v|^{9?LF9HaaI_&vZ=YFxyTlBq^0@hr~{lRtY-Vvb%1m*fZ6UQV$ zc8^$$?;f^W@5{8{$1D#XbvBDORb+D$OeT}1V!%jDkIdnb*1Mm^M&bHQ(;*{~)tXdt z5v;FHeKC<1V;`!&Nzsk~4fFubA{V>zQ0{f2WF~rC&gRJa#i2kuVxqWMdV!@i{W<82 zqY%?XNeXBu<+)>^q- zH2>~4_*?S8eVcLw!zDZSV|2|*b6qc>cMsm9j=B*jXowm8y0V)yh7L|?5CIwF2vx-u zQEOa&%HG{G*3uadz_PcRG|zzh5#X9LKl%dt#H~>LZC4g+uN=Csu+1~zRdw#1Nv^Zglgp^t7#Ns zu}7&M@Ze7*d$9t6ST2G)OvyBt7oTY@O-3ppk0!$!0lb$MY z7dD5Ymd{C%Qio%gEmpSO@(w+9&RGJ*UvQj5F-~coRIN0}beP~GuldhXGw>~0aVvM@ zS0wptcLYgQR#w)i9MbQV=a1Y-may-ZGPZ)n+QOShzx&KTribgb9id)Pwpy3-$lU%@ z-9H!}88(It*^W_APyqAVE)D+r^{aAqb+x#)6*7wtQp>GE`B8eVoJ>{Tp# zUEZpfn$XeF89w^uKm+wJCld9{`7d1j2Mf;4Ea?A(D1*C*mOlUhYBy^bd_qEtS}D|{n=?!fAJ#5 z-HP7KmDPa%0p5Ltpm`4F3r_G{3>|*ORQZ)SvRUH9>?F)Kja04>V2+L^i z9%v27ynkLX{v|pZgNj$1zWDq1^7np7yXB8A@3~s;n8(tp-@b#IOYlq#u_v zYB%&CSmq@*ow4w~&^F<;Q!HG4DTU?j?QP3twNOp3UFEV!ju=+KZghe7A)~lQVSJYd zi>Zgpt*!a?NAq=T^Np^{{=Fuh&>^vR5j3vL?>;kDlgv{kyGVLw>yEX2Hv6l1+s|&V zUnLq$sfa|jPW(OpPtt95f9t7g44Dh+h|_^i+k7!Y1{tXedm`F_n6}U2cM~jmpIyS! 
zn*tAtj({T=?ShIz19aMSVbLm*H>N0o5=NPJ&EONo4 zs*+5=L&2=GQ9>9Fry|@*n2HK!No9Jr_eUZ^F%$y!H<5W59KK$ZgMz@N<%UZG9*BeS-tBXnB^s}W0>!p zhfZ(pEF#|(XvV+=7foB^?&e0N@o|q%+1lMNHQy=-Ia1#-91kCPdpqvY!c}Bg6g$G= z%(l2uuDK)lYQI5ynG!)z!V~Ata8$AGYzfA2=MdZkW5TC7IXOaDr~v`|71x@WjEWgn zjXg`r`#e?__rb5c?smg7d>{oFy~AGXGf42%3)#O&=MMv6v)B(MaX)Yt z(tlSf%^q8Iam+&qx(PdMyfo8xIe2;#wOq%@fSM)fZ2E&$1g2orFY3K=&~RYBw7t-X zpeCnmz(3NjcWNk!618K59-%iZq_-rMELO7$2-(&0c5!j%!TXqCH&^wBLP6h+`V94@ z03Q`|SL-DoQxpXu13-oa4i+KQw_cltR_Aj#vr`lT+S9xBkef68O_S}MgY`6g`&xd4 zBl3(vq)*@;Yn6ZL`npVbC~VAZc6jkt3vN62Q%JkjUjCv;sTH#wa^{BUv%|@5vwiUS zJsaK>d%?T5uoM~xN3I4n=L>!}5jFG;9 zepSnks?3rrfLEsDR#A)l@0lD!!9LU0W}%Yx_Bd{&^Bl*$#fvPwe+9$#tFO4~`-HD#4G?l+$y zF9mb_cjuIN&R{SNb`-eM_MGnI62FyrMYj+au}SC4VSw{C_` z-k(a@6OcUXu{*yRvVzs>t~PY`+-QT;8Aq^#U6p;BLLA5%9asfr-UpdJyIa`lwxhu6 z8a@83?JyQ-TcnqR2>VW2+RmwHImf;Chdi=mEKTzNw zm0!G|a$X6m{@6n;A5Y^~eY$iVVN9dj#Od&$vU*lw6-xq-LEj6ZpgY+7;Qj7fONsWj zJpm0H>sxORjU({#p>&8?+UF22lE*wLg!DxN;A>t%&kI4p9{u-%9yHh}I2vSSi}j>SHGbj? zl)y3^S-q9j+0{-qgoFbel^4j9|uc&h1 zZv@%>q)SeP!UnqOwi+kr-_q(SMijRq0~HtkpGwa9E6TTR_W}x%(kVG~H!^hBNH}ym zlp`_H!T^d$hjd7Zz|b{>f|N9afV8x9cMkc^_j%s^?!DJu>sf36bpHY8b)DyV9rtm3 zDsAW)1|m^2E^yr#LF?vZ-_xmDS7~YUge01{pHG?FQW%Hu7sGP{68NHj-rR~!3wgfy zX|u4HY;t9@x*Fo7?kT#|hCjV-run3eRa$o74C7(yYymsrV%JIp?wvub_b;Wmbnd=SEhrro+h3n>nexv`)H&`g14GvH^14TH(|0L`*UJ(wvcs~)dE~;JCbfB_Xqv>GoP~_AHQRX_QT}KwQz#(r`8tp zo3|%JDx`S|nulX!*0sx7Lohp07;^pIcslk|_@bS(5{EwXB}rHM^=g8s%D%>@i*Tm| z=?fINOX=d<3KJ3Z(gdhJw2AbT# zybM7W%98Arz0&z@-A75y_DO5B+1m-j8Qm?xx9x= z>@@dkKns8pH&3#t_9F1XzS2WZ&Vw*7Mbe*3c3dH&%6=+`Z%H0SzbFV1ee{YTD=ysN zdQH~mMqP{EOldm*FH2unzl{zTmP14?2Uy4J0fyOexSI?Z!KIYUCTE;195Cs;c+2EB zN_LnTw~Rj7@C5Q7YvBE^77w5Sy5tne_P`eLw?xWR%x2```P^f&+Gtl*xHQ9`0>_#G z%S;|0zK}9U|JfqsD6Pcg#74N&$Eff4z{|a%epE?BS)e9TC7|HLQZaj(oiF4a= zn-R_$WS;{Rs3`qkH|*DIl?;WPK=L5)lNKVk#SD=AfrInG3mdegdlrLhJWB*Q6r%s2 zgq8RcMUbEOPP5q>vCxV9q`iJ}T(XNSYFpklS`y-}@`f|>EF4)~Vzv590{2y~r^o6} zDi^|g$J^j@^ITc$Yzav|@d-(Y{W4%aAPttfrhqFdHmYqwv^6+(RcdBjhlff(#upPX 
zfD5;TRjyhfxME`9idQVv>g!rUP1PWw7;9Q*zyJdNVJ;Jx41=`9>=3LuZN+IJeQS!@ z5S)5<@~_qvCNoaXF}#1;)kK_?*HELP8w8|%J)*(1^7zwmF^X!DGsJx2@k#$N9}udGi1 z>6#GA6NQHv$JO6?$}atKSaWZN;jO#dxDm5^S>p+a1WP}gMt_ML=Ax-%r9j0>A7;PH zMs)NdS7qD- ztT72Er)ZLJ-RuC1)@BI?<<#Sq=o9@^T}@d=+o*_?=W8Y@76vW5?5^WNLV7#gtns+G zhC$Vn>Kifuh1-rOYbdob<_(6Nj!kZbl<8+QD0a6Cw7AseX+)@lj2l zU`BmRTQWE*eX?Ro4SMWRb>(Je_0ksqW&QiL3@juJ(4`^$B@=bb93nfCx+J#_jwC9v zP=6pNBJdgYtyx90^R`Pd<3{8?zN;ix0p};t7EHh=`ti3dZssaHKM5;KOx#C1%6j?Q z!QXSCtByokVyA@65WAO6*-+qj-npovWwoq`tM=dfJ@n?tK5V*G%tW!sqOHU<)8i4O z%}<^L<4PvH@L78lgUxq!j?S{2t~D*7{dss#V^e{DvD@f81^f7xb-PISNtn9*1q*}C z`a_PmYh7zHzm1@zkI9AJH^!YPCx$W#OpnNLovz`#u{j^abV%sAt01y{JBBO{t3F{ibkPLjLRQ>ej#x;yx2)@@=Y-25#LmgG&FSe zq)jdygdQaD2?8@0)A-~*i;uotX!X?7gc}7aA^Ij4RMv|;y0c4tt@p=iDBXDVOgT+f zkAm*jwppr%O)ByCA{rjC_7G@b7T^k3U9qvqz}vx|H-j^LW4hdA;BD?0-CMF-IQLIs z#_^~4@JA6ZB)NQh?5a!hI5|Tm)pdLSiU|KU^OqWO)IAKJo;ej~6w4E0R)iFaH}))@{+(vW z=tLU>5l{n+3j=C4|0!}yXG6iY7H7QTPn4rKU**QX`rk6p>UE3Ar|(u^cXO`F;$FA2!lj32^;5AyP~=P=(bqmlFykoV@;h3ixpb7!s4H30 z;$eiGw^-PgKVaXei_$K1&3%0&pBfru*Hssj<^N$@tCY-$Ii~KMt^Cs8^?X8#0hv^U zr(*gI>bx-Wj^eS%MTWM#gz&h3j*}!_TYe8LCtSa9c>(_SO|gsGVi?O|Ag|mzW(oYx ztHIfhNxAcyPj{HgWT{c?$ z2(p9ftoiPuChTWkU?r-mTuiYTo6@rC>3xokKK^^ZgVvv+$Vh804UM7QS*AKMtC zmaZ6}B7GPPCk2;7Ch_ye(|gPxL$tXpR~5#2M6%xyWL}W0YSVqO1y7b3-rYojGrxYi zRke{6pb6sR7ODkyjr%^vv=08gnnx?PVr@a%#9x}SamHpU|8Lh_dt~$3FOz!3)tRHC2uy{5*c~sPLn7Be_ zvd-&}HInN^#VcL~_DPnY^x|vp2%eAq*8nz(KI{LpDHQ>K@mDj&YmCm~iv%vPN3X&Q zq!06DFPLOU6P=^db$ygTgD|RjrJ&fk)U8K3XR8#^Z>%7%1+kBO-WscW2ZG!cgv~O~ z#H~x7M8@@>HAg@}y3vnI9|1~ps?T{rtBhx9Ws{FOUQW?ky@|zMx)_qX?$8|DUrDRw z<&q(l4-%96F8GX2s*mU+3Hi^KTXb>UwFA^P7-w-s?njSIJjr8ns0tP-%|)ek8(B{8 zV(NkGU?lxk!djW5Smn!_6k%*d;p7lVvxU>}?$~j~hq;-v&*a=y-Qw+xZ zL=u7#O7*}(VZv7q1P_n#MsEED9+oVnX{Z&*UNZAlr7)uNjsaZ9O7woX-4CYo$;k0O z5`~g3WM*XI<`kCG5g7~_KZ*EsU-JU_>_K8bZ1mNvovlF7=-hRZEE`QUO=IGDsi-2N zZ)QPdh)Dm%+0a1tX}S5-pAVhegg75dvYsXB-c-jctf~0@xhn{O>j~N=GwxN1NJucv zuoG-5dImrA#xHamJ9N-yTr*MS-6jX$ZNNdW1Zqke(S3~D>MJYIby@Z3vxho*Og{e6 
zL-HLB-go>l@43fHX1{(&PsgSc0bqFb!%19`NZ{A{PQcfW~H8D5one+*+-D5*yec zQBPP!zkrDyW_S4qB6vc~`Ry$M3U$(ekK;7_X{1`3N}Y*5Mb41d_G!nRMh~nUKj!l@ z*8H=(1z}8F@J(|2*Z@~7lmF|mby0p8xSmw!hPR#xACv)E5$f%c1GsR>XvAbrMbJBvXRGsAcg8PQ)b_W|!cE6mhY=brarX)D&T*@^q9dS0 ztEzGIG$tLX%dagPw#bixicu+zFIY!AycscAfs6aJD8IirIjvi&8uDM$4}Xxodr@R$$b-p3HSZX>3;2YalV!<{w~3tyR$h- zov9#uG2lsK-8NXa^p~iaF>Y6I^RC=uEbV7T2hDQ^Ltf(4T&Zrjw8or$*$h((ACTBHRu zogD4)7;z%&;C(aHvt8)?lcW7deIgR|u~o(ize+Jdg~W<>4o1&N%r?7RjjSswPj3J` z@T(pYZrB!iP`mNQmxX!KK!sMorXk!mO1#I9Tc^kj>e`g-2vy+;w*u4gT1CS}^e?BI4=(RwMndEk?BJJ|TxN|lzg77#N1HW}k1 z>l$BGLMwN$J{@1d{Oqx)iXNq$+Cm~#RKc;&rt*m=nitQlg>iS^S zGgm^P&l};_i}7)~E5Wwq(+~RL5*s;YG2nwoZSCB|*##}!6{NPBI)`~Pi&M2Q^Jedy zz~m&hWCx*vXoF`3_1n^@yv^CwTQe=Xwp~TZ`N=djUdwBtuP}H%P>4vLchN0z7Qm0@o%i+cQ=TeuWO5o zgff0;vcw_AvyoTVgjvkc8tnCJ$R9u&o6BCdz8$fIHd#tGQh#KNPS+r zL-Zzf+jo&#c;JJ)qkGD44v|0_E#7=u1n)vm-OCb(CZmtf?dy_!uD|zg00=uEA^!6_ zfESArf11KW8zcoMeHU@{oxm2x_*UfL1hYq>-5ePhU(df%k^lPsXUa}A(RnAN4Dq$) z_cKhVNN~@7AM4->tN%t{uUB@zi!%N$BA2BG2{Wi&U$kq`9bdY%@(ByO1EK?(q$c1)O@JG z1(-lrD&TkMmW!x$sH3t<4I9iEr=1znrKC3PY6Er8zl(_&O$$C#3QMx5CL}bYX(rjk z?L*}z)>A6V6v)51aj5cwro{Ot*|NBDZ9JT>^@Po4oWgM8sYG{h)dHEhi1K`Qn!^Pz zt}-afp6NTX&Jz5!&mSl2z_31Hy5l?4Sr9{?nM@Xld8x3BYgV?g8*lM_PGAy+$HID) z1!pEEhc6>Kh>Q31{`JOJlfbmv+-cPe&zR}5xcm+M&pwbxQKZpUW|l3$LQTylS5dlK z5wqP8im}jg!jt)h=zK~VurW+I*DGHKPUd71Qfb-t(Q`~gs7`l)&FX|z1cqJE&wMsR z2mwxGiKwO7@hd9Wsjal1E#|#qV%3H$6Qykj8ngaU|L^IoJ&USy`5t zH@I5t6AzAzM!M*dtV8Rgt!(~h@6xw4NBcYrZg0A4B$XZA^#$*UR?4PeVa`6B)e3m@ zbYwJJ$SXT)0vQ^5jz!>(?7J!T)n=7jEi6LO#X7Ns=aS>Baan5e1$caCx3X?Pv(Y6y z#@;Kv@YBNhQj>tOslD%D&3ZxrA|M)GFrk;vDpN^zuw-`|+Pmh51~AXsHgUJ9dFOHG z7-q}+ISOatxo*gxG&73F`!9GY8c9>HWt3>WOZ72ej9l7bMt_5z8PYd~$1O>@v(aQu zaF^YyHC2yTU*OFvGcLj9<9*xvW&09kDK0suUU+j(8k97d8l8V9Gs|9qM6heFDZ%!0K0Hi))h z7QM2GER`=WKi~r(91aR&hzb~VO3j+JgpLxblA}{$e0_1v2__49_a_V+nIvjH$t8`O zeh}3C*pS5gCfgput0!es0U?)iA{AvJ^nMJ4S2!7O=e6EZO$BcI7|kpn?}^KGkh3AU zP3b99GS!u^@|*RAxoP&z0QpN_zCa_m>3OSoC;^mSwBnKrcIM#;Y$*{Jo16O8hCY-O 
zy|W?{5Y=dL5NN@*R#b#ds&LsIjjB&&W2ty5t?vKI)F*%mU=nby*|`~7^M+YXx0e){ zXBpY%!o&&%nAZOF$PRPKW_}pF1CSOepeRUq`@xhw)6g99o9wa#UiGWAm4N~rQOKOf zW>b#P!cOu9$qtBlJzmZ5CeK7U7-o6EwmErw>7b~Vg9wFug4zqC@V;I1^*p20sSW1TxE zOPuUQSKaOp#G6;mUXCCNR$mwv0>sk^9Q!8jW^>mStjxNPgmRWoPx}4N=yEqLilXYD z!r|wSm-5v5l9PVJlIXa_A+L_Ak-!SYPbh{zxlcTjEKujBVlYo75a;JaYpHB=6PebxwCh3_NiZh+Vf{saPj!ScVRMzcblV)&mi5 z;x9ygig9@weIx31ScEssxq~UUgLh5&?#RK7!u%38!%YG!#Ic(r+c6Y_5i;`bz7GAG z%lfp=Y#;3guZ#i^|S=oc(0Gbd4+& z!eCMsli@^NzvvGtPP#s|mg#_=w+5x+-W!*lWY=lb7LPRuiyjTWC8KgBLSJJ!Qi+_c z&1(67OXZfb&qB(q7unU#u5rcQl}81oa@FBZo1n0PFC zR%c^&s=8<1EpuUwE?HsfdGJYE!mILAI_RunvN!#tdrCiNN-C|_TX{D<&_Js*T9h!v z43{;)U4Dmj%n+>-9I^CvX zOszW7(~lVy?Cd@cTQcw~HkDx{CM$kEIO5yI8KY~Xhw%H|uA-42su@iGF4C~D@ZR&B z3XpYcfE6cE4=bFfvA3%Zq?dLUh|w>$lWF6V|Gt(r1!gG0(_|KgLx(ad$P{<2Z$SD>~jEB`f}Fy+?b`7z%7%1vv6DHr$`A=O6GhZuPo~68kDLK zM3>)wgUz}4+l8JhM;+Nst7hLFfG9pKn4siE$xe{Hh=g9ov(xhtcL$Waoc2iFcJNi5 zKHq{^vEHwn!U*a#CA}k{`L)vV>5xd*8a$}ZAoEmLAi@I!M$Q_!6@2n zW^j=kgT0!;)%knc63;}5A+5be3(ck$ms=Z=jeWODCId5wi*#!R@thcjYtX-qBZ-n- z4tsCeXq{qXLxWo8!4S?|pc=-yMqPEqPj}WE%j4>j&LfR2*ka=gk>bd=5&mw*fYId& zaLEN(Qt_GXMvt2O5s9q;@HDnJFd)5Yx;eWP;untPJ@PX zXAmOEXX3Ma|Cq^YtxYN>{y8wJLf@SAPbYL`w;St>X)orU?0eNGdCdAn|5sDGagSX^ zkFzR;8kL2P@J4UGS0(}XF`WvX$mb8grzw+-{u*+r01dKIead-*P#;Pfzwlex9ceEn zSD?WoC4T=bJ-{w67o17qrHLDh3@%Hl5aDqV$oP z6-{pGl!Hls!DfyLcoBu*&~moQ+xd3)n0yYqWG;j*A#g6m4Z$3#10ZT=4z$NS@X`? zsL_*IG{qcG-_RGe9mUM@(8@gi31BFDa}Vg>RC=(}FkJrnzJ*=i`zoqb(rB{C=W9sQ z8gq7+&FKwf_ka)51X9X}bm8Xl&L&GWJmB}P{@bayae-~>z0g2hl}6ywHQ1o2ECJCO z@_0a4>H^d2BfmnV^+uLf{!+`P<5VJ51<_EhI~hwX*9y3#QskUoKGQ5GdvQ3A#oRky z_gUX?$~xI?qR#Lo;kuX0LB}}NX`8*ke^ws;El&Jzo#KCRN&g8H{Qt)m`hQVOFonB! YKci&!ei1-uu40)?4d+StJ>9_RQ=(vt`cA?}UO?UJ%}+x(5IN2o+vFQv(3dVJJEn7aR3? 
z*TJX(0Nk6lkdp%|$jQ-z9qr64tW5!cm!a{AIB(Ra$%6(Pw?32C#SMv#;L$Uk4CVS4 z1TaQ}WtDKzzkTBq{$wok9MgI;GvrhD6MADA4lPO`#}tkU7@Y2p_4>8D5CWI~c*4W3 z(QC5%a$-R8de>`0!s?a+@QPj$)EDpo@az6+2m?lg#UWnk(>W(!8CvlnfDT8M)~}Ed zT(pq>0iR0Za{yzSovwn@?KKiP9w+>cml^=VTLwlZr3KoH@ySoiz9s?`WQQyox<`V0 zs!24+A7e4x)W?mQU1Z0p=RH(Tj|`1Gkx9Y^r1wEWM*#G?4Bk3iVuamt31@~+mJnFD z6b!qq>ri3b44ElDc6QyKcHC5kLsIu!h6f{D; zwKr3x+T`ZXum)ilzit>5atghR>03N(4Sci@wBb^xz2-d=>xgd{rj6z6+Z*>NokU=V zWi!I>44P|`D771Sx^$}&dH7|?2m1-4FJZN>%PK{F^@>yr%DMz?6=sHLV>h)B2hbA} zb^yed0M>rSL_*vzW(dJ!ywoxl)wUm`5)Isibiz0qTZ< zW9yi6z7%RUB)B-k^k^Jt)-4#?(wGVUvZdH@zI>%vyMVWb+`<4Nf8!<0_h{xVSoTsE<1gPu7G?QvfjM@2x14)toh%2!Sqe-HNzO&8`dA_Z^JF0 zRc494u6})6@Oq5pDY^3V(IJiZLeBJ}*!}X{awW2M&or}$vr~r?hpLA$HhE8k2(YpP zp)EC#q$D>bDl?HhOm)BS?O)s8b0KTLw_7Z6*zecaKf+J+XK&qWqk*M$ox+3c=?)nixE6>GqEtKZ5mtu}E}mRCUFhH7 z-!RJf89uXT3Lp~>@N6?{laZxfW;P1pQFz0cLNXsZ+~EwTf-ph9xFugCT|_=(*ouAk z5?{enjr4nr^H=Bir_xu?G#FB2y?!Z};JK4slGLW%_})ayW>Km)fI{OQ^)SDZSYudY zUCVy-c0ebRwd;#6rzYnl$0Yl?PCC6E<6yJ_g8{w4V;{AdwxpyStK9SCcm{*JzjJ|K1>JT1qYjg-dEDf#08_j9SX~P0bB|HP^TC9!0ORFI&>xt=fckXw_-mZ+A#`DknH6N;aqmRKGTV@ZPww6O0s07R0fkoo1WHo-VGmDfhB6x9zI>SygYW z3O%njuvxT3cDA9olR^Ly%E#Nx(=n36VgbZ|vzX*D9;b8JkEOw54-mKI}Q3W$dn zhEucYU`d@XA)=5q<5&trDx@8WuvPkqWMc^a*OJFqg_jK-&qPC(cvvJHyOcbM!QDC{H_6loXTuK~o6|o1)^@FbP z@-+Uo4;u+i203;43He0%wfQ!R)XVNiY;M_}blwk;${!7{7EVGV5D{_@)sr2Pm9;Ml zR|`kcnPh^N)T&fm^j)HcWVIM}4c6nKG8Drv&_hfna>-1OA zz-^7V%VoDXOk74^v&sD~=!OF84oj+7y2P+#6Ew#DPF=V(2I`1pd;hlQN8~v6&u~rR z2UtKFeYtnB(DlhmL95=$CIgD<;v%j3ngTaOz3&0ltJPP}n7nr8Ck}3DZzYh|`-ErI zE;bh$J*In=Qz7|#RA1e!oCvG9!r<4Q~qgEBR+*CqlN50uRp%DFF@L_ zE-Ri6oSwd@h_tr#rDi02@**~JL3G`tuyXi^gHNob`m}@nJI9+f)o!VIF;dTOD~z`$ zD}(YVKC)K;cl!LAbJ%ufd1WV{urzkGD~?y&az zG1f-cY~Wrt#RwOH3&)+NA)VV+ZQ|EZS(inQwM}}?P}*NceIC`iYLp@+iVtRHTQWA=4z;2syFoe8n3++ zyl&4$&V%VpB;AgA&X-rSzjY;b<*EYH--wTY)VWTbwo|@Uxi!b}#HmYvF5&U?7p>=M z{lz)A9BhzvkX?VXserDET9O|w<+!uo>^)$99>#G16Au6;)l+%*G`lFDFy)dqi5ZdMChwz~N(MOn#Tc)b zr4QImu#9E^07)XH7b;r`?L=`b^QACD{ 
zbu~=26wH*B0cJ0#3!~_9wP~Z1a?`N6l|GA0|%f$E(4G8|- zP)1!&K>_uxZtQ4kYU}jg&iUE$?jlOmgvA>zXDwwVQDZwBE+Z2=h$)wwjs0&HfVi6| zinK9xHlla4v9@&*b(3KD(?S$Q|Nfbqf&NbuXDbN?EoCshoSma7y&xA47Y~EvJ$ib2 zaYqv~QMG6C|JYIgNie*3cD5Jg=5}>;<#OfcvU4=&<`oeU;pXAv=Huf;wcvDew{j@zKM~FWD$o@!!9Sf-T%kt+k(7*r3dV(jm#qFChM>{r|f1-x~i1r`CUS3h{{i zPtN~w<^SY->tyOEXJ>;_=`8u*p83c8KQI1c6zBdu^8aCpzh?gPE6UE2_r$sX%V(1J z%-?p)0RRHH3eRNTxXtXPZP`82{g|<_*gXljj3z#2<>8S=r_?5JGo(~_L>-Fp#36>4 zAR?AB)&Z_y9d+QAu%lhF|E;!8Q&aQ0$>0k^?E(ebx> z^K;WTx4symdh>71-Br`_7mm}_4V+>a6@LFYx10*R_4`XRf)f4_GSGhnUKrD#W{e78 zj(@}_$UovfQ1PFTOs#(eChQ;a|1IiW(L!N^{mv-=_pMWSjK}p=rKQGS#vgVdee0%; zPH%)a?CIqpY4yoc7S8*B3Pq#A))qG#!E-aek}P%pF&KcbKW-E+AS}-2n2@eik4jWk zzE}P2bk0=(d}}4YH?ld!z`i`OBvJaXBRE6!d|i2stl6s`sy232|5@Lh<+x^aa;jT2 z?$4M-alyL}&=7rF$4rJdj`lUXR@~{QwbS965>Gt_kF(ls&u&bsk8*y-wdxnwZW*(z zoUE@YR*wunG+4R3ZbrCkQ&X$<5A4*sSGyhfrHXzO4|47~JR4^hLXPiUH2l2vUvuAe zU(ah6Un^PeedJ|#IN((+$*X-fU)w7LcPjcES(`f{D0I0+ap!8WaYjt4KFVa;`|5bI ziLEGhvczj)y<{9u}nMwIx*MQp(Ui(uBBhzEWs8~(>=pCkCRV)_%S(|aoyNQFC=*~z= zZ6g}#GCw|x+Qw`k<3Z({zLlAwm)+-tJPH7l3q4xENQI!d+FMUSdm2e+l47;3>z|Fc zOp|y!*6X{^k${-DEDEZK8N_>-6&n1nlRm)-lxZXmiK-;8`R*P`D+Or++}A&UmO0ug ze*+?Nt$pdeE+-HM#z{)e7d&uP0O@b-viYmE$;R+J{1{O_fFDClN?R9T(CP$4XFScu#U7RmgVx7nJY7@qU*B^{@wa8fr)r8;c!ul~e;1C7Ls(Dd zcM$nXk!t@%oac0xSIH+HzaR(r45j5hyTQ;;U&inXMvhd{})p%ik9rWpml+%icMOofv zRkn9Z=HN#kdHtFi#HoOqI=?h6TJ>;Y*PhE~yDk zo6+F0;I9Ny-HMWoa)0L?_(rAUG^nM+#UPJFgD~lEm21HZjQ%|}5YEGxNv`TZd1kaQ zV}j1NhupP?J^)8lixW7|%L{)WN~P@-4ZhcFQtx1m85WyG>3$kr$&~(Q5sml-Kn%G~ z+=A>XJp}kuYd!pNMy`pg3Bsn?3e}VjKguidmgK4E7AEBPOFK|1rfG0H++xml^nVrA zz2hmXNz&1z_Jf>p5DlK1o#uZ0{72>|xHt&ACCQPv8gh(qx$?Y8TV*ICsSsDfF|5@F zspyAO&bijBa>Uz|kRM1wt2FAKYpb#@1vxa|ScOju-h*k|r!!Y+_s$_N_GV**x9z*4 zK1=i7bHzw**1r#MklsXvm7L)_cOCWsGn z3u@ZwjQTw=z!1^MP}XeUxY5y_JG;{hfE%u*TcBG7dF# zd~hR-A>}q+yDG)m_)kM$5KPRb;71Lu+;gmq0qZ{4H8fLi8Iw#3Io*(== z{kt_2p#$ymW5o29TJ>otkHo}E!{s)ah$wRZ9etnRbt5;Yx^H1SGu};qCwEL{4cGIp zj*h{>_Pk3!r$w~=|84RYh9P?F6Y^bimUhii#1rI@zwJjR-(dZR^Z)00{eN@xZ~1QT 
z%~rp9RUfmB9;R9Mac-3*qZUec+xNNYyovhSFXqo{#5R9;>?GE8OM)p^B3;%)8M?uj z8Z7sOHc(NsE@PhqwRbeYJBevrj)kb_QOCYVeN|qU^&g|;YbscDN%Y%;#P20W`XEA6 z8$E5zGu`%QG;Ob@6wb}o0{3NqkGJB5(M5l%(5qJ;;(y?^yOlTW=1EHJqmI!TeGsz= zk>tG6d|`i`ne@Q> zkH_|C=mjYSQHoqmO<|ne++7wH777X$2025v&=ry-IcY&*6^s>~nzw(0v=4xe#{|?j zTwGjrfq_^;Qc?%&>+7B=X=!g!gX*>>zlKFZ&HdL%BH8_*e?zxzU|6iQ^@5SVQA;bm zo0(asvZ`wR_wTGiA|hMN%*=Ba7j6n4?`~>iM$%s@%y#HQb$2PmI@1YbpichA$5i=# zhXwxxO)7rH?r;pm!3{LIX}OruBn-b>YS2U_7uBI_${Psir?k4m+{7wmUn7fV0zjz@b4!AE3i)B%L_u@scm7Sey6s?3~QBl$Ua(l3YrG>?7wHY$j3dLQZ z2h0{~uuJLDSq!z?edN)#KiVRU2OIbOXS}oI#3Ty{`9o6mZXh2mKLCxJidLY(DlILo zxTvTfqx1Iqe15*(RnN((+{)6@vD$9Y<@4vy4wmoVgVkonfiq9eLen56Q=DhvG{%Ed z0%xDoj1Q(H&Qzr`rG~iMc*02kM&siwz+im{IW?(n_Zz-+erdE2u$m|?9;!P~pDVQ6 z$6K7_e*$tf8Z@X36m~x~ajK0u1Zwi?Au&}cy}~KipRPlF@UwaBpfK`a@K>D9zp?xb z4){@!iWUd&tokyOF;%jbVqO9kY(&Nng7Qe$-4@OXPB>>3N!XWjZ;n5=2st19;5_NV z1ZkyOkOor@S%!5rFb53~)VTol*jP0Nx)vTJ*{#Ee<161V((Rc4{W5|n` zZjPUNrLj>?iMpxy4_Ah_v`?nNkQ7I;)<0L>gBgkQ+Fg|m;Z+rt=`k~I(M$85Mb7Ku zV%l1cd=v&sC^Mg&_{6w@*qY%1j7LdSMv;<5v*1mcX#9?so-qNbw#Ft6${zrrGc z+Rsu-<#tKy3(3QvuDi6?`E)~cn-nL+9-&=LzVJ5ngVa6(<|v`X+Kosr_YrlZOatq{ zz`%1=spI+-oEd)?JYCMk048IDNpSu|e^EhRW#N7d?p=XtMhC)CTimJ7FD2YN}L0%&gScgQMnmSD%&pnS6q` zj=3YR8+dJAD`2+LNx9dpR@2c*!t?U-&*y!gOAJj=2hQx3S`D1{5=+h;l^r3<^fnS0 zEu6q}>H>RpH8rcn&rIRx6+5VNc&_Ia+P%xBY1Xrj+SqST7U~z_J84#)E+Qy>JJ7rWj*IxRW*bN;9tNHFRVkJ2(Fy$!;gM^KoTlJXH1 zSL%#8i7BF@8BIuxNSNSxGjxZi27UAmhdV}6ELn!#M{0kQ!^&WLq+u+l?cUxE-&!Smre(&VN3Ymqw(;wH zqf|-HF%6A{sxu;=uZs(|O=Q7sS_LoPPr94l+iR19kdp6-;p2y!f|ZmK0^ft9$gA3r zqqaoxN4@^>5(Qan@$nbJlchV+Zqc|lqnQ(ti+1i>4@m4fu~9pvtb?4K+;hQl<|M4pmsQ13bYGGdD9|@f(7O*Z`Ded3}QM zYtv89YKznJ9X9>+4z!1<6UeVxkeAk(o5OiAetsN?pUy z_+kZOdGrYK0STis6z>H9W%gu|Z`Jb}Tq^l=B(8(QsRO6+08J?fJP*KQ)evor0jqKx z3-H&s%qE7yu?2}7piZY$YnF1(YwyZSWmyLgliqHediF`%99aj~v5leC)i@+Iam6&I z*JC9!>eNa!g&!333$H+C@y))97R`*iAAV-l+^0Mc1A|J-WtmvDs1L~Y2m>X&M z;8Hl!_B28`na(7W4&9`N?33T!$^gsTc-9g<_R1($;xMrcXV`{`ynou`Hn*LppaC|r z$I5#V3k`&usn$nEM7sOF5(|!Zvak@T^rEYj;_`>TGVQU_4ELdZ 
z+0ihG4#O=V%15@7ME)6Lx@-CTQ?Qah#CO=+*ffXMZ=ymwd=9A558@$)M1&On5 zaOAyAD(#BEUnh&xp4StYGYShW1G^D83z@OZwD&{0DrG(oedbxLly<;98k5?nK!k9B zs`vt~$uSUdyqM#bN2vkuVt54BZK%_izPz7-@K-a1gfC+tu~+e`?3k)m{Ym&AhxQ(keJaOoE}z_L?34&&K)-1ih0(_UVGsBngQZn`P{XOYA* zLK>Rmj_>?Trvv`J61agb5^tDRm)COBp5vS%rb`Ru|pP`X8!Af?DgaGn|i6EW}3^(;7{;dbXY1WtwCPt!;nKyQ2CK!I z-S@)!0}T_;0P3t!Zf~o&JzX^o3;;tXo0l!PXN_}8VUL} zm;2_|RA=k;8J+2;TR~z?5!o-A=AHt%iKL?Fz@m3sc6edL=)fn(2r81P<|^MUdRCh- zogb=!b{+%<$i{dQog&K2enncYp7vO4hn5(|aXKKka=+W=_6l@e zt~f9B4l=yEJmO}3Rx;|FkcU2V@DAtYYi|9zNV^+Fp^Hf=XRpP}^mE+f#^I>Qi|L3Q(v z-$F3koZWHP3smN0zWMq!+U%0Uy6ft!+=p4QgX4>7 z#k-qs6XHi=uT?+6ZGeaI9UJ!#EOa$!odHmkdJ?gbn2Z_esh~f}D1-DKWM? zF3UhsTE~TMjtVi`7-9L;2WF~+FMKP+tC##JYPN6s?XC{cH5+}7q*i!vm&jGWy9;F8 zoHZZvV7)&)KN>3}j@rDP@HzLv2#{MuLZze-o#w|9jkNTH9regPpOZ7par z6>yVR=Kw_ zP`~qI?!kt77fg3*KRAL)-C#bl@mqj=G%hh>@p>ut2+NQE7;A8s_)hYUbK`hYPwVJ0 zi5~KbSh42~A#g>3NbVs)A^W%x{^feM%l@?ivIGG*daK@jj_cm)uX=e1n%($4asHMQ zx3R-)4riquel(k8P5!FE(ajrJiT-rA?3zVU6t&3tm0i|h(-d>v(hvTf`ZHF`&B^=j z$Oou%WEbj%Bdy%FaBOVe;}WtYhFUz$l4!XSK8Or{iPZpMz?U(666?nV>$S9Z*9PMR zuw~i$J1JzZHHb?RHz#*N>hd_|fa)EK>%r9bkN+x~Zz#Y@1sL=lCm!8xCAf~E=BG=7 z5*wXS8Jx$Ut}F^tkS!LlToW4QaNBR!iQlnXBXbBI_NS6Fbk>ulW^1LT&%pE%Z?aA$ zmo-ib^1k3VVCk48x<%wWL~t8!H8#PXyC#Dp&OQCX)(#84BI!no*qvw8$49y$&lT=m z3)24;QOB`>9yOv~t?eZB5&*5;7{l;Zgz(Inq4$eW5HuTeh@y*x|9LYOc-LtEz?-T) zLytQEk~v2n{6$r_K@;z+@7T&cxyE_k!%t$)tiieci0V@=42;oBK8uPfU|CQ%{7UGc zsx5BVv{yFCkE4pGch@U}a7r8fQpg&ul+*Bmw@jNybL{EAO73^t%qa{_%sOcY;kQzV zYAIIjDXg(+E}TF;Ja6uxY09wX+j$`9u9Ojb8o);wrhNjF6>1YeXmOnpe#8|3nRVTp zU2b)82dpl%F3ca*timspI3OsSB_g(jI7(;a+yCx$xp3xU^b(8>P(-N z6rrlDY&R=e-|!>R%M%AX_@;7yuHN7@wNX$feXl9#4JFUMl-s6_dG#A*T~}wxX?xnO zp#Qg_2+aQc7-OTtENIWQDT^|4>5iIVZkHflL7BJ#P@#Im(f z!_?B34bhnsn)I6YdD`54yjBaEMb1u%FPd?JgR1xBtH>s&6e0G|NumQ#w7j&m#PLYT zyjodNVq&76u1By>Zds_%poHbmz0XeB#)I?2#$Ae6o!|L4=GxlekqJ@WqeD|~)Fu$h zF{@ifJK1xZN`r&kHDvh%aW{7t-J`aqrlyNiBE*voD&E|MWvezBl)W`d7P3BXu;?)Yb)Wt6WL4kwI>x|5rtBy8_Dmh~*L%5?5eCrMB 
zHiQa@K{{9XJ7a?8i;gf8wAI+)em7H=dXJ}ViH2wBl5)30;4F;A-(`+d3m|*! zYt1rCrJE;7PC+3=0DJNz`|c41x4{Rw*HT$_OEzLIH#rA%$N2d5_h2V_`uQs9DF<`M zYZz|rIDR8n+9#LH$gloFsziiQ7n8Bam)`Cev;(@f_R-O=6VNF zpcOgTTNk@SDt)Gtau5}L5kB~&Sy?|@jh2+hVXss3?woPJ{pe)6Z%cyea^`dDT|EHr z^yNzSR`Nriz5Puz|BtI5zy2IyFYWG4-hAYlC=PEG(!NZxy+N!PT<^U0CLj=A(ODN* zt@&R5bJj!j@(z{H`6iki74^k+<`BNde&-5^(ZjKm+*oxTQxMKni>e5A2m7&ZA89*$ zOhCIBiMN8X{6b0sDqpP;U?IK)kB=wb+1=$@i&rFO3t0+Jp?^ zLQAbyM5t+L`mLjk4bo3&r*bGsL=K7=a&&YtQYI#*wv|q5LtWZpRpt-%%pkJ3{pI~n zL3!zl0M0TD$-y$s?NHH|ZQSYJ+YDdzyNEzi?jl}io(dA~^|kZ6v+>8T)6XIYenf3d z=Stn>us2DPNa+;f>od_UD8_6E1fH{7=kXk$iei6F2rgsvsXv9WFBk? z_O@8{$bkmRCoK>3%FCS&8$hj$nvK<=(l{9R7T3)7mzk;T5mgRPOqPCUuOzSt z*sxR`m-G5EaZc==&eiLOKhI)2V<&*;0tnqG0T+^BLSa5wN`ri^I4WFlbSUl`Htcn1 z@;UHUv~1+rJoakB53w)Drnhb>_w!wO7khxdqdhuhE))$>b+iLMhTw#{zH z0e~+A=b`_z;$B|r=;NMb&&{PI!qT|jJi~r(5sFFN*%TZRY`MFuAlv+@Wzz0tcdx($U?t_^RP z$aiEHsqcI^ZQP|~xzY0FR`?0iw#Zjlk5%|n(E9nD>wdL(1X`aNcb{1;*E##$`kl$y zb!M)BB;DHShX>=&^(C0HK1)i3Njpsy=y)bKcH zllN%%P(MLV7xdffUj&D4E(r69CV2F}vPt=X+~JsDTCB#ISfwl@D)akbn!6-o>PI6~ zv3in>#!f;?v_9v2;avo_o>Z(yIXxz3)Gn_2K9K*EqBDU?Iw-RPJ(1)at9c3{nrG=@ zrjf8O2{E40WrF{d>T#ZlG95Eoch4_?5dxhusMBJyRWa4t>ZdNXXUu3eHY{#<28OMS z@uR^p&)o`-kjF03eeNQSaNjLD#wP87q+d1XL(#aZ3$A@?Qo|g)=w-L534#-&A&;ABM<$C1n>bTK~&IV8wOkVDpWgxt>voj1lHz~E5S8YUr%amKBGR1nP zgBJ!p_acV5JRxl5R1Oee#Cd$L$8L``1L=w_Wa59%w$B~h*DvBeTJil*CsR1N3ze1X zd4eEY$Wi{vj~{07ZaY#2yQJ1#R~CFPe+NN7bC_d&MLZbHbSD^+=P9i`qU)YVc@^^r z*f*N&q9SgH&8>M~|G7VW$dJ%7DBL&ck!LKp@3Q|VVM_q9y8D_^IGsRLVTMLzONiC5 znQzE#u?{HD(`d??c9?a(DHgd#Gh}Sc}VC zG|2c|FR)b8;tVw1w3^I=U7p(8Di<}*N!!%0;_iai!npHoA_+pP663}6eYjx3f|{10 zbQB@OQ-azdDN9w_zREBxSkrz(cpjH7(`D+=CbTZ=kP=udT3*>rW0;IdKH5n4%@>#> zeG&lKMZEgvbS;Gro1{_6VM^8WB;xJ25`u1cB=(h-sNRb0(BS zKS4%pSqZkr0F1t4!tiu{Qi2s0>#pPvFBG3q7R40qA@((ufzDTSvq1X^&=o+P^f9!P zg)U24>c{iK%e-Y<*A+*v&rnG<9769{@qFd)F+QnkD#tD?Xv5x#gHH_Fv!%lCzNVeR0@nS7`!%C+_~mr|52=u_o~O_;2kH6Asz zHTkNP&zRe-$UICarQuGU69rT1rwj5lIsJfrU4b(;l$~rQ^iC)MUWhWj#iZ(tCMS5# 
z^W0n8K*0l%%~haoD1ZlxpJ5;jYe&#o(Pg?7z7L+GPTDHPk@tse&v(hc0Ee;6x4Hk= zYPNvxpZL&55EO7~hz3ApWs)jib=p(^oBlui;0;#ml@=4SVpoi}t^57s0mOSi;OKzc zV$c(6QdHq&JizOWnBeVPWJPf%WdS@dVa_~Ord2$RoQ&MNE3Z5uT&S{N8aiL_(76cC z>D-z*1^LxRL)2z*)h`Prl*LBD0dr&=W}I_j-8PtEenjNk0q7sC>&kRMRnNsWq?AK# zMv^{NT8wglh;}%vt#qA}abQXhgGXTm&#Eq%O1@g8D-QHO<>QTBci2GsenFEZ2L|KE zS_VRvJ}q*vRI&39@s>iXs*Zv;^7{KV+KSLvHEWE!G^BYiyHoUE6v1k4SHJP_rEbLI_%guK^pZ*rk&jo<|^j8lSP=Szd>tY%V_8R+LOR3FyM}I{AM?im`dNq0& zXK@s@i2siw20>7jAGRufi#4F`EjU68)V}DJ!%A(+oGSw*v{ed5*IymffZ1V&CC`*U zH!NhR=0Vdq)Wm=Z>P6v_5DeYvq+QR)>CBeL>%AlQjb4MB% z@jSUuJV5c`s;cVXMb+Wx)RSyobQo#@2)=ZSaKCD+E2T7;Vcaw2Y)P__5R&9wo=vQ) zZj#jnn_b~``62c`LF!ds4_1g7rUXEo0MYXPI0+3O*$zYGy}HSX(Iewv+*ICU8rZP) zcvCdGOIz+Bl>j4k_cNW|#-CK6fqFCj)Vz5lLgSeF>IpGf6;BEYjjYb5y0%v{s@ifV z3!Isy;P%xtHmq&Q|x(aJJ2%(hWajvx1x9BHb}^as#DqNbS6l5t9>M9w0AR~r3E z!nRnhvBUb0VTKQFHwQDxB~6{Op;KbBQ2H%A(8HJH6pCkA)(X0z!V9$+N@|eTrzJhK3a|t$iqkk`_utDXO?yDFepn0xi)&K@JqDd! zRU1~YLSM`46#Bbc~G=F8!HfC&5Hco}G5`joSK z&C4jOX$W&FIWa1bHe2Ww`$fjh-d#V8h>7H(n`pxKV`-UH9>cNG`C3P0{%mBoQ_jwz zPW-?vU2g`?SufcYODl~!%EPG@R|L#o?OTWsr6zt6B;1R=+smqKV(CWD`wUFKTB#-h;sz)pXEe=Yct zWGR&i#$yyZBbfm5)61XTC9=`@d`jxp_fEPw)5l)&s<#Q1!piH2_0AQVeqFlfHqJSk zO<-?i{X}SQl?%r+om{b2+d)s9X1R^c13$y&P<>0mhh3;~!^k+>j;wR9^~r^WeVHsBP(scvNBM_;sFO1Z;6YwrecPKn8+2kI3kA1LzAZ&#w%dTU z-CJ?8od+#h3vugT64=-|-^j=0T&XdE%sLG%Eqi{Wu@)BeCx?fZ_ZOSFK?y_zf6*3y z0Y{jyRFZVzJe=e@Q#Q%k77Lb+6ROegyPv}+-NYK;9@_~~N>e0+S{j~{1H*rwXMJMZ(=ZnEahm;W2#v&r%g5~L2QDkYHB4KXm&7Pba+Ni?ruAbW3S9LGvekk@1leYhk*hwk z?UMI-=zh?}bc@pX8yA@#Z@l#8+;6sW^J`W%KMS*#FgpamRMm<#T?$Cli$DlEDS&&2lI)KSMp`jY;6&<2v2JUeBu01z zD7YOlYlZIal=X}urAG;7$6wK+zJ`z59B_YOcN_85pxXRowJ101#cq2{V2WQ zF4viEx!2!Q>pkUMAOD`sGc5LnId2A870VNgYbhiKtBAvfZ%(nRho%a}qJN`G@uK77 z&IoY33TK8^*X;x+#_XD^hKYoHZWGQaS5h=0{yfivmlGdXg<=2m0SYk-e_Z?^LHnXHeSYBl*P}o(&>zx&28vqw|F=&7{VznZ dXu%coGLrho^9Svnzn^VWc&_rSSk~~<{{sN$)kFXQ literal 0 HcmV?d00001 
diff --git a/content/admin/identity-and-access-management/index.md b/content/admin/identity-and-access-management/index.md
index 24df6fbcd560..79d73184645f 100644
--- a/content/admin/identity-and-access-management/index.md
+++ b/content/admin/identity-and-access-management/index.md
@@ -19,7 +19,7 @@ children:
 - /using-cas-for-enterprise-iam
 - /using-ldap-for-enterprise-iam
 - /using-saml-for-enterprise-iam
- - /using-enterprise-managed-users-and-saml-for-iam
+ - /using-enterprise-managed-users-for-iam
 - /managing-recovery-codes-for-your-enterprise
 ---
diff --git a/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable.md b/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable.md
index d43f7dbceace..92c57b81bc37 100644
--- a/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable.md
+++ b/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable.md
@@ -1,7 +1,7 @@
 ---
 title: Accessing your enterprise account if your identity provider is unavailable
 shortTitle: Access your enterprise account
-intro: 'You can sign into {% data variables.product.product_name %} even if your identity provider is unavailable by bypassing SAML single sign-on (SSO) with a recovery code.'
+intro: 'You can sign into {% data variables.product.product_name %} even if your identity provider is unavailable by bypassing single sign-on (SSO) with a recovery code.'
 versions:
 ghec: '*'
 type: how_to
@@ -13,9 +13,9 @@ topics:
 permissions: Enterprise owners can use a recovery code to access an enterprise account.
 ---
-You can use a recovery code to access your enterprise account when a SAML configuration error or an issue with your identity provider (IdP) prevents you from using SAML SSO.
+You can use a recovery code to access your enterprise account when a authentication configuration error or an issue with your identity provider (IdP) prevents you from using SSO.
-In order to access your enterprise account this way, you must have previously downloaded and stored the recovery codes for your enterprise. For more information, see "[Downloading your enterprise account's SAML single sign-on recovery codes](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-saml-single-sign-on-recovery-codes)."
+In order to access your enterprise account this way, you must have previously downloaded and stored the recovery codes for your enterprise. For more information, see "[Downloading your enterprise account's single sign-on recovery codes](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes)."
 {% data reusables.saml.recovery-code-caveats %}
diff --git a/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-saml-single-sign-on-recovery-codes.md b/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-saml-single-sign-on-recovery-codes.md
deleted file mode 100644
index 9acf1165cd04..000000000000
--- a/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-saml-single-sign-on-recovery-codes.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: Downloading your enterprise account's SAML single sign-on recovery codes
-shortTitle: Download recovery codes
-intro: "To ensure that you can access {% data variables.product.product_name %} if your identity provider (IdP) is unavailable, you should download your enterprise account's SAML single sign-on (SSO) recovery codes."
-versions:
- ghec: '*'
-type: how_to
-topics:
- - Accounts
- - Authentication
- - Enterprise
- - SSO
-permissions: Enterprise owners can download the SAML SSO recovery codes for the enterprise account.
----
-
-In the event that your IdP is unavailable, you can use a recovery code to sign in and access your enterprise on {% data variables.product.product_location %}. For more information, see "[Accessing your enterprise account if your identity provider is unavailable](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable)."
-
-If you did not save your recovery codes when you configured SAML SSO, you can still access the codes from your enterprise's settings.
-
-{% data reusables.enterprise-accounts.access-enterprise %}
-{% data reusables.enterprise-accounts.settings-tab %}
-{% data reusables.enterprise-accounts.security-tab %}
-
-1. Under "Require SAML authentication", click **Save your recovery codes**.
-![Screenshot of the button to test SAML configuration before enforcing](/assets/images/help/enterprises/saml-recovery-codes-link.png)
-
-2. To save your recovery codes, click **Download**, **Print**, or **Copy**.
-![Screenshot of the buttons to download, print, or copy your recovery codes](/assets/images/help/saml/saml_recovery_code_options.png)
diff --git a/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes.md b/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes.md
new file mode 100644
index 000000000000..4a9ea25bbbcb
--- /dev/null
+++ b/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes.md
@@ -0,0 +1,37 @@
+---
+title: Downloading your enterprise account's single sign-on recovery codes
+shortTitle: Download recovery codes
+intro: "To ensure that you can access {% data variables.product.product_name %} if your identity provider (IdP) is unavailable, you should download your enterprise account's single sign-on (SSO) recovery codes."
+versions:
+ ghec: '*'
+type: how_to
+topics:
+ - Accounts
+ - Authentication
+ - Enterprise
+ - SSO
+redirect_from:
+ - /admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-saml-single-sign-on-recovery-codes
+permissions: Enterprise owners can download the SSO recovery codes for the enterprise account.
+---
+
+In the event that your IdP is unavailable, you can use a recovery code to sign in and access your enterprise on {% data variables.product.product_location %}. For more information, see "[Accessing your enterprise account if your identity provider is unavailable](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable)."
+
+If you did not save your recovery codes when you configured SSO, you can still access the codes from your enterprise's settings.
+
+
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+
+1. Under{% if oidc-for-emu %} either{% endif %} "Require SAML authentication"{% if oidc-for-emu %} or "Require OIDC authentication"{% endif %}, click **Save your recovery codes**.{% if oidc-for-emu %}
+ {% note %}
+
+ **Note:** OIDC SSO is only available for {% data variables.product.prodname_emus %}. For more information, see "[About Enterprise Managed Users](/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/about-enterprise-managed-users)."
+
+ {% endnote %}{% endif %}
+
+ ![Screenshot of the button to test SAML configuration before enforcing](/assets/images/help/enterprises/saml-recovery-codes-link.png)
+1. To save your recovery codes, click **Download**, **Print**, or **Copy**.
+ ![Screenshot of the buttons to download, print, or copy your recovery codes](/assets/images/help/saml/saml_recovery_code_options.png)
diff --git a/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/index.md b/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/index.md
index 52e8a21ed025..052080e27646 100644
--- a/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/index.md
+++ b/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/index.md
@@ -10,7 +10,7 @@ topics:
 - Enterprise
 - SSO
 children:
- - /downloading-your-enterprise-accounts-saml-single-sign-on-recovery-codes
+ - /downloading-your-enterprise-accounts-single-sign-on-recovery-codes
 - /accessing-your-enterprise-account-if-your-identity-provider-is-unavailable
 ---
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/about-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users.md
similarity index 60%
rename from content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/about-enterprise-managed-users.md
rename to content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users.md
index c4c01a9af902..f20b2073336c 100644
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/about-enterprise-managed-users.md
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users.md
@@ -8,6 +8,7 @@ redirect_from:
 - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users
 - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users
 - /admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/about-enterprise-managed-users
+ - /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/about-enterprise-managed-users
 versions:
 ghec: '*'
 type: overview
@@ -20,11 +21,17 @@ topics:
 ## About {% data variables.product.prodname_emus %}
-With {% data variables.product.prodname_emus %}, you can control the user accounts of your enterprise members through your identity provider (IdP). You can simplify authentication with SAML single sign-on (SSO) and provision, update, and deprovision user accounts for your enterprise members. Users assigned to the {% data variables.product.prodname_emu_idp_application %} application in your IdP are provisioned as new user accounts on {% data variables.product.prodname_dotcom %} and added to your enterprise. You control usernames, profile data, team membership, and repository access from your IdP.
+With {% data variables.product.prodname_emus %}, you can control the user accounts of your enterprise members through your identity provider (IdP). You can simplify authentication with SAML{% if oidc-for-emu %} or OIDC{% endif %} single sign-on (SSO) and provision, update, and deprovision user accounts for your enterprise members. Users assigned to the {% data variables.product.prodname_emu_idp_application %} application in your IdP are provisioned as new user accounts on {% data variables.product.prodname_dotcom %} and added to your enterprise. You control usernames, profile data, team membership, and repository access from your IdP.
 In your IdP, you can give each {% data variables.product.prodname_managed_user %} the role of user, enterprise owner, or billing manager. {% data variables.product.prodname_managed_users_caps %} can own organizations within your enterprise and can add other {% data variables.product.prodname_managed_users %} to the organizations and teams within. For more information, see "[Roles in an enterprise](/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise)" and "[About organizations](/organizations/collaborating-with-groups-in-organizations/about-organizations)."
-Organization membership can be managed manually or updated automatically as {% data variables.product.prodname_managed_users %} are added to IdP groups that are connected to teams within the organization. When a {% data variables.product.prodname_managed_user %} is manually added to an organization, unassigning them from the {% data variables.product.prodname_emu_idp_application %} application on your IdP will suspend the user but not remove them from the organization. For more information about managing organization and team membership automatically, see "[Managing team memberships with identity provider groups](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups)."
+Organization membership can be managed manually or updated automatically as {% data variables.product.prodname_managed_users %} are added to IdP groups that are connected to teams within the organization. When a {% data variables.product.prodname_managed_user %} is manually added to an organization, unassigning them from the {% data variables.product.prodname_emu_idp_application %} application on your IdP will suspend the user but not remove them from the organization. For more information about managing organization and team membership automatically, see "[Managing team memberships with identity provider groups](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/managing-team-memberships-with-identity-provider-groups)."
+
+{% if oidc-for-emu %}
+
+{% data reusables.enterprise-accounts.emu-cap-validates %} For more information, see "[About support for your IdP's Conditional Access Policy](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy)."
+
+{% endif %}
 You can grant {% data variables.product.prodname_managed_users %} access and the ability to contribute to repositories within your enterprise, but {% data variables.product.prodname_managed_users %} cannot create public content or collaborate with other users, organizations, and enterprises on the rest of {% data variables.product.prodname_dotcom %}. The {% data variables.product.prodname_managed_users %} provisioned for your enterprise cannot be invited to organizations or repositories outside of the enterprise, nor can the {% data variables.product.prodname_managed_users %} be invited to other enterprises. Outside collaborators are not supported by {% data variables.product.prodname_emus %}.
@@ -39,10 +46,18 @@ To use {% data variables.product.prodname_emus %}, you need a separate type of e
 ## Identity provider support
-{% data variables.product.prodname_emus %} supports the following IdPs:
+{% data variables.product.prodname_emus %} supports the following IdPs{% if oidc-for-emu %} and authentication methods:
+
+| | SAML | OIDC (beta) |
+|----------------------------------|-----------------------------------------------|-----------------------------------------------|
+| Azure Active Directory | {% octicon "check" aria-label="Check icon" %} | {% octicon "check" aria-label="Check icon" %} |
+| Okta | {% octicon "check" aria-label="Check icon" %} | |
+{% else %}:
 {% data reusables.enterprise-accounts.emu-supported-idps %}
+{% endif %}
+
 ## Abilities and restrictions of {% data variables.product.prodname_managed_users %}
 {% data variables.product.prodname_managed_users_caps %} can only contribute to private and internal repositories within their enterprise and private repositories owned by their user account. {% data variables.product.prodname_managed_users_caps %} have read-only access to the wider {% data variables.product.prodname_dotcom %} community. These visibility and access restrictions for users and content apply to all requests, including API requests.
@@ -58,21 +73,36 @@ To use {% data variables.product.prodname_emus %}, you need a separate type of e
 * Only private and internal repositories can be created in organizations owned by an {% data variables.product.prodname_emu_enterprise %}, depending on organization and enterprise repository visibility settings.
 * {% data variables.product.prodname_managed_users_caps %} are limited in their use of {% data variables.product.prodname_pages %}. For more information, see "[About {% data variables.product.prodname_pages %}](/pages/getting-started-with-github-pages/about-github-pages#limitations-for-enterprise-managed-users)."
-## About enterprises with managed users
-
-To use {% data variables.product.prodname_emus %}, you need a separate type of enterprise account with {% data variables.product.prodname_emus %} enabled. To try out {% data variables.product.prodname_emus %} or to discuss options for migrating from your existing enterprise, please contact [{% data variables.product.prodname_dotcom %}'s Sales team](https://enterprise.github.com/contact).
-
-Your contact on the GitHub Sales team will work with you to create your new {% data variables.product.prodname_emu_enterprise %}. You'll need to provide the email address for the user who will set up your enterprise and a short code that will be used as the suffix for your enterprise members' usernames. {% data reusables.enterprise-accounts.emu-shortcode %} For more information, see "[Usernames and profile information](#usernames-and-profile-information)."
-
-After we create your enterprise, you will receive an email from {% data variables.product.prodname_dotcom %} inviting you to choose a password for your enterprise's setup user, which will be the first owner in the enterprise. Use an incognito or private browsing window when setting the password. The setup user is only used to configure SAML single sign-on and SCIM provisioning integration for the enterprise.
It will no longer have access to administer the enterprise account once SAML is successfully enabled.
-
-The setup user's username is your enterprise's shortcode suffixed with `_admin`. After you log in to your setup user, you can get started by configuring SAML SSO for your enterprise. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
-
-{% note %}
-
-{% data reusables.enterprise-accounts.emu-password-reset-session %}
-
-{% endnote %}
+## Getting started with {% data variables.product.prodname_emus %}
+
+Before your developers can use {% data variables.product.prodname_ghe_cloud %} with {% data variables.product.prodname_emus %}, you must follow a series of configuration steps.
+
+1. To use {% data variables.product.prodname_emus %}, you need a separate type of enterprise account with {% data variables.product.prodname_emus %} enabled. To try out {% data variables.product.prodname_emus %} or to discuss options for migrating from your existing enterprise, please contact [{% data variables.product.prodname_dotcom %}'s Sales team](https://enterprise.github.com/contact).
+
+ Your contact on the GitHub Sales team will work with you to create your new {% data variables.product.prodname_emu_enterprise %}. You'll need to provide the email address for the user who will set up your enterprise and a short code that will be used as the suffix for your enterprise members' usernames. {% data reusables.enterprise-accounts.emu-shortcode %} For more information, see "[Usernames and profile information](#usernames-and-profile-information)."
+
+2. After we create your enterprise, you will receive an email from {% data variables.product.prodname_dotcom %} inviting you to choose a password for your enterprise's setup user, which will be the first owner in the enterprise.
Use an incognito or private browsing window when setting the password. The setup user is only used to configure single sign-on and SCIM provisioning integration for the enterprise. It will no longer have access to administer the enterprise account once SSO is successfully enabled. The setup user's username is your enterprise's shortcode suffixed with `_admin`.
+
+ {% note %}
+
+ {% data reusables.enterprise-accounts.emu-password-reset-session %}
+
+ {% endnote %}
+
+3. After you log in to your setup user, get started by configuring {% if oidc-for-emu %}how your members will authenticate. If you are using Azure Active Directory as your identity provider, you can choose between OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). Both options provide a seamless sign-in experience for your members, but only OIDC includes support for Conditional Access Policies (CAP). If you are using Okta as your identity provider, you can use SAML to authenticate your members.{% else %}SAML SSO for your enterprise. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users)."{% endif %}
+
+ {% if oidc-for-emu %}
+
+ To get started, read the guide for your chosen authentication method.
+
+ - "[Configuring OIDC for Enterprise Managed Users](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users)."
+ - "[Configuring SAML single sign-on for Enterprise Managed Users](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+
+ {% endif %}
+
+4. Once you have configured SSO, you can configure SCIM provisioning.
SCIM is how your identity provider will provision and manage member accounts and teams on {% data variables.product.prodname_dotcom_the_website %}. For more information on configuring SCIM provisioning, see "[Configuring SCIM provisioning for enterprise managed users](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users)."
+
+5. Once authentication and provisioning are configured, you can start provisioning members and managing teams. For more information, see "[Managing team memberships with identity provider groups](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups)."
 ## Authenticating as a {% data variables.product.prodname_managed_user %}
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md
new file mode 100644
index 000000000000..c29621459c12
--- /dev/null
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md
@@ -0,0 +1,47 @@
+---
+title: About support for your IdP's Conditional Access Policy
+shortTitle: Conditional access policy
+intro: 'When your enterprise uses OIDC SSO, {% data variables.product.prodname_dotcom %} will validate access to your enterprise and its resources using your IdP''s Conditional Access Policy (CAP).'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+ feature: 'oidc-for-emu'
+topics:
+ - Accounts
+ - Authentication
+ - Enterprise
+ - SSO
+---
+
+{% data reusables.enterprise-accounts.oidc-beta-notice %}
+
+## About support for Conditional Access Policies
+
+{% data reusables.enterprise-accounts.emu-cap-validates %}
+
+CAP support is enabled automatically for any {% data variables.product.prodname_emu_enterprise %} that enables OIDC SSO and cannot be disabled. {% data variables.product.prodname_dotcom %} enforces your IdP's IP conditions but not device compliance conditions.
+
+For more information about using OIDC with {% data variables.product.prodname_emus %}, see "[Configuring OIDC for Enterprise Managed Users](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users)" and "[Migrating from SAML to OIDC](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc)."
+
+## About using CAP with IP allow lists
+
+We recommend disabling your enterprise account's IP allow list and relying on your IdP's CAP. If you enable IP allow lists for your enterprise and also make use of your IdP's CAP, both the IP allow list and CAP will be enforced. If either restriction rejects a user's IP address, the request fails. For more information about IP allow lists, see "[Enforcing policies for security settings in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-allowed-ip-addresses-for-organizations-in-your-enterprise)."
+
+## Considerations for integrations and automations
+
+{% data variables.product.prodname_dotcom %} sends the originating IP address to your IdP for validation against your CAP. To make sure actions and apps are not blocked by your IdP's CAP, you will need to make changes to your configuration.
+
+{% data reusables.enterprise-accounts.oidc-gei-warning %}
+
+### {% data variables.product.prodname_actions %}
+
+Actions that use a personal access token will likely be blocked by your IdP's CAP. We recommend that personal access tokens are created by a service account which is then exempted from IP controls in your IdP's CAP.
+
+If you're unable to use a service account, another option for unblocking actions that use personal access tokens is to allow the IP ranges used by {% data variables.product.prodname_actions %}. For more information, see "[About GitHub's IP addresses](/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses)."
+
+### {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %}
+
+When {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %} make requests on a member's behalf, {% data variables.product.prodname_dotcom %} will send the IP address of the app's server to your IdP for validation. If the IP address of the app's server is not validated by your IdP's CAP, the request will fail.
+
+You can contact the owners of the apps you want to use, ask for their IP ranges, and configure your IdP's CAP to allow access from those IP ranges. If you're unable to contact the owners, you can review your IdP sign-in logs to review the IP addresses seen in the requests, then allow-list those addresses.
+
+You can also enable IP allow list configuration for installed {% data variables.product.prodname_github_apps %}.
When enabled, all {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %} will continue working regardless of the originating IP address. For more information, see "[Enforcing policies for security settings in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#allowing-access-by-github-apps)."
\ No newline at end of file
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md
new file mode 100644
index 000000000000..1b18092f7f78
--- /dev/null
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md
@@ -0,0 +1,47 @@
+---
+title: Configuring OIDC for Enterprise Managed Users
+shortTitle: OIDC for managed users
+intro: 'You can automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring OpenID Connect (OIDC) single sign-on (SSO) and enable support for your IdP''s Conditional Access Policy (CAP).'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+ feature: 'oidc-for-emu'
+topics:
+ - Accounts
+ - Authentication
+ - Enterprise
+ - SSO
+---
+
+{% data reusables.enterprise-accounts.oidc-beta-notice %}
+
+## About OIDC for Enterprise Managed Users
+
+With {% data variables.product.prodname_emus %}, your enterprise uses your identity provider (IdP) to authenticate all members. You can use OpenID Connect (OIDC) to manage authentication for your {% data variables.product.prodname_emu_enterprise %}. Enabling OIDC SSO is a one-click setup process with certificates managed by {% data variables.product.prodname_dotcom %} and your IdP.
+
+{% data reusables.enterprise-accounts.emu-cap-validates %} For more information, see "[About support for your IdP's Conditional Access Policy](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy)."
+
+You can adjust the lifetime of a session, and how often a {% data variables.product.prodname_managed_user %} needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for {% data variables.product.prodname_dotcom %} from your IdP. The default lifetime is one hour. For more information, see "[Configurable token lifetimes in the Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes)" in the Azure AD documentation.
+
+If you currently use SAML SSO for authentication and would prefer to use OIDC and benefit from CAP support, you can follow a migration path.
For more information, see "[Migrating from SAML to OIDC](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc)."
+
+{% data reusables.enterprise-accounts.oidc-gei-warning %}
+
+## Identity provider support
+
+Support for OIDC is in public beta and available for customers using Azure Active Directory (Azure AD).
+
+## Configuring OIDC for Enterprise Managed Users
+
+1. Sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user for your new enterprise with the username **@SHORT-CODE_admin**.
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Select **Require OIDC single sign-on**.
+ ![Screenshot showing the "Require OIDC single sign-on" checkbox](/assets/images/help/enterprises/require-oidc.png)
+1. To continue setup and be redirected to Azure AD, click **Save**.
+{% data reusables.enterprise-accounts.emu-azure-admin-consent %}
+{% data reusables.enterprise-accounts.download-recovery-codes %}
+
+## Enabling provisioning
+
+After you enable OIDC SSO, enable provisioning. For more information, see "[Configuring SCIM provisioning for enterprise managed users](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users)."
\ No newline at end of file
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md
similarity index 96%
rename from content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md
rename to content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md
index 1aa1148b3088..c36fb58cb371 100644
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md
@@ -7,6 +7,7 @@ redirect_from:
 - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users
 - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users
 - /admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users
+ - /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users
 versions:
 ghec: '*'
 type: tutorial
@@ -112,5 +113,5 @@ After you install and configure the {% data variables.product.prodname_emu_idp_a
 ### Enabling provisioning
-After you enable SAML SSO, enable provisioning. For more information, see "[Configuring SCIM provisioning for enterprise managed users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users)."
+After you enable SAML SSO, enable provisioning. For more information, see "[Configuring SCIM provisioning for enterprise managed users](//admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users)."
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md
similarity index 90%
rename from content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md
rename to content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md
index ed6b46facafe..5e4e68060d4b 100644
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md
@@ -10,6 +10,7 @@ redirect_from:
 - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta
 - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta
 - /admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users-with-okta
+ - /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta
 type: tutorial
 topics:
 - Accounts
@@ -20,9 +21,9 @@ topics:
 ## About provisioning with Okta
-You can use {% data variables.product.prodname_emus %} with Okta as your identity provider to provision new accounts, manage enterprise membership, and manage team memberships for organizations in your enterprise. For more information about provisioning for {% data variables.product.prodname_emus %}, see "[Configuring SCIM provisioning for enterprise managed users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users)."
+You can use {% data variables.product.prodname_emus %} with Okta as your identity provider to provision new accounts, manage enterprise membership, and manage team memberships for organizations in your enterprise. For more information about provisioning for {% data variables.product.prodname_emus %}, see "[Configuring SCIM provisioning for enterprise managed users](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users)."
-Before you can configure provisioning with Okta, you must configure SAML single-sign on. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+Before you can configure provisioning with Okta, you must configure SAML single-sign on. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users)."
 To configure provisioning with Okta, you must set your enterprise's name in the {% data variables.product.prodname_emu_idp_application %} application and enter your setup user's personal access token.
You can then start provisioning users in Okta.
@@ -83,7 +84,7 @@ After you have configured SAML SSO and provisioning, you will be able provision
 {% data reusables.scim.emu-scim-rate-limit %}
-You can also automatically manage organization membership by assigning groups to the application and adding them to the "Push Groups" tab in Okta. When the group is provisioned successfully, it will be available to connect to teams in the enterprise's organizations. For more information about managing teams, see "[Managing team memberships with identity provider groups](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups)."
+You can also automatically manage organization membership by assigning groups to the application and adding them to the "Push Groups" tab in Okta. When the group is provisioned successfully, it will be available to connect to teams in the enterprise's organizations. For more information about managing teams, see "[Managing team memberships with identity provider groups](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/managing-team-memberships-with-identity-provider-groups)."
 When assigning users, you can use the "Roles" attribute in the {% data variables.product.prodname_emu_idp_application %} application to set a user's role in your enterprise on {% data variables.product.product_name %}. For more information on roles, see "[Roles in an enterprise](/github/setting-up-and-managing-your-enterprise/managing-users-in-your-enterprise/roles-in-an-enterprise)."
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users.md
similarity index 62%
rename from content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users.md
rename to content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users.md
index 02d67fe5761f..94ff3acec6c3 100644
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users.md
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users.md
@@ -7,6 +7,7 @@ redirect_from:
 - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users
 - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users
 - /admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users
+ - /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users
 versions:
 ghec: '*'
 topics:
@@ -18,13 +19,16 @@ topics:
 You must configure provisioning for {% data variables.product.prodname_emus %} to create, manage, and deactivate user accounts for your enterprise members. When you configure provisioning for {% data variables.product.prodname_emus %}, users assigned to the {% data variables.product.prodname_emu_idp_application %} application in your identity provider are provisioned as new user accounts on {% data variables.product.prodname_dotcom %} via SCIM, and the users are added to your enterprise.
-When you update information associated with a user's identity on your IdP, your IdP will update the user's account on GitHub.com. When you unassign the user from the {% data variables.product.prodname_emu_idp_application %} application or deactivate a user's account on your IdP, your IdP will communicate with {% data variables.product.prodname_dotcom %} to invalidate any SAML sessions and disable the member's account. The disabled account's information is maintained and their username is changed to a hash of their original username with the short code appended. If you reassign a user to the {% data variables.product.prodname_emu_idp_application %} application or reactivate their account on your IdP, the {% data variables.product.prodname_managed_user %} account on {% data variables.product.prodname_dotcom %} will be reactivated and username restored.
+When you update information associated with a user's identity on your IdP, your IdP will update the user's account on GitHub.com. When you unassign the user from the {% data variables.product.prodname_emu_idp_application %} application or deactivate a user's account on your IdP, your IdP will communicate with {% data variables.product.prodname_dotcom %} to invalidate any sessions and disable the member's account. The disabled account's information is maintained and their username is changed to a hash of their original username with the short code appended.
If you reassign a user to the {% data variables.product.prodname_emu_idp_application %} application or reactivate their account on your IdP, the {% data variables.product.prodname_managed_user %} account on {% data variables.product.prodname_dotcom %} will be reactivated and username restored.
-Groups in your IdP can be used to manage team membership within your enterprise's organizations, allowing you to configure repository access and permissions through your IdP. For more information, see "[Managing team memberships with identity provider groups](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups)."
+Groups in your IdP can be used to manage team membership within your enterprise's organizations, allowing you to configure repository access and permissions through your IdP. For more information, see "[Managing team memberships with identity provider groups](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/managing-team-memberships-with-identity-provider-groups)."
 ## Prerequisites
-Before you can configure provisioning for {% data variables.product.prodname_emus %}, you must configure SAML single-sign on. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+Before you can configure provisioning for {% data variables.product.prodname_emus %}, you must configure SAML{% if oidc-for-emu %} or OIDC{% endif %} single-sign on.
{% if oidc-for-emu %}
+
+- For more information on configuring OIDC, see "[Configuring OIDC for Enterprise Managed Users](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-oidc-for-enterprise-managed-users)"
+- {% endif %}For information on configuring SAML, see "[Configuring SAML single sign-on for Enterprise Managed Users](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users)."
 ## Creating a personal access token
@@ -55,11 +59,14 @@ To configure provisioning for your {% data variables.product.prodname_emu_enterp
 ## Configuring provisioning for {% data variables.product.prodname_emus %}
-After creating your personal access token and storing it securely, you can configure provisioning on your identity provider.
+After creating your personal access token and storing it securely, you can configure provisioning on your identity provider. {% data reusables.scim.emu-scim-rate-limit %}
-To configure Azure Active Directory to provision users for your {% data variables.product.prodname_emu_enterprise %}, see [Tutorial: Configure GitHub Enterprise Managed User for automatic user provisioning](https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/github-enterprise-managed-user-provisioning-tutorial) in the Azure AD documentation.
-
-To configure Okta to provision users for your {% data variables.product.prodname_emu_enterprise %}, see "[Configuring SCIM provisioning for Enterprise Managed Users with Okta](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta)."
+To configure provisioning, follow the appropriate link from the table below.
+| Identity provider | SSO method | More information |
+|---|---|---|{% if oidc-for-emu %}
+| Azure AD | OIDC | [Tutorial: Configure GitHub Enterprise Managed User (OIDC) for automatic user provisioning](https://docs.microsoft.com/azure/active-directory/saas-apps/github-enterprise-managed-user-oidc-provisioning-tutorial) in the Azure AD documentation |{% endif %}
+| Azure AD | SAML | [Tutorial: Configure GitHub Enterprise Managed User for automatic user provisioning](https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/github-enterprise-managed-user-provisioning-tutorial) in the Azure AD documentation |
+| Okta | SAML | [Configuring SCIM provisioning for Enterprise Managed Users with Okta](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users-with-okta) |
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/index.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/index.md
similarity index 76%
rename from content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/index.md
rename to content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/index.md
index dfca2e1783a4..3cdd6e2a6a1a 100644
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/index.md
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/index.md
@@ -1,5 +1,5 @@
 ---
-title: Using Enterprise Managed Users and SAML for IAM
+title: Using Enterprise Managed Users for IAM
 shortTitle: Enterprise Managed Users
 product: '{% data reusables.gated-features.emus %}'
 intro: You can manage identity and access with your identity provider and provision accounts that can only contribute to your enterprise.
@@ -7,6 +7,7 @@ redirect_from:
 - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider
 - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider
 - /admin/identity-and-access-management/managing-iam-with-enterprise-managed-users
+ - /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam
 versions:
 ghec: '*'
 topics:
@@ -15,8 +16,11 @@ topics:
 children:
 - /about-enterprise-managed-users
 - /configuring-saml-single-sign-on-for-enterprise-managed-users
+ - /configuring-oidc-for-enterprise-managed-users
 - /configuring-scim-provisioning-for-enterprise-managed-users
 - /configuring-scim-provisioning-for-enterprise-managed-users-with-okta
 - /managing-team-memberships-with-identity-provider-groups
+ - /about-support-for-your-idps-conditional-access-policy
+ - /migrating-from-saml-to-oidc
 ---
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/managing-team-memberships-with-identity-provider-groups.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups.md
similarity index 97%
rename from content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/managing-team-memberships-with-identity-provider-groups.md
rename to content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups.md
index 4bd46d92edcf..f797dce094cf 100644
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/managing-team-memberships-with-identity-provider-groups.md
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups.md
@@ -7,6 +7,7 @@ redirect_from:
 - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups
 - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups
 - /admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/managing-team-memberships-with-identity-provider-groups
+ - /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/managing-team-memberships-with-identity-provider-groups
 versions:
 ghec: '*'
 type: how_to
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc.md
new file mode 100644
index 000000000000..946351bb9de0
--- /dev/null
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc.md
@@ -0,0 +1,58 @@
+---
+title: Migrating from SAML to OIDC
+shortTitle: Migrating from SAML to OIDC
+intro: 'If you''re using SAML to authenticate members in your {% data variables.product.prodname_emu_enterprise %}, you can migrate to OpenID Connect (OIDC) and benefit from support for your IdP''s Conditional Access Policy.'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+ feature: 'oidc-for-emu'
+topics:
+ - Accounts
+ - Authentication
+ - Enterprise
+ - SSO
+---
+
+{% data reusables.enterprise-accounts.oidc-beta-notice %}
+
+## About migrating your {% data variables.product.prodname_emu_enterprise %} from SAML to OIDC
+
+If your {% data variables.product.prodname_emu_enterprise %} uses SAML SSO to authenticate with Azure Active Directory (Azure AD), you can migrate to OIDC. {% data reusables.enterprise-accounts.emu-cap-validates %}
+
+When you migrate from SAML to OIDC, {% data variables.product.prodname_managed_users %} and groups that were previously provisioned for SAML but are not provisioned by the {% data variables.product.prodname_emu_idp_oidc_application %} application will have "(SAML)" appended to their display names.
+
+If you're new to {% data variables.product.prodname_emus %} and haven't yet configured authentication for your enterprise, you do not need to migrate and can set up OIDC single sign-on immediately. For more information, see "[Configuring OIDC for Enterprise Managed Users](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users)."
+
+## Migrating your enterprise
+
+{% note %}
+
+**Note:** To sign in as the setup user, you will need a recovery code. If you do not already have your recovery codes, you can access the codes while signed in as an enterprise owner.
For more information, see "[Downloading your enterprise account's single sign-on recovery codes](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes)."
+
+{% endnote %}
+
+1. Before you begin the migration, sign in to Azure and disable provisioning in the existing {% data variables.product.prodname_emu_idp_application %} application.
+1. Sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user for your enterprise with the username **@SHORT-CODE_admin**.
+1. When prompted to continue to your identity provider, click **Use a recovery code** and sign in using one of your enterprise's recovery codes.
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. At the bottom of the page, next to "Migrate to OpenID Connect single sign-on", click **Configure with Azure**.
+ {% warning %}
+
+ **Warning:** The migration can take up to an hour, and it is important that no users are provisioned during the migration. You can confirm if the migration is still in progress by returning to your enterprise's security settings page; if "Require SAML authentication" is still checked, the migration is still in progress.
+
+ {% endwarning %}
+
+ ![Screenshot showing the "Configure with Azure" button](/assets/images/help/enterprises/saml-to-oidc-button.png)
+1. Read both warnings and click to continue.
+{% data reusables.enterprise-accounts.emu-azure-admin-consent %}
+1. In a new tab or window, while signed in as the setup user on {% data variables.product.prodname_dotcom_the_website %}, create a personal access token with the **admin:enterprise** scope and **no expiration** and copy it to your clipboard.
For more information about creating a new token, see "[Creating a personal access token](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users#creating-a-personal-access-token)."
+1. In the settings for the {% data variables.product.prodname_emu_idp_oidc_application %} application in Azure Portal, under "Tenant URL", type `https://api.github.com/scim/v2/enterprises/YOUR_ENTERPRISE`, replacing YOUR_ENTERPRISE with the name of your enterprise account.
+
+ For example, if your enterprise account's URL is `https://github.com/enterprises/octo-corp`, the name of the enterprise account is `octo-corp`.
+1. Under "Secret token", paste the personal access token with the **admin:enterprise** scope that you created earlier.
+1. To test the configuration, click **Test Connection**.
+1. To save your changes, at the top of the form, click **Save**.
+1. In Azure Portal, copy the users and groups from the old {% data variables.product.prodname_emu_idp_application %} application to the new {% data variables.product.prodname_emu_idp_oidc_application %} application.
+1. Test your configuration by provisioning a single new user.
+1. If your test is successful, start provisioning for all users by clicking **Start provisioning**.
\ No newline at end of file
diff --git a/data/features/oidc-for-emu.yml b/data/features/oidc-for-emu.yml
new file mode 100644
index 000000000000..3d999160e8d1
--- /dev/null
+++ b/data/features/oidc-for-emu.yml
@@ -0,0 +1,5 @@
+# Issues 6495 and 6494
+# OIDC/CAP for Enterprise Managed Users
+versions:
+ ghec: '*'
+ ghae: 'issue-6495'
diff --git a/data/reusables/enterprise-accounts/download-recovery-codes.md b/data/reusables/enterprise-accounts/download-recovery-codes.md
index 64ca2128ad53..3481a78d7645 100644
--- a/data/reusables/enterprise-accounts/download-recovery-codes.md
+++ b/data/reusables/enterprise-accounts/download-recovery-codes.md
@@ -1,3 +1,3 @@
-1. To ensure you can still access your enterprise in the event that your identity provider is ever unavailable in the future, click **Download**, **Print**, or **Copy** to save your recovery codes. For more information, see "[Downloading your enterprise account's SAML single sign-on recovery codes](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-saml-single-sign-on-recovery-codes)."
+1. To ensure you can still access your enterprise in the event that your identity provider is ever unavailable in the future, click **Download**, **Print**, or **Copy** to save your recovery codes. For more information, see "[Downloading your enterprise account's single sign-on recovery codes](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes)."
 ![Screenshot of the buttons to download, print, or copy your recovery codes](/assets/images/help/saml/saml_recovery_code_options.png)
diff --git a/data/reusables/enterprise-accounts/emu-azure-admin-consent.md b/data/reusables/enterprise-accounts/emu-azure-admin-consent.md
new file mode 100644
index 000000000000..22ac9ba7bc43
--- /dev/null
+++ b/data/reusables/enterprise-accounts/emu-azure-admin-consent.md
@@ -0,0 +1,6 @@
+1. When redirected, sign in to your identity provider, then follow the instructions to give consent and install the {% data variables.product.prodname_emu_idp_oidc_application %} application.
+ {% warning %}
+
+ **Warning:** You must sign in to Azure AD as a user with global admin rights in order to consent to the installation of the {% data variables.product.prodname_emu_idp_oidc_application %} application.
+
+ {% endwarning %}
\ No newline at end of file
diff --git a/data/reusables/enterprise-accounts/emu-cap-validates.md b/data/reusables/enterprise-accounts/emu-cap-validates.md
new file mode 100644
index 000000000000..6701264a9206
--- /dev/null
+++ b/data/reusables/enterprise-accounts/emu-cap-validates.md
@@ -0,0 +1 @@
+When your enterprise uses OIDC SSO, {% data variables.product.prodname_dotcom %} will automatically use your IdP's conditional access policy (CAP) IP conditions to validate user interactions with {% data variables.product.prodname_dotcom %}, when members change IP addresses, and each time a personal access token or SSH key is used.
\ No newline at end of file
diff --git a/data/reusables/enterprise-accounts/oidc-beta-notice.md b/data/reusables/enterprise-accounts/oidc-beta-notice.md
new file mode 100644
index 000000000000..77e3430f9507
--- /dev/null
+++ b/data/reusables/enterprise-accounts/oidc-beta-notice.md
@@ -0,0 +1,5 @@
+{% note %}
+
+**Note:** OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for {% data variables.product.prodname_emus %} is in public beta and only available for Azure AD.
+
+{% endnote %}
\ No newline at end of file
diff --git a/data/reusables/enterprise-accounts/oidc-gei-warning.md b/data/reusables/enterprise-accounts/oidc-gei-warning.md
new file mode 100644
index 000000000000..73ed859d4476
--- /dev/null
+++ b/data/reusables/enterprise-accounts/oidc-gei-warning.md
@@ -0,0 +1,5 @@
+{% warning %}
+
+**Warning:** If you use {% data variables.product.prodname_importer_proper_name %} to migrate an organization from {% data variables.product.product_location_enterprise %}, make sure to use a service account that is exempt from Azure AD's CAP otherwise your migration may be blocked.
+
+{% endwarning %}
\ No newline at end of file
diff --git a/data/variables/product.yml b/data/variables/product.yml
index 251e5af531e0..3898e939891a 100644
--- a/data/variables/product.yml
+++ b/data/variables/product.yml
@@ -45,6 +45,9 @@ prodname_github_connect: 'GitHub Connect' prodname_unified_contributions: 'unified contributions' prodname_unified_search: 'unified search' +# GitHub Enterprise migration tool +prodname_importer_proper_name: 'GitHub Enterprise Importer' + # GitHub Education prodname_education: 'GitHub Education' prodname_education_community: 'Education Community' @@ -102,10 +105,11 @@ prodname_discussions: 'GitHub Discussions' # GitHub Enterprise Managed Users prodname_emu_idp_application: 'GitHub Enterprise Managed User' +prodname_emu_idp_oidc_application: 'GitHub Enterprise Managed User (OIDC)' prodname_emus: 'Enterprise Managed Users' -prodname_managed_user: 'managed user' -prodname_managed_users: 'managed users' -prodname_managed_users_caps: 'Managed users' +prodname_managed_user: 'managed user account' +prodname_managed_users: 'managed user accounts' +prodname_managed_users_caps: 'Managed user accounts' prodname_emu_enterprise: 'enterprise with managed users' prodname_emu_org: 'organization with managed users' diff --git a/lib/redirects/static/redirect-exceptions.txt b/lib/redirects/static/redirect-exceptions.txt index 4228a87474f1..e4ed6ee0fdcf 100644 --- a/lib/redirects/static/redirect-exceptions.txt +++ b/lib/redirects/static/redirect-exceptions.txt 
@@ -169,31 +169,37 @@ - /github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account - /admin/authentication/managing-identity-and-access-for-your-enterprise/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account -/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam +/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider +- /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam -/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/about-enterprise-managed-users +/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users - /early-access/github/articles/get-started-with-managed-users-for-your-enterprise - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users +- /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/about-enterprise-managed-users -/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users +/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users - 
/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users +- /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users -/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users +/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users +- /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users -/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users +/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users - /early-access/github/articles/configuring-provisioning-for-managed-users-with-okta - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta +- 
/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users -/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/managing-team-memberships-with-identity-provider-groups +/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/managing-team-memberships-with-identity-provider-groups +- /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/managing-team-memberships-with-identity-provider-groups /enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/auditing-activity-in-your-enterprise