Repo sync

content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable.md

@@ -13,16 +13,21 @@ topics:
 permissions: Enterprise owners can use a recovery code to access an enterprise account.
 ---
 
+## About recovery codes
+
 You can use a recovery code to access your enterprise account when an authentication configuration error or an issue with your identity provider (IdP) prevents you from using SSO.
 
 In order to access your enterprise account this way, you must have previously downloaded and stored the recovery codes for your enterprise. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes)."
 
 {% data reusables.saml.recovery-code-caveats %}
 
+## Using a recovery code
+
 {% note %}
 
 **Note:** If your enterprises uses {% data variables.product.prodname_emus %}, you must sign in as the setup user to use a recovery code.
 
 {% endnote %}
 
+1. Attempt to access the enterprise account.
 {% data reusables.saml.recovery-code-access %}

content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md

@@ -1,6 +1,6 @@
 ---
 title: Configuring OIDC for Enterprise Managed Users
-shortTitle: OIDC for managed users
+shortTitle: Configure OIDC
 intro: 'You can automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring OpenID Connect (OIDC) single sign-on (SSO) and enable support for your IdP''s Conditional Access Policy (CAP).'
 product: '{% data reusables.gated-features.emus %}'
 versions:

content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md

@@ -1,6 +1,6 @@
 ---
 title: Configuring SAML single sign-on for Enterprise Managed Users
-shortTitle: SAML for managed users
+shortTitle: Configure SAML
 intro: 'You can automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring Security Assertion Markup Language (SAML) single sign-on (SSO).'
 product: '{% data reusables.gated-features.emus %}'
 redirect_from:
@@ -85,8 +85,7 @@ To configure your IdP, follow the instructions they provide for configuring the
 
 After you install and configure the {% data variables.product.prodname_emu_idp_application %} application on your identity provider, you can configure your enterprise.
 
-1. Sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user for your new enterprise with the username **@<em>SHORT-CODE</em>_admin**.
-
+{% data reusables.emus.sign-in-as-setup-user %}
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.security-tab %}

content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md

@@ -1,6 +1,6 @@
 ---
 title: Configuring SCIM provisioning for Enterprise Managed Users with Okta
-shortTitle: Set up provisioning with Okta
+shortTitle: Configure SCIM with Okta
 intro: You can provision new users and manage their membership of your enterprise and teams using Okta as your identity provider.
 product: '{% data reusables.gated-features.emus %}'
 versions:

content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users.md

@@ -1,6 +1,6 @@
 ---
 title: Configuring SCIM provisioning for Enterprise Managed Users
-shortTitle: Provisioning managed users
+shortTitle: Configure SCIM provisioning
 intro: You can configure your identity provider to provision new users and manage their membership in your enterprise and teams.
 product: '{% data reusables.gated-features.emus %}'
 redirect_from:

content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/disabling-authentication-for-enterprise-managed-users.md

@@ -0,0 +1,36 @@
+---
+title: Disabling authentication for Enterprise Managed Users
+shortTitle: Disable authentication
+intro: 'You can disable SAML single sign-on (SSO) or OIDC for {% data variables.product.prodname_emus %} by using a recovery code to sign in as the setup user.'
+versions:
+  ghec: '*'
+type: overview
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - SSO
+permissions: The setup user can disable SAML SSO or OIDC for {% data variables.product.prodname_emus %}.
+---
+
+## About disabled authentication for {% data variables.product.prodname_emus %}
+
+After you disable SAML SSO or OIDC for your enterprise, the following effects apply:
+
+- All external identities for the enterprise will be removed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise)."
+- All {% data variables.enterprise.prodname_managed_users %} will be suspended. The suspended accounts will not be renamed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-suspended-members-in-an-enterprise-with-managed-users)."
+- All of the external groups provisioned by SCIM will be deleted. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups)."
+
+If you later reconfigure authentication for the enterprise, external groups must be re-provisioned via SCIM, and {% data variables.enterprise.prodname_managed_users %} must be re-provisioned before users can sign in.
+
+If you want to migrate to a new identity provider (IdP) or tenant rather than disabling authentication entirely, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-your-enterprise-to-a-new-identity-provider-or-tenant)."
+
+## Disabling authentication
+
+{% data reusables.emus.sign-in-as-setup-user %}
+1. Attempt to access your enterprise account, and use a recovery code to bypass SAML SSO or OIDC. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable)."
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Under "SAML single sign-on", deselect **Require SAML authentication** or **Require OIDC single sign-on**.
+1. Click **Save**.

content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/index.md

@@ -24,4 +24,5 @@ children:
   - /migrating-from-saml-to-oidc
   - /migrating-from-oidc-to-saml
   - /migrating-your-enterprise-to-a-new-identity-provider-or-tenant
+  - /disabling-authentication-for-enterprise-managed-users
 ---

content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-your-enterprise-to-a-new-identity-provider-or-tenant.md

@@ -46,15 +46,8 @@ To migrate to a new IdP or tenant, you cannot edit your existing SAML configurat
     - If you use Okta, navigate to the "Provisioning" tab of the application, click the **Integration** tab, and then click **Edit**. Deselect **Enable API integration**.
     - If you use PingFederate, navigate to the channel settings in the application. From the **Activation & Summary** tab, click **Active** or **Inactive** to toggle the provisioning status, and then click **Save**. For more information about managing provisioning, see "[Reviewing channel settings](https://docs.pingidentity.com/r/en-us/pingfederate-112/help_saaschanneltasklet_saasactivationstate)" and "[Managing channels](https://docs.pingidentity.com/r/en-us/pingfederate-112/help_saasmanagementtasklet_saasmanagementstate)" in the Ping Federate documentation.
 1. Use a recovery code to sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user, whose username is your enterprise's shortcode suffixed with `_admin`. For more information about the setup user, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users#getting-started-with-enterprise-managed-users)."
-
-1. Deactivate SAML for the {% data variables.enterprise.prodname_emu_enterprise %}.
-
-   -  From your profile, click **Your enterprises**, and then click the appropriate enterprise.
-   - Click {% octicon "gear" aria-label="The Settings gear" %} **Settings**, and then click **Authentication security**.
-   - Under "SAML single sign-on", deselect **Require SAML authentication**, and then click **Save**.
-
+1. Deactivate SAML for the {% data variables.enterprise.prodname_emu_enterprise %}. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/disabling-authentication-for-enterprise-managed-users)."
 1. Wait for all users in the enterprise to show as suspended.
-
 1. While still signed in as the setup user, configure SAML and SCIM for the new IdP or tenant with a new {% data variables.product.prodname_emus %} application.
 
    After you configure provisioning for the new application, the {% data variables.enterprise.prodname_managed_users %} will be unsuspended, and your developers will be able to sign into their existing accounts again.

content/admin/identity-and-access-management/using-saml-for-enterprise-iam/disabling-saml-single-sign-on-for-your-enterprise.md

@@ -0,0 +1,37 @@
+---
+title: Disabling SAML single sign-on for your enterprise
+intro: 'You can disable SAML single sign-on (SSO) for your enterprise account.'
+versions:
+  ghec: '*'
+topics:
+  - Authentication
+  - Enterprise
+type: how_to
+shortTitle: Disable SAML SSO
+---
+
+## About disabled SAML SSO for your enterprise
+
+After you disable SAML SSO for your enterprise, the following effects apply:
+
+- All external identities for your enterprise will be removed. For more information, see - All external identities for the enterprise will be removed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise)."
+- Any SAML settings configured for individual organizations within the enterprise will take effect. For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization)."
+
+## Disabling SAML
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+
+   {% note %}
+
+   **Note:** If you're unable to access the enterprise because your IdP is unavailable, you can use a recovery code to bypass SSO. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable)."
+
+  {% endnote %}
+
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Under "SAML single sign-on", deselect **Require SAML authentication**.
+1. Click **Save**.
+
+## Further reading
+
+- "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/disabling-authentication-for-enterprise-managed-users)"

content/admin/identity-and-access-management/using-saml-for-enterprise-iam/index.md

@@ -25,6 +25,7 @@ children:
   - /configuring-user-provisioning-with-scim-for-your-enterprise
   - /managing-team-synchronization-for-organizations-in-your-enterprise
   - /configuring-saml-single-sign-on-for-your-enterprise-using-okta
+  - /disabling-saml-single-sign-on-for-your-enterprise
   - /configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad
   - /configuring-authentication-and-provisioning-for-your-enterprise-using-okta
   - /mapping-okta-groups-to-teams

content/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable.md

@@ -1,6 +1,6 @@
 ---
 title: Accessing your organization if your identity provider is unavailable
-intro: 'Organization owners can sign into {% data variables.product.product_name %} even if their identity provider is unavailable by bypassing single sign-on and using their recovery codes.'
+intro: 'Organization owners can sign into {% data variables.product.product_name %} even if their identity provider is unavailable by bypassing single sign-on (SSO) and using their recovery codes.'
 redirect_from:
   - /articles/accessing-your-organization-if-your-identity-provider-is-unavailable
   - /github/setting-up-and-managing-organizations-and-teams/accessing-your-organization-if-your-identity-provider-is-unavailable
@@ -10,14 +10,16 @@ topics:
   - Organizations
   - Teams
 shortTitle: Unavailable identity provider
+permissions: Organization owners can use a recovery code to bypass SAML SSO.
 ---
 
+## About recovery codes
+
 Organization owners can use one of their downloaded or saved recovery codes to bypass single sign-on. You may have saved these to a password manager. For more information about downloading recovery codes, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes)."
 
 {% data reusables.saml.recovery-code-caveats %}
 
-{% data reusables.saml.recovery-code-access %}
-
-## Further reading
+## Using a recovery code
 
-- "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)"
+1. Attempt to access the organization.
+{% data reusables.saml.recovery-code-access %}

content/organizations/managing-saml-single-sign-on-for-your-organization/disabling-saml-single-sign-on-for-your-organization.md

@@ -0,0 +1,25 @@
+---
+title: Disabling SAML single sign-on for your organization
+intro: 'You can disable SAML single sign-on (SSO) for your organization.'
+versions:
+  ghec: '*'
+topics:
+  - Organizations
+  - Teams
+shortTitle: Disable SAML
+permissions: Organization owners can disable SAML SSO for an organization.
+---
+
+After you disable SAML SSO for your organization, all external identities for your organization will be removed. For more information, see "[AUTOTITLE](/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization)."
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+
+    {% note %}
+
+    **Note:** If you're unable to access the organization because your identity provider (IdP) is unavailable, you can use a recovery code to bypass SSO. For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable)."
+
+    {% endnote %}
+{% data reusables.organizations.security %}
+1. Under "SAML single sign-on", deselect **Enable SAML authentication**.
+1. Click **Save**.

content/organizations/managing-saml-single-sign-on-for-your-organization/index.md

@@ -20,6 +20,7 @@ children:
   - /enforcing-saml-single-sign-on-for-your-organization
   - /downloading-your-organizations-saml-single-sign-on-recovery-codes
   - /managing-team-synchronization-for-your-organization
+  - /disabling-saml-single-sign-on-for-your-organization
   - /accessing-your-organization-if-your-identity-provider-is-unavailable
   - /troubleshooting-identity-and-access-management-for-your-organization
 shortTitle: Manage SAML single sign-on

data/reusables/enterprise-accounts/access-enterprise.md

@@ -1,8 +1,10 @@
-{% ifversion ghec %}1. In the top-right corner of {% data variables.product.prodname_dotcom_the_website %}, click your profile photo, then click **Your enterprises**.
+{%- ifversion ghec %}
+1. In the top-right corner of {% data variables.product.prodname_dotcom_the_website %}, click your profile photo, then click **Your enterprises**.
 
 1. In the list of enterprises, click the enterprise you want to view.
 
-{% elsif ghes or ghae %}1. In the top-right corner of {% data variables.product.product_name %}, click your profile photo, then click **Enterprise settings**.
+{%- elsif ghes or ghae %}
+1. In the top-right corner of {% data variables.product.product_name %}, click your profile photo, then click **Enterprise settings**.
 
     ![Screenshot of the drop-down menu that appears when you click the profile photo on GitHub Enterprise Server. The "Enterprise settings" option is highlighted in a dark orange outline.](/assets/images/enterprise/settings/enterprise-settings.png)
-{% endif %}
+{%- endif %}