Merge pull request #35199 from github/repo-sync
Repo sync
docs-bot authored Nov 6, 2024
2 parents bf0b566 + 7c850c9 commit f4a9ff3
Showing 27 changed files with 399 additions and 51 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -49,15 +49,17 @@ Using your IdP's allow list deactivates the {% data variables.product.company_sh

By default, your IdP runs the CAP on the initial interactive SAML or OIDC sign-in to {% data variables.product.company_short %} for any IP allow list configuration you choose.

The OIDC CAP only applies for requests to the API using a user token, such as an OAuth token for an {% data variables.product.prodname_oauth_app %} or a user access token for a {% data variables.product.prodname_github_app %} acting on behalf of a user. The OIDC CAP does not apply when a {% data variables.product.prodname_github_app %} uses an installation access token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app)" and "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy#github-apps-and-oauth-apps)."
The OIDC CAP applies to web requests and requests to the API using a user token, such as an OAuth token for an {% data variables.product.prodname_oauth_app %} or a user access token for a {% data variables.product.prodname_github_app %} acting on behalf of a user. The OIDC CAP does not apply when a {% data variables.product.prodname_github_app %} uses an installation access token. See "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app)" and "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy#github-apps-and-oauth-apps)."

{% data reusables.enterprise-accounts.emu-cap-public-preview %}

To ensure seamless use of the OIDC CAP while still applying the policy to OAuth tokens and user access tokens, you must copy all of the IP ranges from each {% data variables.product.prodname_github_app %} that your enterprise uses to your IdP policy.

## Using {% data variables.product.company_short %}'s IP allow list

### Enabling {% data variables.product.company_short %}'s IP allow list

{% data reusables.profile.access_org %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security %}
1. If you're using {% data variables.product.prodname_emus %} with OIDC, under "IP allow list", select the **IP allow list configuration** dropdown menu and click **GitHub**.
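Review bot: the rewritten sentence ("The OIDC CAP applies to web requests and requests to the API using a user token...") states web coverage unconditionally, while the reusable inserted two lines below says web-session protection is in public preview and that existing enterprises must opt in from the "Authentication security" settings. Qualify the sentence, for example "applies to web requests (when protection for web sessions is enabled) and to requests to the API using a user token", so an admin of an existing enterprise does not assume browser sessions are already covered. Also check whether the following paragraph about copying each GitHub App's IP ranges into the IdP policy still reads correctly now that web requests are in scope.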
Expand Down Expand Up @@ -123,7 +125,7 @@ To ensure seamless use of the OIDC CAP while still applying the policy to OAuth

{% endnote %}

{% data reusables.profile.access_org %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security %}
1. Under "IP allow list", select the **IP allow list configuration** dropdown menu and click **Identity Provider**.
Expand Up @@ -21,6 +21,8 @@ redirect_from:

{% data reusables.enterprise-accounts.emu-cap-validates %}

{% data reusables.enterprise-accounts.emu-cap-public-preview %}

{% data variables.product.product_name %} supports CAP for any {% data variables.enterprise.prodname_emu_enterprise %} where OIDC SSO is enabled. Enterprise owners can choose to use this IP allow list configuration instead of {% data variables.product.product_name %}'s IP allow list, and can do so once OIDC SSO is configured. For more information about IP allow lists, see "[AUTOTITLE](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list#about-your-idps-allow-list)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization)."

* {% data variables.product.product_name %} enforces your IdP's IP conditions but cannot enforce your device compliance conditions.
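Review bot: the unchanged bullet directly below the new preview note says {% data variables.product.product_name %} "enforces your IdP's IP conditions but cannot enforce your device compliance conditions". Since this change extends CAP evaluation to web sessions, confirm the limitation still applies to browser sessions and, if it does, say so explicitly here; otherwise a reader may assume that enabling web-session protection adds device-compliance checks.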
Expand Up @@ -23,6 +23,8 @@ With {% data variables.product.prodname_emus %}, your enterprise uses your ident

{% data reusables.enterprise-accounts.emu-cap-validates %} See "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy)."

{% data reusables.enterprise-accounts.emu-cap-public-preview %}

You can adjust the lifetime of a session, and how often a {% data variables.enterprise.prodname_managed_user %} needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for {% data variables.product.prodname_dotcom %} from your IdP. The default lifetime is one hour. See "[Configure token lifetime policies](https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes#create-a-policy-and-assign-it-to-a-service-principal)" in the Microsoft documentation.

To change the lifetime policy property, you will need the object ID associated with your {% data variables.product.prodname_emus %} OIDC. See "[AUTOTITLE](/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/finding-the-object-id-for-your-entra-oidc-application)."
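Review bot: the new note is dropped between the CAP sentence and the paragraph on ID token lifetime (default one hour) with nothing connecting the two. Consider one sentence stating whether enabling web-session protection changes when the CAP IP conditions are re-evaluated for a browser session, or whether that is still governed by the token lifetime the admin configures, since that is the question a reader of this page will have.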
Expand Up @@ -21,6 +21,8 @@ redirect_from:

If your {% data variables.enterprise.prodname_emu_enterprise %} uses SAML SSO to authenticate with Entra ID, you can migrate to OIDC. {% data reusables.enterprise-accounts.emu-cap-validates %}

{% data reusables.enterprise-accounts.emu-cap-public-preview %}

When you migrate from SAML to OIDC, {% data variables.enterprise.prodname_managed_users %} and groups that were previously provisioned for SAML but are not provisioned by the {% data variables.product.prodname_emu_idp_oidc_application %} application will have "(SAML)" appended to their display names.

If you're new to {% data variables.product.prodname_emus %} and haven't yet configured authentication for your enterprise, you do not need to migrate and can set up OIDC single sign-on immediately. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users)."
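Review bot: the inserted note distinguishes "new enterprises that enable IdP CAP support after November 5th, 2024" (protection on by default) from "existing enterprises" (opt-in), but this article is for enterprises migrating from SAML to OIDC, which enable OIDC CAP support for the first time without being new enterprises. State which case applies after migration, so admins know whether they must opt in from "Authentication security" after switching to OIDC.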
Expand Up @@ -27,12 +27,12 @@ If your country is not on this list, then we aren't currently able to reliably d
<li>Austria</li>
<li>Bahamas</li>
<li>Bahrain</li>
<li>Bangladesh</li>
<li>Belarus</li>
<li>Belgium</li>
<li>Benin</li>
<li>Bolivia</li>
<li>Bosnia and Herzegovina</li>
<li>Brazil</li>
<li>Brunei</li>
<li>Bulgaria</li>
<li>Burundi</li>
Expand Down Expand Up @@ -65,15 +65,13 @@ If your country is not on this list, then we aren't currently able to reliably d
<li>Hungary</li>
<li>Iceland</li>
<li>India</li>
<li>Indonesia</li>
<li>Ireland</li>
<li>Israel</li>
<li>Italy</li>
<li>Ivory Coast</li>
<li>Jamaica</li>
<li>Japan</li>
<li>Jordan</li>
<li>Kazakhstan</li>
<li>Kuwait</li>
<li>Latvia</li>
<li>Libya</li>
Expand All @@ -98,7 +96,6 @@ If your country is not on this list, then we aren't currently able to reliably d
<li>New Zealand</li>
<li>Nigeria</li>
<li>Norway</li>
<li>Philippines</li>
<li>Poland</li>
<li>Portugal</li>
<li>Qatar</li>
Expand Down Expand Up @@ -127,7 +124,7 @@ If your country is not on this list, then we aren't currently able to reliably d
<li>United Arab Emirates</li>
<li>United Kingdom</li>
<li>United States</li>
<li>Uzbekistan</li>
<li>Uruguay</li>
<li>Venezuela</li>
</ul>

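Review bot: this and the three preceding hunks remove several countries from the list and replace "Uzbekistan" with "Uruguay" (the only change that is unambiguous in the rendered diff, which carries no +/- markers). Because the surrounding sentence "If your country is not on this list, then we aren't currently able to reliably d..." makes membership in this list user-visible, the removals change behaviour for real users; the "Repo sync" commit message gives no rationale, so please name the removed countries and the reason in the PR description or a changelog entry.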
6 changes: 1 addition & 5 deletions data/reusables/enterprise-accounts/azure-emu-support-oidc.md
@@ -1,5 +1 @@
{% note %}

**Note:** OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for {% data variables.product.prodname_emus %} is only available for Microsoft Entra ID (previously known as Azure AD).

{% endnote %}
>[!NOTE] OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for {% data variables.product.prodname_emus %} is only available for Microsoft Entra ID (previously known as Azure AD).
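Review bot: the converted alert puts the body text on the same line as the `>[!NOTE]` marker, with no space after `>`. GitHub-flavored markdown alerts expect `> [!NOTE]` on its own line with the body on the following `>` lines; if the docs renderer tolerates the one-line form this is fine, but please confirm it renders as an alert rather than as a blockquote containing a literal "[!NOTE]". The new emu-cap-public-preview.md reusable uses the same one-line form, so both should be checked together.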
5 changes: 5 additions & 0 deletions data/reusables/enterprise-accounts/emu-cap-public-preview.md
@@ -0,0 +1,5 @@
>[!NOTE] CAP protection for web sessions is currently in {% data variables.release-phases.public_preview %} and may change.
>
> New enterprises that enable IdP CAP support after November 5th, 2024, will have protection for web sessions enabled by default.
>
> Existing enterprises that already enabled IdP CAP support can opt into extended protection for web sessions from their enterprise's "Authentication security" settings.
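Review bot: the last line tells existing enterprises they can opt in from the enterprise's "Authentication security" settings but links to no procedure; add an AUTOTITLE link to the article that documents that setting so readers can act on it. This reusable is also now included on four pages in this commit, so the hard-coded "November 5th, 2024" cutoff will need revisiting when the preview ends; worth a tracking issue.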
2 changes: 1 addition & 1 deletion data/reusables/enterprise-accounts/emu-cap-validates.md
@@ -1 +1 @@
When your enterprise uses OIDC SSO, {% data variables.product.prodname_dotcom %} will automatically use your IdP's conditional access policy (CAP) IP conditions to validate interactions with {% data variables.product.prodname_dotcom %} when members change IP addresses, and for each authentication with a {% data variables.product.pat_generic %} or SSH key associated with a user account.
When your enterprise uses OIDC SSO, {% data variables.product.prodname_dotcom %} will automatically use your IdP's conditional access policy (CAP) IP conditions to validate interactions with {% data variables.product.prodname_dotcom %} when members use the web UI or change IP addresses, and for each authentication with a {% data variables.product.pat_generic %} or SSH key associated with a user account.
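Review bot: "when members use the web UI or change IP addresses" presents web-UI use as an unconditional trigger, but the new preview note says web-session protection is opt-in for existing enterprises. Since this reusable is pulled into several articles, it should carry the same qualification, otherwise the two reusables contradict each other wherever they appear together.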
2 changes: 1 addition & 1 deletion src/archives/middleware/archived-enterprise-versions.ts
Expand Up @@ -234,7 +234,7 @@ export default async function archivedEnterpriseVersions(
)
.replaceAll(
`${OLD_AZURE_BLOB_ENTERPRISE_DIR}/${requestedVersion}/`,
`${req.protocol}://${req.get('host')}/enterprise-server@${requestedVersion}/`,
`${req.protocol}://${req.get('x-forwarded-host') || req.get('host')}/enterprise-server@${requestedVersion}/`,
)
}

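Review bot: `req.get('x-forwarded-host') || req.get('host')` builds absolute URLs from a request header any client can set. If the edge proxy does not overwrite `X-Forwarded-Host` on every request, an attacker-supplied value is written into the rewritten links, which is the classic host-header injection path to off-site redirects and cache poisoning of the rewritten page. Before merging, confirm the edge (Fastly, per the headers in remote-ip.ts) sets or strips this header unconditionally, and consider validating the value against the hostnames the site actually serves, falling back to `req.get('host')` otherwise. Note that `req.get()` returns the raw header regardless of Express's `trust proxy` setting; `req.hostname` would at least honour that setting.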
2 changes: 2 additions & 0 deletions src/frame/middleware/remote-ip.ts
Expand Up @@ -7,6 +7,8 @@ export default function remoteIp(req: Request, res: Response) {
res.json({
ip: req.ip,
'x-forwarded-for': req.headers['x-forwarded-for'] || null,
'x-forwarded-host': req.headers['x-forwarded-host'] || null,
host: req.headers['host'] || null,
'fastly-client-ip': req.headers['fastly-client-ip'] || null,
})
}
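Review bot: the endpoint now echoes `x-forwarded-host` and `host` verbatim next to the existing forwarded headers. That is useful for diagnosing the archive-URL change, but it reflects unvalidated request headers into a JSON body; make sure the route is limited to internal or authenticated diagnostics, and consider returning the value the archive middleware will actually trust (after any host validation) rather than the raw header, so the debug output matches what the application uses.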
2 changes: 1 addition & 1 deletion src/github-apps/lib/config.json
Expand Up @@ -60,5 +60,5 @@
"2022-11-28"
]
},
"sha": "10e2f151b45a960f135417e71bd6f0ac5ce0aa97"
"sha": "8f64fcb5cee86e8cf793e6129b230f8fbedaf96c"
}