Add latest changes from gitlab-org/gitlab@13-12-stable-eev13.12.0-rc42

6 files changed, 21 insertions, 18 deletions

diff --git a/doc/user/group/saml_sso/group_managed_accounts.md b/doc/user/group/saml_sso/group_managed_accounts.md
index a9b1901bc8c..d62b569a795 100644
--- a/doc/user/group/saml_sso/group_managed_accounts.md
+++ b/doc/user/group/saml_sso/group_managed_accounts.md
@@ -104,9 +104,11 @@ This expiration date is not a requirement, and can be set to any arbitrary date.
 
 Since personal access tokens are the only token needed for programmatic access to GitLab, organizations with security requirements may want to enforce more protection to require regular rotation of these tokens.
 
-### Setting a limit
+### Set a limit
 
-Only a GitLab administrator or an owner of a group-managed account can set a limit. When this field is left empty, the [instance-level restriction](../../admin_area/settings/account_and_limit_settings.md#limiting-lifetime-of-personal-access-tokens) on the lifetime of personal access tokens apply.
+Only a GitLab administrator or an owner of a group-managed account can set a limit. When this field
+is left empty, the [instance-level restriction](../../admin_area/settings/account_and_limit_settings.md#limit-the-lifetime-of-personal-access-tokens)
+on the lifetime of personal access tokens apply.
 
 To set a limit on how long personal access tokens are valid for users in a group managed account:
 
diff --git a/doc/user/group/saml_sso/img/group_saml_settings_v13_12.png b/doc/user/group/saml_sso/img/group_saml_settings_v13_12.png
new file mode 100644
index 00000000000..2271f281655
--- /dev/null
+++ b/doc/user/group/saml_sso/img/group_saml_settings_v13_12.png
diff --git a/doc/user/group/saml_sso/img/group_saml_settings_v13_3.png b/doc/user/group/saml_sso/img/group_saml_settings_v13_3.png
deleted file mode 100644
index f6450c7c1ba..00000000000
--- a/doc/user/group/saml_sso/img/group_saml_settings_v13_3.png
+++ /dev/null
diff --git a/doc/user/group/saml_sso/img/saml_group_links_nav_v13_6.png b/doc/user/group/saml_sso/img/saml_group_links_nav_v13_6.png
deleted file mode 100644
index c1980b24a6d..00000000000
--- a/doc/user/group/saml_sso/img/saml_group_links_nav_v13_6.png
+++ /dev/null
diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md
index f2f28046443..1864547c57f 100644
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -66,6 +66,9 @@ the user details need to be passed to GitLab as SAML assertions.
 At a minimum, the user's email address *must* be specified as an assertion named `email` or `mail`.
 See [the assertions list](../../../integration/saml.md#assertions) for other available claims.
 
+NOTE:
+The `username` assertion is not supported for GitLab.com SaaS integrations.
+
 ### Metadata configuration
 
 GitLab provides metadata XML that can be used to configure your identity provider.
@@ -82,21 +85,21 @@ After you set up your identity provider to work with GitLab, you must configure
 1. Find the SSO URL from your identity provider and enter it the **Identity provider single sign-on URL** field.
 1. Find and enter the fingerprint for the SAML token signing certificate in the **Certificate** field.
 1. Select the access level to be applied to newly added users in the **Default membership role** field. The default access level is 'Guest'.
-1. Select the **Enable SAML authentication for this group** toggle switch.
+1. Select the **Enable SAML authentication for this group** checkbox.
 1. Select the **Save changes** button.
 
-![Group SAML Settings for GitLab.com](img/group_saml_settings_v13_3.png)
+![Group SAML Settings for GitLab.com](img/group_saml_settings_v13_12.png)
 
 NOTE:
 Please note that the certificate [fingerprint algorithm](../../../integration/saml.md#notes-on-configuring-your-identity-provider) must be in SHA1. When configuring the identity provider, use a secure signature algorithm.
 
 ### SSO enforcement
 
-- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5291) in GitLab 11.8.
-- [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/9255) in GitLab 11.11 with ongoing enforcement in the GitLab UI.
-- [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/292811) in GitLab 13.8, with an updated timeout experience.
-- [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/211962) in GitLab 13.8 with allowing group owners to not go through SSO.
-- [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/9152) in GitLab 13.11 with enforcing open SSO session to use Git if this setting is switched on.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5291) in GitLab 11.8.
+> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/9255) in GitLab 11.11 with ongoing enforcement in the GitLab UI.
+> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/292811) in GitLab 13.8, with an updated timeout experience.
+> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/211962) in GitLab 13.8 with allowing group owners to not go through SSO.
+> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/9152) in GitLab 13.11 with enforcing open SSO session to use Git if this setting is switched on.
 
 With this option enabled, users (except owners) must go through your group's GitLab single sign-on URL if they wish to access group resources through the UI. Users can't be manually added as members.
 
@@ -322,11 +325,9 @@ Ensure your SAML identity provider sends an attribute statement named `Groups` o
 ```
 
 When SAML SSO is enabled for the top-level group, `Maintainer` and `Owner` level users
-see a new menu item in group **Settings -> SAML Group Links**. Each group (parent or subgroup) can specify
+see a new menu item in group **Settings > SAML Group Links**. Each group (parent or subgroup) can specify
 one or more group links to map a SAML identity provider group name to a GitLab access level.
 
-![SAML Group Links navigation](img/saml_group_links_nav_v13_6.png)
-
 To link the SAML `Freelancers` group in the attribute statement example above:
 
 1. Enter `Freelancers` in the `SAML Group Name` field.
diff --git a/doc/user/group/saml_sso/scim_setup.md b/doc/user/group/saml_sso/scim_setup.md
index 7bf54aea60e..65b3e2d095d 100644
--- a/doc/user/group/saml_sso/scim_setup.md
+++ b/doc/user/group/saml_sso/scim_setup.md
@@ -71,7 +71,7 @@ your SAML configuration differs from [the recommended SAML settings](index.md#az
 modify the corresponding `customappsso` settings accordingly. If a mapping is not listed in the
 table, use the Azure defaults.
 
-| Azure Active Directory Attribute | customappsso Attribute | Matching precedence |
+| Azure Active Directory Attribute | `customappsso` Attribute | Matching precedence |
 | -------------------------------- | ---------------------- | -------------------- |
 | `objectId`                       | `externalId`           | 1 |
 | `userPrincipalName`              | `emails[type eq "work"].value` |  |
@@ -129,11 +129,11 @@ configuration. Otherwise, the Okta SCIM app may not work properly.
     - For **API Token** enter the SCIM token obtained from the GitLab SCIM configuration page
 1. Click 'Test API Credentials' to verify configuration.
 1. Click **Save** to apply the settings.
-1. After saving the API integration details, new settings tabs will appear on the left. Choose **To App**.
+1. After saving the API integration details, new settings tabs appear on the left. Choose **To App**.
 1. Click **Edit**.
 1. Check the box to **Enable** for both **Create Users** and **Deactivate Users**.
 1. Click **Save**.
-1. Assign users in the **Assignments** tab. Assigned users will be created and
+1. Assign users in the **Assignments** tab. Assigned users are created and
    managed in your GitLab group.
 
 #### Okta Known Issues
@@ -212,7 +212,7 @@ Ensure that the user has been added to the SCIM app.
 
 If you receive "User is not linked to a SAML account", then most likely the user already exists in GitLab. Have the user follow the [User access and linking setup](#user-access-and-linking-setup) instructions.
 
-The **Identity** (`extern_uid`) value stored by GitLab is updated by SCIM whenever `id` or `externalId` changes. Users won't be able to sign in unless the GitLab Identity (`extern_uid`) value matches the `NameId` sent by SAML.
+The **Identity** (`extern_uid`) value stored by GitLab is updated by SCIM whenever `id` or `externalId` changes. Users cannot sign in unless the GitLab Identity (`extern_uid`) value matches the `NameId` sent by SAML.
 
 This value is also used by SCIM to match users on the `id`, and is updated by SCIM whenever the `id` or `externalId` values change.
 
@@ -242,9 +242,9 @@ you can address the problem in the following ways:
 - You can have users unlink and relink themselves, based on the ["SAML authentication failed: User has already been taken"](index.md#message-saml-authentication-failed-user-has-already-been-taken) section.
 - You can unlink all users simultaneously, by removing all users from the SAML app while provisioning is turned on.
 - It may be possible to use the [SCIM API](../../../api/scim.md#update-a-single-scim-provisioned-user) to manually correct the `externalId` stored for users to match the SAML `NameId`.
-  To look up a user, you'll need to know the desired value that matches the `NameId` as well as the current `externalId`.
+  To look up a user, you need to know the desired value that matches the `NameId` as well as the current `externalId`.
 
-It is important not to update these to incorrect values, since this will cause users to be unable to sign in. It is also important not to assign a value to the wrong user, as this would cause users to get signed into the wrong account.
+It is important not to update these to incorrect values, since this causes users to be unable to sign in. It is also important not to assign a value to the wrong user, as this causes users to get signed into the wrong account.
 
 ### I need to change my SCIM app