
Configuring SAML single sign-on and SCIM using Okta

You can use Security Assertion Markup Language (SAML) single sign-on (SSO) and System for Cross-domain Identity Management (SCIM) with Okta to automatically manage access to your organization on GitHub.com.

Organization owners can configure SAML SSO and SCIM using Okta for an organization.

About SAML and SCIM with Okta

You can control access to your organization on GitHub.com and other web applications from one central interface by configuring the organization to use SAML SSO and SCIM with Okta, an Identity Provider (IdP).

SAML SSO controls and secures access to organization resources like repositories, issues, and pull requests. SCIM automatically adds, manages, and removes members' access to your organization on GitHub.com when you make changes in Okta. For more information, see "About identity and access management with SAML single sign-on" and "About SCIM."

After you enable SCIM, the following provisioning features are available for any users that you assign your GitHub Enterprise Cloud application to in Okta.

| Feature | Description |
| --- | --- |
| Push New Users | When you create a new user in Okta, the user will receive an email to join your organization on GitHub.com. |
| Push User Deactivation | When you deactivate a user in Okta, Okta will remove the user from your organization on GitHub.com. |
| Push Profile Updates | When you update a user's profile in Okta, Okta will update the metadata for the user's membership in your organization on GitHub.com. |
| Reactivate Users | When you reactivate a user in Okta, Okta will send an email invitation for the user to rejoin your organization on GitHub.com. |

Alternatively, you can configure SAML SSO for an enterprise using Okta. SCIM for enterprise accounts is only available with Enterprise Managed Users. For more information, see "Configuring SAML single sign-on for your enterprise using Okta" and "Configuring SCIM provisioning for Enterprise Managed Users with Okta."

Adding the GitHub Enterprise Cloud application in Okta

  1. Sign in to your Okta account.
  2. Navigate to the Github Enterprise Cloud - Organization application in the Okta Integration Network and click Add Integration.
  3. Optionally, to the right of "Application label", type a descriptive name for the application.
  4. In the GitHub Organization field, type the name of your organization on GitHub.com. For example, if your organization's URL is https://github.com/octo-org, the organization name would be octo-org.
  5. Click Done.

Enabling and testing SAML SSO

  1. Sign in to your Okta account.
  2. In the left sidebar, use the Applications dropdown and click Applications.
  3. In the list of applications, click the label for the application you created for the organization that uses GitHub Enterprise Cloud.
  4. Assign the application to your user in Okta. For more information, see Assign applications to users in the Okta documentation.
  5. Under the name of the application, click Sign on.
  6. Under "SIGN ON METHODS", click View Setup Instructions.
  7. Enable and test SAML SSO on GitHub using the sign on URL, issuer URL, and public certificates from the "How to Configure SAML 2.0" guide. For more information, see "Enabling and testing SAML single sign-on for your organization."

Configuring access provisioning with SCIM in Okta

  1. In the left sidebar, use the Applications dropdown and click Applications.

  2. In the list of applications, click the label for the application you created for the organization that uses GitHub Enterprise Cloud.

  3. Under the name of the application, click Provisioning.

  4. Click Configure API Integration.

  5. Select Enable API integration.

  6. Click Authenticate with Github Enterprise Cloud - Organization.

  7. To the right of your organization's name, click Grant.

    Note: If you don't see your organization in the list, go to https://github.com/orgs/ORGANIZATION-NAME/sso in your browser and authenticate with your organization via SAML SSO using your administrator account on the IdP. For example, if your organization's name is octo-org, the URL would be https://github.com/orgs/octo-org/sso. For more information, see "About authentication with SAML single sign-on."

  8. Click Authorize OktaOAN.

  9. Click Save.

  10. To avoid syncing errors and confirm that your users have SAML enabled and SCIM linked identities, we recommend you audit your organization's users. For more information, see "Auditing users for missing SCIM metadata."

  11. To the right of "Provisioning to App", click Edit.

  12. To the right of Create Users, Update User Attributes, and Deactivate Users, select Enable.

  13. Click Save.
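
The audit recommended in step 10 can also be scripted against GitHub's GraphQL API. The Python below is an added example, not part of the original documentation: it classifies the entries returned by the `externalIdentities` connection of an organization's `samlIdentityProvider`. The sample response, the member list, and the helper names (`_edge`, `_attr`, `audit_identities`) are constructed for illustration.

```python
# GraphQL query for https://api.github.com/graphql; page with endCursor in real use.
AUDIT_QUERY = """
query($org: String!, $cursor: String) {
  organization(login: $org) { samlIdentityProvider {
    externalIdentities(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      edges { node { samlIdentity { nameId } scimIdentity { username } user { login } } }
    }
  } }
}
"""

def _edge(login, name_id, scim_username):  # one constructed edge in the query's shape
    return {"node": {
        "user": {"login": login} if login else None,
        "samlIdentity": {"nameId": name_id},
        "scimIdentity": {"username": scim_username} if scim_username else None,
    }}

# Constructed sample data, not output from a real organization.
SAMPLE_RESPONSE = {"data": {"organization": {"samlIdentityProvider": {
    "externalIdentities": {"edges": [
        _edge("mona", "mona@example.com", "mona@example.com"),  # SAML and SCIM linked
        _edge("hubot", "hubot@example.com", None),              # SAML only
        _edge(None, None, "newhire@example.com"),               # no account linked yet
    ]}}}}}
SAMPLE_MEMBERS = ["mona", "hubot", "contractor1"]  # constructed member logins

def _attr(node, identity, field):  # a null object and a null field both give None
    return (node.get(identity) or {}).get(field)

def audit_identities(response, member_logins):
    """Sort external identities and members by the state of their SCIM linkage."""
    idp = response["data"]["organization"]["samlIdentityProvider"]
    if idp is None:
        raise ValueError("SAML SSO is not enabled for this organization")
    report, seen = {"linked": [], "missing_scim": [], "pending_invite": []}, set()
    for node in (edge["node"] for edge in idp["externalIdentities"]["edges"]):
        login = _attr(node, "user", "login")
        scim_username = _attr(node, "scimIdentity", "username")
        if login is None:  # identity exists but no GitHub account is linked to it
            report["pending_invite"].append(scim_username or _attr(node, "samlIdentity", "nameId"))
            continue
        seen.add(login)
        report["linked" if scim_username else "missing_scim"].append(login)
    # Members absent from the IdP's identity list have no SAML or SCIM identity.
    report["no_identity"] = sorted(set(member_logins) - seen)
    return report
```

Accounts reported under `missing_scim` or `no_identity` may not be removed when Okta pushes a deactivation, so resolve them before relying on Push User Deactivation.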

Further reading