Note: User provisioning for enterprise accounts is currently in private beta and subject to change. To request access to the beta, contact our account management team.
About SAML and SCIM with Okta
You can control access to your enterprise account in GitHub and other web applications from one central interface by configuring the enterprise account to use SAML SSO and SCIM with Okta, an Identity Provider (IdP).
SAML SSO controls and secures access to enterprise account resources like organizations, repositories, issues, and pull requests. SCIM automatically adds, manages, and removes members' access to organizations owned by your enterprise account when you make changes in Okta. For more information, see "Enforcing security settings in your enterprise account."
After you enable SCIM, the following provisioning features are available for any users that you assign your GitHub Enterprise Cloud application to in Okta.
Feature | Description |
---|---|
Push New Users | New users created in Okta will gain access to enterprise account resources, and can optionally be automatically invited to any of the organizations owned by the enterprise account |
Push User Deactivation | Deactivating a user in Okta will revoke the user's access to the enterprise account resources and remove the user from all organizations owned by the enterprise account |
Push Profile Updates | Updates made to the user's profile in Okta will be pushed to the user’s enterprise account metadata |
Reactivate Users | Reactivating the user in Okta will re-enable the user's access to the enterprise account and will optionally send email invitations for the user to rejoin any of the organizations owned by the enterprise account that the user was previously a member of |
Prerequisites
You must use the "Classic UI" in Okta. For more information, see Organized Navigation on the Okta blog.
Adding the GitHub Enterprise Cloud application in Okta
- In Okta, in the upper-right corner, click Admin.
- In the Okta Dashboard, click Applications.
- Click Add application.
- In the search field, type "GitHub Enterprise Cloud".
- Click "GitHub Enterprise Cloud - Enterprise Accounts".
- Click Add.
- Optionally, to the right of "Application label", type a descriptive name for the application.
- To the right of "GitHub Enterprises", type the name of your enterprise account. For example, if your enterprise account's URL is `https://github.com/enterprises/octo-corp`, type `octo-corp`.
- Click Done.
Enabling and testing SAML SSO
- In Okta, in the upper-right corner, click Admin.
- In the Okta Dashboard, click Applications.
- Click the label for the application you created for your enterprise account.
- Assign the application to your user in Okta. For more information, see Assign applications to users in the Okta documentation.
- Under the name of the application, click Sign on.
- To the right of Settings, click Edit.
- Under "Configured SAML Attributes", to the right of "groups", use the drop-down menu and select Matches regex.
- To the right of the drop-down menu, type `.*.*`.
- Click Save.
- Under "SIGN ON METHODS", click View Setup Instructions.
Creating groups in Okta
- In Okta, create a group to match each organization owned by your enterprise account. The name of each group must match the account name of the organization (not the organization's display name). For example, if the URL of the organization is `https://github.com/octo-org`, name the group `octo-org`.
- Assign the application you created for your enterprise account to each group. GitHub will receive all `groups` data for each user.
- Add users to groups based on the organizations you'd like users to belong to.
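A pre-flight check for the naming rule above, as an added example that is not part of GitHub's or Okta's documentation: it compares planned Okta group names with organization account names taken from their URLs, and lists groups that the `.*.*` filter releases in the `groups` attribute without mapping to any organization. The function names, `octo-labs`, and the sample group list are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# The "Matches regex" value from the SAML step; it matches every group name.
GROUPS_FILTER = re.compile(r".*.*")

def org_login(url):
    """Return the organization account name from https://github.com/<login>."""
    parts = urlparse(url)
    segments = [s for s in parts.path.split("/") if s]
    if parts.hostname != "github.com" or len(segments) != 1:
        raise ValueError(f"not an organization URL: {url!r}")
    return segments[0]

def _norm(name):
    # Fold case and separators so "Octo Labs" and "octo-labs" compare equal.
    return re.sub(r"[\s_-]+", "", name).lower()

def audit_groups(org_urls, okta_groups):
    """Compare Okta group names with organization account names (exact match)."""
    logins = {org_login(u) for u in org_urls}
    groups = set(okta_groups)
    missing = logins - groups   # organizations with no correctly named group
    extra = groups - logins     # groups that match no organization
    # A near miss usually means the group was named after the display name.
    near = {g: l for g in extra for l in missing if _norm(g) == _norm(l)}
    return {
        "matched": sorted(logins & groups),
        "missing": sorted(missing),
        "near_miss": near,
        "sent_but_unmapped": sorted(
            g for g in extra if g not in near and GROUPS_FILTER.fullmatch(g)
        ),
    }

# Constructed sample input: one correct group, one named after a display
# name, and one unrelated group that the filter still sends to GitHub.
SAMPLE_ORG_URLS = ["https://github.com/octo-org", "https://github.com/octo-labs"]
SAMPLE_OKTA_GROUPS = ["octo-org", "Octo Labs", "Finance"]

if __name__ == "__main__":
    for key, value in audit_groups(SAMPLE_ORG_URLS, SAMPLE_OKTA_GROUPS).items():
        print(f"{key}: {value}")
```

Run it against an export of your Okta group names before adding push groups; entries under `near_miss` need renaming to the organization account name.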
Configuring user provisioning with SCIM in Okta
If you're participating in the private beta for user provisioning for enterprise accounts, when you enable SAML for your enterprise account, SCIM provisioning and deprovisioning is enabled by default in GitHub. You can use provisioning to manage organization membership by configuring SCIM in your IdP.
To configure user provisioning with SCIM in Okta, you must authorize an OAuth application to create a token that Okta can use to authenticate to GitHub on your behalf. The okta-oauth application is created by Okta in partnership with GitHub.
- In Okta, in the upper-right corner, click Admin.
- In the Okta Dashboard, click Applications.
- Click the label for the application you created for your enterprise account.
- Under the name of the application, click Provisioning.
- Click Configure API Integration.
- Select Enable API integration.
- Click Authenticate with Github Enterprise Cloud - Enterprise Accounts.
- To the right of your enterprise account's name, click Grant.
- Click Authorize okta-oauth.
- Click Save.
- To the right of "Provisioning to App", click Edit.
- To the right of "Create Users", select Enable.
- To the right of "Update User Attributes", select Enable.
- To the right of "Deactivate Users", select Enable.
- Click Save.
- Under the name of the application, click Push Groups.
- Use the Push Groups drop-down menu, and select Find groups by name.
- Add a push group for each organization in your enterprise account that you want to enable user provisioning for.
  - Under "PUSH GROUPS BY NAME", search for a group that corresponds to an organization owned by your enterprise account, then click the group in the search results.
  - To the right of the group name, in the "Match results & push action" drop-down menu, verify that Create Group is selected.
  - Click Save.
  - Repeat for each organization.
- Under the name of your application, click Assignments.
- If you see Provision users, users who were a member of an Okta group before you added a push group for that group have not been provisioned. To send SCIM data to GitHub for these users, click Provision users.
Enabling SAML user provisioning
After you enable SCIM provisioning and deprovisioning, you can optionally enable SAML user provisioning and deprovisioning.
- Visit your enterprise account at `https://github.com/enterprises/ENTERPRISE-NAME`, replacing `ENTERPRISE-NAME` with the name of your enterprise account.
- In the enterprise account sidebar, click Settings.
- In the left sidebar, click Security.
- Under "SAML User Provisioning", select Enable SAML user provisioning.
- Click Save.
- Optionally, enable SAML user deprovisioning.
  - Select Enable SAML user deprovisioning, then click Save.
  - Read the warning, then click Enable SAML deprovisioning.