Enabling guest collaborators

You can use the role of guest collaborator to grant limited access to vendors and contractors in your enterprise.

About guest collaborators

Note

The guest collaborator role is only available with Enterprise Managed Users.

If your enterprise uses Enterprise Managed Users, you can use the role of guest collaborator to grant limited access to vendors and contractors. For more information, see "Roles in an enterprise."

All repository access for organization members, including guest collaborators, is governed by the base permission policy for the organization. For more information, see "Setting base permissions for an organization."

If you use Microsoft Entra ID (previously known as Azure AD) or Okta for SAML authentication, or if you use Entra ID for OIDC authentication, you may need to update your IdP application to use guest collaborators.

Enabling guest collaborators with Entra ID

  1. Sign in to the Microsoft Azure portal.

  2. Click Identity.

  3. Click Applications.

  4. Click Enterprise applications.

  5. Click All applications.

  6. View the details for your Enterprise Managed Users application.

  7. In the left sidebar, click Users and Groups.

  8. View the application registration.

    • If the application registration displays the "Restricted User" or "Guest Collaborator" roles, you're ready to invite guest collaborators to your enterprise.
    • If the application registration does not display the roles, proceed to the next step.
  9. In the Azure portal, click App registrations.

  10. Click All applications, then use the search bar to find your application for Enterprise Managed Users.

  11. Click your SAML or OIDC application.

  12. In the left sidebar, click Manifest.

  13. Search for the following id: 1ebc4a02-e56c-43a6-92a5-02ee09b90824 within the Manifest file:

    • If the id is not present, proceed to the next step.
    • If the id is present, review the description and displayName values. If the values are not set to Guest Collaborator, rename both to Guest Collaborator, then proceed to step 15.
  14. Under the appRoles object, add the following block:

    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Guest Collaborator",
      "displayName": "Guest Collaborator",
      "id": "1ebc4a02-e56c-43a6-92a5-02ee09b90824",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "value": null
    },
    

    Note: The id value is critical. If another id value is present, the update will fail.

  15. Click Save.
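
The check in steps 13 and 14, written as a script over a copy of the manifest JSON. This is an added example, not part of GitHub's documentation or tooling. The function name `ensure_guest_role`, the sample manifest, and the choice to report a role named Guest Collaborator under a different id for manual review are assumptions.

```python
import copy
import json

# id and names come from the manifest block in the steps above.
ROLE_ID = "1ebc4a02-e56c-43a6-92a5-02ee09b90824"
ROLE_NAME = "Guest Collaborator"
GUEST_ROLE = {
    "allowedMemberTypes": ["User"], "description": ROLE_NAME,
    "displayName": ROLE_NAME, "id": ROLE_ID, "isEnabled": True,
    "lang": None, "origin": "Application", "value": None,
}


def ensure_guest_role(manifest):
    """Return (patched_manifest, action, conflicts); the input is not mutated.

    action: "added" (step 14), "renamed" (step 13) or "unchanged".
    conflicts: ids of other roles already named Guest Collaborator (assumed
    worth a manual review, since the id value is critical).
    """
    patched = copy.deepcopy(manifest)
    roles = patched.setdefault("appRoles", [])
    same_id = [r for r in roles if str(r.get("id", "")).lower() == ROLE_ID]
    conflicts = [
        r.get("id") for r in roles
        if r not in same_id
        and ROLE_NAME in (r.get("displayName"), r.get("description"))
    ]
    if not same_id:
        roles.append(copy.deepcopy(GUEST_ROLE))
        return patched, "added", conflicts
    role = same_id[0]
    if role.get("displayName") == role.get("description") == ROLE_NAME:
        return patched, "unchanged", conflicts
    role["displayName"] = role["description"] = ROLE_NAME
    return patched, "renamed", conflicts


# Constructed sample manifest: the id is present under a different name.
SAMPLE = json.loads("""{"appRoles": [{
  "id": "1ebc4a02-e56c-43a6-92a5-02ee09b90824", "isEnabled": true,
  "displayName": "Restricted User", "description": "Restricted User",
  "allowedMemberTypes": ["User"], "origin": "Application", "value": null}]}""")

if __name__ == "__main__":
    patched, action, conflicts = ensure_guest_role(SAMPLE)
    print(action, conflicts)
    print(json.dumps(patched["appRoles"], indent=2))
```

Running the function a second time on its own output returns "unchanged", so the check can be repeated before and after saving the manifest.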

Enabling guest collaborators with Okta

To add the guest collaborator role to your Okta application:

  1. Navigate to your application for Enterprise Managed Users on Okta.

  2. Click Provisioning.

  3. Click Go to Profile Editor.

  4. Find "Roles" at the bottom of the profile editor and click the edit icon.

  5. Add a new role.

    • For "Display name", type Guest Collaborator.
    • For "Value", type guest_collaborator.
  6. Click Save.

Enabling guest collaborators with PingFederate

For more information about adding guest collaborators using PingFederate, see "Configure PingFederate for provisioning and SSO."

Enabling guest collaborators with the GitHub REST API

For more information about adding guest collaborators with SCIM using GitHub's REST API, see "Provisioning users and groups with SCIM using the REST API."

Adding guest collaborators to your enterprise

After you enable guest collaborators, you can add guest collaborators to your enterprise as you would any other user. For more information, see "Configuring SCIM provisioning for Enterprise Managed Users."

When you have added a guest collaborator to your enterprise, to give the user access to repositories in the enterprise, you can do either of the following things.

  • To give the user access to repositories in an organization, add the user as a member of the organization. The base permission policy for the organization determines whether the guest collaborator has access to internal and private repositories. If the base permission is set to "No permission", the guest collaborator will not have access to internal and private repositories unless added directly to one of the repositories as a collaborator, or through an authorized team. For more information, see "Setting base permissions for an organization."
  • To give the user access to specific repositories, add the guest collaborator to the repositories as a repository collaborator. This gives the user access to the repository without giving them access to other internal or private repositories in the same organization. For more information, see "Roles in an organization."