Switching your SAML configuration from an organization to an enterprise account

Learn special considerations and best practices for replacing an organization-level SAML configuration with an enterprise-level SAML configuration.

Enterprise owners can configure SAML single sign-on for an enterprise account.

企业帐户可用于 GitHub Enterprise Cloud 和 GitHub Enterprise Server。 更多信息请参阅“关于企业帐户”。

Note: If your enterprise uses Enterprise Managed Users, you must follow a different process to configure SAML single sign-on. For more information, see "Configuring SAML single sign-on for Enterprise Managed Users."

关于企业帐户的 SAML 单点登录

SAML 单点登录 (SSO) 为 GitHub 上的组织所有者和企业所有者提供一种控制安全访问仓库、议题和拉取请求等组织资源的方法。 企业所有者可以通过 SAML IdP 跨企业帐户拥有的所有组织启用 SAML SSO 和集中式身份验证。 为企业帐户启用 SAML SSO 后,默认情况下会为您的企业帐户拥有的所有组织实施 SAML SSO。 所有成员都需要使用 SAML SSO 进行身份验证才能访问其所属的组织,并且企业所有者在访问企业帐户时需要使用 SAML SSO 进行身份验证。

There are special considerations when enabling SAML SSO for your enterprise account if any of the organizations owned by the enterprise account are already configured to use SAML SSO.

When you configure SAML SSO at the organization level, each organization must be configured with a unique SSO tenant in your IdP, which means that your members will be associated with a unique SAML identity record for each organization they have successfully authenticated with. If you configure SAML SSO for your enterprise account instead, each enterprise member will have one SAML identity that is used for all organizations owned by the enterprise account.

After you configure SAML SSO for your enterprise account, the new configuration will override any existing SAML SSO configurations for organizations owned by the enterprise account.

Enterprise members will not be notified when an enterprise owner enables SAML for the enterprise account. If SAML SSO was previously enforced at the organization level, members should not see a major difference when navigating directly to organization resources. The members will continue to be prompted to authenticate via SAML. If members navigate to organization resources via their IdP dashboard, they will need to click the new tile for the enterprise-level app, instead of the old tile for the organization-level app. The members will then be able to choose the organization to navigate to.

Any personal access tokens (PATs), SSH keys, OAuth 应用程序, and GitHub 应用程序 that were previously authorized for the organization will continue to be authorized for the organization. However, members will need to authorize any PATs, SSH keys, OAuth 应用程序, and GitHub 应用程序 that were never authorized for use with SAML SSO for the organization.

SCIM provisioning is not currently supported when SAML SSO is configured for an enterprise account. If you are currently using SCIM for an organization owned by your enterprise account, you will lose this functionality when switching to an enterprise-level configuration.

You are not required to remove any organization-level SAML configurations before configuring SAML SSO for your enterprise account, but you may want to consider doing so. If SAML is ever disabled for the enterprise account in the future, any remaining organization-level SAML configurations will take effect. Removing the organization-level configurations can prevent unexpected issues in the future.

Switching your SAML configuration from an organization to an enterprise account

  1. Enforce SAML SSO for your enterprise account, making sure all organization members are assigned or given access to the IdP app being used for the enterprise account. 更多信息请参阅“配置企业的 SAML 单点登录”。
  2. Optionally, remove any existing SAML configuration for organizations owned by the enterprise account. To help you decide whether to remove the configurations, see "About SAML single sign-on for enterprise accounts."
  3. If you kept any organization-level SAML configurations in place, to prevent confusion, consider hiding the tile for the organization-level apps in your IdP.
  4. Advise your enterprise members about the change.

此文档对您有帮助吗?

隐私政策

帮助我们创建出色的文档!

所有 GitHub 文档都是开源的。看到错误或不清楚的内容了吗?提交拉取请求。

做出贡献

或者, 了解如何参与。