Configuring SAML single sign-on for Enterprise Managed Users

You can automatically manage access to your enterprise account on GitHub by configuring Security Assertion Markup Language (SAML) single sign-on (SSO).

To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which are available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

About SAML single sign-on for Enterprise Managed Users

With Enterprise Managed Users, your enterprise uses SAML SSO to authenticate all members. Instead of signing in to GitHub with a GitHub username and password, members of your enterprise will sign in through your IdP.

Enterprise Managed Users supports the following IdPs:

  • Azure Active Directory (Azure AD)
  • Okta

After you configure SAML SSO, we recommend storing your recovery codes so you can recover access to your enterprise in the event that your identity provider is unavailable. For more information, see "Saving your recovery codes."

Configuring SAML single sign-on for Enterprise Managed Users

To configure SAML SSO for your enterprise with managed users, you must configure an application on your IdP and then configure your enterprise on GitHub.com. After you configure SAML SSO, you can configure user provisioning.

To install and configure the GitHub Enterprise Managed User application on your IdP, you must have a tenant and administrative access on a supported IdP.

If you need to reset the password for your setup user, use an incognito or private browsing window to request a new password. When the email arrives with the link to reset your password, copy the link into your browser. For more information on resetting your password, see "Requesting a new password."

  1. Configuring your identity provider
  2. Configuring your enterprise
  3. Enabling provisioning

Configuring your identity provider

To configure your IdP, follow the instructions they provide for configuring the GitHub Enterprise Managed User application on your IdP.

  1. To install the GitHub Enterprise Managed User application, click the link for your IdP below:

  2. To configure the GitHub Enterprise Managed User application and your IdP, click the link below and follow the instructions provided by your IdP:

  3. So you can test and configure your enterprise, assign yourself or the user that will be configuring SAML SSO on GitHub to the GitHub Enterprise Managed User application on your IdP.

  4. To enable you to continue configuring your enterprise on GitHub, locate and note the following information from the application you installed on your IdP:

    Value                              | Other names         | Description
    IdP Sign-On URL                    | Login URL, IdP URL  | Application's URL on your IdP
    IdP Identifier URL                 | Issuer              | IdP's identifier to service providers for SAML authentication
    Signing certificate, Base64-encoded | Public certificate | Public certificate that IdP uses to sign authentication requests

Configuring your enterprise

After you install and configure the GitHub Enterprise Managed User application on your identity provider, you can configure your enterprise.

  1. Sign into GitHub.com as the setup user for your new enterprise with the username @SHORT-CODE_admin.

  2. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  3. In the list of enterprises, click the enterprise you want to view.

  4. In the enterprise account sidebar, click Settings.

  5. In the left sidebar, click Security.

  6. Under "SAML single sign-on", select Require SAML authentication.

  7. Under Sign on URL, type the HTTPS endpoint of your IdP for single sign-on requests that you noted while configuring your IdP.

  8. Under Issuer, type your SAML issuer URL that you noted while configuring your IdP, to verify the authenticity of sent messages.

  9. Under Public Certificate, paste the certificate that you noted while configuring your IdP, to verify SAML responses.

  10. To verify the integrity of the requests from your SAML issuer, click . Then, in the "Signature Method" and "Digest Method" drop-downs, choose the hashing algorithm used by your SAML issuer.

  11. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click Test SAML configuration.

  12. Click Save.

    Note: When you require SAML SSO for your enterprise, the setup user will no longer have access to the enterprise but will remain signed in to GitHub. Only managed users provisioned by your IdP will have access to the enterprise.

  13. To ensure you can still access your enterprise in the event that your identity provider is ever unavailable in the future, click Download, Print, or Copy to save your recovery codes.

Enabling provisioning

After you enable SAML SSO, enable provisioning. For more information, see "Configuring SCIM provisioning for enterprise managed users."

Saving your recovery codes

In the event that your identity provider is unavailable, you can use the setup user and a recovery code to sign in and access your enterprise. If you did not save your recovery codes when you configured SAML SSO, you can still access them from your enterprise's settings.

  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. In the enterprise account sidebar, click Settings.

  4. In the left sidebar, click Security.

  5. Under "Require SAML authentication", click Save your recovery codes.

  6. To save your recovery codes, click Download, Print, or Copy.
