
Configuring OIDC for Enterprise Managed Users

You can automatically manage access to your enterprise account on GitHub by configuring OpenID Connect (OIDC) single sign-on (SSO), which also enables support for your IdP's Conditional Access Policy (CAP).

To manage the users in your enterprise with an identity provider, you must enable Enterprise Managed Users for your enterprise, which is available for GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

Note: OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for Enterprise Managed Users is in public beta and only available for Azure AD.

About OIDC for Enterprise Managed Users

With Enterprise Managed Users, your enterprise uses your identity provider (IdP) to authenticate all members. You can use OpenID Connect (OIDC) to manage authentication for your enterprise with managed users. Enabling OIDC SSO is a one-click setup process, with certificates managed by GitHub and your IdP.

When your enterprise uses OIDC SSO, GitHub automatically uses the IP conditions of your IdP's conditional access policy (CAP) to validate user interactions with GitHub: when members change IP addresses, and each time a personal access token or SSH key is used. For more information, see "About support for your IdP's Conditional Access Policy."

You can adjust the lifetime of a session, and how often a managed user account needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens your IdP issues for GitHub. The default lifetime is one hour. For more information, see "Configurable token lifetimes in the Microsoft identity platform" in the Azure AD documentation.
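The lifetime change described above is made in Azure AD, not on GitHub: you create a `tokenLifetimePolicy` and assign it to the GitHub Enterprise Managed User (OIDC) application object. The following is an added example, not code from this page or from GitHub. It builds the Microsoft Graph request bodies for that policy (the `AccessTokenLifetime` setting governs ID tokens as well as access tokens), validates the `d.hh:mm:ss` lifetime against the 10-minute to 1-day range Azure AD accepts, and optionally sends the two requests. The Graph endpoints are the documented `POST /policies/tokenLifetimePolicies` and `POST /applications/{id}/tokenLifetimePolicies/$ref`; the application object ID and the bearer token (which needs `Policy.ReadWrite.ApplicationConfiguration`) are assumed placeholders you must supply.

```python
"""Build, validate and (optionally) apply an Azure AD token lifetime policy
for the GitHub Enterprise Managed User (OIDC) app. Added example; endpoints
follow Microsoft Graph v1.0 documentation, IDs and tokens are placeholders."""
import json
import re
import urllib.request
from datetime import timedelta

GRAPH = "https://graph.microsoft.com/v1.0"

# Azure AD accepts 10 minutes to 1 day for access/ID token lifetimes.
MIN_LIFETIME = timedelta(minutes=10)
MAX_LIFETIME = timedelta(days=1)

# Policy durations use the "d.hh:mm:ss" form; the day part is optional.
_DURATION = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$")


def parse_lifetime(value: str) -> timedelta:
    """Parse a policy duration string and enforce the allowed range."""
    match = _DURATION.match(value)
    if not match:
        raise ValueError(f"lifetime {value!r} is not in d.hh:mm:ss or hh:mm:ss form")
    days, hours, minutes, seconds = (int(part or 0) for part in match.groups())
    lifetime = timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)
    if not MIN_LIFETIME <= lifetime <= MAX_LIFETIME:
        raise ValueError(f"lifetime {value!r} is outside the 10-minute to 1-day range")
    return lifetime


def policy_payload(lifetime: str, display_name: str) -> dict:
    """Body for POST /policies/tokenLifetimePolicies.

    Graph expects the policy definition as a JSON *string* inside a JSON array,
    so the inner object is serialized separately.
    """
    parse_lifetime(lifetime)  # fail early on a malformed or out-of-range value
    definition = {"TokenLifetimePolicy": {"Version": 1, "AccessTokenLifetime": lifetime}}
    return {
        "definition": [json.dumps(definition)],
        "displayName": display_name,
        # Scope the policy to the GitHub app only; do not make it the tenant default.
        "isOrganizationDefault": False,
    }


def assignment_payload(policy_id: str) -> dict:
    """Body for POST /applications/{app-object-id}/tokenLifetimePolicies/$ref."""
    return {"@odata.id": f"{GRAPH}/policies/tokenLifetimePolicies/{policy_id}"}


def graph_post(path: str, body: dict, bearer_token: str) -> dict:
    """Send one authenticated POST to Graph and return the parsed JSON (if any)."""
    request = urllib.request.Request(
        f"{GRAPH}{path}",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {bearer_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(request) as response:
        raw = response.read()
    return json.loads(raw) if raw else {}


def apply_policy(bearer_token: str, app_object_id: str, lifetime: str,
                 display_name: str = "GitHub EMU session lifetime") -> str:
    """Create the policy and bind it to the GitHub EMU (OIDC) app; returns the policy ID."""
    created = graph_post("/policies/tokenLifetimePolicies",
                         policy_payload(lifetime, display_name), bearer_token)
    graph_post(f"/applications/{app_object_id}/tokenLifetimePolicies/$ref",
               assignment_payload(created["id"]), bearer_token)
    return created["id"]


if __name__ == "__main__":
    # Offline preview of what would be sent: a 4-hour ID token lifetime.
    print(json.dumps(policy_payload("4:00:00", "GitHub EMU session lifetime"), indent=2))
    # To apply for real (placeholders, not values from this page):
    # apply_policy("<graph-bearer-token>", "<github-emu-oidc-app-object-id>", "4:00:00")
```

Shortening the lifetime forces managed users back through the IdP (and its CAP checks) more often; lengthening it past the default trades that for fewer sign-in prompts, so pick the value with your CAP posture in mind.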

If you currently use SAML SSO for authentication and would prefer to use OIDC and benefit from CAP support, you can follow a migration path. For more information, see "Migrating from SAML to OIDC."

Warning: If you use GitHub Enterprise Importer to migrate an organization from your GitHub Enterprise Server instance, make sure to use a service account that is exempt from Azure AD's CAP; otherwise your migration may be blocked.

Identity provider support

Support for OIDC is in public beta and available for customers using Azure Active Directory (Azure AD).

Each Azure AD tenant can support only one OIDC integration with Enterprise Managed Users. If you want to connect Azure AD to more than one enterprise on GitHub, use SAML instead. For more information, see "Configuring SAML single sign-on for Enterprise Managed Users."

Configuring OIDC for Enterprise Managed Users

  1. Sign in to GitHub.com as the setup user for your new enterprise, with the username @SHORT-CODE_admin.

  2. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  3. In the list of enterprises, click the enterprise you want to view.

  4. In the enterprise account sidebar, click Settings.

  5. In the left sidebar, click Security.

  6. Select Require OIDC single sign-on.

  7. To continue setup and be redirected to Azure AD, click Save.

  8. When redirected, sign in to your identity provider, then follow the instructions to give consent and install the GitHub Enterprise Managed User (OIDC) application.

    Warning: You must sign in to Azure AD as a user with global admin rights in order to consent to the installation of the GitHub Enterprise Managed User (OIDC) application.

  9. To ensure you can still access your enterprise if your identity provider is unavailable in the future, click Download, Print, or Copy to save your recovery codes. For more information, see "Downloading your enterprise account's single sign-on recovery codes."

Enabling provisioning

After you enable OIDC SSO, enable provisioning. For more information, see "Configuring SCIM provisioning for enterprise managed users."