
Configuring SCIM provisioning for Enterprise Managed Users

You can configure your identity provider to provision new users and manage their membership in your enterprise and teams.

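To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which are available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."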

About provisioning for Enterprise Managed Users

You must configure provisioning for Enterprise Managed Users to create, manage, and deactivate user accounts for your enterprise members. When you configure provisioning for Enterprise Managed Users, users assigned to the GitHub Enterprise Managed User application in your identity provider are provisioned as new user accounts on GitHub via SCIM, and the users are added to your enterprise.

When you update information associated with a user's identity on your IdP, your IdP will update the user's account on GitHub.com. When you unassign the user from the GitHub Enterprise Managed User application or deactivate a user's account on your IdP, your IdP will communicate with GitHub to invalidate any sessions and disable the member's account. The disabled account's information is maintained and their username is changed to a hash of their original username with the short code appended. If you reassign a user to the GitHub Enterprise Managed User application or reactivate their account on your IdP, the managed user account on GitHub will be reactivated and the username restored.

Groups in your IdP can be used to manage team membership within your enterprise's organizations, allowing you to configure repository access and permissions through your IdP. For more information, see "Managing team memberships with identity provider groups."

Prerequisites

Before you can configure provisioning for Enterprise Managed Users, you must configure SAML or OIDC single sign-on.

Creating a personal access token

To configure provisioning for your enterprise with managed users, you need a personal access token with the admin:enterprise scope that belongs to the setup user.

Warning: If the token expires or a provisioned user creates the token, SCIM provisioning may unexpectedly stop working. Make sure that you create the token while signed in as the setup user and that the token expiration is set to "No expiration".

  1. Sign into GitHub.com as the setup user for your new enterprise with the username @SHORT-CODE_admin.

  2. In the upper-right corner of any page, click your profile photo, then click Settings.

  3. In the left sidebar, click Developer settings.

  4. In the left sidebar, click Personal access tokens.

  5. Click Generate new token.

  6. Under Note, give your token a descriptive name.

  7. Select the Expiration drop-down menu, then click No expiration.

  8. Select the admin:enterprise scope.

  9. Click Generate token.

  10. To copy the token to your clipboard, click the copy icon.

  11. To save the token for use later, store the new token securely in a password manager.
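The three conditions in the warning above (token owned by the setup user, admin:enterprise scope, no expiration) can be checked from the response to an authenticated `GET /user` call. The following is an added example, not part of GitHub's documentation; it assumes the `X-OAuth-Scopes` and `GitHub-Authentication-Token-Expiration` response headers that GitHub's REST API returns for personal access tokens (the expiration header is absent when the token never expires), and the short code `octo` and sample responses are constructed.

```python
import json
import urllib.request

REQUIRED_SCOPE = "admin:enterprise"

def audit_scim_token(headers, login, short_code):
    """Return a list of problems with the token used for SCIM provisioning."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    problems = []
    scopes = {s.strip() for s in h.get("x-oauth-scopes", "").split(",") if s.strip()}
    if REQUIRED_SCOPE not in scopes:
        problems.append(f"missing scope {REQUIRED_SCOPE}")
    # Assumption: this header is only present when the token has an expiry date.
    expiry = h.get("github-authentication-token-expiration")
    if expiry:
        problems.append(f"token expires at {expiry}")
    # The setup user is named SHORT-CODE_admin; a provisioned user must not own the token.
    expected = f"{short_code}_admin"
    if login.lower() != expected.lower():
        problems.append(f"token owner is {login}, expected setup user {expected}")
    return problems

def fetch_token_facts(token):
    """Live lookup (not run here): returns (response headers, login) for the token."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items()), json.load(resp)["login"]

# Constructed sample responses (no real tokens or accounts).
GOOD = ({"X-OAuth-Scopes": "admin:enterprise"}, "octo_admin")
BAD = ({"x-oauth-scopes": "repo, read:org",
        "GitHub-Authentication-Token-Expiration": "2030-01-01 00:00:00 UTC"},
       "mona_octo")

if __name__ == "__main__":
    for sample_headers, sample_login in (GOOD, BAD):
        findings = audit_scim_token(sample_headers, sample_login, "octo")
        print(sample_login, findings or "ok")
```

Running the same audit on a schedule against `fetch_token_facts` output gives early notice if the token is replaced with one that would stop provisioning.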

Configuring provisioning for Enterprise Managed Users

After creating your personal access token and storing it securely, you can configure provisioning on your identity provider.

Note: To avoid exceeding the rate limit on GitHub Enterprise Cloud, do not assign more than 1,000 users per hour to the IdP application. If you use groups to assign users to the IdP application, do not add more than 100 users to each group per hour. If you exceed these thresholds, attempts to provision users may fail with a "rate limit" error.

To configure provisioning, follow the appropriate link from the table below.

| Identity provider | SSO method | More information |
| --- | --- | --- |
| Azure AD | OIDC | Tutorial: Configure GitHub Enterprise Managed User (OIDC) for automatic user provisioning in the Azure AD documentation |
| Azure AD | SAML | Tutorial: Configure GitHub Enterprise Managed User for automatic user provisioning in the Azure AD documentation |
| Okta | SAML | Configuring SCIM provisioning for Enterprise Managed Users with Okta |