Configuring SCIM provisioning for Enterprise Managed Users with Okta

You can provision new users and manage their membership of your enterprise and teams using Okta as your identity provider.

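To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which is available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."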

About provisioning with Okta

You can use Enterprise Managed Users with Okta as your identity provider to provision new accounts, manage enterprise membership, and manage team memberships for organizations in your enterprise. For more information about provisioning for Enterprise Managed Users, see "Configuring SCIM provisioning for enterprise managed users."

Before you can configure provisioning with Okta, you must configure SAML single sign-on. For more information, see "Configuring SAML single sign-on for Enterprise Managed Users."

To configure provisioning with Okta, you must set your enterprise's name in the GitHub Enterprise Managed User application and enter your setup user's personal access token. You can then start provisioning users in Okta.

Supported features

Enterprise Managed Users supports many provisioning features in Okta.

Feature | Description
Push New Users | Users that are assigned to the GitHub Enterprise Managed User application in Okta are automatically created in the enterprise on GitHub Enterprise Cloud.
Push Profile Update | Updates made to the user's profile in Okta will be pushed to GitHub Enterprise Cloud.
Push Groups | Groups in Okta that are assigned to the GitHub Enterprise Managed User application as Push Groups are automatically created in the enterprise on GitHub Enterprise Cloud.
Push User Deactivation | Unassigning the user from the GitHub Enterprise Managed User application in Okta will disable the user on GitHub Enterprise Cloud. The user will not be able to sign in, but the user's information is maintained.
Reactivate Users | Users in Okta whose Okta accounts are reactivated and who are assigned back to the GitHub Enterprise Managed User application will be enabled.

Note: Enterprise Managed Users does not support modifications to usernames.

Setting your enterprise name

After your enterprise with managed users has been created, you can begin to configure provisioning by setting your enterprise name in Okta.

  1. Navigate to your GitHub Enterprise Managed User application on Okta.
  2. Click the Sign On tab.
  3. To make changes, click Edit.
  4. Under "Advanced Sign-on Settings", in the "Enterprise Name" text box, type your enterprise name. For example, if you access your enterprise at https://github.com/enterprises/octoinc, your enterprise name would be "octoinc".
  5. To save your enterprise name, click Save.

Configuring provisioning

After setting your enterprise name, you can proceed to configure provisioning settings.

To configure provisioning, the setup user with the @SHORT-CODE_admin username will need to provide a personal access token with the admin:enterprise scope. For more information on creating a new token, see "Creating a personal access token."

  1. Navigate to your GitHub Enterprise Managed User application on Okta.
  2. Click the Provisioning tab.
  3. In the settings menu, click Integration.
  4. To make changes, click Edit.
  5. Select Enable API integration.
  6. In the "API Token" field, enter the personal access token with the admin:enterprise scope belonging to the setup user.
  7. Click Test API Credentials. If the test is successful, a verification message will appear at the top of the screen.
  8. To save the token, click Save.
  9. In the settings menu, click To App.
  10. To the right of "Provisioning to App", to allow changes to be made, click Edit.
  11. Select Enable for Create Users, Update User Attributes, and Deactivate Users.
  12. To finish configuring provisioning, click Save.

Assigning users and groups

After you have configured SAML SSO and provisioning, you will be able to provision new users on GitHub.com by assigning users to the GitHub Enterprise Managed User application.

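Note: To avoid exceeding the rate limit on GitHub Enterprise Cloud, do not assign more than 1,000 users per hour to the IdP application. If you use groups to assign users to the IdP application, do not add more than 100 users to each group per hour. If you exceed these thresholds, attempts to provision users may fail with a "rate limit" error.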
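
The two hourly thresholds in the note above can be checked before anything is changed in Okta. The following is an added example, not part of the original documentation: it splits a backlog of assignments into hourly batches that stay within both limits. The function names and sample users are hypothetical, and it assumes every addition counts as one user toward the hourly total.

```python
from collections import Counter

MAX_USERS_PER_HOUR = 1000      # application-wide threshold from the note
MAX_PER_GROUP_PER_HOUR = 100   # per-group threshold from the note


def plan_hourly_batches(pending, max_users=MAX_USERS_PER_HOUR,
                        max_per_group=MAX_PER_GROUP_PER_HOUR):
    """Split (username, group) additions into hourly batches within both limits.

    group is None for a direct assignment. Assumption: every addition counts
    as one user toward the hourly total (conservative for multi-group users).
    """
    if max_users < 1 or max_per_group < 1:
        raise ValueError("limits must be at least 1")
    batches = []       # batches[i]: list of (username, group) for hour i
    per_group = []     # per_group[i]: Counter of additions per group in hour i
    for user, group in pending:
        hour = 0
        while True:
            if hour == len(batches):          # open a new hour when needed
                batches.append([])
                per_group.append(Counter())
            total_ok = len(batches[hour]) < max_users
            group_ok = group is None or per_group[hour][group] < max_per_group
            if total_ok and group_ok:
                batches[hour].append((user, group))
                if group is not None:
                    per_group[hour][group] += 1
                break
            hour += 1                         # this hour is full, try the next
    return batches


def summarize(batches):
    """Return (hour, total additions, busiest group count) for each batch."""
    rows = []
    for hour, batch in enumerate(batches):
        counts = Counter(g for _, g in batch if g is not None)
        rows.append((hour, len(batch), max(counts.values(), default=0)))
    return rows


if __name__ == "__main__":
    # Constructed sample: 250 users for one group, 30 for another.
    sample = [(f"user{i}", "engineering") for i in range(250)]
    sample += [(f"ops{i}", "operations") for i in range(30)]
    for hour, total, busiest in summarize(plan_hourly_batches(sample)):
        print(f"hour {hour}: {total} additions, busiest group adds {busiest}")
```

Each batch is applied in its own hour; a group with more than 100 pending members spreads across consecutive hours while smaller groups fill the remaining room in earlier ones.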

You can also automatically manage organization membership by assigning groups to the application and adding them to the "Push Groups" tab in Okta. When the group is provisioned successfully, it will be available to connect to teams in the enterprise's organizations. For more information about managing teams, see "Managing team memberships with identity provider groups."

When assigning users, you can use the "Roles" attribute in the GitHub Enterprise Managed User application to set a user's role in your enterprise on GitHub Enterprise Cloud. For more information on roles, see "Roles in an enterprise."

Deprovisioning users and groups

To remove a user or group from GitHub Enterprise Cloud, remove the user or group from both the "Assignments" tab and the "Push Groups" tab in Okta. For users, make sure the user is removed from all groups in the "Push Groups" tab.