Skip to main content

Migrating from SAML to OIDC

If you're using SAML to authenticate members in your 具有托管用户的企业, you can migrate to OpenID Connect (OIDC) and benefit from support for your IdP's Conditional Access Policy.

要使用身份提供程序管理企业中的用户,必须为企业启用 企业托管用户,这可用于 GitHub Enterprise Cloud。 更多信息请参阅“关于 企业托管用户”。

Note: OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for 企业托管用户 is in public beta and only available for Azure AD.

About migrating your 具有托管用户的企业 from SAML to OIDC

If your 具有托管用户的企业 uses SAML SSO to authenticate with Azure Active Directory (Azure AD), you can migrate to OIDC. When your enterprise uses OIDC SSO, GitHub will automatically use your IdP's conditional access policy (CAP) IP conditions to validate user interactions with GitHub, when members change IP addresses, and each time a personal access token or SSH key is used.

When you migrate from SAML to OIDC, 托管用户帐户 and groups that were previously provisioned for SAML but are not provisioned by the GitHub Enterprise 托管用户 (OIDC) application will have "(SAML)" appended to their display names.

If you're new to 企业托管用户 and haven't yet configured authentication for your enterprise, you do not need to migrate and can set up OIDC single sign-on immediately. For more information, see "Configuring OIDC for Enterprise Managed Users."

Migrating your enterprise

Note: To sign in as the setup user, you will need a recovery code. If you do not already have your recovery codes, you can access the codes while signed in as an enterprise owner. For more information, see "Downloading your enterprise account's single sign-on recovery codes."

  1. Before you begin the migration, sign in to Azure and disable provisioning in the existing GitHub Enterprise 托管用户 application.

  2. Sign into as the setup user for your enterprise with the username @SHORT-CODE_admin.

  3. When prompted to continue to your identity provider, click Use a recovery code and sign in using one of your enterprise's recovery codes.

  4. 在 的右上角,单击您的个人资料照片,然后单击 Your enterprises(您的企业)GitHub Enterprise Cloud 上个人资料照片下拉菜单中的"Your enterprises(您的企业)"

  5. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  6. 在企业帐户侧边栏中,单击 Settings(设置)企业帐户侧边栏中的“设置”选项卡

  7. 在左侧边栏中,单击 Security(安全)Security tab in the enterprise account settings sidebar

  8. At the bottom of the page, next to "Migrate to OpenID Connect single sign-on", click Configure with Azure.

    Warning: The migration can take up to an hour, and it is important that no users are provisioned during the migration. You can confirm if the migration is still in progress by returning to your enterprise's security settings page; if "Require SAML authentication" is still checked, the migration is still in progress.

    Screenshot showing the "Configure with Azure" button

  9. Read both warnings and click to continue.

  10. When redirected, sign in to your identity provider, then follow the instructions to give consent and install the GitHub Enterprise 托管用户 (OIDC) application.

    Warning: You must sign in to Azure AD as a user with global admin rights in order to consent to the installation of the GitHub Enterprise 托管用户 (OIDC) application.

  11. In a new tab or window, while signed in as the setup user on, create a personal access token with the admin:enterprise scope and no expiration and copy it to your clipboard. For more information about creating a new token, see "Creating a personal access token."

  12. In the settings for the GitHub Enterprise 托管用户 (OIDC) application in Azure Portal, under "Tenant URL", type, replacing YOUR_ENTERPRISE with the name of your enterprise account.

    For example, if your enterprise account's URL is, the name of the enterprise account is octo-corp.

  13. Under "Secret token", paste the personal access token with the admin:enterprise scope that you created earlier.

  14. To test the configuration, click Test Connection.

  15. To save your changes, at the top of the form, click Save.

  16. In Azure Portal, copy the users and groups from the old GitHub Enterprise 托管用户 application to the new GitHub Enterprise 托管用户 (OIDC) application.

  17. Test your configuration by provisioning a single new user.

  18. If your test is successful, start provisioning for all users by clicking Start provisioning.