About SAML for enterprise IAM

You can use SAML single sign-on (SSO) and System for Cross-domain Identity Management (SCIM) to centrally manage access to organizations owned by your enterprise on GitHub.com.

About SAML SSO for your enterprise on GitHub.com

SAML single sign-on (SSO) gives organization owners and enterprise owners using GitHub Enterprise Cloud a way to control secure access to organization resources such as repositories, issues, and pull requests. Enterprise owners can enable SAML SSO and centralized authentication through a SAML IdP across all organizations owned by an enterprise account. After you enable SAML SSO for your enterprise account, SAML SSO is enforced by default for all organizations owned by your enterprise account. All members are required to authenticate using SAML SSO to access the organizations they belong to, and enterprise owners are required to authenticate using SAML SSO when accessing the enterprise account. For more information, see "Configuring SAML single sign-on for your enterprise."

If your enterprise members manage their own personal accounts on GitHub.com, you can configure SAML authentication as an additional access restriction for your enterprise or organization. Alternatively, you can provision and manage the accounts of your enterprise members on GitHub.com by using an enterprise account with Enterprise Managed Users enabled. For more information, see "About authentication for your enterprise."

If a SAML configuration error or an issue with your identity provider (IdP) prevents you from using SAML SSO, you can use a recovery code to access your enterprise. For more information, see "Managing recovery codes for your enterprise."

After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features.

If you use Azure AD as your IdP, you can use team synchronization to manage team membership within each organization. When you synchronize a GitHub team with an IdP group, changes to the IdP group are reflected on GitHub Enterprise Cloud automatically, reducing the need for manual updates and custom scripts. You can use your IdP with team synchronization to manage a range of administrative tasks, such as onboarding new members, granting new permissions when someone moves within the organization, and removing a member's access to the organization. For more information, see "Managing team synchronization for organizations in your enterprise account."

If any of the organizations owned by the enterprise account are already configured to use SAML SSO, there are some special considerations when you enable SAML SSO for the enterprise account. For more information, see "Switching your SAML configuration from an organization to an enterprise account."

About Enterprise Managed Users

Enterprise Managed Users is a feature of GitHub Enterprise Cloud that provides even greater control over enterprise members and resources. With Enterprise Managed Users, all members are provisioned and managed through your identity provider (IdP) instead of users creating their own accounts on GitHub Enterprise Cloud. Team membership can be managed using groups on your IdP. Managed users are restricted to their enterprise and are unable to push code, collaborate, or interact with users, repositories, and organizations outside of their enterprise. For more information, see "About Enterprise Managed Users."

Note: You cannot use SCIM at the enterprise level unless your enterprise is enabled for Enterprise Managed Users.

Configuring Enterprise Managed Users for SAML single sign-on and user provisioning involves a different process than the one for an enterprise that isn't using managed users. If your enterprise uses Enterprise Managed Users, see "Configuring SAML single sign-on for Enterprise Managed Users."

Supported IdPs

We test and officially support the following IdPs. For SAML SSO, we offer limited support for all identity providers that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.

IdP | SAML | Team synchronization
Active Directory Federation Services (AD FS)
Azure Active Directory (Azure AD)
Okta
OneLogin
PingOne
Shibboleth

Further reading