Skip to main content

Configuring SAML single sign-on for your enterprise

You can control and secure access to resources like repositories, issues, and pull requests within your enterprise's organizations by enforcing SAML single sign-on (SSO) through your identity provider (IdP).

Enterprise owners can configure SAML SSO for an enterprise on GitHub Enterprise Cloud.

注意:如果您的企业使用 企业托管用户,则必须按照不同的过程来配置 SAML 单点登录。 更多信息请参阅“为企业托管用户配置 SAML 单点登录”。

About SAML SSO

SAML 单点登录 (SSO) 为使用 GitHub Enterprise Cloud 的组织所有者和企业所有者提供一种控制安全访问仓库、议题和拉取请求等组织资源的方法。 For more information, see "About identity and access management with SAML single sign-on."

企业所有者可以通过 SAML IdP 跨企业帐户拥有的所有组织启用 SAML SSO 和集中式身份验证。 为企业帐户启用 SAML SSO 后,默认情况下会为您的企业帐户拥有的所有组织实施 SAML SSO。 所有成员都需要使用 SAML SSO 进行身份验证才能访问其所属的组织,并且企业所有者在访问企业帐户时需要使用 SAML SSO 进行身份验证。

要在 GitHub Enterprise Cloud 上访问每个组织的资源,成员必须在其浏览器中启动 SAML 会话。 要使用 API 和 Git 访问每个组织的受保护资源,成员必须使用被授权在组织中使用的个人访问令牌或 SSH 密钥。 企业所有者可以随时查看和撤销成员链接的身份、活动的会话或授权的凭据。 For more information, see "Viewing and managing a user's SAML access to your enterprise account."

When SAML SSO is disabled, all linked external identities are removed from GitHub Enterprise Cloud.

不能将此 SCIM 实现用于企业帐户或 具有托管用户的组织。 如果您的企业启用了 企业托管用户,则必须使用不同的 SCIM 实现。 否则,SCIM 在企业级别不可用。 更多信息请参阅“配置 企业托管用户 的 SCIM 预配”。

Supported identity providers

GitHub Enterprise Cloud 支持 SAML SSO 与采用 SAML 2.0 标准的 IdP 一起使用。 更多信息请参阅 OASIS 网站上的 SAML Wiki

GitHub 正式支持并在内部测试以下 IdP。

  • Active Directory Federation Services (AD FS)
  • Azure Active Directory (Azure AD)
  • Okta
  • OneLogin
  • PingOne
  • Shibboleth

Username considerations with SAML

If you use 企业托管用户, GitHub Enterprise Cloud normalizes a value from your IdP to determine the username for each new personal account in your enterprise on GitHub.com. For more information, see "Username considerations for external authentication."

Enforcing SAML single-sign on for organizations in your enterprise account

Notes:

  • When you enforce SAML SSO for your enterprise, the enterprise configuration will override any existing organization-level SAML configurations. 如果企业帐户拥有的任何组织已配置为使用 SAML SSO,则为企业帐户启用 SAML SSO 时,有一些特殊注意事项。 For more information, see "Switching your SAML configuration from an organization to an enterprise account."
  • When you enforce SAML SSO for an organization, GitHub removes any members of the organization that have not authenticated successfully with your SAML IdP. When you require SAML SSO for your enterprise, GitHub does not remove members of the enterprise that have not authenticated successfully with your SAML IdP. The next time a member accesses the enterprise's resources, the member must authenticate with your SAML IdP.

For more detailed information about how to enable SAML using Okta, see "Configuring SAML single sign-on for your enterprise account using Okta."

  1. 在 GitHub.com 的右上角,单击您的个人资料照片,然后单击 Your enterprises(您的企业)GitHub Enterprise Cloud 上个人资料照片下拉菜单中的"Your enterprises(您的企业)"

  2. 在企业列表中,单击您想要查看的企业。 企业列表中的企业名称

  3. 在企业帐户侧边栏中,单击 Settings(设置)企业帐户侧边栏中的“设置”选项卡

  4. 在左侧边栏中,单击 Security(安全)Security tab in the enterprise account settings sidebar

  5. (可选)要在更改设置之前,查看企业帐户中所有组织的当前配置,请单击 View your organizations' current configurations(查看组织的当前配置)查看企业中组织的当前策略配置的链接

  6. Under "SAML single sign-on", select Require SAML authentication. Checkbox for enabling SAML SSO

  7. In the Sign on URL field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration. Field for the URL that members will be forwarded to when signing in

  8. Optionally, in the Issuer field, type your SAML issuer URL to verify the authenticity of sent messages. Field for the SAML issuer's name

  9. Under Public Certificate, paste a certificate to verify SAML responses. Field for the public certificate from your identity provider

  10. To verify the integrity of the requests from your SAML issuer, click . Then in the "Signature Method" and "Digest Method" drop-downs, choose the hashing algorithm used by your SAML issuer. Drop-downs for the Signature Method and Digest method hashing algorithms used by your SAML issuer

  11. Before enabling SAML SSO for your enterprise, click Test SAML configuration to ensure that the information you've entered is correct. Button to test SAML configuration before enforcing

  12. Click Save.

  13. To ensure you can still access your enterprise in the event that your identity provider is ever unavailable in the future, click Download, Print, or Copy to save your recovery codes. 更多信息请参阅“下载企业帐户的单点登录恢复代码”。

    用于下载、打印或复制恢复代码的按钮屏幕截图

Further reading