Configuring SAML single sign-on for your enterprise

You can control and secure access to your GitHub Enterprise Server instance by configuring SAML single sign-on (SSO) through your identity provider (IdP).

Site administrators can configure SAML SSO for a GitHub Enterprise Server instance.

About SAML SSO

SAML SSO allows you to centrally control and secure access to your GitHub Enterprise Server instance from your SAML IdP. When an unauthenticated user visits your GitHub Enterprise Server instance in a browser, GitHub Enterprise Server will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to your GitHub Enterprise Server instance. GitHub Enterprise Server validates the response from your IdP, then grants access to the user.

After a user successfully authenticates on your IdP, the user's SAML session for your GitHub Enterprise Server instance is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.

If you remove a user from your IdP, you must also manually suspend them. Otherwise, the account's owner can continue to authenticate using access tokens or SSH keys. For more information, see "Suspending and unsuspending users."

Supported identity providers

GitHub Enterprise Server supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.

GitHub officially supports and internally tests the following IdPs.

  • Active Directory Federation Services (AD FS)
  • Azure Active Directory (Azure AD)
  • Okta
  • OneLogin
  • PingOne
  • Shibboleth

Configuring SAML SSO

You can enable or disable SAML authentication for your GitHub Enterprise Server instance, or you can edit an existing configuration. You can view and edit authentication settings for GitHub Enterprise Server in the management console. For more information, see "Accessing the management console."

Note: GitHub strongly recommends that you verify any new configuration for authentication in a staging environment. An incorrect configuration could result in downtime for your GitHub Enterprise Server instance. For more information, see "Setting up a staging instance."

  1. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click the rocket ship icon.

    Screenshot of the rocket ship icon for accessing site admin settings

  2. If you're not already on the "Site admin" page, in the upper-left corner, click Site admin.

    Screenshot of the "Site admin" link

  3. In the left sidebar, click Management Console.

    Screenshot of the Management Console tab in the left sidebar

  4. In the left sidebar, click Authentication.

    Screenshot of the Authentication tab in the settings sidebar

  5. Select SAML.

    Screenshot of option to enable SAML authentication in management console

  6. Optionally, to allow people without an account on your external authentication system to sign in with built-in authentication, select Allow built-in authentication. For more information, see "Allowing built-in authentication for users outside your provider."

    Screenshot of option to enable built-in authentication outside of SAML IdP

  7. Optionally, to enable unsolicited response SSO, select IdP initiated SSO. By default, GitHub Enterprise Server will reply to an unsolicited Identity Provider (IdP) initiated request with an AuthnRequest back to the IdP.

    Screenshot of option to enable IdP-initiated unsolicited response

    Note: We recommend keeping this value unselected. You should enable this feature only in the rare instance that your SAML implementation does not support service provider initiated SSO, and when advised by GitHub Enterprise Support.

  8. Select Disable administrator demotion/promotion if you do not want your SAML provider to determine administrator rights for users on your GitHub Enterprise Server instance.

    Screenshot of the option to respect the "administrator" attribute from the IdP to enable or disable administrative rights

  9. Optionally, to allow your GitHub Enterprise Server instance to receive encrypted assertions from your SAML IdP, select Require encrypted assertions. You must ensure that your IdP supports encrypted assertions and that the encryption and key transport methods in the management console match the values configured on your IdP. You must also provide your GitHub Enterprise Server instance's public certificate to your IdP. For more information, see "Enabling encrypted assertions."

    Screenshot of "Enable encrypted assertions" checkbox within management console's "Authentication" section

  10. In the Single sign-on URL field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to configure your GitHub Enterprise Server instance to use internal nameservers.

    Screenshot of text field for single sign-on URL

  11. Optionally, in the Issuer field, type your SAML issuer's name. This verifies the authenticity of messages sent to your GitHub Enterprise Server instance.

    Screenshot of text field for SAML issuer URL

  12. In the Signature Method and Digest Method drop-down menus, choose the hashing algorithm used by your SAML issuer to verify the integrity of the requests from your GitHub Enterprise Server instance. Specify the format with the Name Identifier Format drop-down menu.

    Screenshot of drop-down menus to select signature and digest method

  13. Under Verification certificate, click Choose File and choose a certificate to validate SAML responses from the IdP.

    Screenshot of button for uploading validation certificate from IdP

  14. Modify the SAML attribute names to match your IdP if needed, or accept the default names.

    Screenshot of fields for entering additional SAML attributes
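The Issuer, Signature Method, Digest Method and Name Identifier Format fields from steps 11 and 12 each correspond to an element or attribute in the SAML response your IdP sends. The following added example (not GitHub's code) parses a constructed sample response and reports which of those configured values disagree with what the IdP actually sent, which is a quick way to confirm a staging configuration before enabling it. The IdP URL, algorithms and account are assumed values; the XML signature itself is not verified here, only the declared algorithms and identifiers.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Assumed values as entered in the console's Issuer, Signature Method,
# Digest Method and Name Identifier Format fields (hypothetical IdP).
CONSOLE = {
    "issuer": "https://idp.example.com/metadata",
    "signature method": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "digest method": "http://www.w3.org/2001/04/xmlenc#sha256",
    "name identifier format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed sample response; SignatureValue is omitted because only the
# declared algorithms and identifiers are compared, not the signature itself.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <saml:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
   <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">octocat@example.com</saml:NameID></saml:Subject>
 </saml:Assertion></samlp:Response>"""

def observed_settings(xml_text):
    """Pull the issuer, algorithms and NameID format the IdP actually sent (None if absent)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    signed = assertion.find("ds:Signature/ds:SignedInfo", NS) if assertion is not None else None
    def attr(path, name):  # attribute of a SignedInfo child, None when missing
        el = signed.find(path, NS) if signed is not None else None
        return el.get(name) if el is not None else None
    nameid = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "signature method": attr("ds:SignatureMethod", "Algorithm"),
        "digest method": attr("ds:Reference/ds:DigestMethod", "Algorithm"),
        "name identifier format": nameid.get("Format") if nameid is not None else None,
    }

def mismatches(xml_text, console):
    """Map each console field whose value differs from the response to (configured, observed)."""
    seen = observed_settings(xml_text)
    return {k: (console[k], seen[k]) for k in console if seen[k] != console[k]}
```

An empty result from `mismatches(SAMPLE, CONSOLE)` means the four console fields agree with the response; a non-empty one names the field to correct before users are redirected to the IdP.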

Further reading