Configuring SAML single sign-on for your enterprise

You can control and secure access to your enterprise on GitHub AE by configuring SAML single sign-on (SSO) through your identity provider (IdP).

Who can use this feature

Enterprise owners can configure SAML SSO for an enterprise on GitHub AE.

About SAML SSO

SAML SSO allows you to centrally control and secure access to your enterprise from your SAML IdP. When an unauthenticated user visits your enterprise in a browser, GitHub AE will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to your enterprise. GitHub AE validates the response from your IdP, then grants access to the user.

After a user successfully authenticates on your IdP, the user's SAML session for your enterprise is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.

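To make a person an enterprise owner, you must delegate access permission in your IdP. If you use Azure AD and SCIM, assign the enterprise owner role to the user. For other IdPs, include the administrator attribute in the SAML assertion for the user account on the IdP, with the value of true. For more information about enterprise owners, see "Roles in an enterprise." For more information about authentication and provisioning using Azure AD, see "Configuring authentication and provisioning for your enterprise using Azure AD."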
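
An added example, not part of the GitHub documentation: a Python check for auditing whether a decoded SAML assertion from your IdP carries the administrator attribute with the value true described above. The sample assertion, the NameID, the department attribute, and the exact-match comparison on true are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute portion of a decoded SAML 2.0 assertion.
# The NameID and the "department" attribute are placeholders for illustration.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>octocat@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="administrator">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>platform</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def assertion_attributes(xml_text):
    """Return (NameID, {attribute name: [values]}) for one decoded assertion.

    Inspects attributes only; it does not validate the assertion's signature.
    """
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return name_id.strip(), attrs


def grants_enterprise_owner(xml_text):
    """True only when the assertion carries administrator = true.

    Assumption: an exact, case-sensitive match on the single value "true".
    """
    _, attrs = assertion_attributes(xml_text)
    return attrs.get("administrator") == ["true"]


if __name__ == "__main__":
    user, _ = assertion_attributes(SAMPLE_ASSERTION)
    print(user, "enterprise owner:", grants_enterprise_owner(SAMPLE_ASSERTION))
```

Running this over the assertions your IdP issues during a test sign-in shows which accounts would be delegated the enterprise owner role before you rely on the mapping.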

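By default, your IdP does not communicate with GitHub AE automatically when you assign or unassign the application. GitHub AE creates a user account using SAML Just-in-Time (JIT) provisioning the first time someone navigates to GitHub AE and signs in by authenticating through your IdP. You may need to manually notify users when you grant access to GitHub AE, and you must manually deactivate the user account on GitHub AE during offboarding. You can use SCIM to automatically create or suspend user accounts and access for GitHub AE when you assign or unassign the application on your IdP. For more information, see "Configuring user provisioning for your enterprise."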

Supported identity providers

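GitHub AE supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.

GitHub officially supports and internally tests the following IdPs.

  • Azure Active Directory (Azure AD) tenant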
  • Okta (beta)

Enabling SAML SSO

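You will enter the details for your SAML IdP during initialization to configure identity and access management for GitHub AE. For more information, see "Initializing GitHub AE."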

The following IdPs provide documentation about configuring SAML SSO for GitHub AE. If your IdP isn't listed, please contact your IdP to request support for GitHub AE.

IdP | More information
Azure AD | "Configuring authentication and provisioning for your enterprise using Azure AD"
Okta | "Configuring authentication and provisioning for your enterprise using Okta"

During initialization for GitHub AE, you must configure GitHub AE as a SAML service provider (SP) on your IdP. You must enter several unique values on your IdP to configure GitHub AE as a valid SP. For more information, see "SAML configuration reference."

Editing the SAML SSO configuration

If the details for your IdP change, you'll need to edit the SAML SSO configuration for your enterprise. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.

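Note: If you cannot sign into your enterprise because GitHub AE cannot communicate with your SAML IdP, you can contact GitHub Support, who can help you access the SAML SSO configuration for GitHub AE. For more information, see "Receiving help from GitHub Support."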

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.

  2. In the enterprise account sidebar, click Settings.

  3. In the left sidebar, click Security.

  4. Under "SAML single sign-on", type the new details for your IdP.

  5. Optionally, click the edit icon to configure a new signature or digest method.

    • Use the drop-down menus and choose the new signature or digest method.

  6. To ensure that the information you've entered is correct, click Test SAML configuration.

  7. Click Save.

  8. Optionally, to automatically provision and deprovision user accounts for your enterprise, reconfigure user provisioning with SCIM. For more information, see "Configuring user provisioning for your enterprise."

Disabling SAML SSO

Warning: If you disable SAML SSO for your enterprise, users without existing SAML SSO sessions cannot sign into your enterprise. SAML SSO sessions on your enterprise end after 24 hours.

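Note: If you cannot sign into your enterprise because GitHub AE cannot communicate with your SAML IdP, you can contact GitHub Support, who can help you access the SAML SSO configuration for GitHub AE. For more information, see "Receiving help from GitHub Support."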

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.

  2. In the enterprise account sidebar, click Settings.

  3. In the left sidebar, click Security.

  4. Under "SAML single sign-on", unselect Enable SAML authentication.

  5. To disable SAML SSO and require signing in with the built-in user account you created during initialization, click Save.