GitHub AE is currently under limited release. Please contact our Sales Team to find out more.

Configuring SAML single sign-on for your enterprise

You can control and secure access to your enterprise on GitHub AE by configuring SAML single sign-on (SSO) through your identity provider (IdP).

Enterprise owners can configure SAML SSO for an enterprise on GitHub AE.

About SAML SSO

SAML SSO allows you to centrally control and secure access to your enterprise from your SAML IdP. When an unauthenticated user visits your enterprise in a browser, GitHub AE will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to your enterprise. GitHub AE validates the response from your IdP, then grants access to the user.

After a user successfully authenticates on your IdP, the user's SAML session for your enterprise is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.

To make a person an enterprise owner, you must delegate ownership permission in your IdP. Include the administrator attribute in the SAML assertion for the user account on the IdP, with the value of true. For more information about enterprise owners, see "Roles in an enterprise."
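To check what your IdP actually sends, the following sketch (an added example, not from GitHub's documentation) reads a SAML response captured from an IdP test sign-in and reports which subjects carry the administrator attribute set to true. The sample response, the NameID and the function names are constructed for illustration; the script does not verify signatures and is meant only for auditing attribute mappings.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned SAML response as an IdP test tool might show it.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>octocat@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="administrator">
        <saml:AttributeValue>true</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(data):
    """Accept raw XML or the base64 SAMLResponse form value; return the root element."""
    text = data.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTDs are not expected in SAML messages")
    return ET.fromstring(text)


def owner_grants(data):
    """Return [(name_id, grants_owner)] for every assertion in the response."""
    results = []
    for assertion in parse_response(data).iter("{%s}Assertion" % NS["saml"]):
        name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
        values = [
            (v.text or "").strip()
            for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)
            if attr.get("Name") == "administrator"
            for v in attr.iterfind("saml:AttributeValue", NS)
        ]
        # Audit assumption: any casing of "true" is reported, so near-misses get reviewed too.
        results.append((name_id.strip(), any(v.lower() == "true" for v in values)))
    return results


if __name__ == "__main__":
    for subject, is_owner in owner_grants(SAMPLE_RESPONSE):
        print(f"{subject}: enterprise owner = {is_owner}")
```

Run it against responses for a few representative accounts after changing attribute mappings on the IdP, so that only the intended users are reported as enterprise owners.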

By default, your IdP does not communicate with GitHub AE automatically when you assign or unassign the application. GitHub AE creates a user account using SAML Just-in-Time (JIT) provisioning the first time someone navigates to GitHub AE and signs in by authenticating through your IdP. You may need to manually notify users when you grant access to GitHub AE, and you must manually deactivate the user account on GitHub AE during offboarding. You can use SCIM to create or suspend user accounts and access for GitHub AE automatically when you assign or unassign the application on your IdP. For more information, see "Configuring user provisioning for your enterprise."

Supported identity providers

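GitHub AE supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.

GitHub officially supports and internally tests the following IdPs.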

  • Azure Active Directory (Azure AD)
  • Okta (beta)

Enabling SAML SSO

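You'll enter the details for your SAML IdP during initialization to configure identity and access management for GitHub AE. For more information, see "Initializing GitHub AE."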

The following IdPs provide documentation about configuring SAML SSO for GitHub AE. If your IdP isn't listed, please contact your IdP to request support for GitHub AE.

IdP      | More information
Azure AD | "Configuring authentication and provisioning for your enterprise using Azure AD"
Okta     | "Configuring authentication and provisioning for your enterprise using Okta"

During initialization for GitHub AE, you must configure GitHub AE as a SAML service provider (SP) on your IdP. You must enter several unique values on your IdP to configure GitHub AE as a valid SP. For more information, see "SAML configuration reference."

Editing the SAML SSO configuration

If the details for your IdP change, you'll need to edit the SAML SSO configuration for your enterprise. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.

Note: If you can't sign into your enterprise because GitHub AE can't communicate with your SAML IdP, you can contact GitHub Support, who can help you access the GitHub AE SAML SSO configuration. For more information, see "Receiving help from GitHub Support."

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.

  2. In the enterprise account sidebar, click Settings.

  3. In the left sidebar, click Security.

  4. Under "SAML single sign-on", type the new details for your IdP.

  5. Optionally, click the edit icon to configure a new signature or digest method.

    • Use the drop-down menus and choose the new signature or digest method.
  6. To ensure that the information you've entered is correct, click Test SAML configuration.

  7. Click Save.

  8. Optionally, to automatically provision and deprovision user accounts for your enterprise, reconfigure user provisioning with SCIM. For more information, see "Configuring user provisioning for your enterprise."

Disabling SAML SSO

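Warning: If you disable SAML SSO for your enterprise, users without existing SAML SSO sessions cannot sign into your enterprise. SAML SSO sessions on your enterprise end after 24 hours.

Note: If you can't sign into your enterprise because GitHub AE can't communicate with your SAML IdP, you can contact GitHub Support, who can help you access the GitHub AE SAML SSO configuration. For more information, see "Receiving help from GitHub Support."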

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.

  2. In the enterprise account sidebar, click Settings.

  3. In the left sidebar, click Security.

  4. Under "SAML single sign-on", unselect Enable SAML authentication.

  5. To disable SAML SSO and require signing in with the built-in user account you created during initialization, click Save.