
Configuring user provisioning for your enterprise

You can configure System for Cross-domain Identity Management (SCIM) for your enterprise, which automatically provisions user accounts on your enterprise when you assign the application for your enterprise to a user on your identity provider (IdP).

Enterprise owners can configure user provisioning for an enterprise on GitHub AE.

About user provisioning for your enterprise

GitHub AE uses SAML SSO for user authentication. You can centrally manage access to GitHub AE from an IdP that supports the SAML 2.0 standard. For more information, see "Configuring SAML single sign-on for your enterprise."

You can configure user provisioning with SCIM to automatically create or suspend user accounts and grant access for GitHub AE when you assign or unassign the application on your IdP. For more information about SCIM, see System for Cross-domain Identity Management: Protocol (RFC 7644) on the IETF website.

If you do not configure user provisioning with SCIM, your IdP will not communicate with GitHub AE automatically when you assign or unassign the application to a user. Without SCIM, GitHub AE creates a user account using SAML Just-in-Time (JIT) provisioning the first time someone navigates to GitHub AE and signs in by authenticating through your IdP.

Configuring provisioning allows your IdP to communicate with your enterprise when you assign or unassign the application for GitHub AE to a user on your IdP. When you assign the application, your IdP will prompt your enterprise to create an account and send an onboarding email to the user. When you unassign the application, your IdP will communicate with GitHub AE to invalidate any SAML sessions and disable the member's account.

To configure provisioning for your enterprise, you must enable provisioning on GitHub AE, then install and configure a provisioning application on your IdP.

The provisioning application on your IdP communicates with GitHub AE via our SCIM API for enterprises. For more information, see "GitHub Enterprise administration" in the GitHub REST API documentation.

Supported identity providers

The following IdPs are supported for SSO with GitHub AE:

Note: GitHub AE single sign-on (SSO) support for Okta is currently in beta.

IdP | SAML | User provisioning | Team mapping
Azure Active Directory (Azure AD)
Okta | Beta | Beta | Beta

For IdPs that support team mapping, you can assign or unassign the application for GitHub AE to groups of users in your IdP. These groups are then available to organization owners and team maintainers in your enterprise to map to GitHub AE teams. For more information, see "Mapping Okta groups to teams."

Prerequisites

To automatically provision and deprovision access to your enterprise from your IdP, you must first configure SAML SSO when you initialize GitHub AE. For more information, see "Initializing GitHub AE."

You must have administrative access on your IdP to configure the application for user provisioning for GitHub AE.

Enabling user provisioning for your enterprise

  1. While signed into your enterprise as an enterprise owner, create a personal access token with admin:enterprise scope. For more information, see "Creating a personal access token."

    Notes:

    • To create the personal access token, we recommend using the account for the first enterprise owner that you created during initialization. For more information, see "Initializing GitHub AE."
    • You'll need this personal access token to configure the application for SCIM on your IdP. Store the token securely in a password manager until you need the token again later in these instructions.

    Warning: If the user account for the enterprise owner who creates the personal access token is deactivated or deprovisioned, your IdP will no longer provision and deprovision user accounts for your enterprise automatically. Another enterprise owner must create a new personal access token and reconfigure provisioning on the IdP.

  2. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.

  3. In the enterprise account sidebar, click Settings.

  4. In the left sidebar, click Security.

  5. Under "SCIM User Provisioning", select Require SCIM user provisioning.

  6. Click Save.

  7. Configure user provisioning in the application for GitHub AE on your IdP.

    The following IdPs provide documentation about configuring provisioning for GitHub AE. If your IdP isn't listed, please contact your IdP to request support for GitHub AE.

    IdP | More information
    Azure AD | Tutorial: Configure GitHub AE for automatic user provisioning in the Microsoft Docs. To configure Azure AD for GitHub AE, see "Configuring authentication and provisioning for your enterprise using Azure AD."
    Okta | (beta) To configure Okta for GitHub AE, see "Configuring authentication and provisioning for your enterprise using Okta."

    The application on your IdP requires two values to provision or deprovision user accounts on your enterprise.

    Value | Other names | Description | Example
    URL | Tenant URL | URL to the SCIM provisioning API for your enterprise on GitHub AE | https://[hostname]/api/v3/scim/v2
    Shared secret | Personal access token, secret token | Token for application on your IdP to perform provisioning tasks on behalf of an enterprise owner | Personal access token you created in step 1
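
How the two values above turn into the SCIM requests an IdP sends on assignment and unassignment, as an added example that is not GitHub's or any IdP's code. It follows RFC 7644 and goes beyond the page in showing request bodies; the bearer-token header, the minimal attribute set, and every hostname, token and ID passed in are assumptions, and nothing is sent over the network.

```python
import json
from urllib.parse import quote, urlsplit

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def check_tenant_url(url):
    """Validate the tenant URL and return it without a trailing slash."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("tenant URL must be https: the token rides in a header")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("no credentials, query string or fragment in the URL")
    if not parts.hostname or parts.path.rstrip("/") != "/api/v3/scim/v2":
        raise ValueError("expected https://[hostname]/api/v3/scim/v2")
    return f"https://{parts.netloc}/api/v3/scim/v2"


def build_request(method, tenant_url, path, token, body):
    """Describe one SCIM call as a dict; nothing is sent."""
    if not token or token != token.strip():
        raise ValueError("shared secret is empty or padded with whitespace")
    return {
        "method": method,
        "url": check_tenant_url(tenant_url) + path,
        # Assumption: the IdP presents the shared secret as a bearer token.
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/scim+json"},
        "body": json.dumps(body),
    }


def provision(tenant_url, token, user_name, email):
    """Sent when the application is assigned: create the account."""
    body = {"schemas": [USER_SCHEMA], "userName": user_name, "active": True,
            "emails": [{"value": email, "primary": True}]}
    return build_request("POST", tenant_url, "/Users", token, body)


def deprovision(tenant_url, token, scim_id):
    """Sent when the application is unassigned: mark the account inactive."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    # Percent-encode the id so it cannot alter the request path.
    return build_request("PATCH", tenant_url, "/Users/" + quote(scim_id, safe=""),
                         token, body)
```

Pasting a tenant URL with `http://`, embedded credentials or a different path raises `ValueError` before any request is built, which catches the most common copy-and-paste mistakes when filling in the IdP form.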