About user provisioning for organizations in your enterprise account

You can manage organization membership in an enterprise account directly from an identity provider (IdP).

Enterprise accounts are available with GitHub Enterprise Cloud and GitHub Enterprise Server. For more information, see "About enterprise accounts."

Note: User provisioning for organizations in your enterprise accounts, currently supported only for Okta, is in private beta and subject to change. To request access to the beta, contact our account management team.

If you use Okta as an IdP and participate in a private beta for enterprise accounts, you can manage membership in your enterprise account's organizations with SCIM. SCIM automatically invites people to or removes people from organizations in your enterprise account based on whether they are members of the group that corresponds to each organization in your IdP.

If you're participating in the private beta for user provisioning for enterprise accounts, when you enable SAML for your enterprise account, SCIM provisioning and deprovisioning is enabled by default in GitHub. You can use provisioning to manage organization membership by configuring SCIM in your IdP. Optionally, you can also enable SAML provisioning and, separately, deprovisioning.

If you configure SCIM for the GitHub application in your IdP, each time you make changes to group membership in your IdP, your IdP will make a SCIM call to GitHub to update the corresponding organization's membership. If you enable SAML provisioning, each time an enterprise member accesses a resource protected by your enterprise account's SAML configuration, that SAML assertion will trigger provisioning.

For each SCIM call or SAML assertion, GitHub will check the IdP groups the user belongs to and perform the following operations:

  • If the user is a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is not currently a member of that organization, add the user to the organization (SAML assertion) or send the user an email invitation to join the organization (SCIM call).
  • Cancel any existing invitations for the user to join an organization owned by your enterprise account.

For each SCIM call and, if you enable SAML deprovisioning, each SAML assertion, GitHub will also perform the following operation:

  • If the user is not a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is currently a member of that organization, remove the user from the organization.

If deprovisioning removes the last remaining owner from an organization, the organization will become unowned. Enterprise owners can assume ownership of unowned organizations. For more information, see "Managing unowned organizations in your enterprise account."

To enable user provisioning for your enterprise account using Okta, see "Configuring SAML single sign-on and SCIM for your enterprise account using Okta."

Did this doc help you?Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Oder, learn how to contribute.