Configuring SAML single sign-on and SCIM for your enterprise account using Okta

You can use Security Assertion Markup Language (SAML) single sign-on (SSO) and System for Cross-domain Identity Management (SCIM) with Okta to automatically manage access to your enterprise account on GitHub.

Enterprise accounts are available with GitHub Enterprise Cloud and GitHub Enterprise Server. For more information, see "About enterprise accounts."

Note: User provisioning for organizations in your enterprise accounts, currently supported only for Okta, is in private beta and subject to change. To request access to the beta, contact our account management team.

Über SAML und SCIM mit Okta

You can control access to your enterprise account in GitHub and other web applications from one central interface by configuring the enterprise account to use SAML SSO and SCIM with Okta, an Identity Provider (IdP).

SAML SSO controls and secures access to enterprise account resources like organizations, repositories, issues, and pull requests. SCIM automatically adds, manages, and removes members' access to organizations owned by your enterprise account when you make changes in Okta. Weiter Informationen findest Du unter „Sicherheitseinstellungen für Dein Enterprise-Konto erzwingen."

Nachdem Du SCIM aktiviert hast, stehen Dir folgende Bereitstellungsfunktionen für alle Benutzer zur Verfügung, denen Du Deine GitHub Enterprise Cloud-Anwendung in Okta zuweist.

FunktionBeschreibung
Push neuer BenutzerNew users created in Okta will gain access to enterprise account resources, and can optionally be automatically invited to any of the organizations owned by the enterprise account
Push Benutzer-DeaktivierungDeactivating a user in Okta will revoke the user's access to the enterprise account resources and remove the user from all organizations owned by the enterprise account
Push Profil-AktualisierungenUpdates made to the user's profile in Okta will be pushed to the user’s enterprise account metadata
Benutzer reaktivierenReactivating the user in Okta will re-enable the user's access to the enterprise account and will optionally send email invitations for the user to rejoin any of the organizations owned by the enterprise account that the user was previously a member of

Vorrausetzungen

You must use the "Classic UI" in Okta. Weitere Informationen findest Du unter „Organisierte Navigation auf dem Okta Blog.

Wähle "Classic UI" aus der Okta UI Stilauswahl über dem Dashboard

Die GitHub Enterprise Cloud-Anwendung in Okta hinzufügen

  1. In Okta, in the upper-right corner, click Admin. Admin button in Okta
  2. Klicke im Okta-Dashboard auf Applications (Anwendungen). Auswahl "Applications" (Anwendungen) in der Navigationsleiste des Okta-Dashboard
  3. Klicke auf Add application (Anwendung hinzufügen). Schaltfläche "Add application" (Anwendung hinzufügen) in der Anwendungs-Registerkarte des Okta Dashboard
  4. Gib im Suchfeld „GitHub Enterprise Cloud" ein. Feld "Search for an application" (eine Anwendung suchen) in Okta
  5. Click "GitHub Enterprise Cloud - Enterprise Accounts".
  6. Klicke auf Add (Hinzufügen).
  7. Optionally, to the right of "Application label", type a descriptive name for the application. Application label field
  8. To the right of "GitHub Enterprises", type the name of your enterprise account. For example, if your enterprise account's URL is https://github.com/enterprises/octo-corp, type octo-corp. GitHub Enterprises field
  9. Klicke auf Done (Fertig).

SAML SSO aktivieren und testen

  1. In Okta, in the upper-right corner, click Admin. Admin button in Okta
  2. Klicke im Okta-Dashboard auf Applications (Anwendungen). Auswahl "Applications" (Anwendungen) in der Navigationsleiste des Okta-Dashboard
  3. Click the label for the application you created for your enterprise account.
  4. Assign the application to your user in Okta. For more information, see Assign applications to users in the Okta documentation.
  5. Under the name of the application, click Sign on. Registerkarte "Sign on" (Anmelden) für die Okta-Anwendung
  6. To the right of Settings, click Edit.
  7. Under "Configured SAML Attributes", to the right of "groups", use the drop-down menu and select Matches regex.
  8. To the right of the drop-down menu, type .*.*.
  9. Klicke auf Save (Speichern).
  10. Klicke unter „SIGN ON METHODS" (Anmeldemethoden) auf View Setup Instructions (Setup-Anweisungen anzeigen). Schaltfläche "View Setup Instructions" (Setup-Anweisungen anzeigen) in der Registerkarte "Sign On" (Anmelden) der Okta-Anwendung
  11. Enable SAML for your enterprise account using the information in the setup instructions. Weitere Informationen findest Du unter „SAML Single Sign-On für Organisationen in Deinem Enterprise-Konto aktivieren."

Creating groups in Okta

  1. In Okta, create a group to match each organization owned by your enterprise account. The name of each group must match the account name of the organization (not the organization's display name). For example, if the URL of the organization is https://github.com/octo-org, name the group octo-org.
  2. Assign the application you created for your enterprise account to each group. GitHub will receive all groups data for each user.
  3. Add users to groups based on the organizations you'd like users to belong to.

Configuring user provisioning with SCIM in Okta

If you're participating in the private beta for user provisioning for enterprise accounts, when you enable SAML for your enterprise account, SCIM provisioning and deprovisioning is enabled by default in GitHub. You can use provisioning to manage organization membership by configuring SCIM in your IdP.

To configure user provisioning with SCIM in Okta, you must authorize an OAuth application to create a token that Okta can use to authenticate to GitHub on your behalf. The okta-oauth application is created by Okta in partnership with GitHub.

  1. In Okta, in the upper-right corner, click Admin. Admin button in Okta
  2. Klicke im Okta-Dashboard auf Applications (Anwendungen). Auswahl "Applications" (Anwendungen) in der Navigationsleiste des Okta-Dashboard
  3. Click the label for the application you created for your enterprise account.
  4. Under the name of the application, click Provisioning. Registerkarte "Provisioning" (Bereitstellung) der Okta-Anwendung
  5. Klicke auf Configure API Integration (API-Integration konfigurieren). Schaltfläche "Configure API Integration" (API-Integration konfigurieren) der Okta-Anwendung
  6. Wähle Enable API integration (API-Integration aktivieren). Kontrollkästchen "Enable API integration" (API-Integration aktivieren) der Okta-Anwendung
  7. Click Authenticate with Github Enterprise Cloud - Enterprise Accounts. Button to authenticate with GitHub
  8. To the right of your enterprise account's name, click Grant.
  9. Click Authorize okta-oauth.
  10. Klicke auf Save (Speichern). Schaltfläche "Save" (Speichern) für die Bereitstellungs-Konfiguration der Okta-Anwendung
  11. Klicke rechts neben „Provisioning to App" (Für die App bereitstellen) auf Edit (Bearbeiten). Schaltfläche "Edit" (Bearbeiten) für die Bereitstellungs-Optionen der Okta-Anwendung
  12. Wähle rechts neben „Create Users" (Benutzer erstellen) die Option Enable (Aktivieren). Kontrollkästchen "Enable" (Aktivieren) für die Option "Create Users" (Benutzer erstellen) der Okta-Anwendung
  13. Wähle rechts neben „Update User Attributes" (Benutzerattribute aktualisieren) die Option Enable (Aktivieren). Kontrollkästchen "Enable" (Aktivieren) für die Option "Update User Attributes" (Benutzerattribute aktualisieren) der Okta-Anwendung
  14. Wähle rechts neben "Deactivate Users" (Benutzer deaktivieren) die Option Enable (Aktivieren). Kontrollkästchen "Enable" (Aktivieren) für die Option "Deactivate Users" (Benutzer deaktivieren) der Okta-Anwendung
  15. Klicke auf Save (Speichern). Schaltfläche "Save" (Speichern) für die Bereitstellungs-Konfiguration der Okta-Anwendung
  16. Under the name of the application, click Push Groups. Push Groups tab
  17. Use the Push Groups drop-down menu, and select Find groups by name. Push Groups drop-down menu
  18. Add a push group for each organization in your enterprise account that you want to enable user provisioning for.
    • Under "PUSH GROUPS BY NAME", search for a group that corresponds to an organization owned by your enterprise account, then click the group in the search results.
    • To the right of the group name, in the "Match results & push action" drop-down menu, verify that Create Group is selected. Match result drop-down with Create Group selected
    • Klicke auf Save (Speichern).
    • Repeat for each organization.
  19. Under the name of your application, click Assignments. Assignments tab
  20. If you see Provision users, users who were a member of an Okta group before you added a push group for that group have not been provisioned. To send SCIM data to GitHub for these users, click Provision users.

Enabling SAML user provisioning

After you enable SCIM provisioning and deprovisioning, you can optionally enable SAML user provisioning and deprovisioning.

  1. In the top-right corner of GitHub, click your profile photo, then click Your enterprises. "Your enterprises" in drop-down menu for profile photo on GitHub

  2. In the list of enterprises, click the enterprise you want to view. Name of an enterprise in list of your enterprises

  3. Klicke in der Seitenleiste des Enterprise-Kontos auf Settings (Einstellungen). Registerkarte „Settings“ (Einstellungen) in der Seitenleiste des Enterprise-Kontos

  4. Klicken Sie auf der linken Seitenleiste auf Security (Sicherheit). Security tab in the enterprise account settings sidebar

  5. Under "SAML User Provisioning", select Enable SAML user provisioning. Checkbox to enable user provisioning with SAML

  6. Klicke auf Save (Speichern).

  7. Optionally, enable SAML user deprovisioning.

    • Select Enable SAML user deprovisioning, then click Save. Checkbox to enable user deprovisioning with SAML
    • Read the warning, then click Enable SAML deprovisioning. Enable SAML deprovisioning button

Did this doc help you?Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Oder, learn how to contribute.