Configuring SAML single sign-on for your enterprise using Okta

You can use Security Assertion Markup Language (SAML) single sign-on (SSO) with Okta to automatically manage access to your enterprise account on GitHub Enterprise Cloud.

Enterprise accounts are available with GitHub Enterprise Cloud and GitHub Enterprise Server. For more information, see "About enterprise accounts."

Note: User provisioning for organizations in your enterprise accounts, currently supported only for Okta, is in private beta and subject to change. To request access to the beta, contact our account management team.

Note: If your enterprise uses Enterprise Managed Users, you must follow a different process to configure SAML single sign-on. For more information, see "Configuring SAML single sign-on for Enterprise Managed Users."

About SAML with Okta

You can control access to your enterprise account in GitHub Enterprise Cloud and other web applications from one central interface by configuring the enterprise account to use SAML SSO with Okta, an Identity Provider (IdP).

SAML SSO controls and secures access to enterprise account resources like organizations, repositories, issues, and pull requests. For more information, see "Configuring SAML single sign-on for your enterprise."

There are special considerations when enabling SAML SSO for your enterprise account if any of the organizations owned by the enterprise account are already configured to use SAML SSO. For more information, see "Switching your SAML configuration from an organization to an enterprise account."

Prerequisites

You must use the "Classic UI" in Okta. For more information, see Organized Navigation on the Okta blog.

Selecting "Classic UI" from Okta UI style picker above dashboard

Adding the GitHub Enterprise Cloud application in Okta

  1. In Okta, in the upper-right corner, click Admin. Admin button in Okta
  2. In the Okta Dashboard, click Applications. "Applications" item in the Okta Dashboard navigation bar
  3. Click Add application. "Add application" button in the Okta Dashboard's Applications tab
  4. In the search field, type "GitHub Enterprise Cloud". Okta's "Search for an application" field
  5. Click "GitHub Enterprise Cloud - Enterprise Accounts".
  6. Click Add.
  7. Optionally, to the right of "Application label", type a descriptive name for the application. Application label field
  8. To the right of "GitHub Enterprises", type the name of your enterprise account. For example, if your enterprise account's URL is https://github.com/enterprises/octo-corp, type octo-corp. GitHub Enterprises field
  9. Click Done.

Enabling and testing SAML SSO

  1. In Okta, in the upper-right corner, click Admin. Admin button in Okta
  2. In the Okta Dashboard, click Applications. "Applications" item in the Okta Dashboard navigation bar
  3. Click the label for the application you created for your enterprise account.
  4. Assign the application to your user in Okta. For more information, see Assign applications to users in the Okta documentation.
  5. Under the name of the application, click Sign on. "Sign on" tab for Okta application
  6. To the right of Settings, click Edit.
  7. Under "Configured SAML Attributes", to the right of "groups", use the drop-down menu and select Matches regex.
  8. To the right of the drop-down menu, type .*.*.
  9. Click Save.
  10. Under "SIGN ON METHODS", click View Setup Instructions. "View Setup Instructions" button in Okta application's "Sign On" tab
  11. Enable SAML for your enterprise account using the information in the setup instructions. For more information, see "Configuring SAML single sign-on for your enterprise."

Creating groups in Okta

  1. In Okta, create a group to match each organization owned by your enterprise account. The name of each group must match the account name of the organization (not the organization's display name). For example, if the URL of the organization is https://github.com/octo-org, name the group octo-org.
  2. Assign the application you created for your enterprise account to each group. GitHub will receive all groups data for each user.
  3. Add users to groups based on the organizations you'd like users to belong to.

Enabling SAML user provisioning

  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises. "Your enterprises" in drop-down menu for profile photo on GitHub Enterprise Cloud

  2. In the list of enterprises, click the enterprise you want to view. Name of an enterprise in list of your enterprises

  3. In the enterprise account sidebar, click Settings. Settings tab in the enterprise account sidebar

  4. In the left sidebar, click Security. Security tab in the enterprise account settings sidebar

  5. Under "SAML User Provisioning", select Enable SAML user provisioning. Checkbox to enable user provisioning with SAML

  6. Click Save.

  7. Optionally, enable SAML user deprovisioning.

    • Select Enable SAML user deprovisioning, then click Save. Checkbox to enable user deprovisioning with SAML
    • Read the warning, then click Enable SAML deprovisioning. Enable SAML deprovisioning button

Did this doc help you?

Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.