About authentication methods for your enterprise
You can allow people to use a personal account on GitHub.com to access your enterprise's resources and optionally configure additional SAML access restriction, or you can provision and control the accounts for your enterprise using your identity provider (IdP) with Enterprise Managed Users. For more information, see "About identity and access management."
Both SAML SSO and Enterprise Managed Users increase security for your enterprise's resources. Enterprise Managed Users additionally allows you to control the user accounts for your enterprise members and restricts what the accounts are able to do. However, those restrictions may be unacceptable for your enterprise if they obstruct your developers' workflows.
To determine whether your enterprise would benefit more from SAML SSO or Enterprise Managed Users, ask yourself the following questions.
Do you want to control the user accounts for your users?
Enterprise Managed Users may be right for your enterprise if you don't want enterprise members to use their own personal accounts on GitHub.com to access your enterprise's resources.
With SAML SSO, developers create and manage their own personal accounts, and each account is linked to a SAML identity in your IdP. Enterprise Managed Users functions more like other familiar SSO solutions, as you will provision the accounts for your users. You can also ensure user accounts conform with your company identity, by controlling usernames and the email addresses associated with the accounts.
If you currently require your users to create a new account on GitHub.com to use with your enterprise only, Enterprise Managed Users might be right for you. However, SAML SSO may be a better option if using your IdP as the source of truth for your user and access management would add too much complexity. For example, perhaps your enterprise does not have an established process for onboarding new users in your IdP.
Which identity provider does your enterprise use?
For SAML SSO, you can configure authentication with an IdP that adheres to the SAML 2.0 standard. GitHub also officially supports and tests some IdPs. For more information, see "Configuring SAML single sign-on for your enterprise."
GitHub partners with some developers of identity management systems to provide a "paved-path" integration with Enterprise Managed Users. If you use a partner IdP, you can configure one application on your IdP to provide authentication and provisioning. If you don't use a partner IdP, or if you only use a partner IdP for authentication, you can integrate IdPs that implement the SAML 2.0 and System for Cross-domain Identity Management (SCIM) 2.0 standards. For more information, see "About Enterprise Managed Users."
Do your developers work in public repositories, gists, or GitHub Pages sites?
To prevent enterprise members from accidentally leaking corporate-owned content to the public on GitHub.com, Enterprise Managed Users imposes strong restrictions on what users can do. For example, managed user accounts cannot create public repositories, gists of any visibility, or GitHub Pages sites that are visible outside the enterprise. For a full list of restrictions, see "Abilities and restrictions of managed user accounts."
These restrictions are unacceptable for some enterprises. To determine whether Enterprise Managed Users will work for you, review the restrictions with your developers, and confirm whether any of the restrictions will hinder your existing workflows. If so, SAML SSO may be a better choice for your enterprise.
Do your developers rely on collaboration outside of your enterprise?
Managed user accounts can only contribute to repositories within your enterprise. If your developers must contribute to both repositories within and outside of your enterprise, including private repositories, Enterprise Managed Users may not be right for your enterprise. SAML SSO may be a better solution.
Some companies maintain repositories within an existing enterprise using SAML SSO on GitHub.com, and also create an enterprise with managed users. Developers who contribute to repositories owned by both enterprises from a single workstation must switch between the accounts on GitHub.com within a single browser, or use a different browser for each account. The developer may also need to customize the workstation's Git configuration to accommodate the two accounts. The complexity of this workflow can increase the risk of mistakenly leaking internal code to the public.
If you decide to create an enterprise with managed users but require that developers contribute to resources outside of the enterprise from a single workstation, you can provide support for switching between the accounts in a developer's local Git configuration. For more information, see "About Enterprise Managed Users."
Can your enterprise tolerate migration costs?
If your enterprise is new to GitHub.com, SAML SSO and Enterprise Managed Users are equally easy to adopt.
If you're already using GitHub.com with developers managing their own user accounts, adopting Enterprise Managed Users requires migrating to a new enterprise account. For more information, see "About Enterprise Managed Users."
Although Enterprise Managed Users is free, the migration process may require time or cost from your team. Confirm that this migration process is acceptable to your business and your developers. If not, SAML SSO may be the better choice for you.