Skip to main content

About support for your IdP's Conditional Access Policy

When your enterprise uses OIDC SSO, GitHub will validate access to your enterprise and its resources using your IdP's Conditional Access Policy (CAP).

To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which are available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

Note: OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for Enterprise Managed Users is in public beta and only available for Azure AD.

About support for Conditional Access Policies

When your enterprise uses OIDC SSO, GitHub will automatically use your IdP's conditional access policy (CAP) IP conditions to validate user interactions with GitHub, when members change IP addresses, and each time a personal access token or SSH key is used.

CAP support is enabled automatically for any enterprise with managed users that enables OIDC SSO and cannot be disabled. GitHub enforces your IdP's IP conditions but not device compliance conditions.

For more information about using OIDC with Enterprise Managed Users, see "Configuring OIDC for Enterprise Managed Users" and "Migrating from SAML to OIDC."

About using CAP with IP allow lists

We recommend disabling your enterprise account's IP allow list and relying on your IdP's CAP. If you enable IP allow lists for your enterprise and also make use of your IdP's CAP, both the IP allow list and CAP will be enforced. If either restriction rejects a user's IP address, the request fails. For more information about IP allow lists, see "Enforcing policies for security settings in your enterprise."

Considerations for integrations and automations

GitHub sends the originating IP address to your IdP for validation against your CAP. To make sure actions and apps are not blocked by your IdP's CAP, you will need to make changes to your configuration.

Warning: If you use GitHub Enterprise Importer to migrate an organization from your GitHub Enterprise Server instance, make sure to use a service account that is exempt from Azure AD's CAP otherwise your migration may be blocked.

GitHub Actions

Actions that use a personal access token will likely be blocked by your IdP's CAP. We recommend that personal access tokens are created by a service account which is then exempted from IP controls in your IdP's CAP.

If you're unable to use a service account, another option for unblocking actions that use personal access tokens is to allow the IP ranges used by GitHub Actions. For more information, see "About GitHub's IP addresses."

GitHub Apps and OAuth Apps

When GitHub Apps and OAuth Apps make requests on a member's behalf, GitHub will send the IP address of the app's server to your IdP for validation. If the IP address of the app's server is not validated by your IdP's CAP, the request will fail.

You can contact the owners of the apps you want to use, ask for their IP ranges, and configure your IdP's CAP to allow access from those IP ranges. If you're unable to contact the owners, you can review your IdP sign-in logs to review the IP addresses seen in the requests, then allow-list those addresses.

You can also enable IP allow list configuration for installed GitHub Apps. When enabled, all GitHub Apps and OAuth Apps will continue working regardless of the originating IP address. For more information, see "Enforcing policies for security settings in your enterprise."