Skip to main content

Configuring SCIM provisioning for Enterprise Managed Users

You can manage the lifecycle of your enterprise's user accounts from your identity provider (IdP) using System for Cross-domain Identity Management (SCIM).

Who can use this feature?

Enterprise Managed Users is available for new enterprise accounts on GitHub Enterprise Cloud. See "About Enterprise Managed Users."

To create, manage, and deactivate user accounts for your enterprise members on GitHub, your IdP must implement SCIM for communication with GitHub. SCIM is an open specification for management of user identities between systems. Different IdPs provide different experiences for the configuration of SCIM provisioning.

If you use a partner IdP, you can simplify the configuration of SCIM provisioning by using the partner IdP's application. If you don't use a partner IdP for provisioning, you can implement SCIM using calls to GitHub's REST API for SCIM. For more information, see About Enterprise Managed Users.

About user lifecycle management with SCIM

With SCIM, you manage the lifecycle of user accounts from your IdP:

  • After you configure provisioning for Enterprise Managed Users, your IdP uses SCIM to provision user accounts on GitHub and add the accounts to your enterprise. If you assign a group to the application in your IdP, your IdP will provision accounts for all members of the group.
  • When you update information associated with a user's identity on your IdP, your IdP will update the user's account on GitHub.
  • When you unassign the user from the IdP application or deactivate a user's account on your IdP, your IdP will communicate with GitHub to invalidate any sessions and disable the member's account. The disabled account's information is maintained and their username is changed to a hash of their original username, with the short code appended if applicable.
  • If you reassign a user to the IdP application or reactivate their account on your IdP, the user account will be reactivated, and the username will be restored.

To configure team and organization membership, repository access, and permissions on GitHub Enterprise Cloud, you can use groups on your IdP. For more information, see "Managing team memberships with identity provider groups."

Prerequisites

If you're configuring SCIM provisioning for a new enterprise, make sure to complete all previous steps in the initial configuration process. See Getting started with Enterprise Managed Users.

Configuring user provisioning for Enterprise Managed Users

After completing the setup on GitHub, you can configure provisioning on your IdP. The instructions you should follow differ depending on whether you use a partner IdP's application for both authentication and provisioning.

Configuring provisioning if you use a partner IdP's application

To use a partner IdP's application both authentication and provisioning, review the partner's instructions for configuring provisioning in the links in the following table.

IdPSSO methodInstructions
Microsoft Entra ID (previously known as Azure AD)OIDCTutorial: Configure GitHub Enterprise Managed User (OIDC) for automatic user provisioning on Microsoft Learn
Entra IDSAMLTutorial: Configure GitHub Enterprise Managed User for automatic user provisioning on Microsoft Learn
OktaSAMLConfiguring SCIM provisioning with Okta
PingFederateSAMLThe "Prerequisites" and "2. Configure SCIM" sections in Configuring authentication and provisioning with PingFederate

Configuring provisioning for other identity management systems

If you don't use a partner IdP, or if you only use a partner IdP for authentication, you can manage the lifecycle of user accounts using GitHub's REST API endpoints for SCIM provisioning. See Provisioning users and groups with SCIM using the REST API.

  1. Sign in as the setup user for your enterprise with the username SHORT-CODE_admin, replacing SHORT-CODE with your enterprise's short code.

    Note

    If you need to reset the password for your setup user, contact GitHub Support through the GitHub Support portal. The usual password reset option by providing your email address will not work.

  2. In the top-right corner of GitHub, click your profile photo, then click Your enterprise.

  3. On the left side of the page, in the enterprise account sidebar, click Identity provider.

  4. Under Identity Provider, click Single sign-on configuration.

  5. Under "Open SCIM Configuration", select "Enable open SCIM configuration".

  6. Manage the lifecycle of your users by making calls to the REST API endpoints for SCIM provisioning. See Provisioning users and groups with SCIM using the REST API.

Assigning users and groups

After you have configured authentication and provisioning, you will be able to provision new users on GitHub by assigning users or groups to the GitHub Enterprise Managed User application.

When assigning users, you can use the "Roles" attribute in the application on your IdP to set a user's role in your enterprise on GitHub Enterprise Cloud. For more information about the roles available to assign, see "Roles in an enterprise."

Entra ID does not support provisioning nested groups. For more information, see How Application Provisioning works in Microsoft Entra ID on Microsoft Learn.