SAML single sign-on (SSO) gives organization owners and enterprise owners using GitHub Enterprise Cloud a way to control and secure access to organization resources like repositories, issues, and pull requests. Enterprise owners can enable SAML SSO and centralized authentication through a SAML IdP across all organizations owned by an enterprise account. After you enable SAML SSO for your enterprise account, SAML SSO is enforced for all organizations owned by your enterprise account. All members will be required to authenticate using SAML SSO to gain access to the organizations where they are a member, and enterprise owners will be required to authenticate using SAML SSO when accessing an enterprise account. For more information, see "Configuring SAML single sign-on for your enterprise."
If your enterprise members manage their own personal accounts on GitHub.com, you can configure SAML authentication as an additional access restriction for your enterprise or organization. Alternatively, you can provision and manage the accounts of your enterprise members on GitHub.com by using an enterprise account with Enterprise Managed Users enabled. For more information, see "About authentication for your enterprise."
If a SAML configuration error or an issue with your identity provider (IdP) prevents you from using SAML SSO, you can use a recovery code to access your enterprise. For more information, see "Managing recovery codes for your enterprise."
After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features.
If you use Azure AD as your IDP, you can use team synchronization to manage team membership within each organization. When you synchronize a GitHub team with an IdP group, changes to the IdP group are reflected on GitHub Enterprise Cloud automatically, reducing the need for manual updates and custom scripts. You can use an IdP with team synchronization to manage administrative tasks such as onboarding new members, granting new permissions for movements within an organization, and removing member access to the organization. For more information, see "Managing team synchronization for organizations in your enterprise account."
There are special considerations when enabling SAML SSO for your enterprise account if any of the organizations owned by the enterprise account are already configured to use SAML SSO. For more information, see "Switching your SAML configuration from an organization to an enterprise account."
Enterprise Managed Users is a feature of GitHub Enterprise Cloud that provides even greater control over enterprise members and resources. With Enterprise Managed Users, all members are provisioned and managed through your identity provider (IdP) instead of users creating their own accounts on GitHub Enterprise Cloud. Team membership can be managed using groups on your IdP. Managed users are restricted to their enterprise and are unable to push code, collaborate, or interact with users, repositories, and organizations outside of their enterprise. For more information, see "About Enterprise Managed Users."
Note: You cannot use SCIM at the enterprise level unless your enterprise is enabled for Enterprise Managed Users.
Configuring Enterprise Managed Users for SAML single-sign on and user provisioning involves following a different process than you would for an enterprise that isn't using managed users. If your enterprise uses Enterprise Managed Users, see "Configuring SAML single sign-on for Enterprise Managed Users."
We test and officially support the following IdPs. For SAML SSO, we offer limited support for all identity providers that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.
|Active Directory Federation Services (AD FS)|
|Azure Active Directory (Azure AD)|
- SAML Wiki on the OASIS website
- System for Cross-domain Identity Management: Protocol (RFC 7644) on the IETF website