About SCIM

With System for Cross-domain Identity Management (SCIM), administrators can automate the exchange of user identity information between systems.

Note: If your enterprise uses Enterprise Managed Users, you cannot use team synchronization and must instead configure SCIM to manage membership with your identity provider. For more information, see "Configuring SCIM provisioning for Enterprise Managed Users."

If you use SAML SSO in your organization, you can implement SCIM to add, manage, and remove organization members' access to GitHub Enterprise Cloud. For example, an administrator can deprovision an organization member using SCIM and automatically remove the member from the organization.

If you use SAML SSO without implementing SCIM, you won't have automatic deprovisioning. When organization members' sessions expire after their access is removed from the IdP, they aren't automatically removed from the organization. Authorized tokens grant access to the organization even after their sessions expire. To remove access, organization administrators can either manually remove the authorized token from the organization or automate its removal with SCIM.

These identity providers are compatible with the GitHub Enterprise Cloud SCIM API for organizations. For more information, see SCIM in the GitHub API documentation.

  • Azure AD
  • Okta
  • OneLogin

Note: The SAML IdP and the SCIM client must use matching NameID and userName values for each user. This allows a user authenticating through SAML to be linked to their provisioned SCIM identity.

Provisioning and deprovisioning user access with SCIM is not available for enterprise accounts.

Further reading

Did this doc help you?

Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.