This version of GitHub Enterprise was discontinued on 2020-11-12. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

Using CAS

CAS is a single sign-on (SSO) protocol for multiple web applications. A CAS user account does not take up a user license until the user signs in.


If you want to authenticate users without adding them to your identity provider, you can configure built-in authentication. For more information, see "Allowing built-in authentication for users outside your identity provider."

Username considerations with CAS

GitHub Enterprise Server usernames can only contain alphanumeric characters and dashes (-). GitHub Enterprise Server will normalize any non-alphanumeric character in your account's username into a dash. For example, a username of will be normalized to gregory-st-john. Note that normalized usernames also can't start or end with a dash. They also can't contain two consecutive dashes.

Usernames created from email addresses are created from the normalized characters that precede the @ character.

If multiple accounts are normalized into the same GitHub Enterprise Server username, only the first user account is created. Subsequent users with the same username won't be able to sign in.

This table gives examples of how usernames are normalized in GitHub Enterprise Server:

| Username | Normalized username | Result |
| --- | --- | --- |
| Ms.Bubbles | ms-bubbles | This username is created successfully. |
| !Ms.Bubbles | -ms-bubbles | This username is not created, because it starts with a dash. |
| Ms.Bubbles! | ms-bubbles- | This username is not created, because it ends with a dash. |
| Ms!!Bubbles | ms--bubbles | This username is not created, because it contains two consecutive dashes. |
| Ms!Bubbles | ms-bubbles | This username is not created. Although the normalized username is valid, it already exists. |
| Ms.Bubbles@example.com | ms-bubbles | This username is not created. Although the normalized username is valid, it already exists. |
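The following added example (not GitHub's code) applies the rules above to a list of CAS usernames so an administrator can find accounts that would be rejected or would collide before enabling CAS. It assumes ASCII-only alphanumerics, lowercasing as shown in the table, and that list order stands in for sign-in order; the function names are hypothetical.

```python
import re

def normalize(cas_username):
    """Approximate the documented normalization (an assumption, not GitHub's code)."""
    local = cas_username.split("@", 1)[0]       # email: keep the part before '@'
    dashed = re.sub(r"[^A-Za-z0-9]", "-", local)  # each other character becomes '-'
    return dashed.lower()                       # lowercase, as in the table above

def rejection_reason(normalized):
    """Return why a normalized username is invalid, or None if it is acceptable."""
    if not normalized:
        return "is empty"
    if normalized.startswith("-"):
        return "starts with a dash"
    if normalized.endswith("-"):
        return "ends with a dash"
    if "--" in normalized:
        return "contains two consecutive dashes"
    return None

def audit(cas_usernames):
    """Return (username, normalized, result) tuples; the first valid claimant wins."""
    taken = {}    # normalized username -> CAS username that claimed it
    report = []
    for name in cas_usernames:
        norm = normalize(name)
        reason = rejection_reason(norm)
        if reason:
            result = "not created: " + reason
        elif norm in taken:
            result = "not created: collides with " + taken[norm]
        else:
            taken[norm] = name
            result = "created"
        report.append((name, norm, result))
    return report

# Constructed sample input: the usernames from the table above.
SAMPLE = ["Ms.Bubbles", "!Ms.Bubbles", "Ms.Bubbles!", "Ms!!Bubbles",
          "Ms!Bubbles", "Ms.Bubbles@example.com"]

if __name__ == "__main__":
    for name, norm, result in audit(SAMPLE):
        print(f"{name:24} {norm:14} {result}")
```

Any line reported as a collision identifies a user who would be unable to sign in once the first account with that normalized username exists.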

Two-factor authentication

When using SAML or CAS, two-factor authentication is not supported or managed on the GitHub Enterprise Server appliance, but may be supported by the external authentication provider. Two-factor authentication enforcement on organizations is not available. For more information about enforcing two-factor authentication on organizations, see "Requiring two-factor authentication in your organization."

CAS attributes

The following attributes are available.

| Attribute name | Type | Description |
| --- | --- | --- |
| username | Required | The GitHub Enterprise Server username. |

Configuring CAS

Warning: Before configuring CAS on your GitHub Enterprise Server instance, note that users will not be able to use their CAS usernames and passwords to authenticate API requests or Git operations over HTTP/HTTPS. Instead, they will need to create an access token.

  1. From an administrative account on GitHub Enterprise Server, click the rocketship icon in the upper-right corner of any page.
  2. In the left sidebar, click Management Console.
  3. In the left sidebar, click Authentication.
  4. Select CAS.
  5. Optionally, select Allow built-in authentication to invite users to use built-in authentication if they don’t belong to your GitHub Enterprise Server instance's identity provider.
  6. In the Server URL field, type the full URL of your CAS server. If your CAS server uses a certificate that can't be validated by GitHub Enterprise Server, you can use the ghe-ssl-ca-certificate-install command to install it as a trusted certificate.