Configuring authentication and provisioning for your enterprise using Okta

You can use Okta as an identity provider (IdP) to centrally manage authentication and user provisioning for your GitHub Enterprise Server instance.

Who can use this feature

Enterprise owners can configure authentication and provisioning for GitHub Enterprise Server.

About authentication and user provisioning with Okta

You can use Okta as an Identity Provider (IdP) for GitHub Enterprise Server, which allows your Okta users to sign in to GitHub Enterprise Server using their Okta credentials.

To use Okta as your IdP for GitHub Enterprise Server, you can add the GitHub Enterprise Server app to Okta, configure Okta as your IdP in GitHub Enterprise Server, and provision access for your Okta users and groups.

Note: SCIM for GitHub Enterprise Server is currently in private beta and is subject to change. For access to the beta, contact your account manager on GitHub's Sales team.

Warning: The beta is exclusively for testing and feedback, and no support is available. GitHub recommends testing with a staging instance. For more information, see "Setting up a staging instance."

The following provisioning features are available for all Okta users that you assign to your GitHub Enterprise Server application.

| Feature | Description |
| --- | --- |
| Push New Users | When you create a new user in Okta, the user is added to GitHub Enterprise Server. |
| Push User Deactivation | When you deactivate a user in Okta, it will suspend the user from your enterprise on GitHub Enterprise Server. |
| Push Profile Updates | When you update a user's profile in Okta, it will update the metadata for the user's membership in your enterprise on GitHub Enterprise Server. |
| Reactivate Users | When you reactivate a user in Okta, it will unsuspend the user in your enterprise on GitHub Enterprise Server. |

Prerequisites

  • To configure authentication and user provisioning for GitHub Enterprise Server using Okta, you must have an Okta account and tenant.

  • You must configure SAML SSO for your GitHub Enterprise Server instance. For more information, see "Configuring SAML single sign-on for your enterprise."

  • You must create and use a dedicated machine user account on your IdP to associate with an enterprise owner account on GitHub Enterprise Server. Store the credentials for the user account securely in a password manager. For more information, see "Configuring user provisioning with SCIM for your enterprise."

Adding the GitHub Enterprise Server application in Okta

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.

  2. Click Browse App Catalog.

  3. In the search field, type "GitHub Enterprise Server", then click GitHub Enterprise Server in the results.

  4. Click Add.

  5. For "Base URL", type the URL of your GitHub Enterprise Server instance.

  6. Click Done.

Enabling SAML SSO for GitHub Enterprise Server

To enable single sign-on (SSO) for GitHub Enterprise Server, you must configure GitHub Enterprise Server to use the sign-on URL, issuer URL, and public certificate provided by Okta. You can find these details in the Okta app for GitHub Enterprise Server.

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.

  2. Click the GitHub Enterprise Server app.

  3. Under the name of the application, click Sign on.

  4. Use the details to enable SAML SSO for your GitHub Enterprise Server instance. For more information, see "Configuring SAML single sign-on for your enterprise."

Note: To test your SAML configuration from GitHub Enterprise Server, your Okta user account must be assigned to the GitHub Enterprise Server app.

Enabling API integration

The Okta app uses the REST API for GitHub Enterprise Server for SCIM provisioning. You can enable and test access to the API by configuring Okta with a personal access token for GitHub Enterprise Server.

  1. In GitHub Enterprise Server, generate a personal access token with the admin:enterprise scope. For more information, see "Creating a personal access token".

  2. In the Okta Dashboard, expand the Applications menu, then click Applications.

  3. Click the GitHub Enterprise Server app.

  4. Click Provisioning.

  5. Click Configure API Integration.

  6. Select Enable API integration.

  7. For "API Token", type the GitHub Enterprise Server personal access token you generated previously.

  8. Click Test API Credentials.

Note: If you see the error "Error authenticating: No results for users returned", confirm that you have enabled SSO for GitHub Enterprise Server. For more information, see "Enabling SAML SSO for GitHub Enterprise Server."

Configuring SCIM provisioning settings

This procedure demonstrates how to configure the SCIM settings for Okta provisioning. These settings define which features will be used when automatically provisioning Okta user accounts to GitHub Enterprise Server.

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.

  2. Click the GitHub Enterprise Server app.

  3. Click Provisioning.

  4. Under "Settings", click To App.

  5. To the right of "Provisioning to App", click Edit.

  6. To the right of "Create Users", select Enable.

  7. To the right of "Update User Attributes", select Enable.

  8. To the right of "Deactivate Users", select Enable.

  9. Click Save.
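
With "Deactivate Users" enabled, an account deactivated in Okta should show as suspended on GitHub Enterprise Server. The following Python example is added here and is not part of GitHub's or Okta's documentation; it compares user exports from both systems and reports accounts where that did not happen. The record shapes, the sample data, and the `ghes_username` normalization rule are assumptions for illustration.

```python
import re

# Constructed sample exports (assumed shapes): Okta users with a "status",
# GitHub Enterprise Server users with a "suspended_at" timestamp or None.
OKTA_USERS = [
    {"login": "alice@example.com", "status": "ACTIVE"},
    {"login": "bob.smith@example.com", "status": "DEPROVISIONED"},
    {"login": "carol@example.com", "status": "DEPROVISIONED"},
    {"login": "dave@example.com", "status": "ACTIVE"},
]
GHES_USERS = [
    {"login": "alice", "suspended_at": None},
    {"login": "bob-smith", "suspended_at": None},
    {"login": "carol", "suspended_at": "2024-01-10T09:00:00Z"},
    {"login": "dave", "suspended_at": "2024-02-01T12:00:00Z"},
    {"login": "local-admin", "suspended_at": None},
]

def ghes_username(okta_login):
    """Assumed simplified mapping: drop the domain, replace other characters with '-'."""
    local_part = okta_login.split("@", 1)[0]
    return re.sub(r"[^A-Za-z0-9]", "-", local_part).lower()

def find_provisioning_drift(okta_users, ghes_users):
    """Return (username, finding) pairs where the two systems disagree."""
    accounts = {u["login"].lower(): u for u in ghes_users}
    findings, seen = [], set()
    for user in okta_users:
        name = ghes_username(user["login"])
        seen.add(name)
        account = accounts.get(name)
        if account is None:
            continue  # never provisioned to the instance, nothing to compare
        suspended = account.get("suspended_at") is not None
        if user["status"] == "DEPROVISIONED" and not suspended:
            # Deactivation was not pushed: the account can still be used.
            findings.append((name, "active-after-deactivation"))
        elif user["status"] == "ACTIVE" and suspended:
            # Reactivation was not pushed, or the account was suspended locally.
            findings.append((name, "suspended-but-active-in-okta"))
    # Accounts on the instance that Okta does not know about at all.
    for name in sorted(set(accounts) - seen):
        findings.append((name, "not-managed-by-okta"))
    return findings

if __name__ == "__main__":
    for name, finding in find_provisioning_drift(OKTA_USERS, GHES_USERS):
        print(f"{name}: {finding}")
```

An "active-after-deactivation" finding is the one to act on first, because the account remains usable on the instance after the identity was deactivated in Okta.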

Allowing Okta users and groups to access GitHub Enterprise Server

You can provision access to GitHub Enterprise Server for your individual Okta users, or for entire groups.

Provisioning access for Okta users

Before your Okta users can use their credentials to sign in to GitHub Enterprise Server, you must assign the users to the Okta app for GitHub Enterprise Server.

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.

  2. Click the GitHub Enterprise Server app.

  3. Click Assignments.

  4. Select the Assign drop-down menu and click Assign to People.

  5. To the right of the required user account, click Assign.

  6. To the right of "Role", click a role for the user, then click Save and go back.

  7. Click Done.
