GitHub AE is currently under limited release. Please contact our Sales Team to find out more.

Configuring SAML single sign-on for your enterprise

You can configure SAML single sign-on (SSO) for your enterprise, which allows you to centrally control authentication for your enterprise using your identity provider (IdP).

Enterprise owners can configure SAML SSO for an enterprise on GitHub AE.

SAML single sign-on is available with GitHub Enterprise Cloud and GitHub AE. For more information, see "GitHub's products."


About SAML SSO

SAML SSO allows you to centrally control and secure access to your enterprise from your SAML IdP. When an unauthenticated user visits your enterprise in a browser, GitHub AE will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to your enterprise. GitHub AE validates the response from your IdP, then grants access to the user.

After a user successfully authenticates on your IdP, the user's SAML session for your enterprise is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.

To make a person an enterprise owner, you must delegate ownership permission in your IdP. Include the administrator attribute in the SAML assertion for the user account on the IdP, with the value of true. For more information about enterprise owners, see "Roles in an enterprise."

By default, your IdP does not communicate with GitHub AE automatically when you assign or unassign the application. GitHub AE creates a user account using SAML Just-in-Time (JIT) provisioning the first time someone navigates to GitHub AE and signs in by authenticating through your IdP. You may need to manually notify users when you grant access to GitHub AE, and you must manually deactivate the user account on GitHub AE during offboarding. You can use SCIM to provision and deprovision user accounts and access for GitHub AE automatically when you assign or unassign the application on your IdP. For more information, see "Configuring user provisioning for your enterprise."

Supported identity providers

GitHub AE supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.

GitHub has tested SAML SSO for GitHub AE with the following IdPs.

  • Azure AD

Enabling SAML SSO

You'll configure identity and access management for GitHub AE by entering the details for your SAML IdP during initialization. For more information, see "Initializing GitHub AE."

The following IdPs provide documentation about configuring SAML SSO for GitHub AE. If your IdP isn't listed, please contact your IdP to request support for GitHub AE.

| IdP | More information |
|---|---|
| Azure AD | Tutorial: Azure Active Directory single sign-on (SSO) integration with GitHub AE in the Microsoft Docs |

During initialization for GitHub AE, you must configure GitHub AE as a SAML Service Provider (SP) on your IdP. You must enter several unique values on your IdP to configure GitHub AE as a valid SP.

| Value | Other names | Description | Example |
|---|---|---|---|
| SP Entity ID | SP URL | Your top-level URL for GitHub AE | https://YOUR-GITHUB-AE-HOSTNAME |
| SP Assertion Consumer Service (ACS) URL | Reply URL | URL where IdP sends SAML responses | https://YOUR-GITHUB-AE-HOSTNAME/saml/consume |
| SP Single Sign-On (SSO) URL | | URL where IdP begins SSO | https://YOUR-GITHUB-AE-HOSTNAME/sso |
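
The following is an added example, not code from GitHub: a pre-flight check that derives the SP values in the table above from a hostname and compares them with the fields of a SAML response captured during a test sign-in, and that also reports whether the response carries the administrator attribute described under "About SAML SSO". Assumptions: the hostname ghae.example.com and the sample response are constructed, the IdP places the ACS URL in Destination and Recipient and the SP Entity ID in Audience (the usual SAML 2.0 mapping), and the attribute's Name is literally "administrator".

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def sp_values(hostname):
    """The three SP values from the table, derived from the GitHub AE hostname."""
    base = f"https://{hostname}"
    return {"entity_id": base, "acs_url": base + "/saml/consume", "sso_url": base + "/sso"}

def check_response(xml_text, hostname):
    """Return (problems, is_owner). Inspects fields only; verifies no signature."""
    sp, problems = sp_values(hostname), []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != sp["acs_url"]:
        problems.append("Destination is not the ACS URL")
    if sp["entity_id"] not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience is not the SP Entity ID")
    recipients = [c.get("Recipient")
                  for c in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if sp["acs_url"] not in recipients:
        problems.append("Recipient is not the ACS URL")
    # Assumption: the attribute's Name is literally "administrator".
    is_owner = any(
        attr.get("Name") == "administrator"
        and [v.text for v in attr.iterfind("saml:AttributeValue", NS)] == ["true"]
        for attr in root.iterfind(".//saml:Attribute", NS))
    return problems, is_owner

# Constructed sample (unsigned, trimmed): the Audience carries a trailing slash,
# a common IdP-side typo for the SP Entity ID.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://ghae.example.com/saml/consume">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://ghae.example.com/saml/consume"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://ghae.example.com/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="administrator">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "ghae.example.com"))
```

Use it only on responses from your own IdP test sign-ins; it is a configuration aid and does not replace the signature validation GitHub AE performs.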

Editing the SAML SSO configuration

If the details for your IdP change, you'll need to edit the SAML SSO configuration for your enterprise. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.

Note: If you can't sign into your enterprise because GitHub AE can't communicate with your SAML IdP, you can contact GitHub Support, who can help you access GitHub AE to update the SAML SSO configuration. For more information, see "Receiving help from GitHub Support."

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.

  2. In the enterprise account sidebar, click Settings.

  3. In the left sidebar, click Security.

  4. Under "SAML single sign-on", type the new details for your IdP.

  5. Optionally, click the edit icon to configure a new signature or digest method.

    • Use the drop-down menus and choose the new signature or digest method.

  6. To ensure that the information you've entered is correct, click Test SAML configuration.

  7. Click Save.

  8. Optionally, to automatically provision and deprovision user accounts for your enterprise, reconfigure user provisioning with SCIM. For more information, see "Configuring user provisioning for your enterprise."

Disabling SAML SSO

Warning: If you disable SAML SSO for your enterprise, users without existing SAML SSO sessions cannot sign into your enterprise. SAML SSO sessions on your enterprise end after 24 hours.

Note: If you can't sign into your enterprise because GitHub AE can't communicate with your SAML IdP, you can contact GitHub Support, who can help you access GitHub AE to update the SAML SSO configuration. For more information, see "Receiving help from GitHub Support."

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.

  2. In the enterprise account sidebar, click Settings.

  3. In the left sidebar, click Security.

  4. Under "SAML single sign-on", unselect Enable SAML authentication.

  5. To disable SAML SSO and require signing in with the built-in user account you created during initialization, click Save.
