Skip to main content
GitHub AE is currently under limited release.
All products
Enterprise administrators

Username considerations for external authentication

In this article

GitHub AE follows certain rules to determine the username for each user account in your enterprise.

About usernames with external authentication

GitHub AE uses SAML SSO for authentication, and automatically creates a username for each person when the person signs in through your identity provider (IdP) for the first time.

Usernames must not exceed 39 characters.

About username normalization

Usernames for user accounts on GitHub AE can only contain alphanumeric characters and dashes (-).

When you configure SAML authentication, GitHub AE uses an identifier from the user account on your IdP to determine the username for the corresponding user account on GitHub AE. If the identifier includes unsupported characters, GitHub AE will normalize the username per the following rules.

  1. GitHub AE will normalize any non-alphanumeric character in your account's username into a dash. For example, a username of mona.the.octocat will be normalized to mona-the-octocat. Note that normalized usernames also can't start or end with a dash. They also can't contain two consecutive dashes.

  2. Usernames created from email addresses are created from the normalized characters that precede the @ character.

  3. Usernames created from domain accounts are created from the normalized characters after the \\ separator.

  4. If multiple accounts are normalized into the same GitHub AE username, only the first user account is created. Subsequent users with the same username won't be able to sign in.

Examples of username normalization

Identifier on providerNormalized username on GitHubResult
The.Octocatthe-octocatThis username is created successfully.
!The.Octocat-the-octocatThis username is not created, because it starts with a dash.
The.Octocat!the-octocat-This username is not created, because it ends with a dash.
The!!Octocatthe--octocatThis username is not created, because it contains two consecutive dashes.
The!Octocatthe-octocatThis username is not created. Although the normalized username is valid, it already exists.
The.Octocat@example.comthe-octocatThis username is not created. Although the normalized username is valid, it already exists.
internal\\The.Octocatthe-octocatThis username is not created. Although the normalized username is valid, it already exists.
mona.lisa.the.octocat.from.github.united.states@example.commona-lisa-the-octocat-from-github-united-statesThis username is not created, because it exceeds the 39-character limit.

About username normalization with SAML

GitHub AE determines each person's username by one of the following assertions in the SAML response, ordered by descending priority.

  1. The custom username attribute, if defined and present
  2. An http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name assertion, if present
  3. An http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress assertion, if present
  4. The NameID element

GitHub AE requires the NameID element even if other attributes are present. For more information, see "SAML configuration reference."

GitHub AE creates a mapping between the NameID from the IdP and the username in your enterprise, so the NameID should be persistent, unique, and not subject to change for the lifecycle of the user.