Azure Active Directory (Azure AD) is a service from Microsoft that allows you to centrally manage user accounts and access to web applications. For more information, see What is Azure Active Directory? in the Microsoft Docs.
To manage identity and access for GitHub AE, you can use an Azure AD tenant as a SAML IdP for authentication. You can also configure Azure AD to automatically provision accounts and access membership with SCIM, which allows you to create GitHub AE users and manage team and organization membership from your Azure AD tenant.
After you enable SAML SSO and SCIM for GitHub AE using Azure AD, you can accomplish the following from your Azure AD tenant.
- Assign the GitHub AE application on Azure AD to a user account to automatically create and grant access to a corresponding user account on GitHub AE.
- Unassign the GitHub AE application to a user account on Azure AD to deactivate the corresponding user account on GitHub AE.
- Assign the GitHub AE application to an IdP group on Azure AD to automatically create and grant access to user accounts on GitHub AE for all members of the IdP group. In addition, the IdP group is available on GitHub AE for connection to a team and its parent organization.
- Unassign the GitHub AE application from an IdP group to deactivate the GitHub AE user accounts of all IdP users who had access only through that IdP group and remove the users from the parent organization. The IdP group will be disconnected from any teams on GitHub AE.
For more information about managing identity and access for your enterprise on your enterprise, see "Managing identity and access for your enterprise." For more information about synchronizing teams with IdP groups, see "Synchronizing a team with an identity provider group."
To configure authentication and user provisioning for GitHub AE using Azure AD, you must have an Azure AD account and tenant. For more information, see the Azure AD website and Quickstart: Create an Azure Active Directory tenant in the Microsoft Docs.
To make a person an enterprise owner, you must delegate ownership permission in your IdP. Include the
administrator attribute in the SAML assertion for the user account on the IdP, with the value of
true. For more information about enterprise owners, see "Roles in an enterprise." For more information about including the
administrator attribute in the SAML claim from Azure AD, see How to: customize claims issued in the SAML token for enterprise applications in the Microsoft Docs.
Create and use a dedicated machine user account on your IdP to associate with the first enterprise owner account on GitHub AE. Store the credentials for the user account securely in a password manager.
In Azure AD, add the GitHub AE application to your tenant and configure single sign-on. For more information, see Tutorial: Azure Active Directory single sign-on (SSO) integration with GitHub AE in the Microsoft Docs.
In GitHub AE, enter the details for your Azure AD tenant.
You'll configure identity and access management for GitHub AE by entering the details for your SAML IdP during initialization. For more information, see "Initializing GitHub AE."
If you've already configured SAML SSO for your enterprise using another IdP and you want to use Azure AD instead, you can edit your configuration. For more information, see "Configuring SAML single sign-on for your enterprise."
Enable user provisioning in GitHub AE and configure user provisioning in Azure AD. For more information, see "Configuring user provisioning for your enterprise."