
GitHub AE is currently under limited release.

Configuring authentication and provisioning for your enterprise using Okta

You can use Okta as an identity provider (IdP) to centrally manage authentication and user provisioning for your enterprise.

Who can use this feature

Enterprise owners can configure authentication and provisioning for GitHub AE.

Note: GitHub AE single sign-on (SSO) support for Okta is currently in beta.

About authentication and user provisioning with Okta

You can use Okta as an Identity Provider (IdP) for GitHub AE, which allows your Okta users to sign in to GitHub AE using their Okta credentials.

To use Okta as your IdP for GitHub AE, you can add the GitHub AE app to Okta, configure Okta as your IdP in GitHub AE, and provision access for your Okta users and groups.

When you use an IdP for IAM on GitHub AE, SAML SSO controls and secures access to enterprise resources like repositories, issues, and pull requests. SCIM automatically creates user accounts and manages access to your enterprise when you make changes on the IdP. You can also synchronize teams on GitHub AE with groups on your IdP. For more information, see the following articles.

After you enable SCIM, the following provisioning features are available for all Okta users that you assign to your GitHub AE application.

| Feature | Description |
| --- | --- |
| Push New Users | When you create a new user in Okta, the user is added to GitHub AE. |
| Push User Deactivation | When you deactivate a user in Okta, it will suspend the user from your enterprise on GitHub AE. |
| Push Profile Updates | When you update a user's profile in Okta, it will update the metadata for the user's membership in your enterprise on GitHub AE. |
| Reactivate Users | When you reactivate a user in Okta, it will unsuspend the user in your enterprise on GitHub AE. |

For more information about managing identity and access for your enterprise on GitHub AE, see "Using SAML for enterprise IAM."

Prerequisites

  • To configure authentication and user provisioning for GitHub AE using Okta, you must have an Okta account and tenant.

  • You must create and use a dedicated machine user account on your IdP to associate with the first enterprise owner account on GitHub AE. Store the credentials for the user account securely in a password manager. For more information, see "Configuring user provisioning with SCIM for your enterprise."

Adding the GitHub AE application in Okta

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.
  2. Click Browse App Catalog.
  3. In the search field, type "GitHub AE", then click GitHub AE in the results.
  4. Click Add.
  5. For "Base URL", type the URL of your enterprise on GitHub AE.
  6. Click Done.

Enabling SAML SSO for GitHub AE

To enable single sign-on (SSO) for GitHub AE, you must configure GitHub AE to use the sign-on URL, issuer URL, and public certificate provided by Okta. You can find these details in the Okta app for GitHub AE.

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.

  2. Click the GitHub AE app.

  3. Under the name of the application, click Sign on.

  4. Under "SIGN ON METHODS", click View Setup Instructions.

  5. Take note of the "Sign on URL", "Issuer", and "Public certificate" details.

  6. Use the details to enable SAML SSO for your enterprise on GitHub AE. For more information, see "Configuring SAML single sign-on for your enterprise."

Note: To test your SAML configuration from GitHub AE, your Okta user account must be assigned to the GitHub AE app.

Enabling API integration

The Okta app uses the REST API for GitHub AE for SCIM provisioning. You can enable and test access to the API by configuring Okta with a personal access token for GitHub AE.

  1. In GitHub AE, generate a personal access token with the admin:enterprise scope. For more information, see "Managing your personal access tokens".

  2. In the Okta Dashboard, expand the Applications menu, then click Applications.

  3. Click the GitHub AE app.

  4. Click Provisioning.

  5. Click Configure API Integration.

  6. Select Enable API integration.

  7. For "API Token", type the GitHub AE personal access token you generated previously.

  8. Click Test API Credentials.

Note: If you see "Error authenticating: No results for users returned", confirm that you have enabled SSO for GitHub AE. For more information, see "Enabling SAML SSO for GitHub AE."

Configuring SCIM provisioning settings

This procedure demonstrates how to configure the SCIM settings for Okta provisioning. These settings define which features will be used when automatically provisioning Okta user accounts to GitHub AE.

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.
  2. Click the GitHub AE app.
  3. Click Provisioning.
  4. Under "Settings", click To App.
  5. To the right of "Provisioning to App", click Edit.
  6. To the right of "Create Users", select Enable.
  7. To the right of "Update User Attributes", select Enable.
  8. To the right of "Deactivate Users", select Enable.
  9. Click Save.
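
Once these settings are saved, it is worth confirming that Okta and GitHub AE agree on who has access. The following reconciliation check is an added example, not code from GitHub or Okta; it assumes the provisioned users are available as a SCIM 2.0 ListResponse (RFC 7644), and the Okta export format and the `reconcile` function are hypothetical.

```python
import json

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"  # RFC 7644

# Constructed sample: SCIM 2.0 ListResponse for the enterprise's provisioned users.
SCIM_USERS_JSON = """
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 4,
 "Resources": [
   {"userName": "alice@example.com", "active": true},
   {"userName": "bob@example.com", "active": true},
   {"userName": "carol@example.com", "active": false},
   {"userName": "dave@example.com", "active": false}]}
"""

# Constructed sample: users assigned to the GitHub AE app in Okta, as a
# hypothetical {login: is_active} export (not an Okta API response shape).
OKTA_ASSIGNMENTS = {
    "alice@example.com": True,
    "bob@example.com": False,   # deactivated in Okta
    "carol@example.com": True,  # reactivated in Okta
    "erin@example.com": True,   # newly created and assigned
}

def reconcile(scim_json, okta_assignments):
    """Return {finding: sorted logins} for each provisioning feature that drifted."""
    listing = json.loads(scim_json)
    resources = listing.get("Resources", [])
    if LIST_RESPONSE not in listing.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    if listing.get("totalResults", 0) > len(resources):
        raise ValueError("partial page: fetch every page before reconciling")
    # A missing "active" flag is treated as active so the account is not overlooked.
    ghae = {u["userName"].lower(): bool(u.get("active", True)) for u in resources}
    okta = {login.lower(): active for login, active in okta_assignments.items()}
    findings = {"not_suspended": [], "not_reactivated": [], "not_provisioned": []}
    for login, active in ghae.items():
        if active and not okta.get(login, False):
            # Usable on GitHub AE but deactivated or unassigned in Okta.
            findings["not_suspended"].append(login)
        elif not active and okta.get(login, False):
            # Still suspended on GitHub AE although active in Okta.
            findings["not_reactivated"].append(login)
    # Active in Okta but no account exists on GitHub AE.
    findings["not_provisioned"] = [l for l, a in okta.items() if a and l not in ghae]
    return {name: sorted(logins) for name, logins in findings.items()}

if __name__ == "__main__":
    for name, logins in reconcile(SCIM_USERS_JSON, OKTA_ASSIGNMENTS).items():
        print(f"{name}: {logins}")
```

A non-empty `not_suspended` list is the finding to act on first, since it names accounts that remain usable on GitHub AE after access was removed in Okta.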

Allowing Okta users and groups to access GitHub AE

You can provision access to GitHub AE for your individual Okta users, or for entire groups.

Provisioning access for Okta users

Before your Okta users can use their credentials to sign in to GitHub AE, you must assign the users to the Okta app for GitHub AE.

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.

  2. Click the GitHub AE app.

  3. Click Assignments.

  4. Select the Assign dropdown menu, then click Assign to People.

  5. To the right of the required user account, click Assign.

  6. To the right of "Role", select the dropdown menu, then click a role for the user.

  7. Click Save and go back.

  8. Click Done.

Provisioning access for Okta groups

You can map your Okta group to a team in GitHub AE. Members of the Okta group will then automatically become members of the mapped GitHub AE team. For more information, see "Mapping Okta groups to teams."
