
Configuring SAML single sign-on for your enterprise

You can control and secure access to your enterprise on GitHub AE by configuring SAML single sign-on (SSO) through your identity provider (IdP).

Enterprise owners can configure SAML SSO for an enterprise on GitHub AE.

About SAML SSO

SAML SSO allows you to centrally control and secure access to your enterprise from your SAML IdP. When an unauthenticated user visits your enterprise in a browser, GitHub AE will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to your enterprise. GitHub AE validates the response from your IdP, then grants access to the user.

After a user successfully authenticates on your IdP, the user's SAML session for your enterprise is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.

To make a person an enterprise owner, you must delegate ownership permission in your IdP. Include the administrator attribute in the SAML assertion for the user account on the IdP, with the value of true. For more information about enterprise owners, see "Roles in an enterprise."
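An added example (not from GitHub's documentation): a Python check that reads decoded SAML assertions and reports which users the IdP would mark as enterprise owners through the administrator attribute described above. The sample assertions are constructed and unsigned; the attribute Name format, the `classify` and `audit` helpers, and the rule that anything other than a single exact `true` goes to review are assumptions of this example, not GitHub AE's documented parsing behaviour.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _assertion(name_id, attrs):
    """Build a constructed, unsigned SAML 2.0 assertion for the demo."""
    stmt = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>"
        for n, v in attrs
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{stmt}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )

# Constructed sample data: three users as an IdP might release them.
SAMPLES = [
    _assertion("alice@example.com", [("administrator", "true")]),
    _assertion("bob@example.com", [("emails", "bob@example.com")]),
    _assertion("carol@example.com", [("administrator", "True ")]),
]

def classify(assertion_xml):
    """Return (NameID, verdict); verdict is 'owner', 'member' or 'review'."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    # Collect every value released under the attribute named "administrator".
    values = [
        (v.text or "")
        for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == "administrator"
        for v in a.iterfind("saml:AttributeValue", NS)
    ]
    if not values:
        return name_id, "member"   # no administrator value released
    if values == ["true"]:
        return name_id, "owner"    # exactly one value, exactly "true"
    return name_id, "review"       # odd casing, whitespace, or repeated values

def audit(assertions):
    """Map each NameID to its verdict."""
    return dict(classify(x) for x in assertions)

if __name__ == "__main__":
    for user, verdict in audit(SAMPLES).items():
        print(f"{user}: {verdict}")
```

The check reads attribute values only and does not verify the assertion signature, so use it on assertions taken from your own IdP's test or preview output when reviewing who is delegated ownership.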

By default, your IdP does not communicate with GitHub AE automatically when you assign or unassign the application. GitHub AE creates a user account using SAML Just-in-Time (JIT) provisioning the first time someone navigates to GitHub AE and signs in by authenticating through your IdP. You may need to manually notify users when you grant access to GitHub AE, and you must manually deactivate the user account on GitHub AE during offboarding. You can use SCIM to create or suspend user accounts and access for GitHub AE automatically when you assign or unassign the application on your IdP. For more information, see "Configuring user provisioning for your enterprise."

Supported identity providers

GitHub AE supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.

GitHub officially supports and internally tests the following IdPs.

  • Azure Active Directory (Azure AD)
  • Okta (beta)

Enabling SAML SSO

You'll configure identity and access management for GitHub AE by entering the details for your SAML IdP during initialization. For more information, see "Initializing GitHub AE."

The following IdPs provide documentation about configuring SAML SSO for GitHub AE. If your IdP isn't listed, please contact your IdP to request support for GitHub AE.

IdP         More information
Azure AD    "Configuring authentication and provisioning for your enterprise using Azure AD"
Okta        "Configuring authentication and provisioning for your enterprise using Okta"

During initialization for GitHub AE, you must configure GitHub AE as a SAML service provider (SP) on your IdP. You must enter several unique values on your IdP to configure GitHub AE as a valid SP. For more information, see "SAML configuration reference."

Editing the SAML SSO configuration

If the details for your IdP change, you'll need to edit the SAML SSO configuration for your enterprise. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.

Note: If you can't sign into your enterprise because GitHub AE can't communicate with your SAML IdP, you can contact GitHub Support, who can help you access GitHub AE to update the SAML SSO configuration. For more information, see "Receiving help from GitHub Support."

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.

  2. In the enterprise account sidebar, click Settings.

  3. In the left sidebar, click Security.

  4. Under "SAML single sign-on", type the new details for your IdP.

  5. Optionally, click the edit icon to configure a new signature or digest method.

    • Use the drop-down menus and choose the new signature or digest method.

  6. To ensure that the information you've entered is correct, click Test SAML configuration.

  7. Click Save.

  8. Optionally, to automatically provision and deprovision user accounts for your enterprise, reconfigure user provisioning with SCIM. For more information, see "Configuring user provisioning for your enterprise."

Disabling SAML SSO

Warning: If you disable SAML SSO for your enterprise, users without existing SAML SSO sessions cannot sign into your enterprise. SAML SSO sessions on your enterprise end after 24 hours.

Note: If you can't sign into your enterprise because GitHub AE can't communicate with your SAML IdP, you can contact GitHub Support, who can help you access GitHub AE to update the SAML SSO configuration. For more information, see "Receiving help from GitHub Support."

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.

  2. In the enterprise account sidebar, click Settings.

  3. In the left sidebar, click Security.

  4. Under "SAML single sign-on", unselect Enable SAML authentication.

  5. To disable SAML SSO and require signing in with the built-in user account you created during initialization, click Save.