
Synchronizing a team with an identity provider group

You can synchronize a GitHub AE team with an identity provider (IdP) group to automatically add and remove team members.

Organization owners and team maintainers can synchronize a GitHub team with an IdP group.

Synchronization of teams with SCIM groups is available for organizations using GitHub AE. For more information, see "GitHub's products."


About team synchronization

When you synchronize a GitHub team with an IdP group, changes to the IdP group are reflected on GitHub AE automatically, reducing the need for manual updates and custom scripts. You can use an IdP with team synchronization to manage administrative tasks such as onboarding new members, granting new permissions when people move within an organization, and removing member access to the organization.

You can connect a team on GitHub AE to one IdP group. All users in the group are automatically added to the team and also added to the parent organization as members. When you disconnect a group from a team, users who became members of the organization via team membership are removed from the organization. You can assign an IdP group to multiple GitHub AE teams.

Once a GitHub team is connected to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on GitHub AE.

When group membership changes on your IdP, your IdP sends a SCIM request with the changes to GitHub AE according to the schedule determined by your IdP. Any requests that change GitHub team or organization membership will register in the audit log as changes made by the account used to configure user provisioning. For more information about this account, see "Configuring user provisioning for your enterprise." For more information about SCIM request schedules, see "Check the status of user provisioning" in the Microsoft Docs.
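Because every synchronized membership change is logged under the provisioning account, a membership event on a connected team from any other actor is worth reviewing. The following check is an added example, not GitHub's own code: the provisioning login, the team names, and the exported field names are assumptions to adapt, and the sample log is constructed.

```python
import json

# Assumptions, not taken from the page: the provisioning account login, the
# synced team names, and the exported field names ("action", "actor", "user",
# "team") are placeholders to adapt to your own audit log export.
PROVISIONING_ACTOR = "scim-provisioner"
SYNCED_TEAMS = {"example-org/platform", "example-org/security"}
MEMBERSHIP_ACTIONS = {"team.add_member", "team.remove_member"}

# Constructed sample export, one JSON event per line (line 5 is truncated).
SAMPLE_LOG = """\
{"created_at": 1700000000000, "action": "team.add_member", "actor": "scim-provisioner", "user": "alice", "team": "example-org/platform"}
{"created_at": 1700000060000, "action": "team.add_member", "actor": "some-owner", "user": "bob", "team": "example-org/platform"}
{"created_at": 1700000120000, "action": "team.remove_member", "actor": "some-owner", "user": "carol", "team": "example-org/docs"}
{"created_at": 1700000180000, "action": "repo.create", "actor": "some-owner", "repo": "example-org/tools"}
{"created_at": 1700000240000, "action": "team.remove_member", "actor":
{"created_at": 1700000300000, "action": "team.remove_member", "actor": "SCIM-Provisioner", "user": "dave", "team": "example-org/security"}
"""


def unexpected_membership_changes(log_text):
    """Return findings for synced-team membership events that did not come
    from the provisioning account, plus lines that could not be parsed."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
            if not isinstance(event, dict):
                raise ValueError("event is not a JSON object")
        except ValueError:
            # Do not skip silently: a damaged export can hide an event.
            findings.append({"line": lineno, "reason": "unparseable"})
            continue
        if event.get("action") not in MEMBERSHIP_ACTIONS:
            continue
        if event.get("team") not in SYNCED_TEAMS:
            continue  # teams not connected to an IdP group are out of scope
        actor = str(event.get("actor", ""))
        # Logins are compared case-insensitively.
        if actor.lower() != PROVISIONING_ACTOR.lower():
            findings.append({"line": lineno, "reason": "unexpected actor",
                             "actor": actor, "user": event.get("user"),
                             "team": event["team"], "action": event["action"]})
    return findings


if __name__ == "__main__":
    for finding in unexpected_membership_changes(SAMPLE_LOG):
        print(finding)
```
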

Parent teams cannot synchronize with IdP groups. If the team you want to connect to an IdP group is a parent team, we recommend creating a new team or removing the nested relationships that make your team a parent team. For more information, see "About teams," "Creating a team," and "Moving a team in your organization's hierarchy."

To manage repository access for any GitHub team, including teams connected to an IdP group, you must make changes with GitHub AE. For more information, see "About teams" and "Managing team access to an organization repository."

Prerequisites

Before you can connect a GitHub AE team with an IdP group, you must first configure user provisioning for your enterprise using a supported System for Cross-domain Identity Management (SCIM). For more information, see "Configuring user provisioning for your enterprise."

Once user provisioning for GitHub AE is configured using SCIM, you can assign the GitHub AE application to every IdP group that you want to use on GitHub AE. For more information, see "Configure automatic user provisioning to GitHub AE" in the Microsoft Docs.

Connecting an IdP group to a team

When you connect an IdP group to a GitHub AE team, all users in the group are automatically added to the team. Any users who were not already members of the parent organization are also added to the organization.

  1. In the top right corner of GitHub AE, click your profile photo, then click Your profile.


  2. On the left side of your profile page, under "Organizations", click the icon for your organization.


  3. Under your organization name, click Teams.


  4. On the Teams tab, click the name of the team.


  5. At the top of the team page, click Settings.


  6. Under "Identity Provider Group", use the drop-down menu, and select an identity provider group from the list.


  7. Click Save changes.

Disconnecting an IdP group from a team

If you disconnect an IdP group from a GitHub team, team members that were assigned to the GitHub team through the IdP group will be removed from the team. Any users who were members of the parent organization only because of that team connection are also removed from the organization.

  1. In the top right corner of GitHub AE, click your profile photo, then click Your profile.


  2. On the left side of your profile page, under "Organizations", click the icon for your organization.


  3. Under your organization name, click Teams.


  4. On the Teams tab, click the name of the team.


  5. At the top of the team page, click Settings.


  6. Under "Identity Provider Group", to the right of the IdP group you want to disconnect, click .

    Unselect a connected IdP group from the GitHub team

  7. Click Save changes.
