You can use GitHub Enterprise's built-in authentication, or choose between GitHub OAuth, CAS, LDAP, or SAML to integrate your existing accounts and centrally manage user access to your GitHub Enterprise instance.

Single sign-on to an identity provider with CAS, SAML, or OAuth

Note: User authentication using GitHub OAuth is deprecated and can not be used for new installations.

CAS, SAML and OAuth provide single sign-on (SSO) behavior by redirecting and authenticating to an external identity provider and then redirecting back to GitHub Enterprise with a response describing the authenticated user. With these methods, you can enforce authentication requirements including 2FA, password policies, and VPN access.

Using CAS

CAS is a single sign-on (SSO) protocol for multiple web applications. A CAS user account does not take up a license seat until the user signs in to your Enterprise instance.

Using SAML

SAML is an XML-based standard for authentication and authorization. GitHub Enterprise can act as a service provider (SP) with your internal SAML identity provider (idP).

Using GitHub OAuth

GitHub OAuth uses GitHub.com organization membership to grant and control access to your GitHub Enterprise instance.

Authentication against internal LDAP directories

When LDAP authentication is configured, GitHub Enterprise validates credentials externally against users in your centrally managed LDAP directory service.

Optionally, LDAP configuration allows site admins to restrict authentication to members of configurable restricted groups. Administrators manage access to the GitHub Enterprise instance by managing the members of those groups from within LDAP. LDAP and LDAP Sync can also automate team membership, SSH key and email address management, and user suspension.

Using LDAP

LDAP lets you authenticate GitHub Enterprise against your existing accounts and centrally manage repository access.

Authentication on GitHub Enterprise

Built-in GitHub Enterprise authentication accepts instance-specific account credentials that aren't shared or connected to external identity providers or authentication services. Admins can manage these accounts through the web interface or programmatically through the API.

Using built-in authentication

When you use the default authentication method, all authentication details are stored within your GitHub Enterprise instance. Built-in authentication is the default method if you don’t already have an established authentication provider, such as LDAP, SAML, or CAS.

Changing authentication methods

You can change the way GitHub Enterprise authenticates with your existing accounts at any time.