You can use GitHub Enterprise's built-in authentication, or choose between CAS, LDAP, or SAML to integrate your existing accounts and centrally manage user access to your GitHub Enterprise instance.
Single sign-on to an identity provider with CAS or SAML
Note: User authentication using GitHub OAuth is deprecated and can not be used for new installations.
CAS or SAML provide single sign-on (SSO) behavior by redirecting and authenticating to an external identity provider and then redirecting back to GitHub Enterprise with a response describing the authenticated user. With these methods, you can enforce authentication requirements including 2FA, password policies, and VPN access.
Using CAS
CAS is a single sign-on (SSO) protocol for multiple web applications. A CAS user account does not take up a license seat until the user signs in to your Enterprise instance.
Using SAML
SAML is an XML-based standard for authentication and authorization. GitHub Enterprise can act as a service provider (SP) with your internal SAML identity provider (idP).
Authentication against internal LDAP directories
When LDAP authentication is configured, GitHub Enterprise validates credentials externally against users in your centrally managed LDAP directory service.
Optionally, LDAP configuration allows site admins to restrict authentication to members of configurable restricted groups. Administrators manage access to the GitHub Enterprise instance by managing the members of those groups from within LDAP. LDAP and LDAP Sync can also automate team membership, SSH key and email address management, and user suspension.
Using LDAP
LDAP lets you authenticate GitHub Enterprise against your existing accounts and centrally manage repository access.
Authentication on GitHub Enterprise
Built-in GitHub Enterprise authentication accepts instance-specific account credentials that aren't shared or connected to external identity providers or authentication services. Admins can manage these accounts through the web interface or programmatically through the API.
Using built-in authentication
When you use the default authentication method, all authentication details are stored within your GitHub Enterprise instance. Built-in authentication is the default method if you don’t already have an established authentication provider, such as LDAP, SAML, or CAS.
Changing authentication methods
You can change the way GitHub Enterprise authenticates with your existing accounts at any time.