You can use GitHub Enterprise's built-in authentication, or choose between CAS, LDAP, or SAML to integrate your existing accounts and centrally manage user access to your GitHub Enterprise instance.
Single sign-on to an identity provider with CAS or SAML
CAS and SAML provide single sign-on (SSO) behavior by redirecting and authenticating to an external identity provider and then redirecting back to GitHub Enterprise with a response describing the authenticated user. With these methods, you can enforce authentication requirements including 2FA, password policies, and VPN access.
CAS is a single sign-on (SSO) protocol for multiple web applications. A CAS user account does not take up a license seat until the user signs in to your Enterprise instance.
SAML is an XML-based standard for authentication and authorization. GitHub Enterprise can act as a service provider (SP) with your internal SAML identity provider (IdP).
Authentication against internal LDAP directories
When LDAP authentication is configured, GitHub Enterprise validates credentials externally against users in your centrally managed LDAP directory service.
Optionally, LDAP configuration allows site admins to restrict authentication to members of configurable restricted groups. Administrators manage access to your GitHub Enterprise instance by managing the members of those groups from within LDAP. LDAP and LDAP Sync can also automate team membership, SSH key and email address management, and user suspension.
LDAP lets you authenticate GitHub Enterprise against your existing accounts and centrally manage repository access.
Authentication on GitHub Enterprise
Built-in GitHub Enterprise authentication accepts instance-specific account credentials that aren't shared or connected to external identity providers or authentication services. Admins can manage these accounts through the web interface or programmatically through the API.
When you use the default authentication method, all authentication details are stored within your GitHub Enterprise instance. Built-in authentication is the default method if you don’t already have an established authentication provider, such as LDAP, SAML, or CAS.
You can change the way GitHub Enterprise authenticates with your existing accounts at any time.