Enterprise owners on GitHub Enterprise Cloud can control the requirements for authentication and access to the enterprise's resources.
You can choose to allow members to create and manage user accounts, or your enterprise can create and manage accounts for members with Enterprise Managed Users. If you allow members to manage their own accounts, you can also configure SAML authentication to both increase security and centralize identity and access for the web applications that your team uses.
After learning more about these options, to determine which method is best for your enterprise, see "Identifying the best authentication method for your enterprise."
The following options are available for account management and authentication on GitHub Enterprise Cloud.
- Authentication through GitHub.com
- Authentication through GitHub.com with additional SAML access restriction
- Authentication with Enterprise Managed Users and federation
By default, each member must create a personal account on GitHub.com. You grant access to your enterprise, and the member can access your enterprise's resources after signing into the account on GitHub.com. The member manages the account, and can contribute to other enterprises, organizations, and repositories on GitHub.com.
If you configure additional SAML access restriction, each member must create and manage a personal account on GitHub.com. You grant access to your enterprise, and the member can access your enterprise's resources after both signing into the account on GitHub.com and successfully authenticating with your SAML identity provider (IdP). The member can contribute to other enterprises, organizations, and repositories on GitHub.com using their personal account. For more information about requiring SAML authentication for all access to your enterprise's resources, see "About SAML for enterprise IAM."
If you use a standalone organization with GitHub Enterprise Cloud, or if you don't want to use SAML authentication for every organization in your enterprise, you can configure SAML for an individual organization. For more information, see "About identity and access management with SAML single sign-on."
If you need more control of the accounts for your enterprise members on GitHub.com, you can use Enterprise Managed Users. With Enterprise Managed Users, you provision and manage accounts for your enterprise members on GitHub.com using your IdP. Each member signs into an account that you create, and your enterprise manages the account. Contributions to the rest of GitHub.com are restricted. For more information, see "About Enterprise Managed Users."
Both SAML SSO and Enterprise Managed Users increase security for your enterprise's resources. Enterprise Managed Users additionally allows you to control the user accounts for your enterprise members and restricts what the accounts are able to do. However, those restrictions may be unacceptable for your enterprise if they obstruct your developers' workflows.
To determine whether your enterprise would benefit more from SAML SSO or Enterprise Managed Users, ask yourself these questions.
- Do you want to control the user accounts for your users?
- Which identity provider does your enterprise use?
- Do your developers work in public repositories, gists, or GitHub Pages sites?
- Do your developers rely on collaboration outside of your enterprise?
- Does your enterprise rely on outside collaborators?
- Can your enterprise tolerate migration costs?
Enterprise Managed Users may be right for your enterprise if you don't want enterprise members to use their own personal accounts on GitHub.com to access your enterprise's resources.
With SAML SSO, developers create and manage their own personal accounts, and each account is linked to a SAML identity in your IdP. Enterprise Managed Users functions more like other familiar SSO solutions, as you will provision the accounts for your users. You can also ensure user accounts conform with your company identity, by controlling usernames and the email addresses associated with the accounts.
If you currently require your users to create a new account on GitHub.com to use with your enterprise only, Enterprise Managed Users might be right for you. However, SAML SSO may be a better option if using your IdP as the source of truth for your user and access management would add too much complexity. For example, perhaps your enterprise does not have an established process for onboarding new users in your IdP.
Enterprise Managed Users is supported for a limited number of IdPs, while SAML SSO offers full support for a larger number of IdPs, plus limited support for all IdPs that implement the SAML 2.0 standard. For the list of supported IdPs for each option, see "About Enterprise Managed Users" and "About SAML for enterprise IAM."
You can use Enterprise Managed Users with an unsupported IdP only if you federate the unsupported IdP to a supported IdP to use as an integration point. If you wish to avoid this extra complexity, SAML SSO may be a better solution for you.
To prevent enterprise members from accidentally leaking corporate-owned content to the public on GitHub.com, Enterprise Managed Users imposes strong restrictions on what users can do. For example, managed user accounts cannot create public repositories, gists of any visibility, or GitHub Pages sites that are visible outside the enterprise. For a full list of restrictions, see "Abilities and restrictions of managed user accounts."
These restrictions are unacceptable for some enterprises. To determine whether Enterprise Managed Users will work for you, review the restrictions with your developers, and confirm whether any of the restrictions will hinder your existing workflows. If so, SAML SSO may be a better choice for your enterprise.
Managed user accounts can only contribute to repositories within your enterprise. If your developers need to collaborate in repositories outside your enterprise, even private repositories, to complete their work, Enterprise Managed Users may not be right for your enterprise, and SAML SSO may be a better solution.
With SAML SSO, you can give access to specific repositories to people who are not members of your IdP's directory, by using the outside collaborator role. This can be especially useful for collaborators that are external to your business, such as contractors. For more information, see "Adding outside collaborators to repositories in your organization."
With Enterprise Managed Users, the outside collaborator role does not exist. Your enterprise's resources can only be accessed by managed user accounts, which are always provisioned by your IdP. To give external collaborators access to your enterprise, you would have to use guest accounts in your IdP. If you're interested in Enterprise Managed Users, confirm with your developers whether this will hinder any of their existing workflows. If so, SAML SSO may be a better solution.
If your enterprise is new to GitHub.com, SAML SSO and Enterprise Managed Users are equally easy to adopt.
If you're already using GitHub.com with developers managing their own user accounts, adopting Enterprise Managed Users requires migrating to a new enterprise account. For more information, see "About enterprises with managed user accounts."
Although Enterprise Managed Users is free, the migration process may require time or cost from your team. Confirm that this migration process is acceptable to your business and your developers. If not, SAML SSO may be the better choice for you.