Configuring SCIM provisioning with Okta

If you use Okta as an identity provider (IdP), you can manage the lifecycle of your enterprise's user accounts on GitHub.com using System for Cross-domain Identity Management (SCIM).

Who can use this feature?

Enterprise Managed Users is available for new enterprise accounts on GitHub Enterprise Cloud. See "About Enterprise Managed Users."

About provisioning with Okta

If you use Okta as an IdP, you can use Okta's application to provision user accounts, manage enterprise membership, and manage team memberships for organizations in your enterprise. Okta is a partner IdP, so you can simplify your authentication and provisioning configuration by using the Okta application for Enterprise Managed Users. For more information, see "About Enterprise Managed Users."

Alternatively, if you only intend to use Okta for SAML authentication and you want to use a different IdP for provisioning, you can integrate with GitHub's REST API for SCIM. For more information, see "Provisioning users and groups with SCIM using the REST API."

For more information about provisioning for Enterprise Managed Users, see "Configuring SCIM provisioning for Enterprise Managed Users."

Supported features

Enterprise Managed Users supports the following provisioning features for Okta.

| Feature | Description |
| --- | --- |
| Push New Users | Users that are assigned to the GitHub Enterprise Managed User application in Okta are automatically created in the enterprise on GitHub Enterprise Cloud. |
| Push Profile Update | Updates made to the user's profile in Okta will be pushed to GitHub Enterprise Cloud. |
| Push Groups | Groups in Okta that are assigned to the GitHub Enterprise Managed User application as Push Groups are automatically created in the enterprise on GitHub Enterprise Cloud. |
| Push User Deactivation | Unassigning the user from the GitHub Enterprise Managed User application in Okta will disable the user on GitHub Enterprise Cloud. The user will not be able to sign in, but the user's information is maintained. |
| Reactivate Users | Users in Okta whose Okta accounts are reactivated and who are assigned back to the GitHub Enterprise Managed User application will be enabled. |

Note: Enterprise Managed Users does not support modifications to usernames.

Prerequisites

  • You must use Okta's application for both authentication and provisioning.

  • Your Okta product must support System for Cross-domain Identity Management (SCIM). For more information, review Okta's documentation or contact Okta's support team.

  • GitHub recommends only authenticating requests with Okta's SCIM application using a personal access token (classic) associated with your enterprise's setup user. The token requires the admin:enterprise scope. For more information, see "Configuring SCIM provisioning for Enterprise Managed Users."

Setting your enterprise name

After your enterprise with managed users has been created, you can begin to configure provisioning by setting your enterprise name in Okta.

  1. Navigate to your GitHub Enterprise Managed User application on Okta.
  2. Click the Sign On tab.
  3. To make changes, click Edit.
  4. Under "Advanced Sign-on Settings", in the "Enterprise Name" text box, type your enterprise name. For example, if you access your enterprise at https://github.com/enterprises/octoinc, your enterprise name would be "octoinc".
  5. To save your enterprise name, click Save.

Configuring provisioning

After setting your enterprise name, you can proceed to configure provisioning settings.

To configure provisioning, the setup user with the @SHORT-CODE_admin username will need to provide a personal access token (classic) with the admin:enterprise scope. For more information on creating a new token, see "Configuring SCIM provisioning for Enterprise Managed Users."

  1. Navigate to your GitHub Enterprise Managed User application on Okta.

  2. Click the Provisioning tab.

  3. In the settings menu, click Integration.

  4. To make changes, click Edit.

  5. Select Enable API integration.

  6. In the "API Token" field, enter the personal access token (classic) with the admin:enterprise scope belonging to the setup user.

    Note

    "Import Groups" is not supported by GitHub. Selecting or deselecting the checkbox has no effect on your configuration.

  7. Click Test API Credentials. If the test is successful, a verification message will appear at the top of the screen.

  8. To save the token, click Save.

  9. In the settings menu, click To App.

  10. To the right of "Provisioning to App", to allow changes to be made, click Edit.

  11. Select Enable to the right of Create Users, Update User Attributes, and Deactivate Users.

  12. To finish configuring provisioning, click Save.
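
Before the setup user's token goes into the "API Token" field, its scopes can be checked against the admin:enterprise requirement. The following is an added example, not part of GitHub's or Okta's documentation or tooling: it reads the `X-OAuth-Scopes` header that GitHub's REST API returns for classic tokens. The `SETUP_USER_PAT` variable name and the rule that any additional scope counts as excess are assumptions of the example.

```python
import os
import urllib.request

REQUIRED_SCOPE = "admin:enterprise"  # scope this page requires for the API token


def fetch_scopes_header(token, api_root="https://api.github.com"):
    """Return the X-OAuth-Scopes response header for a token, or None if absent.

    GitHub's REST API reports a classic token's scopes in this header.
    """
    req = urllib.request.Request(
        f"{api_root}/user",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes")


def review_token_scopes(scopes_header):
    """Classify a token from the value of its X-OAuth-Scopes header."""
    if scopes_header is None:
        return {"usable": False, "extra": [],
                "reason": "no X-OAuth-Scopes header: not reported as a classic token"}
    scopes = {s.strip() for s in scopes_header.split(",") if s.strip()}
    if REQUIRED_SCOPE not in scopes:
        return {"usable": False, "extra": sorted(scopes),
                "reason": f"missing {REQUIRED_SCOPE}"}
    # Assumption of this example: any scope beyond the required one is excess.
    extra = sorted(scopes - {REQUIRED_SCOPE})
    return {"usable": True, "extra": extra,
            "reason": "ok" if not extra else "ok, but carries extra scopes"}


if __name__ == "__main__":
    token = os.environ.get("SETUP_USER_PAT")  # hypothetical variable name
    if token:
        print(review_token_scopes(fetch_scopes_header(token)))
    else:
        # Constructed header values, so the check also runs offline.
        for sample in ("admin:enterprise", "repo, admin:enterprise", "repo", None):
            print(repr(sample), "->", review_token_scopes(sample))
```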

Assigning users and groups

After you have configured authentication and provisioning, you can provision new users on GitHub by assigning users or groups to the GitHub Enterprise Managed User application.

Note: To avoid exceeding the rate limit on GitHub Enterprise Cloud, do not assign more than 1000 users per hour to the SCIM integration on your IdP. If you use groups to assign users to the IdP application, do not add more than 1000 users per hour to each group. If you exceed these thresholds, attempts to provision users may fail with a "rate limit" error. You can review your IdP logs to confirm whether attempted SCIM provisioning or push operations failed due to a rate limit error. The response to a failed provisioning attempt will depend on the IdP. For more information, see "Troubleshooting identity and access management for your enterprise."

You can also automatically manage organization membership by adding groups to the "Push Groups" tab in Okta. When the group is provisioned successfully, it will be available to connect to teams in the enterprise's organizations. For more information about managing teams, see "Managing team memberships with identity provider groups."

When you assign users, you can use the "Roles" attribute in the GitHub Enterprise Managed User application to set a user's role in your enterprise on GitHub Enterprise Cloud. For more information about the roles available to assign, see "Roles in an enterprise."

Note: You can only set the "Roles" attribute for an individual user, not a group. If you want to set roles for everyone in a group that's assigned to the GitHub Enterprise Managed User application, you must use the "Roles" attribute for each group member, individually.

Deprovisioning users and groups

To remove a user or group from GitHub Enterprise Cloud, remove the user or group from both the "Assignments" tab and the "Push Groups" tab in Okta. For users, make sure the user is removed from all groups in the "Push Groups" tab.
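
An audit for incomplete removals, as an added example that is not part of GitHub's or Okta's documentation or tooling: it compares who is still assigned in Okta with Push Groups membership and with a SCIM 2.0 ListResponse of the enterprise's users. The input shapes for the Okta data, the sample values, and matching on the SCIM `userName` are assumptions of the example.

```python
# Constructed sample data; real input would be exported from Okta and from
# the enterprise's SCIM user listing.
SAMPLE_ASSIGNED = {"mona@example.com"}  # users still assigned to the Okta app
SAMPLE_PUSH_GROUPS = {                  # groups on the Push Groups tab
    "platform-team": {"mona@example.com", "lee@example.com"},
    "security-team": {"mona@example.com"},
}
SAMPLE_SCIM = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "1", "userName": "mona@example.com", "active": True},
        {"id": "2", "userName": "hubot@example.com", "active": True},
        {"id": "3", "userName": "lee@example.com", "active": False},
        {"id": "4", "userName": "kim@example.com", "active": True},
    ],
}


def audit_deprovisioning(assigned, push_groups, scim_list):
    """Return gaps for users who are no longer assigned to the Okta application.

    assigned:    usernames assigned individually or through an assigned group
    push_groups: {group name: set of usernames}
    scim_list:   SCIM 2.0 ListResponse (dict) of provisioned users
    """
    # Assumption: a resource without "active" is treated as active (fail safe).
    active = {r["userName"]: r.get("active", True)
              for r in scim_list.get("Resources", [])}
    memberships = {}
    for group, members in push_groups.items():
        for user in members:
            memberships.setdefault(user, set()).add(group)

    findings = []
    for user in sorted((set(active) | set(memberships)) - set(assigned)):
        if user in memberships:  # unassigned, but a pushed group still lists them
            findings.append({"user": user, "gap": "still in Push Groups",
                             "groups": sorted(memberships[user])})
        if active.get(user, False):  # unassigned, but the account was not disabled
            findings.append({"user": user, "gap": "still active on GitHub",
                             "groups": []})
    return findings


if __name__ == "__main__":
    for finding in audit_deprovisioning(SAMPLE_ASSIGNED, SAMPLE_PUSH_GROUPS, SAMPLE_SCIM):
        print(finding)
```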