About SAML configuration
Para utilizar el inicio de sesión único (SSO) de SAML para autenticarse en GitHub Enterprise Server, debes configurar tanto tu proveedor de identidad (IdP) externo de SAML como tu instancia de GitHub Enterprise Server. In a SAML configuration, GitHub Enterprise Server functions as a SAML service provider (SP).
You must enter unique values from your SAML IdP when configuring SAML SSO for GitHub Enterprise Server, and you must also enter unique values from GitHub Enterprise Server on your IdP. Para obtener más información sobre la configuración del SSO de SAML para GitHub Enterprise Server, consulta la sección "Configurar el inicio de sesión único de SAML para tu empresa".
Metadatos SAML
The SP metadata for tu instancia de GitHub Enterprise Server is available at http(s)://HOSTNAME/saml/metadata, where HOSTNAME is the hostname for your instance. GitHub Enterprise Server utiliza el enlace urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
| Valor | Otros nombres | Descripción | Ejemplo |
|---|---|---|---|
| ID de Entidad de SP | URL de SP, restricción de la audiencia | Tu URL de más alto nivel para GitHub Enterprise Server | http(s)://HOSTNAME |
| URL del Servicio de Consumidor de Aserciones (ACS) del SP | URL de respuesta, receptora o de destino | URL a la que el IdP enviará respuestas de SAML | http(s)://HOSTNAME/saml/consume |
| URL de inicio de sesión único (SSO) del SP | URL en donde el IdP comienza con SSO | http(s)://HOSTNAME/sso |
Atributos de SAML
The following SAML attributes are available for GitHub Enterprise Server. You can change the attribute names in the management console, with the exception of the administrator attribute. For more information, see "Accessing the management console."
| Nombre | Required? | Descripción |
|---|---|---|
ID del nombre | Sí | Un identificador de usuario persistente. Se puede usar cualquier formato de identificador de nombre persistente. GitHub Enterprise Server will normalize the NameID element to use as a username unless one of the alternative assertions is provided. Para obtener más información, consulta la sección "Consideraciones de nombre de usuario para la autenticación externa". |
SessionNotOnOrAfter | No | The date that GitHub Enterprise Server invalidates the associated session. After invalidation, the person must authenticate once again to access tu instancia de GitHub Enterprise Server. For more information, see "Session duration and timeout." |
administrator | No | When the value is true, GitHub Enterprise Server will automatically promote the user to be a site administrator. Setting this attribute to anything but true will result in demotion, as long as the value is not blank. Omitting this attribute or leaving the value blank will not change the role of the user. |
full_name | No | The full name of the user to display on the user's profile page. |
Para especificar más de un valor para un atributo, utiliza elementos múltiples de <saml2:AttributeValue>.
<saml2:Attribute FriendlyName="public_keys" Name="urn:oid:1.2.840.113549.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue>ssh-rsa LONG KEY</saml2:AttributeValue>
<saml2:AttributeValue>ssh-rsa LONG KEY 2</saml2:AttributeValue>
</saml2:Attribute>
SAML response requirements
GitHub Enterprise Server requires that the response message from your IdP fulfill the following requirements.
-
Your IdP must provide the
<Destination>element on the root response document and match the ACS URL only when the root response document is signed. If your IdP signs the assertion, GitHub Enterprise Server will ignore the assertion. -
Your IdP must always provide the
<Audience>element as part of the<AudienceRestriction>element. El valor debe empatar con tuEntityIdpara GitHub Enterprise Server. Este valor es la URL en donde accedes a tu instancia de GitHub Enterprise Server, tal comohttp(s)://HOSTNAME. -
Your IdP must protect each assertion in the response with a digital signature. You can accomplish this by signing each individual
<Assertion>element or by signing the<Response>element. -
Your IdP must provide a
<NameID>element as part of the<Subject>element. You may use any persistent name identifier format. -
Your IdP must include the
Recipientattribute, which must be set to the ACS URL. The following example demonstrates the attribute.<samlp:Response ...> <saml:Assertion ...> <saml:Subject> <saml:NameID ...>...</saml:NameID> <saml:SubjectConfirmation ...> <saml:SubjectConfirmationData Recipient="https://HOSTNAME/saml/consume" .../> </saml:SubjectConfirmation> </saml:Subject> <saml:AttributeStatement> <saml:Attribute FriendlyName="USERNAME-ATTRIBUTE" ...> <saml:AttributeValue>monalisa</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response>
Session duration and timeout
Para prevenir que una persona se autentique con tu IdP y se mantenga autorizad por tiempo indefinido, GitHub Enterprise Server invalida con frecuencia la sesión de cada cuenta de usuario con acceso a tu instancia de GitHub Enterprise Server. After invalidation, the person must authenticate with your IdP once again. By default, if your IdP does not assert a value for the SessionNotOnOrAfter attribute, GitHub Enterprise Server invalidates a session one week after successful authentication with your IdP.
To customize the session duration, you may be able to define the value of the SessionNotOnOrAfter attribute on your IdP. If you define a value less than 24 hours, GitHub Enterprise Server may prompt people to authenticate every time GitHub Enterprise Server initiates a redirect.
Notas:
- For Azure AD, the configurable lifetime policy for SAML tokens does not control session timeout for GitHub Enterprise Server.
- Okta does not currently send the
SessionNotOnOrAfterattribute during SAML authentication with GitHub Enterprise Server. For more information, contact Okta.