Configuring user provisioning for your enterprise

You can configure System for Cross-domain Identity Management (SCIM) for your enterprise, which automatically provisions user accounts on your GitHub Enterprise Server instance when you assign the application for your GitHub Enterprise Server instance to a user on your identity provider (IdP).

Enterprise owners can configure user provisioning for an enterprise on GitHub Enterprise.

SAML single sign-on is available with GitHub Enterprise Cloud. For more information, see "GitHub's products."

About user provisioning for your enterprise

GitHub Enterprise uses SAML SSO for user authentication. You can centrally manage access to GitHub AE from an IdP that supports the SAML 2.0 standard. For more information, see "Configuring SAML single sign-on for your enterprise."

By default, your IdP does not communicate with GitHub Enterprise automatically when you assign or unassign the application. GitHub Enterprise creates a user account using SAML Just-in-Time (JIT) provisioning the first time someone navigates to GitHub Enterprise and signs in by authenticating through your IdP. You may need to manually notify users when you grant access to GitHub Enterprise, and you must manually deactivate the user account on GitHub Enterprise during offboarding. You can use SCIM to provision and deprovision user accounts and access for GitHub Enterprise automatically when you assign or unassign the application on your IdP. For more information about SCIM, see System for Cross-domain Identity Management: Protocol (RFC 7644) on the IETF website.

Configuring provisioning allows your IdP to communicate with your GitHub Enterprise Server instance when you assign or unassign the application for GitHub Enterprise to a user on your IdP. When you assign the application, your IdP will prompt your GitHub Enterprise Server instance to create an account and send an onboarding email to the user. When you unassign the application, your IdP will communicate with GitHub Enterprise to invalidate any SAML sessions and disable the member's account.

To configure provisioning for your enterprise, you must enable provisioning on GitHub Enterprise, then install and configure a provisioning application on your IdP.

The provisioning application on your IdP communicates with GitHub Enterprise via our SCIM API for enterprises. For more information, see "GitHub Enterprise administration" in the GitHub REST API documentation.

Supported identity providers

The following IdPs can provision or deprovision user accounts on your GitHub Enterprise Server instance using SCIM.

  • Azure AD

When you set up user provisioning with a supported IdP, you can also assign or unassign the application for GitHub Enterprise to groups of users. These groups are then available to organization owners and team maintainers in your GitHub Enterprise Server instance to map to GitHub Enterprise teams. For more information, see "Synchronizing a team with an identity provider group."

Prerequisites

To automatically provision and deprovision access to your GitHub Enterprise Server instance from your IdP, you must first configure SAML SSO when you initialize GitHub Enterprise. For more information, see "Initializing GitHub AE."

You must have administrative access on your IdP to configure the application for user provisioning for GitHub Enterprise.

Enabling user provisioning for your enterprise

  1. While signed in to your GitHub Enterprise Server instance as an enterprise owner, create a personal access token with admin:enterprise scope. For more information, see "Creating a personal access token."

    Notes:

    • To create the personal access token, we recommend using the account for the first enterprise owner that you created during initialization. For more information, see "Initializing GitHub AE."
    • You'll need this personal access token to configure the application for SCIM on your IdP. Store the token securely in a password manager until you need the token again later in these instructions.

    Warning: If the user account for the enterprise owner who creates the personal access token is deactivated or deprovisioned, your IdP will no longer provision and deprovision user accounts for your enterprise automatically. Another enterprise owner must create a new personal access token and reconfigure provisioning on the IdP.

  2. Visit your enterprise account at https://github.com/enterprises/ENTERPRISE-NAME, replacing ENTERPRISE-NAME with the name of your enterprise account.

  3. In the enterprise account sidebar, click Settings.

  4. In the left sidebar, click Security.

  5. Under "SCIM User Provisioning", select Require SCIM user provisioning.

  6. Click Save.

  7. Configure user provisioning in the application for GitHub Enterprise on your IdP.

    The following IdPs provide documentation about configuring provisioning for GitHub Enterprise. If your IdP isn't listed, please contact your IdP to request support for GitHub Enterprise.

    | IdP | More information |
    | --- | --- |
    | Azure AD | Tutorial: Configure GitHub AE for automatic user provisioning in the Microsoft Docs |

    The application on your IdP requires two values to provision or deprovision user accounts on your GitHub Enterprise Server instance.

    | Value | Other names | Description | Example |
    | --- | --- | --- | --- |
    | URL | Tenant URL | URL to the SCIM provisioning API for your enterprise on GitHub AE | http(s)://[hostname]/api/v3/scim/v2 |
    | Shared secret | Personal access token, secret token | Token for application on your IdP to perform provisioning tasks on behalf of an enterprise owner | Personal access token you created in step 1 |
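
The following added example (not code from GitHub or from any IdP) sketches the two SCIM requests an IdP application would build from the URL and shared secret above: one to provision a user on assignment and one to disable the account on unassignment. It assumes the RFC 7644 `/Users` resource under the tenant URL, a `Bearer` authorization header, and constructed placeholder values for the hostname, token and user; the https check is an added precaution, not a requirement stated on this page.

```python
import json
import urllib.request
from urllib.parse import quote, urlsplit

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"      # RFC 7643
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644


def scim_request(tenant_url, token, method, path, body):
    """Build (but do not send) a SCIM request against the tenant URL."""
    # Added precaution (assumption, not from the page): never attach the
    # enterprise owner's token to a cleartext http:// tenant URL.
    if urlsplit(tenant_url).scheme != "https":
        raise ValueError("tenant URL must use https")
    return urllib.request.Request(
        tenant_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={
            "Authorization": f"Bearer {token}",  # assumed header form
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
        },
    )


def provision(tenant_url, token, user_name, email):
    """Application assigned on the IdP: create the account (POST /Users)."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    return scim_request(tenant_url, token, "POST", "/Users", body)


def deprovision(tenant_url, token, scim_id):
    """Application unassigned on the IdP: disable the account (PATCH)."""
    body = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    # Percent-encode the id so it cannot alter the request path.
    path = "/Users/" + quote(scim_id, safe="")
    return scim_request(tenant_url, token, "PATCH", path, body)


if __name__ == "__main__":
    # Constructed sample values; hostname and token are placeholders.
    req = provision("https://github.example.test/api/v3/scim/v2",
                    "PLACEHOLDER_TOKEN", "octocat", "octocat@example.test")
    print(req.get_method(), req.full_url, req.data.decode())
```
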
