
Configuring authentication and provisioning for your enterprise using Okta

You can use Okta as an identity provider (IdP) to centrally manage authentication and user provisioning for your enterprise.

Who can use this feature

Enterprise owners can configure authentication and provisioning for GitHub AE.

Note: GitHub AE single sign-on (SSO) support for Okta is currently in beta.

About authentication and user provisioning with Okta

You can use Okta as an Identity Provider (IdP) for GitHub AE, which allows your Okta users to sign in to GitHub AE using their Okta credentials.

To use Okta as your IdP for GitHub AE, you can add the GitHub AE app to Okta, configure Okta as your IdP in GitHub AE, and provision access for your Okta users and groups.

When you use an IdP for IAM on GitHub AE, SAML SSO controls and secures access to enterprise resources like repositories, issues, and pull requests. SCIM automatically creates user accounts and manages access to your enterprise when you make changes on the IdP. You can also synchronize teams on GitHub AE with groups on your IdP. For more information, see the following articles.

After you enable SCIM, the following provisioning features are available for any users that you assign your GitHub AE application to in Okta.

| Feature | Description |
| --- | --- |
| Push New Users | When you create a new user in Okta, the user is added to GitHub AE. |
| Push User Deactivation | When you deactivate a user in Okta, it will suspend the user from your enterprise on GitHub AE. |
| Push Profile Updates | When you update a user's profile in Okta, it will update the metadata for the user's membership in your enterprise on GitHub AE. |
| Reactivate Users | When you reactivate a user in Okta, it will unsuspend the user in your enterprise on GitHub AE. |

For more information about managing identity and access for your enterprise, see "Managing identity and access for your enterprise."

Prerequisites

  • To configure authentication and user provisioning for GitHub AE using Okta, you must have an Okta account and tenant.

  • You must create and use a dedicated machine user account on your IdP to associate with the first enterprise owner account on GitHub AE. Store the credentials for the user account securely in a password manager. For more information, see "Configuring user provisioning with SCIM for your enterprise."

Adding the GitHub AE application in Okta

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.

    "Applications" menu navigation

  2. Click Browse App Catalog.

    "Browse App Catalog"

  3. In the search field, type "GitHub AE", then click GitHub AE in the results.

    "Search result"

  4. Click Add.

    "Add GitHub AE app"

  5. For "Base URL", type the URL of your enterprise on GitHub AE.

    "Configure Base URL"

  6. Click Done.

Enabling SAML SSO for GitHub AE

To enable single sign-on (SSO) for GitHub AE, you must configure GitHub AE to use the sign-on URL, issuer URL, and public certificate provided by Okta. You can find these details in the Okta app for GitHub AE.

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.

    "Applications" menu navigation

  2. Click the GitHub AE application.

  3. Under the name of the application, click Sign on.

    Sign on tab

  4. Under "SIGN ON METHODS", click View Setup Instructions.

    Sign on tab

  5. Take note of the "Sign on URL", "Issuer", and "Public certificate" details.

  6. Use the details to enable SAML SSO for your enterprise on GitHub AE. For more information, see "Configuring SAML single sign-on for your enterprise."

Note: To test your SAML configuration from GitHub AE, your Okta user account must be assigned to the GitHub AE app.

Enabling API integration

The Okta app uses the REST API for GitHub AE for SCIM provisioning. You can enable and test access to the API by configuring Okta with a personal access token for GitHub AE.

  1. In GitHub AE, generate a personal access token with the admin:enterprise scope. For more information, see "Creating a personal access token".

  2. In the Okta Dashboard, expand the Applications menu, then click Applications.

    "Applications" menu navigation

  3. Click the GitHub AE application.

  4. Click Provisioning.

    Application configuration

  5. Click Configure API Integration.

  6. Select Enable API integration.

    Enable API integration

  7. For "API Token", type the GitHub AE personal access token you generated previously.

  8. Click Test API Credentials.

Note: If you see "Error authenticating: No results for users returned", confirm that you have enabled SSO for GitHub AE. For more information, see "Enabling SAML SSO for GitHub AE."

Configuring SCIM provisioning settings

This procedure demonstrates how to configure the SCIM settings for Okta provisioning. These settings define which features will be used when automatically provisioning Okta user accounts to GitHub AE.

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.

    "Applications" menu navigation

  2. Click the GitHub AE application.

  3. Click Provisioning.

    Application configuration

  4. Under "Settings", click To App.

    "To App" settings

  5. To the right of "Provisioning to App", click Edit.

  6. To the right of "Create Users", select Enable.

  7. To the right of "Update User Attributes", select Enable.

  8. To the right of "Deactivate Users", select Enable.

  9. Click Save.
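
A drift check for the settings enabled in this procedure, as an added example that is not part of the original documentation or of Okta's or GitHub's code: it compares the users assigned to the app in Okta with a SCIM 2.0 user listing from the enterprise and reports accounts where a create, deactivate, or reactivate change did not land. The input shapes, field names, and sample users are constructed assumptions.

```python
import json

# Constructed sample: users assigned to the GitHub AE app in Okta.
# Field names are assumptions; "status" uses Okta user lifecycle values.
OKTA_ASSIGNED = [
    {"login": "alice@example.com", "status": "ACTIVE"},
    {"login": "bob@example.com", "status": "DEPROVISIONED"},
    {"login": "dave@example.com", "status": "ACTIVE"},
    {"login": "erin@example.com", "status": "ACTIVE"},
]

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644), the shape of a
# user listing on the service provider side.
SCIM_USERS = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "1", "userName": "Alice@example.com", "active": True},
        {"id": "2", "userName": "bob@example.com", "active": True},
        {"id": "3", "userName": "dave@example.com", "active": False},
        {"id": "4", "userName": "mallory@example.com", "active": True},
    ],
})


def reconcile(okta_assigned, scim_json):
    """Return provisioning drift between Okta and the SCIM user list."""
    okta = {u["login"].lower(): u["status"] for u in okta_assigned}
    # A missing "active" attribute is treated as active (conservative).
    scim = {r["userName"].lower(): bool(r.get("active", True))
            for r in json.loads(scim_json).get("Resources", [])}
    drift = {"stale_access": [], "unmanaged": [],
             "not_provisioned": [], "still_suspended": []}
    for name, active in sorted(scim.items()):
        if active and name not in okta:
            drift["unmanaged"].append(name)        # no IdP record at all
        elif active and okta[name] != "ACTIVE":
            drift["stale_access"].append(name)     # deactivation not pushed
        elif not active and okta.get(name) == "ACTIVE":
            drift["still_suspended"].append(name)  # reactivation not pushed
    for name, status in sorted(okta.items()):
        if status == "ACTIVE" and name not in scim:
            drift["not_provisioned"].append(name)  # creation not pushed
    return drift


if __name__ == "__main__":
    for finding, users in reconcile(OKTA_ASSIGNED, SCIM_USERS).items():
        print(f"{finding}: {users}")
```

Entries under stale_access and unmanaged are the ones to review first, since they are active enterprise accounts that the IdP no longer vouches for.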

Allowing Okta users and groups to access GitHub AE

You can provision access to GitHub AE for your individual Okta users, or for entire groups.

Provisioning access for Okta users

Before your Okta users can use their credentials to sign in to GitHub AE, you must assign the users to the Okta app for GitHub AE.

  1. In the Okta Dashboard, expand the Applications menu, then click Applications.

    "Applications" menu navigation

  2. Click the GitHub AE application.

  3. Click Assignments.

    Assignments tab

  4. Select the Assign drop-down menu and click Assign to People.

    "Assign to People" button

  5. To the right of the required user account, click Assign.

    List of users

  6. To the right of "Role", click a role for the user, then click Save and go back.

    Role selection

  7. Click Done.

Provisioning access for Okta groups

You can map your Okta group to a team in GitHub AE. Members of the Okta group will then automatically become members of the mapped GitHub AE team. For more information, see "Mapping Okta groups to teams."

Further reading