
Configuring SAML single sign-on for Enterprise Managed Users

You can automatically manage access to your enterprise account on GitHub by configuring Security Assertion Markup Language (SAML) single sign-on (SSO).

To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which is available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

About SAML single sign-on for Enterprise Managed Users

With Enterprise Managed Users, your enterprise uses your corporate identity provider to authenticate all members. Instead of signing in to GitHub with a GitHub username and password, members of your enterprise will sign in through your IdP.

Enterprise Managed Users supports the following IdPs:

  • Azure Active Directory (Azure AD)
  • Okta

After you configure SAML SSO, we recommend storing your recovery codes so you can recover access to your enterprise in the event that your identity provider is unavailable.

If you currently use SAML SSO for authentication and want to use OIDC to benefit from CAP support, you can follow a migration path. For more information, see "Migrating from SAML to OIDC."

Note: When SAML SSO is enabled, the only setting you can update on GitHub for your existing SAML configuration is the SAML certificate. If you need to update the Sign on URL or Issuer, you must first disable SAML SSO and then reconfigure SAML SSO with the new settings.

Configuring SAML single sign-on for Enterprise Managed Users

To configure SAML SSO for your enterprise with managed users, you must configure an application on your IdP and then configure your enterprise on GitHub.com. After you configure SAML SSO, you can configure user provisioning.

To install and configure the GitHub Enterprise Managed User application on your IdP, you must have a tenant and administrative access on a supported IdP.

If you need to reset the password for your setup user, contact GitHub Support through the GitHub Support portal.

  1. Configuring your identity provider
  2. Configuring your enterprise
  3. Enabling provisioning

Configuring your identity provider

To configure your IdP, follow the instructions your IdP provides for configuring the GitHub Enterprise Managed User application.

  1. To install the GitHub Enterprise Managed User application, click the link for your IdP below:

  2. To configure the GitHub Enterprise Managed User application and your IdP, click the link below and follow the instructions provided by your IdP:

  3. So you can test and configure your enterprise, assign yourself or the user that will be configuring SAML SSO on GitHub to the GitHub Enterprise Managed User application on your IdP.

  4. To enable you to continue configuring your enterprise on GitHub, locate and note the following information from the application you installed on your IdP:

    Value | Other names | Description
    IdP Sign-On URL | Login URL, IdP URL | Application's URL on your IdP
    IdP Identifier URL | Issuer | IdP's identifier to service providers for SAML authentication
    Signing certificate, Base64-encoded | Public certificate | Public certificate that IdP uses to sign authentication requests
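
The following is an added example, not part of GitHub's documentation or tooling: a pre-flight check that reads the three values in the table above from a SAML 2.0 IdP metadata document before you enter them on GitHub. It assumes your IdP lets you download such a metadata XML file; the function name, the example.test URLs and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: example.test names and a placeholder blob, not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real DER certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/app/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_saml_settings(metadata_xml: str) -> dict:
    """Pull Sign on URL, Issuer and signing certificate out of IdP metadata."""
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("refusing metadata that declares a DOCTYPE")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS) if idp is not None else None
    if sso is None or not root.get("entityID"):
        raise ValueError("metadata lacks an entityID or a SingleSignOnService")
    url = sso.get("Location", "")
    if not url.startswith("https://"):
        raise ValueError(f"Sign on URL must be an HTTPS endpoint, got {url!r}")
    # Accept only keys usable for signing (an absent 'use' means any purpose).
    certs = [kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    if not certs or not certs[0].strip():
        raise ValueError("metadata has no signing certificate")
    b64 = "".join(certs[0].split())  # metadata may wrap the Base64 across lines
    der = base64.b64decode(b64, validate=True)
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *textwrap.wrap(b64, 64),
                     "-----END CERTIFICATE-----"])
    return {"sign_on_url": url, "issuer": root.get("entityID"),
            "public_certificate": pem,
            # Compare this with the fingerprint your IdP displays before pasting.
            "sha256_fingerprint": hashlib.sha256(der).hexdigest()}
```

If the metadata lists more than one signing certificate, for example during a rotation, this sketch returns only the first; confirm with your IdP which one is currently active.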

Configuring your enterprise

After you install and configure the GitHub Enterprise Managed User application on your identity provider, you can configure your enterprise.

  1. Sign in to GitHub.com as the setup user for your new enterprise with the username @SHORT-CODE_admin.

  2. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  3. In the list of enterprises, click the enterprise you want to view.

  4. In the enterprise account sidebar, click Settings.

  5. In the left sidebar, click Authentication security.

  6. Under "SAML single sign-on", select Require SAML authentication.

  7. Under Sign on URL, type the HTTPS endpoint of your IdP for single sign-on requests that you noted while configuring your IdP.

  8. Under Issuer, type your SAML issuer URL that you noted while configuring your IdP, to verify the authenticity of sent messages.

  9. Under Public Certificate, paste the certificate that you noted while configuring your IdP, to verify SAML responses.

  10. To verify the integrity of the requests from your SAML issuer, click . Then, in the "Signature Method" and "Digest Method" drop-downs, choose the hashing algorithm used by your SAML issuer.

  11. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click Test SAML configuration.

  12. Click Save.

    Note: When you require SAML SSO for your enterprise, the setup user will no longer have access to the enterprise but will remain signed in to GitHub. Only managed user accounts provisioned by your IdP will have access to the enterprise.

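  13. To ensure you can still access your enterprise if your identity provider becomes unavailable in the future, click Download, Print, or Copy to save your recovery codes. For more information, see "Downloading your enterprise account's single sign-on recovery codes."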


Enabling provisioning

After you enable SAML SSO, enable provisioning. For more information, see "Configuring SCIM provisioning for enterprise managed users."