Skip to main content

Configuring SCIM provisioning for Enterprise Managed Users

You can configure your identity provider to provision new users and manage their membership in your enterprise and teams.

ID プロバイダーを使用して企業内のユーザーを管理するには、GitHub Enterprise Cloud で利用可能な Enterprise Managed Users が企業で有効になっている必要があります。 詳細については、「Enterprise Managed Users について」を参照してください。

About provisioning for Enterprise Managed Users

You must configure provisioning for Enterprise Managed Users to create, manage, and deactivate user accounts for your enterprise members.

After you configure provisioning for Enterprise Managed Users, users assigned to the GitHub Enterprise Managed User application in your identity provider are provisioned as new managed user accounts on GitHub via SCIM, and the managed user accounts are added to your enterprise. If you assign a group to the application, all users within the group will be provisioned as new managed user accounts.

When you update information associated with a user's identity on your IdP, your IdP will update the user's account on GitHub.com. When you unassign the user from the GitHub Enterprise Managed User application or deactivate a user's account on your IdP, your IdP will communicate with GitHub to invalidate any sessions and disable the member's account. The disabled account's information is maintained and their username is changed to a hash of their original username with the short code appended. If you reassign a user to the GitHub Enterprise Managed User application or reactivate their account on your IdP, the managed user account on GitHub will be reactivated and username restored.

Groups in your IdP can be used to manage team membership within your enterprise's organizations, allowing you to configure repository access and permissions through your IdP. For more information, see "Managing team memberships with identity provider groups."

Prerequisites

Before you can configure provisioning for Enterprise Managed Users, you must configure SAML or OIDC single-sign on.

Creating a personal access token

To configure provisioning for your enterprise with managed users, you need a personal access token (classic) with the admin:enterprise scope that belongs to the setup user.

Warning: If the token expires or a provisioned user creates the token, SCIM provisioning may unexpectedly stop working. Make sure that you create the token while signed in as the setup user and that the token expiration is set to "No expiration".

  1. Sign into GitHub.com as the setup user for your new enterprise with the username @SHORT-CODE_admin.

  2. 任意のページで、右上隅にあるプロファイルの画像をクリックし、次に[設定]をクリックします。

    ユーザバーの [Settings(設定)] アイコン

  3. In the left sidebar, click Developer settings.

  4. In the left sidebar, click Personal access tokens. Personal access tokens

  5. [新しいトークンの生成] をクリックします。 [新しいトークンの生成] ボタン

  6. Under Note, give your token a descriptive name. Screenshot showing the token's name

  7. Select the Expiration drop-down menu, then click No expiration. Screenshot showing token expiration set to no expiration

  8. Select the admin:enterprise scope. Screenshot showing the admin:enterprise scope

  9. Click Generate token. Generate token button

  10. To copy the token to your clipboard, click the . Newly created token

  11. To save the token for use later, store the new token securely in a password manager.

Configuring provisioning for Enterprise Managed Users

After creating your personal access token and storing it securely, you can configure provisioning on your identity provider.

注: GitHub Enterprise Cloud のレート制限を超えないようにするには、IdP アプリケーションに 1 時間あたり 1,000 人を超えるユーザーを割り当てないでください。 グループを使用して IdP アプリケーションにユーザーを割り当てる場合、1 時間あたり 100 人を超えるユーザーを各グループに追加しないでください。 これらのしきい値を超えると、ユーザーをプロビジョニングしようとすると、"レート制限" エラーが発生して失敗する可能性があります。

To configure provisioning, follow the appropriate link from the table below.

Identity providerSSO methodMore information
Azure ADOIDCTutorial: Configure GitHub Enterprise Managed User (OIDC) for automatic user provisioning in the Azure AD documentation
Azure ADSAMLTutorial: Configure GitHub Enterprise Managed User for automatic user provisioning in the Azure AD documentation
OktaSAMLConfiguring SCIM provisioning for Enterprise Managed Users with Okta

Note: Azure AD does not support provisioning nested groups. For more information, see How Application Provisioning works in Azure Active Directory.