Migrating from SAML to OIDC

If you're using SAML to authenticate members in your enterprise with managed users, you can migrate to OpenID Connect (OIDC) and benefit from support for your IdP's Conditional Access Policy.

To manage users in your enterprise with an identity provider, your enterprise must have Enterprise Managed Users enabled, which is available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

Note: Support for OpenID Connect (OIDC) and conditional access policy (CAP) with Enterprise Managed Users is only available with Azure AD.

About migrating your enterprise with managed users from SAML to OIDC

If your enterprise with managed users uses SAML SSO to authenticate with Azure Active Directory (Azure AD), you can migrate to OIDC. When your enterprise uses OIDC SSO, GitHub will automatically use your IdP's conditional access policy (CAP) IP conditions to validate user interactions with GitHub, when members change IP addresses, and each time a personal access token or SSH key is used.

When you migrate from SAML to OIDC, managed user accounts and groups that were previously provisioned for SAML but are not provisioned by the GitHub Enterprise Managed User (OIDC) application will have "(SAML)" appended to their display names.

If you're new to Enterprise Managed Users and haven't yet configured authentication for your enterprise, you do not need to migrate and can set up OIDC single sign-on immediately. For more information, see "Configuring OIDC for Enterprise Managed Users."

Migrating your enterprise

Note: To sign in as the setup user, you will need a recovery code. If you do not already have your recovery codes, you can access the codes while signed in as an enterprise owner. For more information, see "Downloading your enterprise account's single sign-on recovery codes."

  1. Before you begin the migration, sign in to Azure and disable provisioning in the existing GitHub Enterprise Managed User application.

  2. If you use Conditional Access (CA) network location policies in Azure AD, and you're currently using an IP allow list with your enterprise account or any of the organizations owned by the enterprise account on GitHub.com, disable the IP allow lists. For more information, see "Enforcing security settings in your enterprise" and "Managing allowed IP addresses for your organization."

  3. Sign in to GitHub.com as the setup user for your enterprise with the username @SHORT-CODE_admin.

  4. When prompted to continue to your identity provider, click Use a recovery code and sign in using one of your enterprise's recovery codes.

  5. In the upper-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  6. In the list of enterprises, click the enterprise you want to view.

  7. In the enterprise account sidebar, click Settings.

  8. In the left sidebar, click Authentication security.

  9. At the bottom of the page, next to "Migrate to OpenID Connect single sign-on", click Configure with Azure.

    Warning: The migration can take up to an hour, and it is important that no users are provisioned during the migration. You can confirm if the migration is still in progress by returning to your enterprise's security settings page; if "Require SAML authentication" is still checked, the migration is still in progress.

  10. Read both warnings and click to continue.

  11. When GitHub Enterprise Cloud redirects you to your IdP, sign in, then follow the instructions to give consent and install the GitHub Enterprise Managed User (OIDC) application. When Azure AD requests permissions for GitHub Enterprise Managed Users with OIDC, enable Consent on behalf of your organization, then click Accept.

    Warning: To consent to the installation of the GitHub Enterprise Managed User (OIDC) application, you must sign in to Azure AD as a user with global admin privileges.

  12. In a new tab or window, while signed in as the setup user on GitHub.com, create a personal access token (classic) with the admin:enterprise scope and no expiration and copy it to your clipboard. For more information about creating a new token, see "Creating a personal access token."

  13. In the settings for the GitHub Enterprise Managed User (OIDC) application in Azure Portal, under "Tenant URL", type https://api.github.com/scim/v2/enterprises/YOUR_ENTERPRISE, replacing YOUR_ENTERPRISE with the name of your enterprise account.

    For example, if your enterprise account's URL is https://github.com/enterprises/octo-corp, the name of the enterprise account is octo-corp.

  14. Under "Secret token", paste the personal access token (classic) with the admin:enterprise scope that you created earlier.

  15. To test the configuration, click Test Connection.

  16. To save your changes, at the top of the form, click Save.

  17. In Azure Portal, copy the users and groups from the old GitHub Enterprise Managed User application to the new GitHub Enterprise Managed User (OIDC) application.

  18. Test your configuration by provisioning a single new user.

  19. If your test is successful, start provisioning for all users by clicking Start provisioning.
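The values entered in steps 12 through 15 (the SCIM tenant URL derived from the enterprise name, and a classic token carrying the admin:enterprise scope) are easy to get subtly wrong, and the portal's "Test Connection" only reports a pass or fail. The following script is an added example, not GitHub's or Microsoft's own code: it derives the tenant URL from the enterprise account URL, checks a token's granted scopes from the X-OAuth-Scopes response header that GitHub returns for classic tokens, and, when run directly, performs the same kind of request the portal makes against the enterprise SCIM Users endpoint. The enterprise-name pattern, the environment variable names and the use of application/scim+json as the Accept header are this example's assumptions.

```python
"""Pre-flight checks for the SCIM settings entered in the Azure Portal.

Added example; not part of the GitHub documentation or any GitHub tool.
"""
import json
import os
import re
import urllib.error
import urllib.request

API_BASE = "https://api.github.com"
REQUIRED_SCOPE = "admin:enterprise"

# Assumed shape of an enterprise slug: alphanumerics and inner hyphens.
_ENTERPRISE_URL = re.compile(
    r"^https://github\.com/enterprises/([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)/?$"
)


def enterprise_name(enterprise_url: str) -> str:
    """Extract the enterprise account name from its github.com URL.

    https://github.com/enterprises/octo-corp -> "octo-corp"
    Raises ValueError for anything else, so a pasted organization or user
    URL is caught before it ends up in the "Tenant URL" field.
    """
    m = _ENTERPRISE_URL.match(enterprise_url.strip())
    if not m:
        raise ValueError(f"not a github.com enterprise URL: {enterprise_url!r}")
    return m.group(1)


def scim_tenant_url(enterprise_url: str) -> str:
    """Build the value for the "Tenant URL" field from the enterprise URL."""
    return f"{API_BASE}/scim/v2/enterprises/{enterprise_name(enterprise_url)}"


def token_has_scope(scopes_header: str, required: str = REQUIRED_SCOPE) -> bool:
    """Check a classic token's X-OAuth-Scopes header value for the scope the
    SCIM endpoint needs. GitHub lists granted scopes comma-separated."""
    granted = {s.strip() for s in scopes_header.split(",") if s.strip()}
    return required in granted


def check_scim_connection(enterprise_url: str, token: str) -> dict:
    """Rough equivalent of the portal's "Test Connection": request a single
    provisioned identity from the enterprise SCIM endpoint and report the
    HTTP status and whether the token carries admin:enterprise.
    Makes a network call; only invoked from __main__ below."""
    req = urllib.request.Request(
        f"{scim_tenant_url(enterprise_url)}/Users?count=1",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/scim+json",  # assumed; see lead-in
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            scopes = resp.headers.get("X-OAuth-Scopes", "")
            body = json.load(resp)
            return {
                "status": resp.status,
                "scope_ok": token_has_scope(scopes),
                "total_results": body.get("totalResults"),
            }
    except urllib.error.HTTPError as e:
        # A 401/403 here usually means a wrong token or a token without the
        # required scope; the scopes header (if present) says which.
        return {
            "status": e.code,
            "scope_ok": token_has_scope(e.headers.get("X-OAuth-Scopes", "")),
            "total_results": None,
        }


if __name__ == "__main__":
    # Both values are supplied by the operator via assumed env var names.
    print(check_scim_connection(os.environ["ENTERPRISE_URL"], os.environ["GITHUB_TOKEN"]))
```

Run it as the setup user's token owner before pasting the values into the portal; a status of 200 with scope_ok true mirrors a successful "Test Connection", while a 401 or 403 with scope_ok false points at the token rather than the URL.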