Skip to main content

Configuring SAML single sign-on for your enterprise

この記事では、次の項目が扱われます。

You can control and secure access to your GitHub Enterprise Server instance by configuring SAML single sign-on (SSO) through your identity provider (IdP).

Who can use this feature

Site administrators can configure SAML SSO for a GitHub Enterprise Server instance.

About SAML SSO

SAML SSO allows you to centrally control and secure access to your GitHub Enterprise Server instance from your SAML IdP. When an unauthenticated user visits your GitHub Enterprise Server instance in a browser, GitHub Enterprise Server will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to your GitHub Enterprise Server instance. GitHub Enterprise Server validates the response from your IdP, then grants access to the user.

After a user successfully authenticates on your IdP, the user's SAML session for your GitHub Enterprise Server instance is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.

IdP からユーザーを削除する場合は、ユーザーを手動で一時停止する必要もあります。 そうしないと、アカウントの所有者はアクセス トークンまたは SSH キーを使って引き続き認証を行うことができます。 詳細については、ユーザーの一時停止と一時停止解除に関するページを参照してください。

Supported identity providers

GitHub Enterprise Server は、SAML2.0 標準を実装し IdP を使用した SAML SSO をサポートします。 詳細については、OASIS の Web サイトの SAML Wiki を参照してください。

GitHub は、次の IdP を正式にサポートし、内部的にテストします。

  • Active Directory フェデレーション サービス (AD FS)
  • Azure Active Directory (Azure AD)
  • Okta
  • OneLogin
  • PingOne
  • Shibboleth

Configuring SAML SSO

You can enable or disable SAML authentication for your GitHub Enterprise Server instance, or you can edit an existing configuration. You can view and edit authentication settings for GitHub Enterprise Server in the management console. For more information, see "Accessing the management console."

Note: GitHub strongly recommends that you verify any new configuration for authentication in a staging environment. An incorrect configuration could result in downtime for your GitHub Enterprise Server instance. For more information, see "Setting up a staging instance."

  1. GitHub Enterprise Server の管理アカウントから、任意のページの右上隅の をクリックします。

    サイト管理者設定にアクセスするための宇宙船アイコンのスクリーンショット

  2. [サイト管理者] ページにまだ表示されていない場合は、左上隅の [サイト管理者] をクリックします。

    [サイト管理者] リンクのスクリーンショット

  3. 左側のサイドバーで、 [Management Console] をクリックします。 左側のサイドバーの [[Management Console]] タブ

  4. 左サイドバーにある [Authentication](認証) をクリックします。 設定サイドバーの [Authentication](認証) タブ

  5. Select SAML.

    Screenshot of option to enable SAML authentication in management console

  6. 必要に応じて、外部認証システムのアカウントを持たないユーザーがビルトイン認証でサインインできるようにするには、 [Allow built-in authentication](ビルトイン認証を許可する) を選択します。 詳しくは、「プロバイダー外のユーザーのためのビルトイン認証の許可」を参照してください。

    Screenshot of option to enable built-in authentication outside of SAML IdP

  7. Optionally, to enable unsolicited response SSO, select IdP initiated SSO. By default, GitHub Enterprise Server will reply to an unsolicited Identity Provider (IdP) initiated request with an AuthnRequest back to the IdP.

    Screenshot of option to enable IdP-initiated unsolicited response

    Note: We recommend keeping this value unselected. You should enable this feature only in the rare instance that your SAML implementation does not support service provider initiated SSO, and when advised by GitHub Enterprise サポート.

  8. Select Disable administrator demotion/promotion if you do not want your SAML provider to determine administrator rights for users on your GitHub Enterprise Server instance.

    Screenshot of option to enable option to respect the "administrator" attribute from the IdP to enable or disable administrative rights

  9. Optionally, to allow your GitHub Enterprise Server instance to receive encrypted assertions from your SAML IdP, select Require encrypted assertions. You must ensure that your IdP supports encrypted assertions and that the encryption and key transport methods in the management console match the values configured on your IdP. You must also provide your GitHub Enterprise Server instance's public certificate to your IdP. For more information, see "Enabling encrypted assertions."

    Screenshot of "Enable encrypted assertions" checkbox within management console's "Authentication" section

  10. In the Single sign-on URL field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to configure your GitHub Enterprise Server instance to use internal nameservers.

    Screenshot of text field for single sign-on URL

  11. Optionally, in the Issuer field, type your SAML issuer's name. This verifies the authenticity of messages sent to your GitHub Enterprise Server instance.

    Screenshot of text field for SAML issuer URL

  12. In the Signature Method and Digest Method drop-down menus, choose the hashing algorithm used by your SAML issuer to verify the integrity of the requests from your GitHub Enterprise Server instance. Specify the format with the Name Identifier Format drop-down menu.

    Screenshot of drop-down menus to select signature and digest method

  13. Under Verification certificate, click Choose File and choose a certificate to validate SAML responses from the IdP.

    Screenshot of button for uploading validation certificate from IdP

  14. Modify the SAML attribute names to match your IdP if needed, or accept the default names.

    Screenshot of fields for entering additional SAML attributes

Further reading