Skip to main content
설명서에 자주 업데이트를 게시하며 이 페이지의 번역이 계속 진행 중일 수 있습니다. 최신 정보는 영어 설명서를 참조하세요.
All products
엔터프라이즈 관리자

Enterprise Managed Users에 대한 SCIM 프로비저닝 구성

이 문서의 내용

새 사용자를 프로비저닝하고 엔터프라이즈 및 팀의 멤버 자격을 관리하도록 ID 공급자를 구성할 수 있습니다.

ID 공급자를 사용하여 엔터프라이즈의 사용자를 관리하려면 GitHub Enterprise Cloud에서 사용할 수 있는 Enterprise Managed Users에 대해 엔터프라이즈를 사용하도록 설정해야 합니다. 자세한 내용은 "Enterprise Managed Users 정보"을 참조하세요.

About provisioning for Enterprise Managed Users

You must configure provisioning for Enterprise Managed Users to create, manage, and deactivate user accounts for your enterprise members.

After you configure provisioning for Enterprise Managed Users, users assigned to the GitHub Enterprise Managed User application in your identity provider are provisioned as new managed user accounts on GitHub via SCIM, and the managed user accounts are added to your enterprise. If you assign a group to the application, all users within the group will be provisioned as new managed user accounts.

When you update information associated with a user's identity on your IdP, your IdP will update the user's account on GitHub.com. When you unassign the user from the GitHub Enterprise Managed User application or deactivate a user's account on your IdP, your IdP will communicate with GitHub to invalidate any sessions and disable the member's account. The disabled account's information is maintained and their username is changed to a hash of their original username with the short code appended. If you reassign a user to the GitHub Enterprise Managed User application or reactivate their account on your IdP, the managed user account on GitHub will be reactivated and username restored.

Groups in your IdP can be used to manage team membership within your enterprise's organizations, allowing you to configure repository access and permissions through your IdP. For more information, see "Managing team memberships with identity provider groups."

Prerequisites

Before you can configure provisioning for Enterprise Managed Users, you must configure SAML or OIDC single-sign on.

Creating a personal access token

To configure provisioning for your enterprise with managed users, you need a personal access token (classic) with the admin:enterprise scope that belongs to the setup user.

Warning: If the token expires or a provisioned user creates the token, SCIM provisioning may unexpectedly stop working. Make sure that you create the token while signed in as the setup user and that the token expiration is set to "No expiration".

  1. Sign into GitHub.com as the setup user for your new enterprise with the username @SHORT-CODE_admin.

  2. In the upper-right corner of any page, click your profile photo, then click Settings.

    Screenshot of GitHub's account menu showing options for users to view and edit their profile, content, and settings. The menu item "Settings" is outlined in dark orange.

  3. In the left sidebar, click Developer settings.

  4. In the left sidebar, click Personal access tokens.

  5. Click Generate new token.

  6. Under Note, give your token a descriptive name.

  7. Select the Expiration dropdown menu, then click No expiration.

  8. Select the admin:enterprise scope. Screenshot showing the admin:enterprise scope.

  9. Click Generate token.

  10. To copy the token to your clipboard, click .

    Screenshot of the "Personal access tokens" page. Next to a blurred-out token, an icon of two overlapping squares is outlined in orange.

  11. To save the token for use later, store the new token securely in a password manager.

Configuring provisioning for Enterprise Managed Users

After creating your personal access token and storing it securely, you can configure provisioning on your identity provider.

Note: To avoid exceeding the rate limit on GitHub Enterprise Cloud, do not assign more than 1,000 users per hour to the IdP application. If you use groups to assign users to the IdP application, do not add more than 1,000 users to each group per hour. If you exceed these thresholds, attempts to provision users may fail with a "rate limit" error. You can review your IdP logs to confirm if attempted SCIM provisioning or push operations failed due to a rate limit error. The response to a failed provisioning attempt will depend on the IdP. For more information, see "Troubleshooting identity and access management for your enterprise."

To configure provisioning, follow the appropriate link from the table below.

Identity providerSSO methodMore information
Azure ADOIDCTutorial: Configure GitHub Enterprise Managed User (OIDC) for automatic user provisioning in the Azure AD documentation
Azure ADSAMLTutorial: Configure GitHub Enterprise Managed User for automatic user provisioning in the Azure AD documentation
OktaSAMLConfiguring SCIM provisioning for Enterprise Managed Users with Okta
PingFederate (private beta)SAMLConfigure PingFederate for provisioning and SSO and Managing channels in the PingFederate documentation

Note: Support for PingFederate is currently in private beta and subject to change. To request access to the beta, contact GitHub's Sales team.

Note: Azure AD does not support provisioning nested groups. For more information, see How Application Provisioning works in Azure Active Directory.