Configuring SAML single sign-on for your enterprise

You can control and secure access to GitHub Enterprise Server ์ธ์Šคํ„ด์Šค by configuring SAML single sign-on (SSO) through your identity provider (IdP).

๋ˆ„๊ฐ€ ์ด ๊ธฐ๋Šฅ์„ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” ์žˆ๋‚˜์š”?

Site administrators can configure SAML SSO for a GitHub Enterprise Server instance.

์ด ๋ฌธ์„œ์˜ ๋‚ด์šฉ

About SAML SSO

SAML SSO allows you to centrally control and secure access to GitHub Enterprise Server ์ธ์Šคํ„ด์Šค from your SAML IdP. When an unauthenticated user visits GitHub Enterprise Server ์ธ์Šคํ„ด์Šค in a browser, GitHub Enterprise Server will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to GitHub Enterprise Server ์ธ์Šคํ„ด์Šค. GitHub Enterprise Server validates the response from your IdP, then grants access to the user.

After a user successfully authenticates on your IdP, the user's SAML session for GitHub Enterprise Server ์ธ์Šคํ„ด์Šค is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.

JIT ํ”„๋กœ๋น„์ €๋‹์„ ์‚ฌ์šฉํ•˜๋ฉด์„œ IdP์—์„œ ์‚ฌ์šฉ์ž๋ฅผ ์ œ๊ฑฐํ•˜๋Š” ๊ฒฝ์šฐ GitHub Enterprise Server ์ธ์Šคํ„ด์Šค์—์„œ ์‚ฌ์šฉ์ž ๊ณ„์ •์„ ์ˆ˜๋™์œผ๋กœ ์ผ์‹œ ์ค‘๋‹จํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค. ๊ทธ๋Ÿฌ์ง€ ์•Š์œผ๋ฉด ๊ณ„์ •์˜ ์†Œ์œ ์ž๋Š” ์•ก์„ธ์Šค ํ† ํฐ ๋˜๋Š” SSH ํ‚ค๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๊ณ„์† ์ธ์ฆํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ž์„ธํ•œ ์ •๋ณด๋Š” "์‚ฌ์šฉ์ž ์ผ์‹œ ์ค‘๋‹จ ๋ฐ ์ผ์‹œ ์ค‘๋‹จ ์ทจ์†Œ"์„ ์ฐธ์กฐํ•˜์„ธ์š”.

Supported identity providers

GitHub Enterprise Server๋Š” SAML 2.0 ํ‘œ์ค€์„ ๊ตฌํ˜„ํ•˜๋Š” IdP๊ฐ€ ์žˆ๋Š” SAML SSO๋ฅผ ์ง€์›ํ•ฉ๋‹ˆ๋‹ค. ์ž์„ธํ•œ ๋‚ด์šฉ์€ OASIS ์›น ์‚ฌ์ดํŠธ์˜ SAML Wiki๋ฅผ ์ฐธ์กฐํ•˜์„ธ์š”.

GitHub๋Š” ๋‹ค์Œ IdP๋ฅผ ๊ณต์‹์ ์œผ๋กœ ์ง€์›ํ•˜๊ณ  ๋‚ด๋ถ€์ ์œผ๋กœ ํ…Œ์ŠคํŠธํ•ฉ๋‹ˆ๋‹ค.

  • Microsoft AD FS(Active Directory Federation Services)
  • Microsoft Entra ID(์ด์ „์˜ Azure AD)
  • Okta
  • OneLogin
  • PingOne
  • Shibboleth

For more information about connecting Entra ID to your enterprise, see Tutorial: Microsoft Entra SSO integration with GitHub Enterprise Server in Microsoft Docs.

Username considerations with SAML

GitHub Enterprise Server์—์„œ๋Š” ์™ธ๋ถ€ ์ธ์ฆ ๊ณต๊ธ‰์ž ๊ฐ’์„ ์ •๊ทœํ™”ํ•˜์—ฌ GitHub Enterprise Server ์ธ์Šคํ„ด์Šค์—์„œ ๊ฐ ์ƒˆ ๊ฐœ์ธ ๊ณ„์ •์˜ ์‚ฌ์šฉ์ž ์ด๋ฆ„์„ ํ™•์ธํ•ฉ๋‹ˆ๋‹ค. For more information, see "์™ธ๋ถ€ ์ธ์ฆ์— ๋Œ€ํ•œ ์‚ฌ์šฉ์ž ์ด๋ฆ„ ๊ณ ๋ ค ์‚ฌํ•ญ."

Configuring SAML SSO

You can enable or disable SAML authentication for GitHub Enterprise Server ์ธ์Šคํ„ด์Šค, or you can edit an existing configuration. You can view and edit authentication settings for GitHub Enterprise Server in the ๊ด€๋ฆฌ ์ฝ˜์†”. For more information, see "๊ด€๋ฆฌ ์›น UI์—์„œ ์ธ์Šคํ„ด์Šค ๋“ฑ๋ก."

Note: GitHub๋Š” ์Šคํ…Œ์ด์ง• ํ™˜๊ฒฝ์—์„œ ์ธ์ฆ์„ ์œ„ํ•œ ์ƒˆ ๊ตฌ์„ฑ์„ ํ™•์ธํ•˜๋Š” ๊ฒƒ์„ ๊ฐ•๋ ฅํ•˜๊ฒŒ ๊ถŒ์žฅํ•ฉ๋‹ˆ๋‹ค. ๊ตฌ์„ฑ์ด ์ž˜๋ชป๋˜๋ฉด GitHub Enterprise Server ์ธ์Šคํ„ด์Šค์— ๊ฐ€๋™ ์ค‘์ง€ ์‹œ๊ฐ„์ด ๋ฐœ์ƒํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ž์„ธํ•œ ๋‚ด์šฉ์€ "์Šคํ…Œ์ด์ง• ์ธ์Šคํ„ด์Šค ์„ค์ •"์„(๋ฅผ) ์ฐธ์กฐํ•˜์„ธ์š”.

  1. ํŽ˜์ด์ง€์˜ ์˜ค๋ฅธ์ชฝ ์ƒ๋‹จ์— ์žˆ๋Š” GitHub Enterprise Server์˜ ๊ด€๋ฆฌ ๊ณ„์ •์—์„œ ์„ ํด๋ฆญํ•ฉ๋‹ˆ๋‹ค.

  2. โ€œSite adminโ€(์‚ฌ์ดํŠธ ๊ด€๋ฆฌ์ž) ํŽ˜์ด์ง€์— ์•„์ง ์—†๋Š” ๊ฒฝ์šฐ ์™ผ์ชฝ ์ƒ๋‹จ์—์„œ Site admin(์‚ฌ์ดํŠธ ๊ด€๋ฆฌ์ž)์„ ํด๋ฆญํ•ฉ๋‹ˆ๋‹ค.

  3. " ์‚ฌ์ดํŠธ ๊ด€๋ฆฌ์ž" ์‚ฌ์ด๋“œ๋ฐ”์—์„œ ๊ด€๋ฆฌ ์ฝ˜์†” ์„ ํด๋ฆญํ•ฉ๋‹ˆ๋‹ค.

  4. "์„ค์ •" ์‚ฌ์ด๋“œ๋ฐ”์—์„œ ์ธ์ฆ์„ ํด๋ฆญํ•ฉ๋‹ˆ๋‹ค.

  5. Under "Authentication", select SAML.

  6. ํ•„์š”์— ๋”ฐ๋ผ ์™ธ๋ถ€ ์ธ์ฆ ์‹œ์Šคํ…œ์— ๊ณ„์ •์ด ์—†๋Š” ์‚ฌ์šฉ์ž๊ฐ€ ๊ธฐ๋ณธ ์ œ๊ณต ์ธ์ฆ์œผ๋กœ ๋กœ๊ทธ์ธํ•  ์ˆ˜ ์žˆ๋„๋ก ํ•˜๋ ค๋ฉด ๊ธฐ๋ณธ ์ œ๊ณต ์ธ์ฆ ํ—ˆ์šฉ์„ ์„ ํƒํ•ฉ๋‹ˆ๋‹ค. ์ž์„ธํ•œ ๋‚ด์šฉ์€ "๊ณต๊ธ‰์ž ์™ธ๋ถ€ ์‚ฌ์šฉ์ž์—๊ฒŒ ๊ธฐ๋ณธ ์ œ๊ณต ์ธ์ฆ ํ—ˆ์šฉ"์„(๋ฅผ) ์ฐธ์กฐํ•˜์„ธ์š”.

  7. Optionally, to enable unsolicited response SSO, select IdP initiated SSO. By default, GitHub Enterprise Server will reply to an unsolicited Identity Provider (IdP) initiated request with an AuthnRequest back to the IdP.

    Note: We recommend keeping this value unselected. You should enable this feature only in the rare instance that your SAML implementation does not support service provider initiated SSO, and when advised by GitHub Enterprise ์ง€์›.

  8. Optionally, if you do not want your SAML provider to determine administrator rights for users on GitHub Enterprise Server ์ธ์Šคํ„ด์Šค, select Disable administrator demotion/promotion

  9. Optionally, to allow GitHub Enterprise Server ์ธ์Šคํ„ด์Šค to receive encrypted assertions from your SAML IdP, select Require encrypted assertions.

    You must ensure that your IdP supports encrypted assertions and that the encryption and key transport methods in the management console match the values configured on your IdP. You must also provide GitHub Enterprise Server ์ธ์Šคํ„ด์Šค's public certificate to your IdP. For more information, see "์•”ํ˜ธํ™”๋œ ์–ด์„ค์…˜ ์‚ฌ์šฉ."

  10. Under "Single sign-on URL," type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to configure GitHub Enterprise Server ์ธ์Šคํ„ด์Šค to use internal nameservers.

  11. Optionally, in the Issuer field, type your SAML issuer's name. This verifies the authenticity of messages sent to GitHub Enterprise Server ์ธ์Šคํ„ด์Šค.

  12. Select the Signature Method and Digest Method dropdown menus, then click the hashing algorithm used by your SAML issuer to verify the integrity of the requests from GitHub Enterprise Server ์ธ์Šคํ„ด์Šค.

  13. Select the Name Identifier Format dropdown menu, then click a format.

  14. Under "Verification certificate," click Choose File, then choose a certificate to validate SAML responses from the IdP.

  15. Under "User attributes", modify the SAML attribute names to match your IdP if needed, or accept the default names.

Further reading