
About identity and access management

Administrators of GitHub Enterprise Cloud must decide how users will access the enterprise's resources on GitHub.com.

About IAM for GitHub Enterprise Cloud

You can allow people to use a personal account on GitHub.com to access your enterprise's resources and optionally configure additional SAML access restriction, or you can provision and control the accounts for your enterprise using your identity provider (IdP) with Enterprise Managed Users.

After you learn more about authentication and provisioning for each of these options, see "Identifying the best authentication method for your enterprise" to determine which method is best for your enterprise.

Authentication methods

When you create an enterprise on GitHub Enterprise Cloud, you can decide how people authenticate to access your resources on GitHub.com, and who controls the user accounts.

Authentication through GitHub.com

With authentication solely through GitHub.com, each person you want to grant access to your enterprise must create and manage a personal account on GitHub.com. After you grant access to your enterprise, the member can access your enterprise's resources after signing into the account on GitHub.com. The member manages the account, and can contribute to other enterprises, organizations, and repositories on GitHub.com. For more information about personal accounts, see "Creating an account on GitHub."

Authentication through GitHub.com with additional SAML access restriction

If you configure additional SAML access restriction, each person you want to grant access to your enterprise must create and manage a personal account on GitHub.com. After you grant access to your enterprise, the member can access your enterprise's resources only after authenticating successfully for both the account on GitHub.com and an account on your SAML identity provider (IdP). The member can contribute to other enterprises, organizations, and repositories on GitHub.com using their personal account. For more information about requiring SAML authentication for all access to your enterprise's resources, see "About SAML for enterprise IAM."

You can choose between configuring SAML at the enterprise level, which applies the same SAML configuration to all organizations within the enterprise, and configuring SAML separately for individual organizations. For more information, see "Deciding whether to configure SAML for your enterprise or your organizations."

Authentication with Enterprise Managed Users and federation

If you need more control of the accounts for your enterprise members on GitHub.com, you can use Enterprise Managed Users. With Enterprise Managed Users, you provision and manage accounts for your enterprise members on GitHub.com using your IdP. Each member signs into an account that you create, and your enterprise manages the account. Contributions to the rest of GitHub.com are restricted. For more information, see "About Enterprise Managed Users."

About provisioning

If you use authentication through GitHub.com with additional SAML access restriction, people create personal accounts on GitHub.com, and you can grant those personal accounts access to resources in your enterprise. You do not provision accounts.

Alternatively, if you use Enterprise Managed Users, you must configure your IdP to provision user accounts within your enterprise on GitHub.com using System for Cross-domain Identity Management (SCIM). For more information, see "Provisioning user accounts for Enterprise Managed Users."

About supported IdPs

For SAML SSO, you can configure authentication with an IdP that adheres to the SAML 2.0 standard. GitHub also officially supports and tests some IdPs. For more information, see "Configuring SAML single sign-on for your enterprise."

GitHub partners with some developers of identity management systems to provide a "paved-path" integration with Enterprise Managed Users. If you use a partner IdP, you can configure one application on your IdP to provide authentication and provisioning. If you don't use a partner IdP, or if you only use a partner IdP for authentication, you can integrate IdPs that implement the SAML 2.0 and System for Cross-domain Identity Management (SCIM) 2.0 standards. For more information, see "About Enterprise Managed Users."

Further reading