This version of GitHub Enterprise Server will be discontinued on 2025-08-27. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.

Configuring authentication and provisioning with Entra ID

You can use a tenant in Microsoft Entra ID (previously known as Azure AD) as an identity provider (IdP) to centrally manage authentication and user provisioning for your GitHub Enterprise Server instance.

Who can use this feature?

Site administrators with admin access to the IdP

Note

SCIM support is in beta on this version of GitHub Enterprise Server. SCIM support is generally available on version 3.17 and later.

About authentication and user provisioning with Entra ID

Entra ID is a service from Microsoft that allows you to centrally manage user accounts and access to web applications. For more information, see What is Microsoft Entra ID? in the Microsoft Docs.

When you use an IdP for IAM on GitHub Enterprise Server, SAML SSO controls and secures access to enterprise resources like repositories, issues, and pull requests. SCIM automatically creates user accounts and manages access to your enterprise when you make changes on your IdP. You can also synchronize teams on GitHub with groups on your IdP.

For more information, see About user provisioning with SCIM on GitHub Enterprise Server.

Prerequisites

The general prerequisites for using SCIM on GitHub Enterprise Server apply. See the "Prerequisites" section in Configuring SCIM provisioning to manage users.

In addition:

1. Configure SAML

Note

Even if you have previously configured SAML on Entra ID, you will need to configure SAML and SCIM on a new application to enable SCIM provisioning.

Before starting this section, ensure you have followed steps 1 and 2 in Configuring SCIM provisioning to manage users.

In Entra ID

  1. Create the "GitHub Enterprise Server" application in Entra ID. For instructions, see the "Adding GitHub Enterprise Server from the gallery" section in Microsoft's guide Tutorial: Microsoft Entra SSO integration with GitHub Enterprise Server.

    Note

    Do not use the application labeled "(Legacy)."

  2. In the "GitHub Enterprise Server" application settings, click Single sign-on in the left sidebar, then click SAML.

  3. In the "Basic SAML Configuration" section, click Edit, then add the following details.

    • "Identifier": your GitHub Enterprise Server host URL (https://HOSTNAME.com)
    • "Reply URL": your host URL, followed by /saml/consume (https://HOSTNAME.com/saml/consume)

  4. In the "SAML certificates" section, download the SAML certificate (Base64).

  5. In the "Set up GitHub Enterprise Server" section, make a note of the Login URL and Microsoft Entra Identifier.

On GitHub Enterprise Server

  1. Sign in to GitHub Enterprise Server as a user with access to the Management Console.
  2. Configure SAML using the information you have gathered. See Configuring SAML single sign-on for your enterprise.
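
Before using the certificate downloaded in step 4 of the Entra ID procedure to configure SAML on GitHub Enterprise Server, you can confirm that the file parses as a certificate, record its SHA-256 fingerprint, and see how long it remains valid. The following Python script is an added example, not part of GitHub's or Microsoft's documentation; the function names and the 30-day warning threshold are assumptions.

```python
import base64, hashlib, re, sys
from datetime import datetime, timedelta, timezone

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a Base64 export."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter in UTC."""
    _, pos, _ = read_tlv(der, 0)         # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)       # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                      # optional [0] version field
        pos = end
    for _ in range(3):                   # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)       # validity SEQUENCE
    _, _, pos = read_tlv(der, pos)       # skip notBefore
    tag, start, end = read_tlv(der, pos) # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                      # UTCTime has a 2-digit year; RFC 5280 pivots at 50
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_cert(pem_text, now=None, warn_days=30):
    """Summarise the certificate; warn_days is an assumed threshold, not a GitHub value."""
    der = pem_to_der(pem_text)
    left = not_after(der) - (now or datetime.now(timezone.utc))
    return {"sha256": hashlib.sha256(der).hexdigest(), "not_after": not_after(der),
            "days_left": left.days, "ok": left > timedelta(days=warn_days)}

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:        # path to the downloaded Base64 certificate file
        print(check_cert(fh.read()))
```

Run it with the path to the downloaded file as the only argument; an "ok" value of False means the certificate expires within the warning window or has already expired.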

2. Configure SCIM

Before starting this section, ensure you have followed steps 1 to 4 in Configuring SCIM provisioning to manage users.

  1. In the "GitHub Enterprise Server" application in Entra ID, click Provisioning in the left sidebar, then click Get started.

  2. Select the "Automatic" provisioning mode.

  3. In the "Admin Credentials" section, add the following details.

    • "Tenant URL": your GitHub Enterprise Server host URL, followed by /api/v3/scim/v2 (https://HOSTNAME.com/api/v3/scim/v2)
    • "Secret Token": the personal access token (classic) created for the setup user

  4. Click Test Connection.

  5. When the test is complete, click Save.

  6. Navigate back to the "Overview" page.

  7. To provision your Entra ID users to your GitHub Enterprise Server appliance, click Start provisioning.

When you have finished configuring SCIM, you may want to disable some SAML settings you enabled for the configuration process. See Configuring SCIM provisioning to manage users.