
Configuring SAML single sign-on for Enterprise Managed Users

You can automatically manage access to your enterprise account on GitHub by configuring Security Assertion Markup Language (SAML) single sign-on (SSO).

To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which is available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

About SAML SSO for Enterprise Managed Users

With Enterprise Managed Users, access to your enterprise's resources on GitHub must be authenticated through your identity provider (IdP). Instead of signing in to GitHub with a GitHub username and password, members of your enterprise will sign in through your IdP.

After you configure SAML SSO, we recommend storing your recovery codes so you can recover access to your enterprise in the event that your IdP is unavailable.

If you currently use SAML SSO for authentication and would prefer to use OIDC and benefit from CAP support, you can follow a migration path. For more information, see "Migrating from SAML to OIDC."


  • Ensure that you understand the integration requirements and level of support for your IdP. For more information, see "About Enterprise Managed Users."

  • Your IdP must adhere to the SAML 2.0 specification. For more information, see the SAML Wiki on the OASIS website.

  • To configure your IdP for SAML SSO with Enterprise Managed Users, you must have a tenant and administrative access on your IdP.

  • After you initially configure authentication and provisioning, GitHub does not recommend migration to a different platform for authentication or provisioning. If you need to migrate an existing enterprise to a different platform for authentication or provisioning, contact your account manager on GitHub's Sales team.

Configuring SAML SSO for Enterprise Managed Users

To configure SAML SSO for your enterprise with managed users, you must configure an application on your IdP, then configure your enterprise on GitHub. After you configure SAML SSO, you can configure user provisioning.

  1. Configure your IdP
  2. Configure your enterprise
  3. Enable provisioning

Configuring your IdP

  1. If you use a partner IdP, to install the GitHub Enterprise Managed User application, click one of the following links.

  2. To configure SAML SSO for Enterprise Managed Users on your IdP, read the following documentation. If you don't use a partner IdP, you can use the SAML configuration reference for GitHub Enterprise Cloud to create and configure a generic SAML 2.0 application on your IdP.

  3. To test and configure your enterprise, assign yourself or the user that will configure SAML SSO for your enterprise on GitHub to the application you configured for Enterprise Managed Users on your IdP.

  4. To continue configuring your enterprise on GitHub, locate and note the following information from the application you installed on your IdP.

    | Value | Other names | Description |
    | --- | --- | --- |
    | IdP Sign-On URL | Login URL, IdP URL | Application's URL on your IdP |
    | IdP Identifier URL | Issuer | IdP's identifier to service providers for SAML authentication |
    | Signing certificate, Base64-encoded | Public certificate | Public certificate that IdP uses to sign authentication requests |
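
One way to collect these three values is to read them from the SAML 2.0 metadata document that most IdPs publish for an application. The following is an added example, not GitHub's code; the function name, the idp.example.com URLs and the placeholder certificate bytes are assumptions, and it takes the first SingleSignOnService endpoint listed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for a real DER certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/issuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {FAKE_CERT_B64[:24]}
        {FAKE_CERT_B64[24:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the sign-on URL, issuer and signing certificate from IdP metadata."""
    # Refuse DTDs so entity declarations in the file never reach the parser.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS) if idp is not None else None
    if root.get("entityID") is None or sso is None:
        raise ValueError("not an IdP EntityDescriptor with an SSO endpoint")
    if urlparse(sso.get("Location", "")).scheme != "https":
        raise ValueError("sign-on URL must be an HTTPS endpoint")
    certs = [c.text or "" for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             for c in k.findall(".//ds:X509Certificate", NS)]
    if len(certs) != 1:
        raise ValueError(f"expected one signing certificate, found {len(certs)}")
    cert_b64 = "".join(certs[0].split())  # drop line breaks and indentation
    der = base64.b64decode(cert_b64, validate=True)  # raises on non-Base64 input
    return {"sign_on_url": sso.get("Location"), "issuer": root.get("entityID"),
            "public_certificate": cert_b64,
            "sha256_fingerprint": hashlib.sha256(der).hexdigest()}


if __name__ == "__main__":
    for name, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{name}: {value}")
```

Compare the SHA-256 fingerprint with the one your IdP console shows for the signing certificate before you paste the certificate into the enterprise settings.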

Configuring your enterprise

After you configure SAML SSO for Enterprise Managed Users on your IdP, you can configure your enterprise on GitHub.

After the initial configuration of SAML SSO, the only setting you can update on GitHub for your existing SAML configuration is the SAML certificate. If you need to update the sign-on URL or issuer URL, you must first disable SAML SSO, then reconfigure SAML SSO with the new settings. For more information, see "Disabling authentication for Enterprise Managed Users."

  1. Sign in to GitHub as the setup user for your enterprise with the username @SHORT-CODE_admin, replacing SHORT-CODE with your enterprise's short code.

    Note: If you need to reset the password for your setup user, contact GitHub Support through the GitHub Support portal.

  2. In the top-right corner of GitHub, click your profile photo, then click Your enterprises.

  3. In the list of enterprises, click the enterprise you want to view.

  4. In the enterprise account sidebar, click Settings.

  5. Under Settings, click Authentication security.

  6. Under "SAML single sign-on", select Require SAML authentication.

  7. Under Sign on URL, type the HTTPS endpoint of your IdP for SSO requests that you noted while configuring your IdP.

  8. Under Issuer, type your SAML issuer URL that you noted while configuring your IdP, to verify the authenticity of sent messages.

  9. Under Public Certificate, paste the certificate that you noted while configuring your IdP, to verify SAML responses.

  10. Under your public certificate, to the right of the current signature and digest methods, click the pencil icon.

    Screenshot of the current signature method and digest method in the SAML settings. The pencil icon is highlighted with an orange outline.

  11. Select the Signature Method and Digest Method dropdown menus, then click the hashing algorithm used by your SAML issuer.

  12. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click Test SAML configuration. This test uses Service Provider initiated (SP-initiated) authentication and must be successful before you can save the SAML settings.

  13. Click Save.

    Note: After you require SAML SSO for your enterprise, the setup user will no longer have access to the enterprise but will remain signed in to GitHub. Only managed user accounts provisioned by your IdP will have access to the enterprise.

  14. To ensure you can still access your enterprise on GitHub if your IdP is unavailable in the future, click Download, Print, or Copy to save your recovery codes. For more information, see "Downloading your enterprise account's single sign-on recovery codes."

Enabling provisioning

After you enable SAML SSO, enable provisioning. For more information, see "Configuring SCIM provisioning for Enterprise Managed Users."

Enabling guest collaborators

If your enterprise uses Enterprise Managed Users, you can use the role of guest collaborator to grant limited access to vendors and contractors. Guest collaborators are provisioned by your IdP, and only have access to the specific repositories or organizations you add them to. Guest collaborators only have access to internal repositories within organizations where they are a member and private repositories they are expressly authorized to access. Guest collaborators will never see internal repositories in an organization they are not a member of. For more information, see "Roles in an enterprise."

If you use Azure AD or Okta for SAML authentication, you may need to update your IdP application to use guest collaborators.

Enabling guest collaborators if you use Azure AD

  1. Sign in to the Azure Portal.

  2. Click Identity.

  3. Click Applications.

  4. Click Enterprise applications.

  5. Click All applications.

  6. View the details for your Enterprise Managed Users application.

  7. In the left sidebar, click Users and Groups.

  8. View the application registration.

    • If the application registration displays the "Restricted User" or "Guest Collaborator" roles, you're ready to invite guest collaborators to your enterprise.
    • If the application registration does not display the roles, proceed to the next step.
  9. In the Azure Portal, click App registrations.

  10. Click All applications, then use the search bar to find your application for Enterprise Managed Users.

  11. Click your SAML application.

  12. In the left sidebar, click Manifest.

  13. Under "appRoles", add the following:

      {
        "allowedMemberTypes": [
          "User"
        ],
        "description": "Guest Collaborator",
        "displayName": "Guest Collaborator",
        "id": "1ebc4a02-e56c-43a6-92a5-02ee09b90824",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "null"
      }

    Note: The id value is critical. If another id value is present, the update will fail.

  14. Click Save.
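
A pre-save check for the manifest edit in step 13, as an added example that is not part of GitHub's or Microsoft's tooling: it confirms that appRoles holds exactly one Guest Collaborator entry with the id and values shown above and that no id is duplicated. The function name and the sample manifest are constructed for illustration.

```python
import json

# Values copied from the appRoles entry in step 13 of this page.
REQUIRED_ROLE = {
    "description": "Guest Collaborator",
    "displayName": "Guest Collaborator",
    "id": "1ebc4a02-e56c-43a6-92a5-02ee09b90824",
    "isEnabled": True,
    "origin": "Application",
    "value": "null",
}

# Constructed sample manifest; the first role's id is a placeholder.
SAMPLE_MANIFEST = json.dumps({"appRoles": [
    {"displayName": "Restricted User", "id": "00000000-0000-0000-0000-000000000001"},
    dict(REQUIRED_ROLE, lang=None),
]})


def check_guest_collaborator_role(manifest_json: str) -> list:
    """Return a list of problems; an empty list means the role is in place."""
    roles = json.loads(manifest_json).get("appRoles", [])
    ids = [str(r.get("id", "")).lower() for r in roles]
    problems = [f"duplicate appRoles id {i}" for i in sorted(set(ids)) if ids.count(i) > 1]
    named = [r for r in roles if r.get("displayName") == REQUIRED_ROLE["displayName"]]
    if not named:
        return problems + ["Guest Collaborator role is missing from appRoles"]
    if len(named) > 1:
        problems.append("more than one role is named Guest Collaborator")
    for role in named:
        for key, expected in REQUIRED_ROLE.items():
            actual = role.get(key)
            if key == "id":  # GUIDs compare case-insensitively
                actual = str(actual).lower()
            if actual != expected:
                problems.append(f"{key} is {actual!r}, expected {expected!r}")
    return problems


if __name__ == "__main__":
    print(check_guest_collaborator_role(SAMPLE_MANIFEST) or "appRoles entry matches")
```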

Enabling guest collaborators for your enterprise with Okta

To add the guest collaborator role to your Okta application:

  1. Navigate to your application for Enterprise Managed Users on Okta.

  2. Click Provisioning.

  3. Click Go to Profile Editor.

  4. Find "Roles" at the bottom of the profile editor and click the edit icon.

  5. Add a new role.

    • For "Display name", type Guest Collaborator.
    • For "Value", type guest_collaborator.
  6. Click Save.

Adding guest collaborators to your enterprise

After you enable guest collaborators for your enterprise, you can add guest collaborators to your enterprise. For more information, see "Configuring SCIM provisioning for Enterprise Managed Users."