About migration of an enterprise with managed users from OIDC to SAML
To migrate from OIDC to SAML, you will first disable OIDC, which will suspend all managed user accounts, remove all SCIM-provisioned external groups, and delete linked identities.
Then, you will configure SAML and SCIM. At this time, users, groups, and identities will be re-provisioned.
If you're new to Enterprise Managed Users and haven't yet configured authentication for your enterprise, you do not need to migrate and can set up SAML single sign-on (SSO) immediately. For more information, see "Configuring SAML single sign-on for Enterprise Managed Users."
Prerequisites
- Your enterprise on GitHub.com must currently be configured to use OIDC for authentication. For more information, see "Configuring OIDC for Enterprise Managed Users."
- You'll need to access both your enterprise on GitHub.com and your tenant on Azure Active Directory (AD).
  - To configure the GitHub Enterprise Managed User (OIDC) application on Azure AD, you must sign into the Azure AD tenant as a user with the Global Administrator role.
  - To sign in as the setup user for your enterprise on GitHub.com, you must use a recovery code for the enterprise. For more information, see "Downloading your enterprise account's single sign-on recovery codes."
- Schedule a time to migrate when people aren't actively using your enterprise's resources. During the migration, users cannot access your enterprise until after you configure the new application and users are re-provisioned.
Migrating your enterprise
- Sign into GitHub.com as the setup user for your enterprise with the username @SHORT-CODE_admin, replacing SHORT-CODE with your enterprise's short code.
- In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.
- In the list of enterprises, click the enterprise you want to view.
- In the enterprise account sidebar, click Settings.
- When prompted to continue to your identity provider, click Use a recovery code and sign in using one of your enterprise's recovery codes.
  Note: You must use a recovery code for your enterprise, not your user account. For more information, see "Downloading your enterprise account's single sign-on recovery codes."
- Under Settings, click Authentication security.
- Deselect Require OIDC single sign-on.
- Click Save.
- Configure SAML authentication and SCIM provisioning. For more information, see Tutorial: Azure Active Directory single sign-on (SSO) integration with GitHub Enterprise Managed User in Microsoft Learn.