
Configuring OIDC for Enterprise Managed Users

You can automatically manage access to your enterprise account on GitHub by configuring OpenID Connect (OIDC) single sign-on and enabling support for your identity provider's conditional access policy (CAP).

To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which is available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

Note: OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for Enterprise Managed Users is only available for Azure AD.

About OIDC for Enterprise Managed Users

With Enterprise Managed Users, your enterprise uses your identity provider (IdP) to authenticate all members. You can use OpenID Connect (OIDC) to manage authentication for your enterprise with managed users. Enabling OIDC SSO is a one-click setup process with certificates managed by GitHub and your IdP.

When your enterprise uses OIDC SSO, GitHub will automatically use your IdP's conditional access policy (CAP) IP conditions to validate user interactions with GitHub, when members change IP addresses, and each time a personal access token or SSH key is used. For more information, see "About support for your IdP's Conditional Access Policy."

You can adjust the lifetime of a session, and how often a managed user account needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for GitHub from your IdP. The default lifetime is one hour. For more information, see "Configurable token lifetimes in the Microsoft identity platform" in the Azure AD documentation.
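To make concrete how the ID token's lifetime becomes the session lifetime, here is an added example (not GitHub's or Azure AD's code) that mints a constructed ID token with `iat`/`exp` claims, verifies it, and derives when the user would have to reauthenticate. It uses an HS256 shared key purely as a stand-in so the block runs offline; a real IdP signs ID tokens with an asymmetric key published at its JWKS endpoint, and the issuer, audience and key values below are placeholders.

```python
import base64
import hashlib
import hmac
import json

# Placeholder values for the demo (assumptions, not real tenant or client identifiers).
DEMO_KEY = b"demo-signing-key-not-for-production"
DEMO_ISSUER = "https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>/v2.0"
DEMO_AUDIENCE = "<CLIENT-ID-PLACEHOLDER>"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(subject: str, issued_at: int, lifetime_seconds: int, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 ID token whose lifetime is exp - iat."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": DEMO_ISSUER,
        "aud": DEMO_AUDIENCE,
        "sub": subject,
        "iat": issued_at,
        "nbf": issued_at,
        "exp": issued_at + lifetime_seconds,
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(claims))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_id_token(token: str, now: int, key: bytes = DEMO_KEY, skew_seconds: int = 60) -> dict:
    """Verify signature plus iss/aud/nbf/exp, then return the claims with the derived
    session lifetime and the instant at which a fresh IdP sign-in is required."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.claims.signature")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject alg=none and algorithm confusion
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != DEMO_ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != DEMO_AUDIENCE:
        raise ValueError("audience mismatch")
    if now + skew_seconds < claims["nbf"]:
        raise ValueError("token not yet valid")
    if now - skew_seconds >= claims["exp"]:
        raise ValueError("token expired: user must reauthenticate with the IdP")
    return {
        **claims,
        "session_lifetime_seconds": claims["exp"] - claims["iat"],
        "reauth_required_at": claims["exp"],
    }


def is_valid(token: str, now: int) -> bool:
    """Convenience wrapper: True if validate_id_token accepts the token at time `now`."""
    try:
        validate_id_token(token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    issued = 1_700_000_000                       # constructed epoch timestamp
    tok = mint_id_token("alice_shortcode", issued, 3600)  # one-hour default lifetime
    print(validate_id_token(tok, issued + 1800))
    print("still valid two hours later?", is_valid(tok, issued + 7200))
```

Shortening the lifetime passed to `mint_id_token` (which in practice means lowering the ID token lifetime policy at the IdP) moves `reauth_required_at` earlier; the validator also shows why a relying party must reject unexpected `alg` values and compare signatures in constant time before trusting any lifetime claim.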

If you currently use SAML SSO for authentication and would prefer to use OIDC and benefit from CAP support, you can follow a migration path. For more information, see "Migrating from SAML to OIDC."

Warning: If you use GitHub Enterprise Importer to migrate an organization from your GitHub Enterprise Server instance, make sure to use a service account that is exempt from Azure AD's CAP; otherwise your migration may be blocked.
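The two passages above describe when GitHub consults the IdP's CAP IP conditions (on sign-in, on an IP address change, and on every personal access token or SSH key use) and why a CAP-exempt service account matters for a migration. The following is an added illustration, not code from GitHub or Azure AD: a small policy evaluator over constructed access events that models those enforcement points. The trusted networks, the exempt account name, and the event format are all assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Constructed "named locations" an administrator might allow in a CAP (assumption).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

# Constructed exemption list: a migration service account excluded from the CAP (assumption).
CAP_EXEMPT_ACCOUNTS = {"migration-svc_shortcode"}

# Interactions that are re-checked on every use, per the text: PAT and SSH key use.
ALWAYS_CHECKED_ACTIONS = {"pat", "ssh"}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    source_ip: str
    action: str  # "web", "pat" or "ssh" (constructed vocabulary)


def cap_allows(event: AccessEvent) -> bool:
    """Apply the IP condition: exempt accounts pass; everyone else must come from a trusted network."""
    if event.user in CAP_EXEMPT_ACCOUNTS:
        return True
    try:
        addr = ipaddress.ip_address(event.source_ip)
    except ValueError:
        return False  # an unparsable source address never satisfies an allow-list
    return any(addr in net for net in TRUSTED_NETWORKS)


def decide_all(events) -> list:
    """Walk an event stream and report, per event, whether the CAP was consulted and the outcome.

    The CAP is evaluated on a user's first interaction, whenever that user's IP changes,
    and on every PAT/SSH use; an unchanged-IP web interaction reuses the last decision.
    """
    last_ip = {}        # user -> last source IP seen
    last_decision = {}  # user -> last allow/deny result
    decisions = []
    for ev in events:
        must_check = (
            ev.action in ALWAYS_CHECKED_ACTIONS
            or ev.user not in last_ip
            or last_ip[ev.user] != ev.source_ip
        )
        if must_check:
            allowed = cap_allows(ev)
            last_decision[ev.user] = allowed
            reason = "evaluated"
        else:
            allowed = last_decision[ev.user]
            reason = "cached (no IP change)"
        last_ip[ev.user] = ev.source_ip
        decisions.append((ev.user, ev.action, "allow" if allowed else "deny", reason))
    return decisions


# Constructed sample event stream (not real data).
SAMPLE_EVENTS = [
    AccessEvent("alice_shortcode", "203.0.113.5", "web"),
    AccessEvent("alice_shortcode", "203.0.113.5", "web"),
    AccessEvent("alice_shortcode", "198.51.100.7", "web"),
    AccessEvent("bob_shortcode", "198.51.100.7", "pat"),
    AccessEvent("migration-svc_shortcode", "198.51.100.7", "pat"),
    AccessEvent("carol_shortcode", "not-an-ip", "ssh"),
]

if __name__ == "__main__":
    for row in decide_all(SAMPLE_EVENTS):
        print(row)
```

Run as a script, the output shows the third `alice_shortcode` event being re-evaluated and denied after her IP changed, the PAT use by `bob_shortcode` denied on every use, and the exempt migration account allowed from the same untrusted address, which is exactly the situation the warning above is guarding against.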

Identity provider support

Support for OIDC is available for customers using Azure Active Directory (Azure AD).

Each Azure AD tenant can support only one OIDC integration with Enterprise Managed Users. If you want to connect Azure AD to more than one enterprise on GitHub, use SAML instead. For more information, see "Configuring SAML single sign-on for Enterprise Managed Users."

Configuring OIDC for Enterprise Managed Users

  1. Sign in to GitHub as the setup user for your new enterprise, using the username @SHORT-CODE_admin.

  2. In the top-right corner of GitHub, click your profile photo, then click Your enterprises.

  3. In the list of enterprises, click the enterprise you want to view.

  4. In the enterprise account sidebar, click Settings.

  5. In the left sidebar, click Authentication security.

  6. Select Require OIDC single sign-on.

  7. To continue setup and be redirected to Azure AD, click Save.

  8. After GitHub Enterprise Cloud redirects you to your IdP, sign in, then follow the instructions to give consent and install the GitHub Enterprise Managed User (OIDC) application. When Azure AD asks for permissions for GitHub Enterprise Managed Users with OIDC, enable Consent on behalf of your organization, then click Accept.

    Warning: You must sign in to Azure AD as a user with global admin rights in order to consent to the installation of the GitHub Enterprise Managed User (OIDC) application.

  9. To ensure you can still access your enterprise in the event that your identity provider is ever unavailable in the future, click Download, Print, or Copy to save your recovery codes. For more information, see "Downloading your enterprise account's single sign-on recovery codes."

Enabling provisioning

After you enable OIDC SSO, enable provisioning. For more information, see "Configuring SCIM provisioning for enterprise managed users."