
GitHub AE is currently under limited release.

SAML configuration reference

You can see SAML metadata for your enterprise on GitHub AE, and you can learn more about available SAML attributes and response requirements.

About SAML configuration

To use SAML single sign-on (SSO) for authentication to GitHub AE, you must configure both your external SAML identity provider (IdP) and your enterprise on GitHub AE. In a SAML configuration, GitHub AE functions as a SAML service provider (SP). For more information about authentication for your enterprise, see "About identity and access management."

GitHub AE provides integration according to the SAML 2.0 specification. For more information, see the SAML Wiki on the OASIS website.

You must enter unique values from your SAML IdP when configuring SAML SSO for GitHub AE, and you must also enter unique values from GitHub AE on your IdP. For more information about authentication for

SAML metadata

The SP metadata for your enterprise on GitHub AE is available at https://HOSTNAME/saml/metadata, where HOSTNAME is the hostname for your enterprise on GitHub AE. GitHub AE uses the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding.

| Value | Other names | Description | Example |
| --- | --- | --- | --- |
| SP Entity ID | SP URL, audience restriction | Your top-level URL for GitHub AE | https://HOSTNAME |
| SP Assertion Consumer Service (ACS) URL | Reply, recipient, or destination URL | URL where IdP sends SAML responses | https://HOSTNAME/saml/consume |
| SP Single Sign-On (SSO) URL | | URL where IdP begins SSO | https://HOSTNAME/sso |

SAML attributes

The following SAML attributes are available for GitHub AE.

| Name | Description |
| --- | --- |
| NameID | A persistent user identifier. Any persistent name identifier format may be used. GitHub AE will normalize the NameID element to use as a username unless one of the alternative assertions is provided. For more information, see "Username considerations for external authentication." |
| SessionNotOnOrAfter | The date that GitHub AE invalidates the associated session. After invalidation, the person must authenticate once again to access your enterprise's resources. For more information, see "Session duration and timeout." |
| administrator | When the value is true, GitHub AE will automatically promote the user to be an enterprise owner. Setting this attribute to anything but true will result in demotion, as long as the value is not blank. Omitting this attribute or leaving the value blank will not change the role of the user. |
| username | The username for your enterprise. |
| full_name | The full name of the user to display on the user's profile page. |
| emails | The email addresses for the user. You can specify more than one address. |
| public_keys | The public SSH keys for the user. You can specify more than one key. |
| gpg_keys | The GPG keys for the user. You can specify more than one key. |

Note: For NameID, it's important to use a human-readable, persistent identifier. Using a transient identifier format like urn:oasis:names:tc:SAML:2.0:nameid-format:transient will result in re-linking of accounts on every sign-in, which can be detrimental to authorization management.

To specify more than one value for an attribute, use multiple <saml2:AttributeValue> elements.

<saml2:Attribute FriendlyName="public_keys" Name="urn:oid:1.2.840.113549.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>ssh-rsa LONG KEY</saml2:AttributeValue>
    <saml2:AttributeValue>ssh-rsa LONG KEY 2</saml2:AttributeValue>
</saml2:Attribute>

SAML response requirements

GitHub AE requires that the response message from your IdP fulfill the following requirements.

  • Your IdP must provide the <Destination> element on the root response document and match the ACS URL only when the root response document is signed. If your IdP signs the assertion, GitHub AE will ignore the assertion.

  • Your IdP must always provide the <Audience> element as part of the <AudienceRestriction> element. The value must match your EntityId for GitHub AE. This value is the URL where you access your enterprise, such as https://HOSTNAME.

  • Your IdP must protect each assertion in the response with a digital signature. You can accomplish this by signing each individual <Assertion> element or by signing the <Response> element.

  • Your IdP must provide a <NameID> element as part of the <Subject> element. You may use any persistent name identifier format.

  • Your IdP must include the Recipient attribute, which must be set to the ACS URL. The following example demonstrates the attribute.

    <samlp:Response ...>
      <saml:Assertion ...>
        <saml:Subject>
          <saml:NameID ...>...</saml:NameID>
          <saml:SubjectConfirmation ...>
            <saml:SubjectConfirmationData Recipient="https://HOSTNAME/saml/consume" .../>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute FriendlyName="USERNAME-ATTRIBUTE" ...>...</saml:Attribute>
      </saml:Assertion>
    </samlp:Response>
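As an added example that is not part of the GitHub documentation, the following Python script performs a structural pre-check of a SAML response against the requirements listed above and also extracts multi-valued attributes such as public_keys from the SAML attributes section. The SP values come from the SAML metadata table, the sample response is constructed, and only the presence of signature elements is checked (cryptographic verification of the XML signatures is left to a SAML library).

```python
import xml.etree.ElementTree as ET
# Namespaces used in SAML 2.0 responses (samlp = protocol, saml = assertion, ds = XML Signature).
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENTITY_ID = "https://HOSTNAME"             # SP Entity ID from the SAML metadata table
ACS_URL = "https://HOSTNAME/saml/consume"  # SP ACS URL from the SAML metadata table

def check_response(xml_text, entity_id=ENTITY_ID, acs_url=ACS_URL):
    """Structural pre-check of the response requirements; returns a list of violations."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    problems = [] if assertions else ["response carries no <Assertion>"]
    # A <ds:Signature> directly under <Response> means the root document is signed.
    response_signed = root.find("ds:Signature", NS) is not None
    if response_signed and root.get("Destination") != acs_url:
        problems.append("signed response: Destination must equal the ACS URL")
    for a in assertions:
        if not response_signed and a.find("ds:Signature", NS) is None:
            problems.append("assertion must be signed when the response is not")
        audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if entity_id not in audiences:
            problems.append("Audience must equal the SP Entity ID")
        if a.find("saml:Subject/saml:NameID", NS) is None:
            problems.append("Subject must contain a NameID")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != acs_url:
            problems.append("Recipient must equal the ACS URL")
    return problems

def attribute_values(xml_text, friendly_name):
    """Every <AttributeValue> of a multi-valued attribute such as public_keys or emails."""
    root = ET.fromstring(xml_text)
    return [v.text for attr in root.findall(
                "saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)
            if attr.get("FriendlyName") == friendly_name
            for v in attr.findall("saml:AttributeValue", NS)]
# Constructed sample: signed at the root (signature body omitted), so Destination is checked.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://HOSTNAME/saml/consume"><ds:Signature/>
 <saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">octocat</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://HOSTNAME/saml/consume"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://HOSTNAME</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute FriendlyName="public_keys">
   <saml:AttributeValue>ssh-rsa KEY1</saml:AttributeValue><saml:AttributeValue>ssh-rsa KEY2</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Calling check_response(SAMPLE) returns an empty list for the well-formed sample; removing the root signature, changing the Audience, Destination or Recipient each produces the matching violation.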

Session duration and timeout

To prevent a person from authenticating with your IdP and staying authorized indefinitely, GitHub AE periodically invalidates the session for each user account with access to your enterprise's resources. After invalidation, the person must authenticate with your IdP once again.

By default, if your IdP does not assert a value for the SessionNotOnOrAfter attribute, GitHub AE invalidates a session one week after successful authentication with your IdP.

GitHub AE will support a customized session duration if your IdP provides the option to configure a SessionNotOnOrAfter attribute and value.

If you define a customized session duration value less than 24 hours, GitHub AE may prompt people to authenticate every time GitHub AE initiates a redirect.
  • For Azure AD, the configurable lifetime policy for SAML tokens does not control session timeout for GitHub AE.
  • Okta does not currently send the SessionNotOnOrAfter attribute during SAML authentication with GitHub AE. For more information, contact Okta.