Skip to main content

About support for your IdP's Conditional Access Policy

When your enterprise uses OIDC SSO, GitHub can validate access to your enterprise and its resources using your IdP's Conditional Access Policy (CAP).

谁可以使用此功能?

若要使用标识提供者管理企业中的用户,企业必须启用 Enterprise Managed Users,它适用于 GitHub Enterprise Cloud。 有关详细信息,请参阅“关于 Enterprise Managed Users”。

注意:**** 对 Enterprise Managed Users 的 OpenID Connect (OIDC) 和条件访问策略 (CAP) 支持仅适用于 Microsoft Entra ID(以前称为 Azure AD)。

About support for Conditional Access Policies

企业使用 OIDC SSO 时,GitHub 将自动使用 IdP 的条件访问策略 (CAP) IP 条件来验证用户与 GitHub 的交互,当成员更改 IP 地址时,每次使用 personal access token 或 SSH 密钥时都会验证。

GitHub Enterprise Cloud supports CAP for any 具有托管用户的企业 where OIDC SSO is enabled. GitHub Enterprise Cloud enforces your IdP's IP conditions but cannot enforce your device compliance conditions. Enterprise owners can choose to use this IP allow list configuration instead of GitHub Enterprise Cloud's IP allow list, and can do so once OIDC SSO is configured. For more information about IP allow lists, see "使用 IP 允许列表限制到企业的网络流量" and "管理组织允许的 IP 地址."

For more information about using OIDC with Enterprise Managed Users, see "为企业托管用户配置 OIDC" and "从 SAML 迁移到 OIDC."

Considerations for integrations and automations

GitHub sends the originating IP address to your IdP for validation against your CAP. To make sure actions and apps are not blocked by your IdP's CAP, you will need to make changes to your configuration.

警告:**** 如果使用 GitHub Enterprise Importer 从 你的 GitHub Enterprise Server 实例 迁移组织,请确保使用一个豁免于 Entra ID CAP 的服务帐户,否则迁移可能会被阻止。

GitHub Actions

Actions that use a personal access token will likely be blocked by your IdP's CAP. We recommend that personal access tokens are created by a service account which is then exempted from IP controls in your IdP's CAP.

If you're unable to use a service account, another option for unblocking actions that use personal access tokens is to allow the IP ranges used by GitHub Actions. For more information, see "关于 GitHub 的 IP 地址."

GitHub Codespaces

GitHub Codespaces may not be available if your enterprise uses OIDC SSO with CAP to restrict access by IP addresses. This is because codespaces are created with dynamic IP addresses which it's likely your IdP’s CAP will block. Other CAP policies may also affect GitHub Codespaces's availability, depending on the policy's specific setup.

GitHub Apps and OAuth apps

When GitHub Apps and OAuth apps sign a user in and make requests on that user's behalf, GitHub will send the IP address of the app's server to your IdP for validation. If the IP address of the app's server is not validated by your IdP's CAP, the request will fail.

When GitHub Apps call GitHub APIs acting either as the app itself or as an installation, these calls are not performed on behalf of a user. Since your IdP's CAP executes and applies policies to user accounts, these application requests cannot be validated against CAP and are always allowed through. For more information on GitHub Apps authenticating as themselves or as an installation, see "关于使用 GitHub 应用进行身份验证".

You can contact the owners of the apps you want to use, ask for their IP ranges, and configure your IdP's CAP to allow access from those IP ranges. If you're unable to contact the owners, you can review your IdP sign-in logs to review the IP addresses seen in the requests, then allow-list those addresses.

If you do not wish to allow all of the IP ranges for all of your enterprise's apps, you can also exempt installed GitHub Apps and authorized OAuth apps from the IdP allow list. If you do so, these apps will continue working regardless of the originating IP address. For more information, see "为企业中的安全设置实施策略."