About SAML SSO
SAML SSO allows you to centrally control and secure access to your enterprise from your SAML IdP. When an unauthenticated user visits your enterprise in a browser, GitHub AE will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to your enterprise. GitHub AE validates the response from your IdP, then grants access to the user.
After a user successfully authenticates on your IdP, the user's SAML session for your enterprise is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.
To make a person an enterprise owner, you must delegate access from your IdP. If you use Azure AD and SCIM, assign the enterprise owner role to the user. For other IdPs, include the administrator attribute in the SAML assertion for the user account on the IdP, with the value of true. For more information about enterprise owners, see "Roles in an enterprise." For more information about authentication and provisioning using Azure AD, see "Configuring authentication and provisioning for your enterprise using Azure AD."
By default, your IdP does not communicate with GitHub AE automatically when you assign or unassign the application. GitHub AE creates a user account using SAML Just-in-Time (JIT) provisioning the first time someone navigates to GitHub AE and signs in by authenticating through your IdP. You may need to manually notify users when you grant access to GitHub AE, and you must manually deactivate the user account on GitHub AE during offboarding.
Alternatively, instead of SAML JIT provisioning, you can use SCIM to create or suspend user accounts and grant or deny access to your enterprise automatically after you assign or unassign the application on your IdP. For more information, see "Configuring user provisioning with SCIM for your enterprise."
Supported identity providers
GitHub AE supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.
GitHub officially supports and internally tests the following IdPs.
- Azure Active Directory (Azure AD)
- Okta (beta)
For more information about connecting Azure AD to your enterprise, see Tutorial: Azure Active Directory SSO integration with GitHub Enterprise Cloud - Enterprise Account in Microsoft Docs.
Username considerations with SAML
GitHub AE normalizes a value from your IdP to determine the username for each new personal account on GitHub AE. For more information, see "Username considerations for external authentication."
Enabling SAML SSO
You'll configure identity and access management for GitHub AE by entering the details for your SAML IdP during initialization. For more information, see "Initializing GitHub AE."
The following IdPs provide documentation about configuring SAML SSO for GitHub AE. If your IdP isn't listed, please contact your IdP to request support for GitHub AE.
| IdP | More information |
|---|---|
| Azure AD | "Configuring authentication and provisioning for your enterprise using Azure AD" |
| Okta | "Configuring authentication and provisioning for your enterprise using Okta" |
During initialization for GitHub AE, you must configure GitHub AE as a SAML service provider (SP) on your IdP. You must enter several unique values on your IdP to configure GitHub AE as a valid SP. For more information, see "SAML configuration reference."
Editing the SAML SSO configuration
If the details for your IdP change, you'll need to edit the SAML SSO configuration for your enterprise. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.
Note: If you can't sign into your enterprise because GitHub AE can't communicate with your SAML IdP, you can contact GitHub Support, who can help you access GitHub AE to update the SAML SSO configuration. For more information, see "Contacting GitHub Support."
-
In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.
-
In the enterprise account sidebar, click Settings.
-
Under Settings, click Authentication security.
-
Under "SAML single sign-on", type the new details for your IdP.
-
Under your public certificate, to the right of the current signature and digest methods, click .
-
Select the Signature Method and Digest Method dropdown menus, then click the hashing algorithm used by your SAML issuer.
-
To ensure that the information you've entered is correct, click Test SAML configuration.
-
Click Save.
-
Optionally, to automatically provision and deprovision user accounts for your enterprise, reconfigure user provisioning with SCIM. For more information, see "Configuring user provisioning with SCIM for your enterprise."
Disabling SAML SSO
Warning: If you disable SAML SSO for your enterprise, users without existing SAML SSO sessions cannot sign into your enterprise. SAML SSO sessions on your enterprise end after 24 hours.
Note: If you can't sign into your enterprise because GitHub AE can't communicate with your SAML IdP, you can contact GitHub Support, who can help you access GitHub AE to update the SAML SSO configuration. For more information, see "Contacting GitHub Support."
-
In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.
-
In the enterprise account sidebar, click Settings.
-
Under Settings, click Authentication security.
-
Under "SAML single sign-on", deselect Enable SAML authentication.
-
To disable SAML SSO and require signing in with the built-in user account you created during initialization, click Save.