
GitHub AE is currently under limited release.

Configuring SAML single sign-on for your enterprise

You can control and secure access to your enterprise on GitHub AE by configuring SAML single sign-on (SSO) through an identity provider (IdP).

Who can use this feature

Enterprise owners can configure SAML SSO for an enterprise on GitHub AE.

About SAML SSO

SAML SSO allows you to centrally control and secure access to your enterprise from your SAML IdP. When an unauthenticated user visits your enterprise in a browser, GitHub AE will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to your enterprise. GitHub AE validates the response from your IdP, then grants access to the user.

After a user successfully authenticates on your IdP, the user's SAML session for your enterprise is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.

To make a person an enterprise owner, you must delegate access from your IdP. If you use Azure AD and SCIM, assign the enterprise owner role to the user. For other IdPs, include the administrator attribute in the SAML assertion for the user account on the IdP, with the value of true. For more information about enterprise owners, see "Roles in an enterprise." For more information about authentication and provisioning using Azure AD, see "Configuring authentication and provisioning for your enterprise using Azure AD."

By default, your IdP does not communicate with GitHub AE automatically when you assign or unassign the application. GitHub AE creates a user account using SAML Just-in-Time (JIT) provisioning the first time someone navigates to GitHub AE and signs in by authenticating through your IdP. You may need to manually notify users when you grant access to GitHub AE, and you must manually deactivate the user account on GitHub AE during offboarding.

Alternatively, instead of SAML JIT provisioning, you can use SCIM to create or suspend user accounts and grant or deny access to your enterprise automatically after you assign or unassign the application on your IdP. For more information, see "Configuring user provisioning with SCIM for your enterprise."
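The paragraphs above describe the flow at the level of redirects; the part that matters for security is the sentence "GitHub AE validates the response from your IdP". The following added example, which is not GitHub AE's code, shows the relying-party checks a SAML service provider performs before trusting an assertion: issuer and destination, a signature whose SignatureMethod and DigestMethod match what was configured on the SP side (the same algorithms the "Signature Method" and "Digest Method" settings in the editing procedure below select), the validity window, the audience restriction, the NameID that is later normalized into a username, and the administrator attribute described above for delegating the enterprise owner role. The SP settings, URLs and the embedded SAML response are constructed for the example; the signature and digest values in it are placeholders, so cryptographic verification against the IdP's certificate is left to an XML-DSig library and only noted in a comment.

```python
# Added illustration of SP-side SAML response validation. Not GitHub AE's code;
# the configuration values and the response below are constructed for the example.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical SP-side settings: IdP issuer, our audience/ACS URL, and the
# signature and digest algorithms we expect the IdP to use.
SP_CONFIG = {
    "expected_issuer": "https://idp.example.com/saml",
    "expected_audience": "https://ghe.example.com",
    "acs_url": "https://ghe.example.com/saml/consume",
    "signature_method": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "digest_method": "http://www.w3.org/2001/04/xmlenc#sha256",
}

# Constructed sample response; signature and digest values are placeholders.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://ghe.example.com/saml/consume">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>mona@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://ghe.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="administrator">
        <saml:AttributeValue>true</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, config, now):
    """Return (ok, reasons, name_id, is_admin). Every failed check adds a
    reason; access is granted only when no reason was recorded."""
    reasons = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["response carries no assertion"], None, False

    # The response must be addressed to this SP and come from the configured IdP.
    if root.get("Destination") != config["acs_url"]:
        reasons.append("Destination is not our ACS URL")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["expected_issuer"]:
        reasons.append(f"unexpected issuer {issuer!r}")

    # The assertion must be signed with the algorithms configured on the SP side;
    # an unsigned assertion or a downgraded algorithm is rejected outright.
    # Checking SignatureValue/DigestValue against the IdP's public certificate is
    # the job of an XML-DSig library (e.g. xmlsec) and is not reproduced here.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        reasons.append("assertion is not signed")
    else:
        sig_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        dig_method = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        if sig_method is None or sig_method.get("Algorithm") != config["signature_method"]:
            reasons.append("SignatureMethod does not match the configured algorithm")
        if dig_method is None or dig_method.get("Algorithm") != config["digest_method"]:
            reasons.append("DigestMethod does not match the configured algorithm")

    # Validity window and audience restriction guard against replay and reuse
    # of an assertion that was issued for a different service provider.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("assertion has no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_ts(not_before):
            reasons.append("assertion not yet valid (NotBefore)")
        if not_on_or_after is None or now >= parse_ts(not_on_or_after):
            reasons.append("assertion expired or missing NotOnOrAfter")
        audience = cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
        if audience != config["expected_audience"]:
            reasons.append(f"audience {audience!r} is not this enterprise")

    # The subject NameID is the value the SP later normalizes into a username.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip() or None
    if name_id is None:
        reasons.append("assertion has no NameID")

    # Enterprise-owner delegation: the administrator attribute must be exactly "true".
    is_admin = False
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "administrator":
            is_admin = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip() == "true"

    return not reasons, reasons, name_id, is_admin
```

Run against the sample at a time inside the validity window, the checks pass and the user is flagged as an administrator; the same response evaluated at or after NotOnOrAfter, with a SignatureMethod that does not match the configured algorithm, or against a configuration with a different audience is rejected with the corresponding reason, which is the behaviour a practitioner should confirm when testing a new IdP configuration.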

Supported identity providers

GitHub AE supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.

GitHub officially supports and internally tests the following IdPs.

  • Azure Active Directory (Azure AD)
  • Okta (beta)

For more information about connecting Azure AD to your enterprise, see Tutorial: Azure Active Directory SSO integration with GitHub Enterprise Cloud - Enterprise Account in Microsoft Docs.

Username considerations with SAML

GitHub AE normalizes a value from your IdP to determine the username for each new personal account on GitHub AE. For more information, see "Username considerations for external authentication."

Enabling SAML SSO

You'll configure identity and access management for GitHub AE by entering the details for your SAML IdP during initialization. For more information, see "Initializing GitHub AE."

The following IdPs provide documentation about configuring SAML SSO for GitHub AE. If your IdP isn't listed, please contact your IdP to request support for GitHub AE.

IdP       | More information
Azure AD  | "Configuring authentication and provisioning for your enterprise using Azure AD"
Okta      | "Configuring authentication and provisioning for your enterprise using Okta"

During initialization for GitHub AE, you must configure GitHub AE as a SAML service provider (SP) on your IdP. You must enter several unique values on your IdP to configure GitHub AE as a valid SP. For more information, see "SAML configuration reference."

Editing the SAML SSO configuration

If the details for your IdP change, you'll need to edit the SAML SSO configuration for your enterprise. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.

Note: If you can't sign into your enterprise because GitHub AE can't communicate with your SAML IdP, you can contact GitHub Support, who can help you access GitHub AE to update the SAML SSO configuration. For more information, see "Contacting GitHub Support."

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.

    Screenshot of the drop-down menu that appears when you click the profile photo on GitHub Enterprise Server. The "Enterprise settings" option is highlighted in a dark orange outline.

  2. In the enterprise account sidebar, click Settings.

  3. Under Settings, click Authentication security.

  4. Under "SAML single sign-on", type the new details for your IdP.

  5. Under your public certificate, to the right of the current signature and digest methods, click the pencil icon.

    Screenshot of the current signature method and digest method in the SAML settings. The pencil icon is highlighted with an orange outline.

  6. Select the Signature Method and Digest Method dropdown menus, then click the hashing algorithm used by your SAML issuer.

  7. To ensure that the information you've entered is correct, click Test SAML configuration.

  8. Click Save.

  9. Optionally, to automatically provision and deprovision user accounts for your enterprise, reconfigure user provisioning with SCIM. For more information, see "Configuring user provisioning with SCIM for your enterprise."

Disabling SAML SSO

Warning: If you disable SAML SSO for your enterprise, users without existing SAML SSO sessions cannot sign into your enterprise. SAML SSO sessions on your enterprise end after 24 hours.

Note: If you can't sign into your enterprise because GitHub AE can't communicate with your SAML IdP, you can contact GitHub Support, who can help you access GitHub AE to update the SAML SSO configuration. For more information, see "Contacting GitHub Support."

  1. In the top-right corner of GitHub AE, click your profile photo, then click Enterprise settings.

    Screenshot of the drop-down menu that appears when you click the profile photo on GitHub Enterprise Server. The "Enterprise settings" option is highlighted in a dark orange outline.

  2. In the enterprise account sidebar, click Settings.

  3. Under Settings, click Authentication security.

  4. Under "SAML single sign-on", deselect Enable SAML authentication.

  5. To disable SAML SSO and require signing in with the built-in user account you created during initialization, click Save.