Note: User provisioning for organizations in your enterprise accounts, currently supported only for Okta, is in private beta and subject to change. To request access to the beta, contact our account management team.
About SAML and SCIM with Okta
You can control access to your enterprise account in GitHub and other web applications from one central interface by configuring the enterprise account to use SAML SSO and SCIM with Okta, an Identity Provider (IdP).
SAML SSO controls and secures access to enterprise account resources like organizations, repositories, issues, and pull requests. SCIM automatically adds, manages, and removes members' access to organizations owned by your enterprise account when you make changes in Okta. For more information, see "Enforcing security settings in your enterprise account."
After you enable SCIM, the following provisioning features are available for any users that you assign your GitHub Enterprise Cloud application to in Okta.
| Feature | Description |
|---|---|
| Push New Users | New users created in Okta will gain access to enterprise account resources, and can optionally be automatically invited to any of the organizations owned by the enterprise account |
| Push User Deactivation | Deactivating a user in Okta will revoke the user's access to the enterprise account resources and remove the user from all organizations owned by the enterprise account |
| Push Profile Updates | Updates made to the user's profile in Okta will be pushed to the user's enterprise account metadata |
| Reactivate Users | Reactivating the user in Okta will re-enable the user's access to the enterprise account and will optionally send email invitations for the user to rejoin any of the organizations owned by the enterprise account that the user was previously a member of |
Prerequisites
You must use the "Classic UI" in Okta. For more information, see "Organized Navigation" on the Okta blog.

Adding the GitHub Enterprise Cloud application in Okta
- In Okta, in the upper-right corner, click Admin.

- In the Okta Dashboard, click Applications.

- Click Add application.

- In the search field, type "GitHub Enterprise Cloud".

- Click "GitHub Enterprise Cloud - Enterprise Accounts".
- Click Add.
- Optionally, to the right of "Application label", type a descriptive name for the application.

- To the right of "GitHub Enterprises", type the name of your enterprise account. For example, if your enterprise account's URL is https://github.com/enterprises/octo-corp, type octo-corp.
- Click Done.
Enabling and testing SAML SSO
- In Okta, in the upper-right corner, click Admin.

- In the Okta Dashboard, click Applications.

- Click the label for the application you created for your enterprise account.
- Assign the application to your user in Okta. For more information, see Assign applications to users in the Okta documentation.
- Under the name of the application, click Sign on.

- To the right of Settings, click Edit.
- Under "Configured SAML Attributes", to the right of "groups", use the drop-down menu and select Matches regex.
- To the right of the drop-down menu, type ".*.*".
- Click Save.
- Under "SIGN ON METHODS", click View Setup Instructions.

- Enable SAML for your enterprise account using the information in the setup instructions. For more information, see "Enabling SAML single sign-on for organizations in your enterprise account."
Creating groups in Okta
- In Okta, create a group to match each organization owned by your enterprise account. The name of each group must match the account name of the organization (not the organization's display name). For example, if the URL of the organization is https://github.com/octo-org, name the group octo-org.
- Assign the application you created for your enterprise account to each group. GitHub will receive all groups data for each user.
- Add users to groups based on the organizations you'd like users to belong to.
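A pre-flight check for the naming rule above, added here as an example (it is not part of the original GitHub documentation). The function names, the organization list and the Okta group list are constructed for illustration; in practice you would export both lists yourself. It reports organizations with no matching group, groups that look like a naming mistake, and groups that the ".*.*" filter still releases to GitHub even though they map to no organization.

```python
import re
from urllib.parse import urlparse

GROUPS_FILTER = r".*.*"  # regex entered for the "groups" SAML attribute

# Constructed sample data: {organization URL: display name}
ORGS = {
    "https://github.com/octo-org": "Octo Org",
    "https://github.com/octo-labs": "Octo Labs",
    "https://github.com/octo-docs": "Octo Docs",
}
# Constructed sample data: {Okta group name: members}
OKTA_GROUPS = {
    "octo-org": ["mona", "hubot"],
    "Octo Labs": ["mona"],       # display name used instead of account name
    "Octo-Docs": ["hubot"],      # differs from the account name by case
    "finance-all": ["lisa"],     # unrelated directory group
}

def org_login(url):
    """Account name of an organization: first path segment of its URL."""
    return urlparse(url).path.strip("/").split("/")[0]

def audit(orgs, okta_groups):
    logins = {org_login(url): display for url, display in orgs.items()}
    report = {"matched": [], "orgs_without_group": [],
              "suspect_groups": {}, "sent_but_unmapped": []}
    for login in sorted(logins):
        key = "matched" if login in okta_groups else "orgs_without_group"
        report[key].append(login)
    for group in sorted(okta_groups):
        if group in logins:
            continue
        # Near misses that usually indicate a naming mistake.
        for login, display in logins.items():
            if group == display:
                report["suspect_groups"][group] = f"display name of {login}"
            elif group.lower() == login.lower():
                report["suspect_groups"][group] = f"case differs from {login}"
        # ".*.*" matches every name, so this group is still sent in the assertion.
        if re.fullmatch(GROUPS_FILTER, group):
            report["sent_but_unmapped"].append(group)
    return report

if __name__ == "__main__":
    for key, value in audit(ORGS, OKTA_GROUPS).items():
        print(f"{key}: {value}")
```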
Configuring user provisioning with SCIM in Okta
If you're participating in the private beta for user provisioning for enterprise accounts, when you enable SAML for your enterprise account, SCIM provisioning and deprovisioning is enabled by default in GitHub. You can use provisioning to manage organization membership by configuring SCIM in your IdP.
To configure user provisioning with SCIM in Okta, you must authorize an OAuth application to create a token that Okta can use to authenticate to GitHub on your behalf. The okta-oauth application is created by Okta in partnership with GitHub.
- In Okta, in the upper-right corner, click Admin.

- In the Okta Dashboard, click Applications.

- Click the label for the application you created for your enterprise account.
- Under the name of the application, click Provisioning.

- Click Configure API Integration.

- Select Enable API integration.

- Click Authenticate with Github Enterprise Cloud - Enterprise Accounts.

- To the right of your enterprise account's name, click Grant.
- Click Authorize okta-oauth.
- Click Save.

- To the right of "Provisioning to App", click Edit.

- To the right of "Create Users", select Enable.

- To the right of "Update User Attributes", select Enable.

- To the right of "Deactivate Users", select Enable.

- Click Save.

- Under the name of the application, click Push Groups.

- Use the Push Groups drop-down menu, and select Find groups by name.

- Add a push group for each organization in your enterprise account that you want to enable user provisioning for.
  - Under "PUSH GROUPS BY NAME", search for a group that corresponds to an organization owned by your enterprise account, then click the group in the search results.
  - To the right of the group name, in the "Match results & push action" drop-down menu, verify that Create Group is selected.

  - Click Save.
  - Repeat for each organization.
- Under the name of your application, click Assignments.

- If you see Provision users, users who were a member of an Okta group before you added a push group for that group have not been provisioned. To send SCIM data to GitHub for these users, click Provision users.
Enabling SAML user provisioning
After you enable SCIM provisioning and deprovisioning, you can optionally enable SAML user provisioning and deprovisioning.
- In the top-right corner of GitHub, click your profile photo, then click Your enterprises.

- In the list of enterprises, click the enterprise you want to view.

- In the enterprise account sidebar, click Settings.

- In the left sidebar, click Security.

- Under "SAML User Provisioning", select Enable SAML user provisioning.

- Click Save.
- Optionally, enable SAML user deprovisioning.
  - Select Enable SAML user deprovisioning, then click Save.

  - Read the warning, then click Enable SAML deprovisioning.

