---
title: Identity and access management fundamentals
shortTitle: Fundamentals
intro: "Administrators must decide how users will access the enterprise's resources on {% data variables.product.github %}."
versions:
contentType: concepts
redirect_from:
topics:
---
## What is IAM for {% data variables.product.github %}?
{% ifversion ghec %}
{% data reusables.enterprise-accounts.about-enterprise-types %}
After you learn more about authentication and provisioning for each of these options, see AUTOTITLE to determine which method is best for your enterprise.
{% elsif ghes %}
Administrators who configure a {% data variables.product.prodname_ghe_server %} instance can use local accounts and built-in authentication on the instance. Alternatively, to centralize identity and access for an enterprise's web applications, administrators can configure an external authentication method. If you use SAML, you can optionally provision user accounts on the instance from your identity provider (IdP) using System for Cross-domain Identity Management (SCIM).
{% endif %}
## Which authentication methods are available to me?
{% ifversion ghec %}
When you create an enterprise on {% data variables.product.github %}, you can decide how people authenticate to access your resources and who controls the user accounts.
- Authentication through {% data variables.location.product_location %}
- Authentication through {% data variables.location.product_location %} with additional SAML access restriction
- Authentication with {% data variables.product.prodname_emus %} and federation
### Authentication through {% data variables.location.product_location %}
With authentication solely through {% data variables.location.product_location %}, each person you want to grant access to your enterprise must create and manage a personal account on {% data variables.location.product_location %}. After you grant access to your enterprise, the member can access your enterprise's resources after signing into the account on {% data variables.location.product_location %}. The member manages the account, and can contribute to other enterprises, organizations, and repositories on {% data variables.location.product_location %}. For more information about personal accounts, see AUTOTITLE.
### Authentication through {% data variables.location.product_location %} with additional SAML access restriction
If you configure additional SAML access restriction, each person you want to grant access to your enterprise must create and manage a personal account on {% data variables.location.product_location %}. After you grant access to your enterprise, the member can access your enterprise's resources only after authenticating successfully both for the account on {% data variables.location.product_location %} and for an account on your SAML identity provider (IdP). The member can contribute to other enterprises, organizations, and repositories on {% data variables.location.product_location %} using their personal account. For more information about requiring SAML authentication for all access to your enterprise's resources, see AUTOTITLE.
You can choose between configuring SAML at the enterprise level, which applies the same SAML configuration to all organizations within the enterprise, and configuring SAML separately for individual organizations. For more information, see AUTOTITLE.
### Authentication with {% data variables.product.prodname_emus %} and federation
If you need more control of the accounts for your enterprise members on {% data variables.product.github %}, you can use {% data variables.product.prodname_emus %}. With {% data variables.product.prodname_emus %}, you provision and manage accounts for your enterprise members on {% data variables.product.github %} using your IdP. Each member signs into an account that you create, and your enterprise manages the account. Contributions outside the enterprise are restricted. For more information, see AUTOTITLE.
{% elsif ghes %}
The following authentication methods are available for {% data variables.product.prodname_ghe_server %}.
### Built-in authentication
{% data reusables.enterprise_user_management.built-in-authentication-new-accounts %} To access your instance, people authenticate with the credentials for the account. For more information, see AUTOTITLE.
### External authentication
If you use an external directory or identity provider (IdP) to centralize access to multiple web applications, you may be able to configure external authentication for {% data variables.location.product_location %}. For more information, see the following articles.
{% data reusables.enterprise.saml-or-ldap %}
If you choose to use external authentication, you can also configure fallback authentication for people who don't have an account on your external authentication provider. For example, you may want to grant access to a contractor or machine user. For more information, see AUTOTITLE.
{% endif %}
## How does provisioning work?
{% ifversion ghec %}
If you use authentication through {% data variables.location.product_location %} with additional SAML access restriction, people create personal accounts on {% data variables.product.prodname_dotcom_the_website %}, and you can grant those personal accounts access to resources in your enterprise. You do not provision accounts.
Alternatively, if you use {% data variables.product.prodname_emus %}, you must configure your IdP to provision user accounts within your enterprise on {% data variables.location.product_location %} using System for Cross-domain Identity Management (SCIM). For more information, see AUTOTITLE.
{% elsif ghes %}
If you configure built-in authentication, CAS, LDAP, or SAML, {% data variables.product.prodname_ghe_server %} creates a user account "just in time" (JIT), that is, when an authorized person first signs into the instance. Optionally, if you use SAML, you can instead provision user accounts from your identity provider (IdP) using SCIM, before the person ever signs in. For more information, see AUTOTITLE.
{% endif %}
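The SCIM provisioning described above, as an added illustration that is not part of the GitHub Docs page: the shape of the SCIM 2.0 `User` message an IdP pushes to a service provider (attribute names from RFC 7643), the checks a receiving side would run on it, and the IdP-driven deprovisioning update. The sample user values are constructed, and nothing here is GitHub's own API or endpoint.

```python
"""Added example, not GitHub Docs code: a minimal SCIM 2.0 User provisioning
body as an IdP sends it, validation of its required attributes, and the
deprovisioning update. Attribute names follow RFC 7643; sample values are
constructed and no GitHub-specific endpoint is assumed."""

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def build_scim_user(user_name, given, family, email, active=True):
    """Build the JSON body an IdP POSTs to create (provision) a user."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }


def validate_scim_user(body):
    """Return a list of problems; an empty list means the body is acceptable."""
    problems = []
    if SCIM_USER_SCHEMA not in body.get("schemas", []):
        problems.append("missing core User schema URI")
    if not body.get("userName"):
        problems.append("userName is required")
    emails = body.get("emails") or []
    if not any(e.get("primary") for e in emails):
        problems.append("no primary email")
    if not isinstance(body.get("active"), bool):
        problems.append("active must be a boolean")
    return problems


def deprovision(body):
    """IdP-driven deprovisioning: the IdP sends an update that flips
    'active' to false. This push exists only with SCIM; JIT creation
    happens at sign-in, so removing a person at the IdP sends nothing."""
    updated = dict(body)
    updated["active"] = False
    return updated


if __name__ == "__main__":
    user = build_scim_user("jdoe", "Jane", "Doe", "jdoe@example.test")
    print("problems:", validate_scim_user(user))
    print("after deprovisioning:", deprovision(user)["active"])
```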
{% ifversion emu-public-scim-schema %}
## Which IdPs are supported?
{% data reusables.enterprise_user_management.ghec-supported-idps %}
{% endif %}