mirror of synced 2025-12-25 02:17:36 -05:00
docs/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md

title: Configuring SAML single sign-on for Enterprise Managed Users
shortTitle: SAML for managed users
intro: You can automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring Security Assertion Markup Language (SAML) single sign-on (SSO).
product: {% data reusables.gated-features.emus %}
redirect_from:
  - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users
  - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users
  - /admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users
  - /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users
versions:
  ghec: '*'
type: tutorial
topics:
  - Authentication
  - Enterprise
  - SSO

About SAML single sign-on for {% data variables.product.prodname_emus %}

With {% data variables.product.prodname_emus %}, your enterprise uses SAML SSO to authenticate all members. Instead of signing in to {% data variables.product.prodname_dotcom %} with a {% data variables.product.prodname_dotcom %} username and password, members of your enterprise will sign in through your IdP.

{% data variables.product.prodname_emus %} supports the following IdPs:

{% data reusables.enterprise-accounts.emu-supported-idps %}

After you configure SAML SSO, we recommend storing your recovery codes so you can recover access to your enterprise in the event that your identity provider is unavailable.

{% note %}

Note: When SAML SSO is enabled, the only setting you can update on {% data variables.product.prodname_dotcom %} for your existing SAML configuration is the SAML certificate. If you need to update the Sign on URL or Issuer, you must first disable SAML SSO and then reconfigure SAML SSO with the new settings.

{% endnote %}

Configuring SAML single sign-on for {% data variables.product.prodname_emus %}

To configure SAML SSO for your {% data variables.product.prodname_emu_enterprise %}, you must configure an application on your IdP and then configure your enterprise on GitHub.com. After you configure SAML SSO, you can configure user provisioning.

To install and configure the {% data variables.product.prodname_emu_idp_application %} application on your IdP, you must have a tenant and administrative access on a supported IdP.

{% note %}

{% data reusables.enterprise-accounts.emu-password-reset-session %}

{% endnote %}

  1. Configuring your identity provider
  2. Configuring your enterprise
  3. Enabling provisioning

Configuring your identity provider

To configure your IdP, follow the instructions your IdP provides for configuring the {% data variables.product.prodname_emu_idp_application %} application.

  1. To install the {% data variables.product.prodname_emu_idp_application %} application, click the link for your IdP below:

  2. To configure the {% data variables.product.prodname_emu_idp_application %} application and your IdP, click the link below and follow the instructions provided by your IdP:

  3. So you can test and configure your enterprise, assign yourself or the user that will be configuring SAML SSO on {% data variables.product.prodname_dotcom %} to the {% data variables.product.prodname_emu_idp_application %} application on your IdP.

  4. To enable you to continue configuring your enterprise on {% data variables.product.prodname_dotcom %}, locate and note the following information from the application you installed on your IdP:

    | Value | Other names | Description |
    | --- | --- | --- |
    | IdP Sign-On URL | Login URL, IdP URL | Application's URL on your IdP |
    | IdP Identifier URL | Issuer | IdP's identifier to service providers for SAML authentication |
    | Signing certificate, Base64-encoded | Public certificate | Public certificate that IdP uses to sign authentication requests |

Configuring your enterprise

After you install and configure the {% data variables.product.prodname_emu_idp_application %} application on your identity provider, you can configure your enterprise.

  1. Sign in to {% data variables.product.prodname_dotcom_the_website %} as the setup user for your new enterprise with the username @SHORT-CODE_admin.

{% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %}

  1. Under "SAML single sign-on", select Require SAML authentication.

  2. Under Sign on URL, type the HTTPS endpoint of your IdP for single sign-on requests that you noted while configuring your IdP.

  3. Under Issuer, type your SAML issuer URL that you noted while configuring your IdP, to verify the authenticity of sent messages.

  4. Under Public Certificate, paste the certificate that you noted while configuring your IdP, to verify SAML responses.

  5. To verify the integrity of the requests from your SAML issuer, click {% octicon "pencil" aria-label="The edit icon" %}. Then, in the "Signature Method" and "Digest Method" drop-downs, choose the hashing algorithm used by your SAML issuer.

  6. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click Test SAML configuration.

  7. Click Save.

    {% note %}

    Note: When you require SAML SSO for your enterprise, the setup user will no longer have access to the enterprise but will remain signed in to GitHub. Only {% data variables.product.prodname_managed_users %} provisioned by your IdP will have access to the enterprise.

    {% endnote %}

{% data reusables.enterprise-accounts.download-recovery-codes %}

Enabling provisioning

After you enable SAML SSO, enable provisioning. For more information, see "Configuring SCIM provisioning for enterprise managed users."