75f3cce197
Co-authored-by: isaacmbrown <isaacmbrown@github.com> Co-authored-by: Hector Alfaro <hectorsector@github.com> Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Co-authored-by: hubwriter <hubwriter@github.com> Co-authored-by: Vanessa <vgrl@github.com> Co-authored-by: Christopher Nguyen <91625426+nguyen-dows@users.noreply.github.com> Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com> Co-authored-by: Felicity Chapman <felicitymay@github.com> Co-authored-by: Andrew Eisenberg <aeisenberg@github.com> Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com> Co-authored-by: David Staheli <1767415+davidstaheli@users.noreply.github.com> Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com> Co-authored-by: sunbrye <sunbrye@github.com> Co-authored-by: Tim Rogers <timrogers@github.com> Co-authored-by: Felix Guntrip <stevecat@github.com> Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com> Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> Co-authored-by: Rachael Rose Renk <91027132+rachaelrenk@users.noreply.github.com> Co-authored-by: Jules <19994093+jules-p@users.noreply.github.com> Co-authored-by: Laura Coursen <lecoursen@github.com> Co-authored-by: Jules Porter <jules-p@users.noreply.github.com> Co-authored-by: Devraj Mehta <devm33@github.com> Co-authored-by: Kate Studwell <katestud@github.com> Co-authored-by: Katherine Oelsner <49968061+octokatherine@users.noreply.github.com> Co-authored-by: Rachael Sewell <rachmari@github.com> Co-authored-by: Tim Rogers <me@timrogers.co.uk> Co-authored-by: Arfon Smith <arfon@users.noreply.github.com>
14 KiB
title, shortTitle, intro, versions, type, topics, redirect_from
| title | shortTitle | intro | versions | type | topics | redirect_from | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Username considerations for external authentication | Username considerations | {% ifversion ghes or ghec %}When you use {% ifversion ghes %}CAS, LDAP, or SAML for authentication{% elsif ghec %}{% data variables.product.prodname_emus %}{% endif %}, {% endif %}{% data variables.product.product_name %} follows certain rules to determine the username for each user account {% ifversion ghec %}in your enterprise{% elsif ghes %}on your instance{% endif %}. |
|
reference |
|
|
{% ifversion ghec %} {% note %}
Note: This article only applies to {% data variables.product.prodname_emus %}. If you use {% data variables.product.prodname_ghe_cloud %} without {% data variables.product.prodname_emus %}, usernames are created by users, not {% data variables.product.prodname_dotcom %}.
{% endnote %} {% endif %}
About usernames with external authentication
{% ifversion ghes %}
You can configure external authentication for {% data variables.product.product_name %} using CAS, LDAP, or SAML. For more information, see "AUTOTITLE."
When you use external authentication, {% data variables.location.product_location %} automatically creates a username for each person when the person signs into {% data variables.location.product_location %} through your external authentication system for the first time.
{% elsif ghec %}
If you use an enterprise with {% data variables.product.prodname_emus %}, members of your enterprise authenticate to access {% data variables.product.prodname_dotcom %} through your SAML identity provider (IdP). For more information, see "AUTOTITLE" and "AUTOTITLE."
{% data variables.product.github %} automatically creates a username for each person when their user account is provisioned via SCIM.
- To create the username, {% data variables.product.github %} normalizes an identifier provided by your IdP.
- On {% data variables.product.prodname_dotcom_the_website %}, {% data variables.product.github %} also adds an underscore and your enterprise's shortcode to the end of each username.
If multiple identifiers are normalized into the same username, a username conflict occurs, and only the first user account is created. You can resolve username problems by making a change in your IdP so that the normalized usernames will be unique and within the 39-character limit.
{% data reusables.enterprise-accounts.emu-only-emails-within-the-enterprise-can-conflict %}
{% endif %}
{% ifversion ghec %}
About shortcodes for {% data variables.enterprise.prodname_managed_users %}
Each enterprise that uses {% data variables.enterprise.prodname_managed_users %} is associated with a shortcode, which is an alphanumeric string between three and eight characters.
Shortcodes on {% data variables.product.prodname_dotcom_the_website %}
When you create an {% data variables.enterprise.prodname_emu_enterprise %} on {% data variables.product.prodname_dotcom_the_website %}, you choose a shortcode that will be used as the suffix for all your enterprise members' usernames.
- The short code must be unique to your enterprise and contain no special characters.
- Choose carefully, because it is not possible to modify the shortcode after your {% data variables.enterprise.prodname_emu_enterprise %} has been created.
The setup user who configures SAML SSO has a username in the format of SHORT-CODE_admin. For example, if your enterprise's shortcode is "octo", the setup user will be "octo_admin."
When you provision a new user from your identity provider, the new {% data variables.enterprise.prodname_managed_user %} will have a {% data variables.product.prodname_dotcom %} username in the format of @IDP-USERNAME_SHORT-CODE (for example, "mona-cat_octo").
Shortcodes on {% data variables.enterprise.data_residency_site %}
If you use {% data variables.enterprise.data_residency %}, when you create an {% data variables.enterprise.prodname_emu_enterprise %} on {% data variables.enterprise.data_residency_site %}, your enterprise's shortcode is randomly generated.
- The shortcode is not used as a suffix in the usernames of provisioned users.
- The only place you are likely to see the shortcode is in the username of the setup admin, which will look like
2abvd19d_admin.
About normalized usernames
Usernames are formed by normalizing the SCIM userName attribute value sent from the IdP.
| Identity provider | {% data variables.product.prodname_dotcom %} username |
|---|---|
| Microsoft Entra ID (previously known as Azure AD) | IDP-USERNAME is formed by normalizing the characters preceding the @ character in the UPN (User Principal Name), which does not include the #EXT# for guest accounts. |
| Okta | IDP-USERNAME is the normalized username attribute provided by the IdP. |
These rules may result in your IdP providing the same IDP-USERNAME for multiple users. For example, for Entra ID, the following UPNs will result in the same username:
bob@contoso.combob@fabrikam.combob#EXT#fabrikamcom@contoso.combob_example#EXT#fabrikamcom@contoso.combob_example.com#EXT#fabrikamcom@contoso.com
This will cause a username conflict, and only the first user will be provisioned. For more information, see "Resolving username problems." {% endif %}
Usernames{% ifversion ghec %}, including underscore and short code,{% endif %} must not exceed 39 characters.
About username normalization
Usernames for user accounts on {% data variables.product.prodname_dotcom %} can only contain alphanumeric characters and dashes (-).
{% ifversion ghec %}
When you configure SAML authentication, {% data variables.product.product_name %} uses the SCIM userName attribute value sent from the IdP to determine the username for the corresponding user account on {% data variables.product.prodname_dotcom %}. If this value includes unsupported characters, {% data variables.product.product_name %} will normalize the username per the following rules.
{% elsif ghes %}
When you configure CAS, LDAP, or SAML authentication, {% data variables.product.product_name %} uses an identifier from the user account on your external authentication provider to determine the username for the corresponding user account on {% data variables.product.product_name %}. If the identifier includes unsupported characters, {% data variables.product.product_name %} will normalize the username per the following rules.
{% endif %}
-
{% data variables.product.product_name %} will normalize any non-alphanumeric character in your account's username into a dash. For example, a username of
mona.the.octocatwill be normalized tomona-the-octocat. Note that normalized usernames also can't start or end with a dash. They also can't contain two consecutive dashes. -
Usernames created from email addresses are created from the normalized characters that precede the
@character. -
Usernames created from domain accounts are created from the normalized characters after the
\\separator. -
If multiple accounts are normalized into the same {% data variables.product.product_name %} username, only the first user account is created. Subsequent users with the same username won't be able to sign in. {% ifversion ghec %}For more information, see "Resolving username problems."{% endif %}
Examples of username normalization
| Identifier on provider | Normalized username on {% data variables.product.prodname_dotcom_the_website %} | Result |
|---|---|---|
| The.Octocat | the-octocat{% ifversion ghec %}_SHORT-CODE{% endif %} |
This username is created successfully. |
| !The.Octocat | -the-octocat{% ifversion ghec %}_SHORT-CODE{% endif %} |
This username is not created, because it starts with a dash. |
| The.Octocat! | the-octocat-{% ifversion ghec %}_SHORT-CODE{% endif %} |
This username is not created, because it ends with a dash. |
| The!!Octocat | the--octocat{% ifversion ghec %}_SHORT-CODE{% endif %} |
This username is not created, because it contains two consecutive dashes. |
| The!Octocat | the-octocat{% ifversion ghec %}_SHORT-CODE{% endif %} |
This username is not created. Although the normalized username is valid, it already exists. |
The.Octocat@example.com |
the-octocat{% ifversion ghec %}_SHORT-CODE{% endif %} |
This username is not created. Although the normalized username is valid, it already exists. |
internal\\The.Octocat |
the-octocat{% ifversion ghec %}_SHORT-CODE{% endif %} |
This username is not created. Although the normalized username is valid, it already exists. |
mona.lisa.the.octocat.from.github.united.states@example.com |
mona-lisa-the-octocat-from-github-united-states{% ifversion ghec %}_SHORT-CODE{% endif %} |
This username is not created, because it exceeds the 39-character limit. |
{% ifversion not ghec %}
About username normalization with SAML
{% ifversion ghes %}If you configure SAML authentication for {% data variables.location.product_location %}, {% endif %}{% data variables.product.product_name %} determines each person's username by one of the following assertions in the SAML response, ordered by descending priority.
- The custom
usernameattribute, if defined and present - An
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameassertion, if present - An
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressassertion, if present - The
NameIDelement
{% data variables.product.product_name %} requires the NameID element even if other attributes are present. For more information, see "AUTOTITLE."
{% data variables.product.product_name %} creates a mapping between the NameID from the IdP and the username on {% data variables.location.product_location %}, so the NameID should be persistent, unique, and not subject to change for the lifecycle of the user.
{% ifversion ghes %} {% note %}
Note: If the NameID for a user does change on the IdP, the person will see an error message when signing in to {% data variables.location.product_location %}. To restore the person's access, you'll need to update the user account's NameID mapping. For more information, see "AUTOTITLE."
{% endnote %} {% endif %} {% endif %}
{% ifversion ghec %}
Resolving username problems
When a new user is being provisioned, if the username is longer than 39 characters (including underscore and short code), or conflicts with an existing user in the enterprise, the provisioning attempt will fail with a 409 error.
To resolve this problem, you must make one of the following changes in your IdP so that all normalized usernames will be within the character limit and unique.
- Change the
userNameattribute value for individual users that are causing problems - Change the
userNameattribute mapping for all users - Configure a custom
userNameattribute for all users
When you change the attribute mapping, usernames of existing {% data variables.enterprise.prodname_managed_users %} will be updated, but nothing else about the accounts will change, including activity history.
{% note %}
Note: {% data variables.contact.github_support %} cannot provide assistance with customizing attribute mappings or configuring custom expressions. You can contact your IdP with any questions.
{% endnote %}
Resolving username problems with Entra ID
To resolve username problems in Entra ID, either modify the User Principal Name value for the conflicting user or modify the attribute mapping for the userName attribute. If you modify the attribute mapping, you can choose an existing attribute or use an expression to ensure that all provisioned users have a unique normalized alias.
- In Entra ID, open the {% data variables.product.prodname_emu_idp_application %} application.
- In the left sidebar, click Provisioning.
- Click Edit Provisioning.
- Expand Mappings, then click Provision Entra ID Users.
- Click the {% data variables.product.prodname_dotcom %}
userNameattribute mapping. - Change the attribute mapping.
- To map an existing attribute in Entra ID to the
userNameattribute in {% data variables.product.prodname_dotcom %}, click your desired attribute field. Then, save and wait for a provisioning cycle to occur within about 40 minutes. - To use an expression instead of an existing attribute, change the Mapping type to "Expression", then add a custom expression that will make this value unique for all users. For example, you could use
[FIRST NAME]-[LAST NAME]-[EMPLOYEE ID]. For more information, see Reference for writing expressions for attribute mappings in Microsoft Entra ID on Microsoft Learn.
- To map an existing attribute in Entra ID to the
Resolving username problems with Okta
To resolve username problems in Okta, update the attribute mapping settings for the {% data variables.product.prodname_emu_idp_application %} application.
- In Okta, open the {% data variables.product.prodname_emu_idp_application %} application.
- Click Sign On.
- In the "Settings" section, click Edit.
- Update the "Application username format." {% endif %}