jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-25 02:17:36 -05:00
Code Issues Projects Releases Wiki Activity
Files
8df035ab4b4354eb5794e78f88021a019a90c75c
docs/content/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise.md
Laura Coursen a3e1733aa1 GitHub AE (GHAE) (#16090)
2020-11-02 15:12:44 -06:00

6.0 KiB
Raw Blame History

title, shortTitle, intro, product, permissions, versions
title shortTitle intro product permissions versions
Configuring SAML single sign-on for your enterprise Configuring SAML SSO You can configure SAML single sign-on (SSO) for your enterprise, which allows you to centrally control authentication for {% data variables.product.product_location %} using your identity provider (IdP). {% data reusables.gated-features.saml-sso %} Enterprise owners can configure SAML SSO for an enterprise on {% data variables.product.product_name %}.
github-ae
*

About SAML SSO

{% if currentVersion == "github-ae@latest" %}

SAML SSO allows you to centrally control and secure access to {% data variables.product.product_location %} from your SAML IdP. When an unauthenticated user visits {% data variables.product.product_location %} in a browser, {% data variables.product.product_name %} will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to {% data variables.product.product_location %}. {% data variables.product.product_name %} validates the response from your IdP, then grants access to the user.

After a user successfully authenticates on your IdP, the user's SAML session for {% data variables.product.product_location %} is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.

{% data reusables.saml.assert-the-administrator-attribute %}

{% data reusables.scim.after-you-configure-saml %} For more information, see "Configuring user provisioning for your enterprise."

{% endif %}

Supported identity providers

{% data variables.product.product_name %} supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.

{% data variables.product.company_short %} has tested SAML SSO for {% data variables.product.product_name %} with the following IdPs.

{% if currentVersion == "github-ae@latest" %}

  • Azure AD {% endif %}

Enabling SAML SSO

{% if currentVersion == "github-ae@latest" %}

{% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}

During initialization for {% data variables.product.product_name %}, you must configure {% data variables.product.product_name %} as a SAML Service Provider (SP) on your IdP. You must enter several unique values on your IdP to configure {% data variables.product.product_name %} as a valid SP.

Value Other names Description Example
SP Entity ID SP URL Your top-level URL for {% data variables.product.prodname_ghe_managed %} https://YOUR-GITHUB-AE-HOSTNAME
SP Assertion Consumer Service (ACS) URL Reply URL URL where IdP sends SAML responses https://YOUR-GITHUB-AE-HOSTNAME/saml/consume
SP Single Sign-On (SSO) URL URL where IdP begins SSO https://YOUR-GITHUB-AE-HOSTNAME/sso

{% endif %}

Editing the SAML SSO configuration

If the details for your IdP change, you'll need to edit the SAML SSO configuration for {% data variables.product.product_location %}. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.

{% if currentVersion == "github-ae@latest" %}

{% note %}

Note: {% data reusables.saml.contact-support-if-your-idp-is-unavailable %}

{% endnote %}

{% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %}

  1. Under "SAML single sign-on", type the new details for your IdP. Text entry fields with IdP details for SAML SSO configuration for an enterprise

  2. Optionally, click {% octicon "pencil" aria-label="The edit icon" %} to configure a new signature or digest method. Edit icon for changing signature and digest method

    • Use the drop-down menus and choose the new signature or digest method. Drop-down menus for choosing a new signature or digest method

  3. To ensure that the information you've entered is correct, click Test SAML configuration. "Test SAML configuration" button

  4. Click Save. "Save" button for SAML SSO configuration

  5. Optionally, to automatically provision and deprovision user accounts for {% data variables.product.product_location %}, reconfigure user provisioning with SCIM. For more information, see "Configuring user provisioning for your enterprise."

{% endif %}

Disabling SAML SSO

{% if currentVersion == "github-ae@latest" %}

{% warning %}

Warning: If you disable SAML SSO for {% data variables.product.product_location %}, users without existing SAML SSO sessions cannot sign into {% data variables.product.product_location %}. SAML SSO sessions on {% data variables.product.product_location %} end after 24 hours.

{% endwarning %}

{% note %}

Note: {% data reusables.saml.contact-support-if-your-idp-is-unavailable %}

{% endnote %}

{% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %}

  1. Under "SAML single sign-on", unselect Enable SAML authentication. Checkbox for "Enable SAML authentication"
  2. To disable SAML SSO and require signing in with the built-in user account you created during initialization, click Save. "Save" button for SAML SSO configuration

{% endif %}

Reference in New Issue View Git Blame Copy Permalink