docs/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-authentication-and-provisioning-for-your-enterprise-using-okta.md
Sarah Edwards dac4144086 PAT v2 beta (#31013)
Co-authored-by: Hirsch Singhal <1666363+hpsin@users.noreply.github.com>
Co-authored-by: Jovel Crisostomo <jovel@github.com>
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
Co-authored-by: Vanessa <vgrl@github.com>
2022-10-18 15:11:04 +00:00


title: Configuring authentication and provisioning for your enterprise using Okta
shortTitle: Configure with Okta
intro: You can use Okta as an identity provider (IdP) to centrally manage authentication and user provisioning for {% data variables.product.prodname_ghe_managed %}.
permissions: Enterprise owners can configure authentication and provisioning for {% data variables.product.prodname_ghe_managed %}.
versions:
  ghae: '*'
redirect_from:
  - /admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta
  - /admin/identity-and-access-management/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta
type: how_to
topics:
  - Accounts
  - Authentication
  - Enterprise
  - Identity
  - SSO
miniTocMaxHeadingLevel: 3

{% data reusables.saml.okta-ae-sso-beta %}

About SAML and SCIM with Okta

You can use Okta as an Identity Provider (IdP) for {% data variables.product.prodname_ghe_managed %}, which allows your Okta users to sign in to {% data variables.product.prodname_ghe_managed %} using their Okta credentials.

To use Okta as your IdP for {% data variables.product.prodname_ghe_managed %}, you can add the {% data variables.product.prodname_ghe_managed %} app to Okta, configure Okta as your IdP in {% data variables.product.prodname_ghe_managed %}, and provision access for your Okta users and groups.

The following provisioning features are available for all Okta users that you assign to your {% data variables.product.prodname_ghe_managed %} application.

| Feature | Description |
| --- | --- |
| Push New Users | When you create a new user in Okta, the user is added to {% data variables.product.prodname_ghe_managed %}. |
| Push User Deactivation | When you deactivate a user in Okta, it will suspend the user from your enterprise on {% data variables.product.prodname_ghe_managed %}. |
| Push Profile Updates | When you update a user's profile in Okta, it will update the metadata for the user's membership in your enterprise on {% data variables.product.prodname_ghe_managed %}. |
| Reactivate Users | When you reactivate a user in Okta, it will unsuspend the user in your enterprise on {% data variables.product.prodname_ghe_managed %}. |

Adding the {% data variables.product.prodname_ghe_managed %} application in Okta

{% data reusables.saml.okta-ae-applications-menu %}

  1. Click Browse App Catalog.
  2. In the search field, type "GitHub AE", then click GitHub AE in the results.
  3. Click Add.
  4. For "Base URL", type the URL of your enterprise on {% data variables.product.prodname_ghe_managed %}.
  5. Click Done.

Enabling SAML SSO for {% data variables.product.prodname_ghe_managed %}

To enable single sign-on (SSO) for {% data variables.product.prodname_ghe_managed %}, you must configure {% data variables.product.prodname_ghe_managed %} to use the sign-on URL, issuer URL, and public certificate provided by Okta. You can find these details in the "GitHub AE" app.

{% data reusables.saml.okta-ae-applications-menu %} {% data reusables.saml.okta-ae-configure-app %}

  1. Click Sign On.
  2. Click View Setup Instructions.
  3. Take note of the "Sign on URL", "Issuer", and "Public certificate" details.
  4. Use the details to enable SAML SSO for your enterprise on {% data variables.product.prodname_ghe_managed %}. For more information, see "Configuring SAML single sign-on for your enterprise."

{% note %}

Note: To test your SAML configuration from {% data variables.product.prodname_ghe_managed %}, your Okta user account must be assigned to the {% data variables.product.prodname_ghe_managed %} app.

{% endnote %}

Enabling API integration

The "GitHub AE" app in Okta uses the {% data variables.product.product_name %} API to interact with your enterprise for SCIM and SSO. This procedure explains how to enable and test access to the API by configuring Okta with a {% data variables.product.pat_generic %} for {% data variables.product.prodname_ghe_managed %}.

  1. In {% data variables.product.prodname_ghe_managed %}, generate a {% data variables.product.pat_v1 %} with the admin:enterprise scope. For more information, see "Creating a {% data variables.product.pat_generic %}".

{% data reusables.saml.okta-ae-applications-menu %} {% data reusables.saml.okta-ae-configure-app %} {% data reusables.saml.okta-ae-provisioning-tab %}

  2. Click Configure API Integration.
  3. Select Enable API integration.
  4. For "API Token", type the {% data variables.product.prodname_ghe_managed %} {% data variables.product.pat_generic %} you generated previously.
  5. Click Test API Credentials.

{% note %}

Note: If you see "Error authenticating: No results for users returned", confirm that you have enabled SSO for {% data variables.product.prodname_ghe_managed %}. For more information, see "Enabling SAML SSO for {% data variables.product.prodname_ghe_managed %}."

{% endnote %}
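
A check you can run before typing the token into Okta, added here as an example (it is not part of the original documentation): it compares the scopes a classic token carries, as reported in the `X-OAuth-Scopes` response header, with the single admin:enterprise scope this procedure asks for. The `https://HOSTNAME/api/v3` base URL, the choice of the `/user` endpoint, and all function names are assumptions; the sample header values are constructed.

```python
import urllib.request

# Scope the procedure above asks for; anything beyond it is excess privilege
# held by a credential that will be stored in a third-party system (Okta).
REQUIRED = {"admin:enterprise"}


def parse_scopes(header_value):
    """Split an X-OAuth-Scopes header value into a set of scope names."""
    return {s.strip() for s in (header_value or "").split(",") if s.strip()}


def audit_scopes(header_value, required=REQUIRED):
    """Report scopes that are missing or granted beyond what is required."""
    granted = parse_scopes(header_value)
    return {
        "missing": sorted(set(required) - granted),
        "excess": sorted(granted - set(required)),
        "ok": granted == set(required),
    }


def fetch_scope_header(api_base, token):
    """Ask the API which scopes the token has (needs network access).

    api_base is assumed to look like https://HOSTNAME/api/v3.
    """
    req = urllib.request.Request(
        api_base.rstrip("/") + "/user",
        headers={"Authorization": "token " + token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    # Constructed header values, so the audit logic runs offline.
    samples = {
        "least privilege": "admin:enterprise",
        "over-scoped": "admin:enterprise, repo, delete_repo",
        "wrong scope": "read:org",
        "header absent": "",
    }
    for label, header in samples.items():
        print(f"{label:16} {audit_scopes(header)}")
```

To audit a real token, pass the result of `fetch_scope_header()` to `audit_scopes()` and regenerate the token if `excess` is not empty.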

Configuring SCIM provisioning settings

This procedure demonstrates how to configure the SCIM settings for Okta provisioning. These settings define which features will be used when automatically provisioning Okta user accounts to {% data variables.product.prodname_ghe_managed %}.

{% data reusables.saml.okta-ae-applications-menu %} {% data reusables.saml.okta-ae-configure-app %} {% data reusables.saml.okta-ae-provisioning-tab %}

  1. Under "Settings", click To App.
  2. To the right of "Provisioning to App", click Edit.
  3. To the right of "Create Users", select Enable.
  4. To the right of "Update User Attributes", select Enable.
  5. To the right of "Deactivate Users", select Enable.
  6. Click Save.

Allowing Okta users and groups to access {% data variables.product.prodname_ghe_managed %}

You can provision access to {% data variables.product.product_name %} for your individual Okta users, or for entire groups.

Provisioning access for Okta users

Before your Okta users can use their credentials to sign in to {% data variables.product.prodname_ghe_managed %}, you must assign the users to the "GitHub AE" app in Okta.

{% data reusables.saml.okta-ae-applications-menu %} {% data reusables.saml.okta-ae-configure-app %}

  1. Click Assignments.
  2. Select the Assign drop-down menu and click Assign to People.
  3. To the right of the required user account, click Assign.
  4. To the right of "Role", click a role for the user, then click Save and go back.
  5. Click Done.

Provisioning access for Okta groups

You can map your Okta group to a team in {% data variables.product.prodname_ghe_managed %}. Members of the Okta group will then automatically become members of the mapped {% data variables.product.prodname_ghe_managed %} team. For more information, see "Mapping Okta groups to teams."

Further reading