
Configuring SCIM provisioning for user management

You can manage the lifecycle of your enterprise's user accounts from your identity provider (IdP) using System for Cross-domain Identity Management (SCIM).

Who can use this feature?

Site administrators

To create, manage, and deactivate user accounts for your enterprise members on GitHub, your IdP can implement SCIM for communication with GitHub. SCIM is an open specification for management of user identities between systems. Different IdPs provide different experiences for the configuration of SCIM provisioning.

If you use a partner IdP, you can simplify the configuration of SCIM provisioning by using the partner IdP's application. If you don't use a partner IdP for provisioning, you can implement SCIM using calls to GitHub's REST API for SCIM. For more information, see About user provisioning with SCIM on GitHub Enterprise Server.

Who needs to follow these instructions?

Even if your instance already uses SAML authentication, or if you were enrolled in the SCIM private preview on a previous GitHub Enterprise Server version, you must ensure you have followed all instructions in this guide to enable SCIM in version 3.14 and later.

This guide applies in any of the following situations.

  • You're setting up SAML and SCIM for the first time: you'll follow these instructions to get started.
  • You already use SAML authentication: you'll need to enable SCIM on your instance, plus either reconfigure SAML with an IdP application that supports automated provisioning or set up a SCIM integration with the REST API.
  • You were enrolled in the SCIM private preview: you'll need to reenable SCIM on your instance and, if you're using a partner IdP, reconfigure your settings on an updated IdP application.

Prerequisites

  • SCIM is a server-to-server protocol. Your instance's REST API endpoints must be accessible to your SCIM provider.
  • For authentication, your instance must use SAML SSO, or a mix of SAML and built-in authentication.
    • You cannot mix SCIM with other external authentication methods. If you use CAS or LDAP, you will need to migrate to SAML before using SCIM.
    • After you have configured SCIM, you must keep SAML authentication enabled to continue using SCIM.
  • You must have administrative access on your IdP.
  • You must have access to the Management Console on GitHub Enterprise Server.
  • If you are configuring SCIM on an instance with existing users, ensure you have understood how SCIM will identify and update these users. See About user provisioning with SCIM on GitHub Enterprise Server.

1. Create a built-in setup user

To ensure you can continue to sign in and configure settings when SCIM is enabled, you'll create an enterprise owner using built-in authentication.

  1. Sign in to GitHub Enterprise Server as a user with access to the Management Console.

  2. If you have already enabled SAML authentication, ensure your settings allow you to create and promote a built-in authentication user. Go to the "Authentication" section of the Management Console and enable the following settings:

    • Select Allow creation of accounts with built-in authentication, so you can create the user.
    • Select Disable administrator demotion/promotion, so admin permissions can be granted outside of your SAML provider.

    For help finding these settings, see Configuring SAML single sign-on for your enterprise.

  3. Create a built-in user account with the username scim-admin to perform provisioning actions on your instance. See Allowing built-in authentication for users outside your provider.

    Ensure the user's email and username are different from any user you plan on provisioning through SCIM. If your email provider supports it, you can modify an email address by adding +admin, for example johndoe+admin@example.com.

    You can use any username for your setup user, but we recommend using scim-admin. Although the scim-admin user consumes a license when first created, the license is freed once SCIM is enabled. With any other username, the user will continue to consume a license after SCIM is enabled.

  4. Copy the password reset link after creating the user, and open it in a private browser window. Set a password for this user.

    Warning

    As this user will act as a break-glass account, ensure you store the password securely in a password manager. Otherwise you risk losing access to this account.

  5. Promote the user to an enterprise owner. See Promoting or demoting a site administrator.

2. Create a personal access token

  1. Sign in to your instance as the built-in setup user you created in the previous section.

  2. Create a personal access token (classic). For instructions, see Managing your personal access tokens.

    • The token must have the scim:enterprise scope.
    • The token must have no expiration. If you specify an expiration date, SCIM will no longer function after the expiration date passes.

  3. Store the token securely in a password manager until you need the token again later in the setup process. You'll need the token to configure SCIM on your IdP.

3. Enable SAML on your instance

Note

Complete this section if either of the following situations applies:

  • If you have not already enabled SAML authentication, you will need to do so before you can enable SCIM.
  • If you already use SAML authentication and want to use a partner IdP for both authentication and provisioning, or if you're upgrading from the SCIM private preview, you must reconfigure SAML using a new application.

  1. Sign in to your instance as a user with access to the Management Console.

  2. Go to the "Authentication" section of the Management Console. For instructions, see Configuring SAML single sign-on for your enterprise.

  3. Select SAML.

  4. Configure the SAML settings according to your requirements and the IdP you're using.

  5. Optionally, complete configuration of the SAML settings within the application in your IdP. Alternatively, you can leave this step until later.

4. Enable SCIM on your instance

  1. Sign in to your instance as the built-in setup user you created earlier.
  2. In the top-right corner of GitHub, click your profile picture, then click Enterprise.
  3. At the top of the page, click Settings.
  4. Under Settings, click Authentication security.
  5. Under "SCIM Configuration", select Enable SCIM configuration.

You can confirm that SCIM is now enabled by checking your instance's audit logs. You should expect to see a "business.enable_open_scim" event, indicating that GitHub's SCIM REST API has been enabled on your instance.
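The audit-log check described above can be automated over an exported log. The following is example code written for this page, not GitHub's own tooling: it scans JSON Lines audit-log entries for the "business.enable_open_scim" event and reports who enabled SCIM and when. The sample entries are constructed, and the field names "action", "actor" and "@timestamp" are assumptions about the export format; adjust them to match your instance's export.

```python
"""Confirm SCIM was enabled on a GitHub Enterprise Server instance by scanning
an exported audit log for the "business.enable_open_scim" event.
Example code written for this page; not GitHub's own tooling."""
import json
from typing import Iterable, List, Dict

# Event name as given on the page.
SCIM_ENABLED_ACTION = "business.enable_open_scim"

# Constructed sample of an audit-log export (JSON Lines). The keys "action",
# "actor" and "@timestamp" are assumed field names, not taken from the page.
# One deliberately malformed line is included to show the scan skipping it.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1718000000000, "action": "user.login", "actor": "scim-admin"}
{"@timestamp": 1718000060000, "action": "business.enable_open_scim", "actor": "scim-admin"}
this line is not valid json
{"@timestamp": 1718000120000, "action": "user.create", "actor": "scim-admin"}
"""


def scim_enable_events(lines: Iterable[str]) -> List[Dict]:
    """Return every SCIM-enable event as {"timestamp", "actor"}, oldest first.

    Malformed or blank lines are skipped so one bad record does not abort
    the whole scan.
    """
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if entry.get("action") == SCIM_ENABLED_ACTION:
            events.append({"timestamp": entry.get("@timestamp"),
                           "actor": entry.get("actor")})
    return events


def scim_is_enabled(lines: Iterable[str]) -> bool:
    """True if at least one SCIM-enable event is present in the export."""
    return bool(scim_enable_events(lines))


if __name__ == "__main__":
    found = scim_enable_events(SAMPLE_AUDIT_LOG.splitlines())
    if found:
        for ev in found:
            print(f"SCIM enabled by {ev['actor']} at {ev['timestamp']}")
    else:
        print("No business.enable_open_scim event found")
```

Feeding the function the lines of a real export (for example, `scim_enable_events(open("audit.log"))`) gives a quick answer to "who turned SCIM on, and when", which is also a useful thing to alert on outside of a planned change.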

5. Configure your identity provider

After completing the setup on GitHub, you can configure provisioning on your IdP. The instructions you should follow differ depending on whether you use a partner IdP's application for both authentication and provisioning.

Configuring provisioning if you use a partner IdP's application

To use a partner IdP's application for both authentication and provisioning, review the instructions that are linked below. Complete the steps for enabling SCIM, plus any SAML configuration that you haven't already performed.

Configuring provisioning for other identity management systems

If you don't use a partner IdP, or if you only use a partner IdP for authentication, you can manage the lifecycle of user accounts using GitHub's REST API endpoints for SCIM provisioning. See Provisioning users and groups with SCIM using the REST API.
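As an added example of what a REST API integration looks like (example code written for this page, not GitHub's own client or documentation), the block below builds a SCIM 2.0 User resource (the RFC 7643 core schema), checks that the personal access token from step 2 carries the scim:enterprise scope, and prepares the POST request against the instance. Three things are assumptions that you should verify against the REST API documentation for your GitHub Enterprise Server version: the endpoint path `/api/v3/scim/v2/enterprises/{enterprise}/Users`, the `X-OAuth-Scopes` response header used to read a classic token's scopes, and the role value `enterprise_owner`. The hostname, enterprise slug, token and user details are constructed placeholders.

```python
"""Provision a user on GitHub Enterprise Server through the SCIM REST API.
Example code written for this page; not GitHub's own client.
Assumed (verify against your version's REST docs): the endpoint path
/api/v3/scim/v2/enterprises/{enterprise}/Users, the X-OAuth-Scopes header,
and the role value "enterprise_owner"."""
import json
import os
import urllib.request
from typing import Callable, Optional, Set

REQUIRED_SCOPE = "scim:enterprise"  # token scope named on the page
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643


def missing_scopes(oauth_scopes_header: Optional[str]) -> Set[str]:
    """Return the required scopes absent from a comma-separated scope list.

    GitHub reports a classic token's scopes in the X-OAuth-Scopes response
    header (assumed header name); pass that header's value here before
    attempting any provisioning call.
    """
    granted = {s.strip() for s in (oauth_scopes_header or "").split(",") if s.strip()}
    return {REQUIRED_SCOPE} - granted


def build_scim_user(username: str, email: str, given: str, family: str,
                    external_id: str, role: str = "user") -> dict:
    """Build a SCIM 2.0 User resource for creation.

    externalId is the stable identifier from the IdP, which SCIM uses to
    match the user on later updates; the "roles" attribute carries the
    enterprise role (the value "enterprise_owner" is assumed).
    """
    full_name = f"{given} {family}"
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": external_id,
        "userName": username,
        "name": {"givenName": given, "familyName": family, "formatted": full_name},
        "displayName": full_name,
        "emails": [{"value": email, "primary": True, "type": "work"}],
        "roles": [{"value": role, "primary": True}],
        "active": True,
    }


def build_request(base_url: str, enterprise: str, token: str,
                  user: dict) -> urllib.request.Request:
    """Prepare the POST that creates the user; nothing is sent here."""
    url = f"{base_url.rstrip('/')}/api/v3/scim/v2/enterprises/{enterprise}/Users"
    return urllib.request.Request(
        url,
        data=json.dumps(user).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
        },
    )


def provision_user(base_url: str, enterprise: str, token: str, user: dict,
                   send: Optional[Callable] = None) -> dict:
    """Create the user and return the decoded SCIM response.

    `send` is injectable so the request can be inspected or stubbed without
    network access; by default it performs the HTTPS call.
    """
    req = build_request(base_url, enterprise, token, user)
    if send is None:
        def send(r):
            with urllib.request.urlopen(r) as resp:
                return json.loads(resp.read())
    return send(req)


if __name__ == "__main__":
    # Constructed placeholders; set the environment variables to hit a real instance.
    user = build_scim_user("jdoe", "jdoe@example.com", "Jane", "Doe", "idp-123")
    base = os.environ.get("GHES_URL", "https://ghes.example.com")
    ent = os.environ.get("GHES_ENTERPRISE", "acme")
    tok = os.environ.get("GHES_SCIM_TOKEN", "ghp_placeholder")
    dry_run = "GHES_SCIM_TOKEN" not in os.environ
    req = build_request(base, ent, tok, user)
    print(f"{req.get_method()} {req.full_url}")
    print(req.data.decode())
    if not dry_run:
        print(provision_user(base, ent, tok, user))
```

Two design points worth noting for a defender: the request is built separately from being sent, so the payload and target URL can be logged or reviewed before any call is made, and the scope check lets an automation job fail fast with a clear message instead of a generic 403 when someone rotates the setup user's token without the scim:enterprise scope.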

GitHub does not expressly support mixing partner IdPs for authentication and provisioning and does not test all identity management systems. GitHub's support team may not be able to assist you with issues related to mixed or untested systems. If you need help, you must consult the system's documentation, support team, or other resources.

Warning

The combination of Okta and Entra ID for SSO and SCIM (in either order) is explicitly not supported. GitHub's SCIM API will return an error to the identity provider on provisioning attempts if this combination is configured.

6. Update settings

After you have finished the configuration process, you should disable the following setting in the Management Console:

  • Disable administrator demotion/promotion: Disable this setting to allow assignment of the enterprise owner role via SCIM. If this setting remains enabled, you will not be able to provision enterprise owners via SCIM.

Optionally, you can disable the following setting in the Management Console as well:

  • Allow creation of accounts with built-in authentication: Disable this setting if you want all users to be provisioned from your IdP.

7. Assign users and groups

After you have configured authentication and provisioning, you will be able to provision new users on GitHub by assigning users or groups to the relevant application in your IdP.

When assigning users, you can use the "Roles" attribute in the application on your IdP to set a user's role in your enterprise. For more information about the roles available to assign, see Abilities of roles in an enterprise.

Entra ID does not support provisioning nested groups. For more information, see How Application Provisioning works in Microsoft Entra ID on Microsoft Learn.