What are Enterprise Managed Users in GitHub?
With Enterprise Managed Users, you manage the lifecycle and authentication of your users on GitHub.com or GHE.com from an external identity management system, or IdP:
- Your IdP provisions new user accounts on GitHub, with access to your enterprise.
- Users must authenticate on your IdP to access your enterprise's resources on GitHub.
- You control usernames, profile data, organization membership, and repository access from your IdP.
- If your enterprise uses OIDC SSO, GitHub validates access to your enterprise and its resources against your IdP's Conditional Access Policy (CAP). See About support for your IdP's Conditional Access Policy.
- Managed user accounts cannot create public content or collaborate outside your enterprise. See Abilities and restrictions of managed user accounts.
Note
Enterprise Managed Users is not the best solution for every customer. To determine whether it's right for your enterprise, see Enterprise types for GitHub Enterprise Cloud.
How do EMUs integrate with identity management systems?
GitHub partners with some developers of identity management systems to provide a "paved-path" integration with Enterprise Managed Users. To simplify configuration and ensure full support, use a single partner IdP for both authentication and provisioning.
What are partner identity providers?
Partner IdPs provide authentication using SAML or OIDC, and provide provisioning with System for Cross-domain Identity Management (SCIM).
Partner IdP | SAML | OIDC | SCIM |
---|---|---|---|
Entra ID | ✓ | ✓ | ✓ |
Okta | ✓ | | ✓ |
PingFederate | ✓ | | ✓ |
When you use a single partner IdP for both authentication and provisioning, GitHub provides support for the application on the partner IdP and the IdP's integration with GitHub.
Can I use identity management systems other than the supported partners?
If you cannot use a single partner IdP for both authentication and provisioning, you can use another identity management system or combination of systems. The system must:
- Adhere to GitHub's integration guidelines
- Provide authentication using SAML, adhering to SAML 2.0 specification
- Provide user lifecycle management using SCIM, adhering to the SCIM 2.0 specification and communicating with GitHub's REST API (see Provisioning users and groups with SCIM using the REST API)
GitHub does not explicitly support mixing partner IdPs for authentication and provisioning, and has not tested every identity management system. GitHub's support team may not be able to assist with issues related to mixed or untested systems. If you need help, consult the system's documentation, support team, or other resources.
Important
The combination of Okta and Entra ID for SSO and SCIM is explicitly unsupported. If you configure this combination, GitHub's SCIM API returns an error to the identity provider on every provisioning attempt.
How are usernames and profile information managed for EMUs?
GitHub automatically creates a username for each developer by normalizing an identifier provided by your IdP. If the unique parts of the identifier are removed during normalization, two identities can collapse to the same username and a conflict occurs. See Username considerations for external authentication.
The profile name and email address of a managed user account are provided by the IdP:
- Managed user accounts cannot change their profile name or email address on GitHub.
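The username derivation described above, together with the SCIM provisioning payload from the previous section, as an added worked example in Python. This is not GitHub's code. The normalization rules it applies (use the part of the identifier before `@`, replace each run of non-alphanumeric characters with one hyphen, strip leading and trailing hyphens, append `_` plus the enterprise short code, keep the total within 39 characters by truncating the local part) are an approximation of the documented behaviour; the enterprise short code `fabrikam`, the sample users, and the exact role value strings are assumptions. The payload shape targets the `POST /scim/v2/enterprises/{enterprise}/Users` endpoint of GitHub's REST API.

```python
"""Pre-flight check for EMU provisioning (added example, not GitHub's code).

Derives the GitHub username that each IdP identity will normalize to, flags
identities that collide after normalization, and builds SCIM 2.0 User
payloads only for the identities that are safe to provision.
"""
import json
import re
from collections import defaultdict

MAX_USERNAME_LEN = 39  # GitHub username limit, including the short-code suffix
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def normalize_username(identifier: str, short_code: str) -> str:
    """Approximation of GitHub's EMU username normalization (assumed rules)."""
    local = identifier.split("@", 1)[0]            # drop the domain part of a UPN/email
    local = re.sub(r"[^A-Za-z0-9]+", "-", local)   # each run of other chars -> one '-'
    local = local.strip("-")                       # no leading or trailing '-'
    suffix = "_" + short_code                      # enterprise short code is appended
    local = local[: MAX_USERNAME_LEN - len(suffix)]  # assumption: local part is truncated
    return local.rstrip("-") + suffix


def find_conflicts(identifiers, short_code):
    """Return {username: [identifiers]} for usernames claimed by more than one identity.
    GitHub usernames are case-insensitive, so compare the lowercased form."""
    seen = defaultdict(list)
    for ident in identifiers:
        seen[normalize_username(ident, short_code).lower()].append(ident)
    return {name: idents for name, idents in seen.items() if len(idents) > 1}


def scim_user_payload(identifier, given, family, email, role="User", active=True):
    """Body for POST /scim/v2/enterprises/{enterprise}/Users.
    The IdP supplies exactly one email address; GitHub derives the username itself.
    Role value strings (e.g. "User", "Enterprise Owner", "Guest Collaborator") are
    assumed from the API reference."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": identifier,
        "active": active,
        "userName": identifier,
        "name": {"givenName": given, "familyName": family, "formatted": f"{given} {family}"},
        "displayName": f"{given} {family}",
        "emails": [{"value": email, "type": "work", "primary": True}],
        "roles": [{"value": role, "primary": False}],
    }


def plan_provisioning(users, short_code):
    """users: dicts with identifier, given, family, email.
    Returns (payloads, conflicts). Identities involved in a conflict are withheld so
    the operator can rename them in the IdP before they collide on GitHub."""
    conflicts = find_conflicts([u["identifier"] for u in users], short_code)
    blocked = {ident for idents in conflicts.values() for ident in idents}
    payloads = [
        scim_user_payload(u["identifier"], u["given"], u["family"], u["email"])
        for u in users
        if u["identifier"] not in blocked
    ]
    return payloads, conflicts


# Constructed sample directory: the first two identities differ only in a
# character that normalization replaces, so they collapse to one username.
SAMPLE_USERS = [
    {"identifier": "mona.the.octocat@example.com", "given": "Mona", "family": "Octocat",
     "email": "mona.the.octocat@example.com"},
    {"identifier": "mona_the_octocat@example.com", "given": "Mona", "family": "Octocat",
     "email": "mona_the_octocat@example.com"},
    {"identifier": "hubot@example.com", "given": "Hu", "family": "Bot",
     "email": "hubot@example.com"},
]

if __name__ == "__main__":
    payloads, conflicts = plan_provisioning(SAMPLE_USERS, "fabrikam")
    for name, idents in conflicts.items():
        print(f"CONFLICT {name}: {idents}")
    for body in payloads:
        print(json.dumps(body, indent=2))
```

Run it before turning on provisioning: a non-empty `conflicts` map means at least two IdP identities would be assigned the same GitHub username, and the only fix is to change the identifier on the IdP side.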
- The IdP can only provide one email address.
- Changing a user's email address in your IdP will unlink the user from the contribution history associated with the old email address.
How are roles and access managed for EMUs?
In your IdP, you can give each managed user account a role in your enterprise, such as member, owner, or guest collaborator. See Abilities of roles in an enterprise.
Organization memberships (and repository access) can be managed manually, or you can update memberships automatically using IdP groups. See Managing team memberships with identity provider groups.
How do managed user accounts authenticate to GitHub?
The locations where managed user accounts can authenticate to GitHub depend on how you configure authentication (SAML or OIDC). See Authentication for Enterprise Managed Users.
By default, when an unauthenticated user attempts to access your enterprise, GitHub displays a 404 error. You can optionally enable automatic redirects to single sign-on (SSO) instead. See Enforcing policies for security settings in your enterprise.