Before your developers can use GitHub Enterprise Cloud with Enterprise Managed Users, you must follow a series of configuration steps.
Create a new enterprise account
To use Enterprise Managed Users, you need a separate type of enterprise account with Enterprise Managed Users enabled.
Start a free 30-day trial of GitHub Enterprise Cloud, and choose Enterprise with managed users. See "Setting up a trial of GitHub Enterprise Cloud."
Create the setup user
After we create your enterprise, you will receive an email inviting you to choose a password for the setup user, which is used to configure authentication and provisioning. The username is your enterprise's shortcode suffixed with _admin, for example fabrikam_admin.
Using an incognito or private browsing window:
- Set the user's password.
- Save the user's recovery codes.
- Enable two-factor authentication. See "Configuring two-factor authentication."
If you need to reset the password for your setup user, contact GitHub Support through the GitHub Support portal. The usual password reset option by providing your email address will not work.
Create a personal access token
Next, create a personal access token that you can use to configure provisioning.
- You must be signed in as the setup user when you create the token.
- The token must have admin:enterprise scope.
- The token must have no expiration.
To learn how to create a personal access token (classic), see "Managing your personal access tokens."
Configure authentication
Next, configure how your members will authenticate.
If you're using Entra ID as your IdP, you can choose between OpenID Connect (OIDC) and Security Assertion Markup Language (SAML).
- We recommend OIDC, which includes support for Conditional Access Policies (CAP).
- If you require multiple enterprises provisioned from one tenant, you must use SAML for each enterprise after the first.
If you're using another IdP, like Okta or PingFederate, you must use SAML to authenticate your members.
To get started, read the guide for your chosen authentication method.
- "Configuring OIDC for Enterprise Managed Users"
- "Configuring SAML single sign-on for Enterprise Managed Users"
Configure provisioning
After you configure authentication, you can configure SCIM provisioning, which is how your IdP will create managed user accounts on GitHub. See "Configuring SCIM provisioning for Enterprise Managed Users."
Manage organization membership
After authentication and provisioning are configured, you can start managing organization membership for your managed user accounts by synchronizing IdP groups with teams. See "Managing team memberships with identity provider groups."
Support developers with multiple user accounts
Developers may need to maintain separate, personal accounts for their work outside of your enterprise with managed users. You can help them manage multiple accounts by providing the following resources:
- On the command line, developers can configure Git to simplify the process of using multiple accounts. See "Managing multiple accounts."
- In the web interface, developers can switch between accounts without always needing to re-authenticate. See "Switching between accounts."