Before your developers can use GitHub Enterprise Cloud with Enterprise Managed Users, you must follow a series of configuration steps.
Create a new enterprise account
To use Enterprise Managed Users, you need a separate type of enterprise account with Enterprise Managed Users enabled.
- To create an enterprise on GitHub.com, start a free 30-day trial of GitHub Enterprise Cloud, and choose Enterprise with managed users. See "Setting up a trial of GitHub Enterprise Cloud."
- If you require data residency, contact GitHub's Sales team.
Understand where your enterprise is hosted
Enterprise Managed Users are available on GitHub.com or, if you use data residency, on your own subdomain of GHE.com.
The setup process for the environments is similar. However, you will need to pay attention to where your enterprise is hosted as you follow the process. For example, there may be differences in the application you need to use in your identity provider, or the configuration values you need to provide.
Create the setup user
After we create your enterprise, you will receive an email inviting you to choose a password for the setup user, which is used to configure authentication and provisioning. The username is your enterprise's shortcode (chosen by you or randomly generated), suffixed with _admin. For example: fabrikam_admin.
Using an incognito or private browsing window:
- Set the user's password.
- Save the user's recovery codes.
- Enable two-factor authentication. See "Configuring two-factor authentication."
If you need to reset the password for your setup user, contact GitHub Support through the GitHub Support portal. The usual password reset option, which works by providing your email address, does not work for the setup user.
Create a personal access token
Next, create a personal access token that you can use to configure provisioning.
- You must be signed in as the setup user when you create the token.
- The token must have at least the scim:enterprise scope.
- The token must have no expiration.
To learn how to create a personal access token (classic), see "Managing your personal access tokens."
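Before the token is stored in the IdP's provisioning settings, it is worth confirming that it actually carries scim:enterprise and nothing more than it needs. The following script is an added example, not part of GitHub's documentation: it reads the X-OAuth-Scopes response header that the REST API returns for a classic token and checks the scope list. The token value, the API base URL for a data residency enterprise (https://api.SUBDOMAIN.ghe.com) and the example scope strings are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a classic personal access token intended for
# SCIM provisioning. Assumes curl is installed; the token and API base are
# supplied by the caller (assumptions, not values from the documentation).

# Returns 0 if the comma-separated scope list (the value of GitHub's
# X-OAuth-Scopes header) contains scim:enterprise, 1 otherwise.
has_scim_scope() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
    | grep -qx 'scim:enterprise'
}

# Lists any scopes beyond scim:enterprise, one per line, so an
# over-privileged token can be spotted before it is handed to the IdP.
extra_scopes() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
    | grep -v '^$' | grep -vx 'scim:enterprise' || true
}

# Fetches the scope list for a token. $2 is the API base; it defaults to
# GitHub.com and would be https://api.SUBDOMAIN.ghe.com for data residency
# (assumed form). Only response headers are requested.
token_scopes() {
  base="${2:-https://api.github.com}"
  curl -sS -I -H "Authorization: Bearer $1" "$base/user" \
    | tr -d '\r' | grep -i '^x-oauth-scopes:' | cut -d: -f2- | sed 's/^ *//'
}

# Prints a verdict and returns non-zero if scim:enterprise is missing.
check_token() {
  scopes="$(token_scopes "$1" "$2")"
  if ! has_scim_scope "$scopes"; then
    echo "FAIL: scim:enterprise missing (scopes: ${scopes:-none reported})" >&2
    return 1
  fi
  extra="$(extra_scopes "$scopes")"
  if [ -n "$extra" ]; then
    echo "WARN: token also carries: $(printf '%s' "$extra" | tr '\n' ' ')" >&2
  fi
  echo "OK: token has scim:enterprise"
}

# Usage (assumed environment variables):
#   check_token "$GITHUB_TOKEN"                         # GitHub.com
#   check_token "$GITHUB_TOKEN" https://api.fabrikam.ghe.com  # data residency, assumed subdomain
```

Run check_token while signed in as the setup user's token; a warning about additional scopes is a prompt to mint a narrower token rather than reuse one created for another purpose.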
Configure authentication
Next, configure how your members will authenticate.
If you're using Entra ID as your IdP, you can choose between OpenID Connect (OIDC) and Security Assertion Markup Language (SAML).
- We recommend OIDC, which includes support for Conditional Access Policies (CAP).
- If you require multiple enterprises provisioned from one tenant, you can use SAML or OIDC for the first enterprise, but must use SAML for each additional enterprise.
If you're using another IdP, like Okta or PingFederate, you must use SAML to authenticate your members.
To get started, read the guide for your chosen authentication method.
- "Configuring OIDC for Enterprise Managed Users"
- "Configuring SAML single sign-on for Enterprise Managed Users"
GitHub offers a "paved-path" integration and full support if you use a partner IdP for both authentication and provisioning. Alternatively, you can use any system, or combination of systems, that conforms to SAML 2.0 and SCIM 2.0. However, support for resolving problems with these systems may be limited. For more details, see "About Enterprise Managed Users."
Configure provisioning
After you configure authentication, you can configure SCIM provisioning, which is how your IdP will create managed user accounts on GitHub. See "Configuring SCIM provisioning for Enterprise Managed Users."
Manage organization membership
After authentication and provisioning are configured, you can start managing organization membership for your managed user accounts by synchronizing IdP groups with teams. See "Managing team memberships with identity provider groups."
Support developers with multiple user accounts
Developers may need to maintain separate, personal accounts for their work outside of your enterprise with managed users. You can help them manage multiple accounts by providing the following resources:
- On the command line, developers can configure Git to simplify the process of using multiple accounts. See "Managing multiple accounts."
- In the web interface, developers can switch between accounts without always needing to re-authenticate. See "Switching between accounts."
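One concrete way to set up the command-line side, added here as an example rather than taken from GitHub's "Managing multiple accounts" guide: Git's includeIf mechanism selects a different user identity and SSH key depending on where a repository lives, so clones under a work directory use the managed account and everything else uses the personal one. The directory layout, names, email addresses and key path are assumptions.

```shell
#!/bin/sh
# Added example: per-directory Git identities for a developer who has both a
# managed user account and a personal account. All paths and names below are
# assumptions chosen for illustration.
set -e

# Writes a global gitconfig under the directory $1 (treated as HOME).
# Repositories below $1/work/ pick up the work identity via includeIf;
# everything else keeps the personal identity.
write_multi_account_config() {
  home="$(cd "$1" && pwd -P)"
  mkdir -p "$home/work" "$home/personal" "$home/.ssh"
  cat > "$home/.gitconfig" <<EOF
[user]
	name = Personal Name
	email = personal@example.com
[includeIf "gitdir:$home/work/"]
	path = $home/.gitconfig-work
EOF
  cat > "$home/.gitconfig-work" <<EOF
[user]
	name = Work Name
	email = dev@fabrikam.example
[core]
	# dedicated key pair for the managed account (assumed path)
	sshCommand = ssh -i $home/.ssh/id_ed25519_work -o IdentitiesOnly=yes
EOF
}

# Prints the user.email Git resolves inside a fresh repository at $1,
# with $2 used as HOME so the config written above is consulted.
identity_in() {
  dir="$1"
  home="$(cd "$2" && pwd -P)"
  mkdir -p "$dir"
  (
    cd "$dir"
    git init -q .
    HOME="$home" GIT_CONFIG_NOSYSTEM=1 git config --get user.email
  )
}

# Usage (assumed paths):
#   write_multi_account_config "$HOME"
#   identity_in "$HOME/work/some-repo" "$HOME"      # dev@fabrikam.example
#   identity_in "$HOME/personal/side-project" "$HOME"  # personal@example.com
```

Because the condition is evaluated per repository, a developer can verify which account a clone will use with git config --get user.email before pushing, which avoids commits landing under the wrong identity.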