Configuring authentication and provisioning with Entra ID

You can use a tenant in Microsoft Entra ID (previously known as Azure AD) as an identity provider (IdP) to centrally manage authentication and user provisioning for your GitHub Enterprise Server instance.

Who can use this feature?

Site administrators with admin access to the IdP

About authentication and user provisioning with Entra ID

Entra ID is a service from Microsoft that allows you to centrally manage user accounts and access to web applications. For more information, see What is Microsoft Entra ID? in the Microsoft Docs.

When you use an IdP for IAM on GitHub Enterprise Server, SAML SSO controls and secures access to enterprise resources like repositories, issues, and pull requests. SCIM automatically creates user accounts and manages access to your GitHub Enterprise Server instance when you make changes on your IdP. You can also synchronize teams on GitHub Enterprise Server with groups on your IdP.

For more information, see "About user provisioning with SCIM on GitHub Enterprise Server."

Prerequisites

The general prerequisites for using SCIM on GitHub Enterprise Server apply. See the "Prerequisites" section in "Configuring SCIM provisioning to manage users."

In addition:

To configure SCIM, you must have completed steps 1 to 4 in "Configuring SCIM provisioning to manage users."
- You will need the personal access token (classic) created for the setup user to authenticate requests from Entra ID.
To configure authentication and user provisioning for GitHub Enterprise Server using Entra ID, you must have an Entra ID account and tenant. For more information, see the Entra ID website and Quickstart: Set up a tenant in the Microsoft Docs.

1. Configure SAML

Note

Even if you have previously configured SAML on Entra ID, you will need to configure SAML and SCIM on a new application to enable SCIM provisioning.

Before starting this section, ensure you have followed steps 1 and 2 in "Configuring SCIM provisioning to manage users."

In Entra ID

Create the "GitHub Enterprise Server" application in Entra ID. For instructions, see the "Adding GitHub Enterprise Server from the gallery" section in Microsoft's guide Tutorial: Microsoft Entra SSO integration with GitHub Enterprise Server.

Note

Do not use the application labeled "(Legacy)."
In the "GitHub Enterprise Server" application settings, click Single sign-on in the left sidebar, then click SAML.
In the "Basic SAML Configuration" section, click Edit, then add the following details.
- "Identifier": your GitHub Enterprise Server host URL (https://HOSTNAME.com)
- "Reply URL": your host URL, followed by /saml/consume (https://HOSTNAME.com/saml/consume)
In the "SAML certificates" section, download the SAML certificate (Base64).
In the "Set up GitHub Enterprise Server" section, make a note of the Login URL and Microsoft Entra Identifier.

On GitHub Enterprise Server

Sign in to your GitHub Enterprise Server instance as a user with access to the Management Console.
Configure SAML using the information you have gathered. See "Configuring SAML single sign-on for your enterprise."

2. Configure SCIM

Before starting this section, ensure you have followed steps 1 to 4 in "Configuring SCIM provisioning to manage users."

In the "GitHub Enterprise Server" application in Entra ID, click Provisioning in the left sidebar, then click Get started.
Select the "Automatic" provisioning mode.
In the "Admin Credentials" section, add the following details.
- "Tenant URL": your GitHub Enterprise Server host URL, followed by /api/v3/scim/v2 (https://HOSTNAME.com/api/v3/scim/v2)
- "Secret Token": the personal access token (classic) created for the setup user
Click Test Connection.
When the test is complete, click Save.

When you have finished configuring SCIM, you may want to disable some SAML settings you enabled for the configuration process. See "Configuring SCIM provisioning to manage users."