You can use GitHub Enterprise's built-in authentication, or choose between GitHub OAuth, CAS, LDAP, or SAML to integrate your existing accounts and centrally manage user access to your GitHub Enterprise instance.
Single sign-on to an identity provider with CAS, SAML, or OAuth
CAS, SAML and OAuth provide single sign-on (SSO) behavior by redirecting and authenticating to an external identity provider and then redirecting back to GitHub Enterprise with a response describing the authenticated user. With these methods, you can enforce authentication requirements including 2FA, password policies, and VPN access.
Using CAS
CAS is a single sign-on (SSO) protocol for multiple web applications. A CAS user account does not take up a license seat until the user signs in to your Enterprise instance.
Using SAML
SAML is an XML-based standard for authentication and authorization. GitHub Enterprise can act as a service provider (SP) with your internal SAML identity provider (IdP).
Using GitHub OAuth
GitHub OAuth uses GitHub.com organization membership to grant and control access to your GitHub Enterprise instance.
Note: User authentication using GitHub OAuth is deprecated and can not be used for new installations.
Authentication against internal LDAP directories
When LDAP authentication is configured, GitHub Enterprise validates credentials externally against users in your centrally managed LDAP directory service.
Using LDAP
LDAP lets you authenticate GitHub Enterprise against your existing accounts and centrally manage repository access.
Authentication on GitHub Enterprise
Built-in GitHub Enterprise authentication accepts instance-specific account credentials that aren't shared or connected to external identity providers or authentication services. Admins can manage these accounts through the web interface or programmatically through the API.
Using built-in authentication
When you use the default authentication method, all authentication details are stored within your GitHub Enterprise instance. Built-in authentication is the default method if you don’t already have an established authentication provider, such as LDAP, SAML, or CAS.
Changing authentication methods
You can change the way GitHub Enterprise authenticates with your existing accounts at any time.