About SAML SSO
SAML SSO allows you to centrally control and secure access to your GitHub Enterprise Server instance from your SAML IdP. When an unauthenticated user visits your GitHub Enterprise Server instance in a browser, GitHub Enterprise Server will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to your GitHub Enterprise Server instance. GitHub Enterprise Server validates the response from your IdP, then grants access to the user.
After a user successfully authenticates on your IdP, the user's SAML session for your GitHub Enterprise Server instance is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.
If you remove a user from your IdP, you must also manually suspend them. Otherwise, the account's owner can continue to authenticate using access tokens or SSH keys. For more information, see "Suspending and unsuspending users."
Supported identity providers
GitHub Enterprise Server supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.
GitHub officially supports and internally tests the following IdPs.
- Active Directory Federation Services (AD FS)
- Azure Active Directory (Azure AD)
- Okta
- OneLogin
- PingOne
- Shibboleth
Configuring SAML SSO
You can enable or disable SAML authentication for your GitHub Enterprise Server instance, or you can edit an existing configuration. You can view and edit authentication settings for GitHub Enterprise Server in the management console. For more information, see "Accessing the management console."
Note: GitHub strongly recommends that you verify any new configuration for authentication in a staging environment. An incorrect configuration could result in downtime for your GitHub Enterprise Server instance. For more information, see "Setting up a staging instance."
- From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click .
- If you're not already on the "Site admin" page, in the upper-left corner, click Site admin.
- In the left sidebar, click Management Console.
- In the left sidebar, click Authentication.
- Select SAML.
- Optionally, to allow people without an account on your external authentication system to sign in with built-in authentication, select Allow built-in authentication. For more information, see "Allowing built-in authentication for users outside your provider."
- Optionally, to enable unsolicited response SSO, select IdP initiated SSO. By default, GitHub Enterprise Server will reply to an unsolicited Identity Provider (IdP) initiated request with an AuthnRequest back to the IdP. Note: We recommend keeping this value unselected. You should enable this feature only in the rare instance that your SAML implementation does not support service provider initiated SSO, and when advised by GitHub Enterprise Support.
- Select Disable administrator demotion/promotion if you do not want your SAML provider to determine administrator rights for users on your GitHub Enterprise Server instance.
- In the Single sign-on URL field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to configure your GitHub Enterprise Server instance to use internal nameservers.
- Optionally, in the Issuer field, type your SAML issuer's name. This verifies the authenticity of messages sent to your GitHub Enterprise Server instance.
- In the Signature Method and Digest Method drop-down menus, choose the hashing algorithm used by your SAML issuer to verify the integrity of the requests from your GitHub Enterprise Server instance. Specify the format with the Name Identifier Format drop-down menu.
- Under Verification certificate, click Choose File and choose a certificate to validate SAML responses from the IdP.
- Modify the SAML attribute names to match your IdP if needed, or accept the default names.
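The values for the Single sign-on URL, Issuer, Name Identifier Format and Verification certificate fields can be read from the IdP's SAML 2.0 metadata document before they are typed into the form. The following Python is an added example, not GitHub's code: the function name `saml_fields` and the sample metadata (host, entityID, certificate placeholder) are constructed, and it assumes the Issuer field takes the IdP's `entityID`.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: host, entityID and certificate body are placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER+BASE64+CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def saml_fields(metadata_xml):
    """Map IdP metadata to the SAML form fields; return (fields, warnings)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor element")
    # One endpoint per binding; pick the one your IdP documents for this SP.
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":  # not used to verify responses
            continue
        certs += ["".join(c.text.split())
                  for c in kd.iterfind(".//ds:X509Certificate", NS) if c.text]
    fields = {
        "Single sign-on URL": sso,
        "Issuer": root.get("entityID"),
        "Name Identifier Format": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "Verification certificate": certs,
    }
    # A plain-HTTP endpoint sends the sign-in exchange unencrypted.
    warnings = [f"SSO endpoint is plain HTTP: {u}" for u in sso.values()
                if u and u.lower().startswith("http://")]
    if len(certs) != 1:
        warnings.append(f"expected one signing certificate, found {len(certs)}")
    return fields, warnings

if __name__ == "__main__":
    print(*saml_fields(SAMPLE_METADATA), sep="\n")
```

Review any warning with the IdP administrator before saving the configuration, and apply the change in a staging instance first as recommended above.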