| title | shortTitle | intro | versions | type | topics | redirect_from | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
About SAML for enterprise IAM |
About SAML for IAM |
You can use SAML single sign-on (SSO) to centrally manage access {% ifversion ghec %}to organizations owned by your enterprise on {% data variables.product.prodname_dotcom_the_website %}{% elsif ghes %}to {% data variables.location.product_location %}{% endif %}. |
|
overview |
|
|
About SAML SSO for {% ifversion ghec %}your enterprise on {% endif %}{% ifversion ghec or ghes %}{% data variables.location.product_location %}{% endif %}
{% ifversion ghec %}
If your enterprise members manage their own user accounts on {% data variables.location.product_location %}, you can configure SAML authentication as an additional access restriction for your enterprise or organization. {% data reusables.saml.dotcom-saml-explanation %}
{% data reusables.saml.saml-accounts %}
{% data reusables.saml.about-saml-enterprise-accounts %} For more information, see "AUTOTITLE" and "AUTOTITLE."
Alternatively, you can provision and manage the accounts of your enterprise members with {% data variables.product.prodname_emus %}. To help you determine whether SAML SSO or {% data variables.product.prodname_emus %} is better for your enterprise, see "AUTOTITLE."
{% data reusables.enterprise-accounts.about-recovery-codes %} For more information, see "AUTOTITLE."
After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features.
{% data reusables.saml.no-scim-for-enterprises %}
If you use Microsoft Entra ID (previously known as Azure AD) as your IdP, you can use team synchronization to manage team membership within each organization. {% data reusables.identity-and-permissions.about-team-sync %} For more information, see "AUTOTITLE."
{% data reusables.saml.switching-from-org-to-enterprise %} For more information, see "AUTOTITLE."
{% elsif ghes %}
SAML SSO allows people to authenticate and access {% data variables.location.product_location %} through an external system for identity management.
SAML is an XML-based standard for authentication and authorization. When you configure SAML for {% data variables.location.product_location %}, the external system for authentication is called an identity provider (IdP). Your instance acts as a SAML service provider (SP). For more information about the SAML standard, see Security Assertion Markup Language on Wikipedia.
{% data reusables.enterprise.saml-or-ldap %}
{% endif %}
{% ifversion ghes %}
{% data reusables.enterprise_user_management.external_auth_disables_2fa %}
After you configure SAML, people who use {% data variables.location.product_location %} must use a {% data variables.product.pat_generic %} to authenticate API requests. For more information, see "AUTOTITLE."
{% data reusables.enterprise_user_management.built-in-authentication %}
{% endif %}
For more information about the configuration of SAML SSO on {% data variables.product.product_name %}, see "AUTOTITLE."{% ifversion ghec or scim-for-ghes %} To learn how to configure both authentication and {% ifversion ghes %}user {% endif %}provisioning for {% data variables.location.product_location %}, see the articles for individual IdPs in "AUTOTITLE."{% endif %}
{% ifversion scim-for-ghes %}
{% data reusables.scim.after-you-configure-saml %} For more information, see "AUTOTITLE."
{% data reusables.saml.saml-ghes-account-revocation %}
{% endif %}
{% ifversion ghec %}
We test and officially support the following IdPs. For SAML SSO, we offer limited support for all identity providers that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.
| IdP | SAML | Team synchronization |
|---|---|---|
| Active Directory Federation Services (AD FS) | {% octicon "check" aria-label= "Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Entra ID | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| Okta | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| OneLogin | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| PingOne | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
| Shibboleth | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
{% elsif ghes %}
{% data reusables.saml.saml-supported-idps %}
{% ifversion ghes %}
If your IdP supports encrypted assertions, you can configure encrypted assertions on {% data variables.product.product_name %} for increased security during the authentication process.
{% endif %}
{% data reusables.saml.saml-single-logout-not-supported %}
{% endif %}
- "AUTOTITLE"
- SAML Wiki on the OASIS website {%- ifversion scim-for-ghes %}
- System for Cross-domain Identity Management: Protocol (RFC 7644) on the IETF website {%- endif %}