Configuring OIDC for Enterprise Managed Users

Learn how to automatically manage access to your enterprise account on GitHub by configuring OpenID Connect (OIDC) single sign-on (SSO) and enabling support for your IdP's Conditional Access Policy (CAP).

Who can use this feature?

Enterprise Managed Users is available for new enterprise accounts on GitHub Enterprise Cloud. See "About Enterprise Managed Users."

Note

OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for Enterprise Managed Users is only available for Microsoft Entra ID (previously known as Azure AD).

About OIDC for Enterprise Managed Users

With Enterprise Managed Users, your enterprise uses your identity provider (IdP) to authenticate all members. You can use OpenID Connect (OIDC) to manage authentication for your enterprise with managed users. Enabling OIDC SSO is a one-click setup process with certificates managed by GitHub and your IdP.

When your enterprise uses OIDC SSO, GitHub will automatically use your IdP's conditional access policy (CAP) IP conditions to validate interactions with GitHub when members use the web UI or change IP addresses, and for each authentication with a personal access token or SSH key associated with a user account. See "About support for your IdP's Conditional Access Policy."

Note

CAP protection for web sessions is currently in public preview and may change.

New enterprises that enable IdP CAP support after November 5th, 2024, will have protection for web sessions enabled by default.

Existing enterprises that already enabled IdP CAP support can opt into extended protection for web sessions from their enterprise's "Authentication security" settings.

You can adjust the lifetime of a session, and how often a managed user account needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for GitHub from your IdP. The default lifetime is one hour. See "Configure token lifetime policies" in the Microsoft documentation.

To change the lifetime policy property, you will need the object ID associated with your Enterprise Managed Users OIDC. See "Finding the object ID for your Entra OIDC application."
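The lifetime change described above can be made from the Microsoft Graph PowerShell SDK. The script below is an added example, not part of the GitHub documentation or GitHub's own tooling; it assumes the SDK is installed, that `$ServicePrincipalObjectId` holds the Object ID of the "GitHub Enterprise Managed User (OIDC)" enterprise application in your tenant, and that the Graph `servicePrincipals/{id}/tokenLifetimePolicies/$ref` endpoint is the right place to attach the policy for an application whose registration lives outside your tenant (verify against the Microsoft documentation linked above). The `AccessTokenLifetime` property is the one that governs ID token lifetime as well.

```powershell
# Added example (not from the GitHub docs): set a tenant-scoped token lifetime
# policy for the GitHub EMU (OIDC) application so that managed users must
# reauthenticate with Entra ID more often than the default one hour.
# Assumptions: Microsoft Graph PowerShell SDK installed; $ServicePrincipalObjectId
# is the Object ID shown under Enterprise applications for the GitHub EMU (OIDC) app.

param(
    # Placeholder GUID; replace with the Object ID found per "Finding the object ID for your Entra OIDC application".
    [Parameter(Mandatory)][string]$ServicePrincipalObjectId,
    # Format hh:mm:ss. Entra's default is 1:00:00; Microsoft documents a range of 10 minutes to 1 day.
    [string]$Lifetime = "0:30:00"
)

# Permissions needed to create a policy and attach it to an application.
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Application.ReadWrite.All"

# 1. Build the policy definition. AccessTokenLifetime also applies to ID tokens.
$definition = @{
    TokenLifetimePolicy = @{
        Version             = 1
        AccessTokenLifetime = $Lifetime
    }
} | ConvertTo-Json -Compress -Depth 3

# 2. Create the policy. IsOrganizationDefault = $false keeps it scoped to the
#    GitHub app instead of changing token lifetimes for every app in the tenant.
$policy = New-MgPolicyTokenLifetimePolicy -BodyParameter @{
    DisplayName           = "GitHub-EMU-OIDC-session-lifetime"
    Definition            = @($definition)
    IsOrganizationDefault = $false
}

# 3. Attach the policy to the GitHub EMU (OIDC) service principal.
#    The backtick keeps PowerShell from treating "$ref" as a variable in the URI.
$refBody = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)" }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalObjectId/tokenLifetimePolicies/`$ref" `
    -Body $refBody

# 4. Verify which policies are now attached so the change can be audited.
$attached = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalObjectId/tokenLifetimePolicies"
$attached.value | ForEach-Object { "{0}: {1}" -f $_.displayName, ($_.definition -join '') }
```

Keep the policy scoped to the GitHub application rather than making it the organization default: a tenant-wide change affects every application's tokens, while the goal here is only to shorten how long a GitHub session can run before the user is sent back to Entra ID.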

Note

If you need assistance configuring the OIDC session lifetime, contact Microsoft Support.

If you currently use SAML SSO for authentication and would prefer to use OIDC and benefit from CAP support, you can follow a migration path. For more information, see "Migrating from SAML to OIDC."

Warning

If you use GitHub Enterprise Importer to migrate an organization from your GitHub Enterprise Server instance, make sure to use a service account that is exempt from Entra ID's CAP; otherwise, your migration may be blocked.

Identity provider support

Support for OIDC is available for customers using Entra ID.

Each Entra ID tenant can support only one OIDC integration with Enterprise Managed Users. If you want to connect Entra ID to more than one enterprise on GitHub, use SAML instead. See "Configuring SAML single sign-on for Enterprise Managed Users."

OIDC does not support IdP-initiated authentication.

Configuring OIDC for Enterprise Managed Users

  1. Sign in to GitHub as the setup user for your new enterprise with the username @SHORT-CODE_admin.

  2. In the top-right corner of GitHub, click your profile photo, then click Your enterprise.

  3. On the left side of the page, in the enterprise account sidebar, click Identity provider.

  4. Under Identity Provider, click Single sign-on configuration.

  5. Under "OIDC single sign-on", select Enable OIDC configuration.

  6. To continue setup and be redirected to Entra ID, click Save.

  7. After GitHub Enterprise Cloud redirects you to your IdP, sign in, then follow the instructions to give consent and install the GitHub Enterprise Managed User (OIDC) application. After Entra ID asks for permissions for GitHub Enterprise Managed Users with OIDC, enable Consent on behalf of your organization, then click Accept.

    Warning

    You must sign in to Entra ID as a user with global admin rights in order to consent to the installation of the GitHub Enterprise Managed User (OIDC) application.

  8. To ensure you can still access your enterprise on GitHub if your IdP is unavailable in the future, click Download, Print, or Copy to save your recovery codes. For more information, see "Downloading your enterprise account's single sign-on recovery codes."

  9. Click Enable OIDC Authentication.

Enabling provisioning

After you enable OIDC SSO, enable provisioning. See "Configuring SCIM provisioning for Enterprise Managed Users."

Enabling guest collaborators

You can use the role of guest collaborator to grant limited access to vendors and contractors in your enterprise. Unlike enterprise members, guest collaborators only have access to internal repositories within organizations where they are a member.

To use guest collaborators with OIDC authentication, you may need to update your settings in Entra ID. See "Enabling guest collaborators."