{"id":750,"date":"2025-02-04T02:48:00","date_gmt":"2025-02-04T02:48:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/all-things-azure\/?p=750"},"modified":"2025-02-04T03:12:12","modified_gmt":"2025-02-04T03:12:12","slug":"step-by-step-guide-user-provisioning-with-saml","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/all-things-azure\/step-by-step-guide-user-provisioning-with-saml\/","title":{"rendered":"Step-by-Step Guide: User Provisioning with SAML Authentication in GitHub Enterprise"},"content":{"rendered":"<p><span data-contrast=\"auto\">This guide demonstrates how to seamlessly set up user access in GitHub Enterprise using Security Assertion Markup Language (SAML) authentication. The process connects a user&#8217;s GitHub account with your organization&#8217;s identity provider (such as Microsoft Entra ID or Okta), enabling secure and streamlined access management.<\/span><span data-ccp-props=\"{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/p>\n<p><em><span style=\"font-size: 10pt;\">\u00a0\u00a0<\/span><\/em><a href=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/Allthingsazure-images-1.png\"><img decoding=\"async\" class=\"size-full wp-image-770 alignleft\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/Allthingsazure-images-1.png\" alt=\"Diagram of login process with IDP with SAML SSO\u00a0 \u00a0 \" width=\"720\" height=\"405\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/Allthingsazure-images-1.png 720w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/Allthingsazure-images-1-300x169.png 300w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><\/a><\/p>\n<p><span data-contrast=\"auto\">The diagram above describes the process when a user accesses 
GitHub Enterprise with SAML authentication; the critical piece here is the link with the Single Sign-On (SSO) identity.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This guide assumes the following before starting:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">You have <\/span><a href=\"https:\/\/docs.github.com\/en\/enterprise-cloud@latest\/admin\/managing-your-enterprise-account\/creating-an-enterprise-account\"><span data-contrast=\"none\">created your <\/span><span data-contrast=\"none\">GitHub Enterprise<\/span><\/a><\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:1440,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"2\"><span data-contrast=\"auto\">This GitHub Enterprise is not an <\/span><a href=\"https:\/\/docs.github.com\/en\/enterprise-cloud@latest\/admin\/managing-iam\/understanding-iam-for-enterprises\/about-enterprise-managed-users\"><span data-contrast=\"none\">Enterprise Managed Users<\/span><\/a><span data-contrast=\"auto\"> (EMU) instance<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" 
data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">You have created an Enterprise Application with your Identity Provider (IDP) and configured SAML. This establishes the security connection between GitHub and the IDP of choice.<\/span><span data-ccp-props=\"{}\"> Here&#8217;s an example guide done with Microsoft Entra ID as the IDP: <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/saas-apps\/github-tutorial\">Tutorial: Microsoft Entra SSO integration with a GitHub Enterprise Cloud Organization<\/a><\/span><\/li>\n<\/ul>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">You have assigned users access to the GitHub application in your IDP<\/span><\/li>\n<\/ul>\n<h3>Step by step Guide<\/h3>\n<p>Note: There will be up to 3 <strong>[personas]<\/strong> in this process.<\/p>\n<p><span data-contrast=\"auto\">Step 1 <strong>[as Owner of the GitHub Organization]<\/strong>: Invite the new user\u2019s personal GitHub Account handle to the intended Organization within the GitHub Enterprise. 
<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><figure id=\"attachment_752\" aria-labelledby=\"figcaption_attachment_752\" class=\"wp-caption alignnone\" ><img decoding=\"async\" class=\"wp-image-752 size-large\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/2-1024x559.png\" alt=\"Screenshot of inviting a member to GHE\" width=\"1024\" height=\"559\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/2-1024x559.png 1024w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/2-300x164.png 300w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/2-768x420.png 768w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/2-1536x839.png 1536w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/2.png 1673w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"figcaption_attachment_752\" class=\"wp-caption-text\"><em><span style=\"font-size: 10pt;\">Screenshot of inviting a member to GitHub Enterprise<\/span><\/em><\/figcaption><\/figure><\/p>\n<p><span data-contrast=\"auto\">Step 2 <strong>[as &#8216;Cloud Application Administrator&#8217; of Microsoft Entra ID Enterprise Application for GitHub Enterprise]:<\/strong> Add the account that you want linked to the new user\u2019s GitHub personal account by assigning the \u2018Default Access\u2019 role in the Enterprise Application in Entra ID.\u00a0<\/span><\/p>\n<p><figure id=\"attachment_753\" aria-labelledby=\"figcaption_attachment_753\" class=\"wp-caption alignnone\" ><img decoding=\"async\" class=\"wp-image-753 size-large\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/3-1024x818.png\" alt=\"Screenshot of adding an assignment to existing user on Microsoft Entra ID\" 
width=\"1024\" height=\"818\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/3-1024x818.png 1024w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/3-300x240.png 300w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/3-768x613.png 768w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/3-1536x1227.png 1536w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/3.png 1684w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"figcaption_attachment_753\" class=\"wp-caption-text\"><em><span style=\"font-size: 10pt;\">Screenshot of adding an assignment to existing user on Microsoft Entra ID<\/span><\/em><\/figcaption><\/figure><\/p>\n<p><span data-contrast=\"auto\">Step 3 <strong>[as the new user]<\/strong>: Accept the invitation from the email address that is associated with the personal account.<\/span><span data-contrast=\"auto\">\u00a0\u00a0<\/span><\/p>\n<p><figure id=\"attachment_754\" aria-labelledby=\"figcaption_attachment_754\" class=\"wp-caption alignnone\" ><img decoding=\"async\" class=\"wp-image-754 size-large\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/4-1024x880.png\" alt=\"Screenshot of email invite received by new user being provisioned\" width=\"1024\" height=\"880\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/4-1024x880.png 1024w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/4-300x258.png 300w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/4-768x660.png 768w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/4-1536x1320.png 1536w, 
https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/4.png 1689w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"figcaption_attachment_754\" class=\"wp-caption-text\"><em><span style=\"font-size: 10pt;\">Screenshot of email invite the new provisioned user will receive<\/span><\/em><\/figcaption><\/figure><\/p>\n<p><span data-contrast=\"auto\">Step 4 <strong>[as the new user]<\/strong>: GitHub will prompt the new user to authenticate with the SAML IDP to join the organization. This is where the linking happens. The new user will need to sign in to the IDP used for SAML. Going forward, the new user will log in to GitHub.com with the personal account, then go through SAML SSO login when navigating to the specific organization of the Enterprise.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><figure id=\"attachment_755\" aria-labelledby=\"figcaption_attachment_755\" class=\"wp-caption alignnone\" ><img decoding=\"async\" class=\"wp-image-755\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/5-1024x479.png\" alt=\"Screenshot of accepting the invite via GitHub Enterprise from the email invite received by new user being provisioned\" width=\"716\" height=\"335\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/5-1024x479.png 1024w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/5-300x140.png 300w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/5-768x359.png 768w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/5-1536x718.png 1536w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/5.png 1690w\" sizes=\"(max-width: 716px) 100vw, 716px\" \/><figcaption id=\"figcaption_attachment_755\" class=\"wp-caption-text\"><em><span 
style=\"font-size: 10pt;\">Screenshot of accepting the invite via GitHub Enterprise from the email the new provisioned user will receive<\/span><\/em><\/figcaption><\/figure><\/p>\n<p><figure id=\"attachment_756\" aria-labelledby=\"figcaption_attachment_756\" class=\"wp-caption alignleft\" ><img decoding=\"async\" class=\"wp-image-756 size-medium\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/6-215x300.png\" alt=\"Screenshot of accepting authenticating to Microsoft Entra ID for the first time by new user being provisioned to link the two accounts together\" width=\"215\" height=\"300\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/6-215x300.png 215w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/6.png 690w\" sizes=\"(max-width: 215px) 100vw, 215px\" \/><figcaption id=\"figcaption_attachment_756\" class=\"wp-caption-text\"><em><span style=\"font-size: 10pt;\">Screenshot of accepting authenticating to Microsoft Entra ID for the first time<\/span><\/em><\/figcaption><\/figure><\/p>\n<p><span data-contrast=\"auto\">Step 5 <strong>[as the new user]<\/strong>: The new user can then join the organization after authentication.<\/span><\/p>\n<p><figure id=\"attachment_757\" aria-labelledby=\"figcaption_attachment_757\" class=\"wp-caption alignnone\" ><img decoding=\"async\" class=\"wp-image-757 size-large\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/7-1024x491.png\" alt=\"Screenshot of joining the organization within the GitHub Enterprise by new user being provisioned\" width=\"1024\" height=\"491\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/7-1024x491.png 1024w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/7-300x144.png 300w, 
https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/7-768x368.png 768w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/7-1536x736.png 1536w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/7.png 1676w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"figcaption_attachment_757\" class=\"wp-caption-text\"><em><span style=\"font-size: 10pt;\">Screenshot of joining the organization within the GitHub Enterprise by the new provisioned user<\/span><\/em><\/figcaption><\/figure><\/p>\n<p><figure id=\"attachment_758\" aria-labelledby=\"figcaption_attachment_758\" class=\"wp-caption alignnone\" ><img decoding=\"async\" class=\"wp-image-758 size-large\" src=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/8-1024x814.png\" alt=\"Screenshot of having access to the new organization within the GitHub Enterprise by the new user being provisioned\" width=\"1024\" height=\"814\" srcset=\"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/8-1024x814.png 1024w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/8-300x238.png 300w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/8-768x611.png 768w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/8-1536x1221.png 1536w, https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-content\/uploads\/sites\/83\/2025\/02\/8.png 1707w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"figcaption_attachment_758\" class=\"wp-caption-text\"><em><span style=\"font-size: 10pt;\">Screenshot of having access to the new organization within the GitHub Enterprise by the new provisioned user\u00a0<\/span><\/em><\/figcaption><\/figure><\/p>\n<h3>Conclusion<\/h3>\n<p><span 
data-contrast=\"auto\">Great, the new user is now a member of the Organization that is a part of the non-EMU enterprise! Finally, to access the resources of this organization, the new user will first log in to GitHub.com with a personal account and then complete single sign-on through the configured IDP of the enterprise.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In conclusion, by following these steps, you ensure a secure and efficient user provisioning process with SAML authentication in GitHub Enterprise. Altogether, this setup not only simplifies user access but also enhances security by leveraging your organization&#8217;s identity provider. Implementing SAML SSO allows for seamless integration and better management of user identities across your enterprise.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><em>Content adapted from <a href=\"https:\/\/www.youtube.com\/watch?v=m6CrrijoapA\">SAML SSO Guide Part I: SAML SSO &amp; IP Protection within GitHub Enterprise Cloud &#8211; YouTube<\/a>\u00a0<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This guide demonstrates how to seamlessly set up user access in GitHub Enterprise using Security Assertion Markup Language (SAML) authentication. 
The process connects a user&#8217;s GitHub account with your organization&#8217;s identity provider (such as Microsoft Entra ID or Okta), enabling secure and streamlined access management.\u00a0 \u00a0\u00a0 The diagram above describes the process when a user [&hellip;]<\/p>\n","protected":false},"author":174022,"featured_media":770,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1,20],"tags":[26,18,54],"class_list":["post-750","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-developer-productivity","tag-ghe","tag-saml","tag-user-provisioning"],"acf":[],"blog_post_summary":"<p>This guide demonstrates how to seamlessly set up user access in GitHub Enterprise using Security Assertion Markup Language (SAML) authentication. The process connects a user&#8217;s GitHub account with your organization&#8217;s identity provider (such as Microsoft Entra ID or Okta), enabling secure and streamlined access management.\u00a0 \u00a0\u00a0 The diagram above describes the process when a user 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/posts\/750","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/users\/174022"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/comments?post=750"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/posts\/750\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/media\/770"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/media?parent=750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/categories?post=750"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/all-things-azure\/wp-json\/wp\/v2\/tags?post=750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}