What is IAM for GitHub?
To control access to your enterprise's resources, you can either allow people to use personal accounts on GitHub.com, optionally adding SAML access restriction, or you can use Enterprise Managed Users to provision and control your enterprise's accounts through an identity provider (IdP).
After learning more about authentication and provisioning for each of these options, see Enterprise types for GitHub Enterprise Cloud to determine which method is best for your enterprise.
Which authentication methods are available to me?
When you create an enterprise on GitHub, you can decide how people authenticate to access your resources and who controls the user accounts.
- Authentication through GitHub.com
- Authentication through GitHub.com with additional SAML access restriction
- Authentication with Enterprise Managed Users and federation
Authentication through GitHub.com
With authentication solely through GitHub.com, each person you want to grant access to your enterprise must create and manage a personal account on GitHub.com. After you grant access to your enterprise, the member can access your enterprise's resources after signing in to the account on GitHub.com. The member manages the account, and can contribute to other enterprises, organizations, and repositories on GitHub.com. For more information about personal accounts, see Creating an account on GitHub.
Authentication through GitHub.com with additional SAML access restriction
If you configure additional SAML access restriction, each person you want to grant access to your enterprise must create and manage a personal account on GitHub.com. After you grant access to your enterprise, the member can access your enterprise's resources only after authenticating successfully both to the account on GitHub.com and to an account on your SAML identity provider (IdP). The member can still contribute to other enterprises, organizations, and repositories on GitHub.com using their personal account. For more information about requiring SAML authentication for all access to your enterprise's resources, see About SAML for enterprise IAM.
You can choose between configuring SAML at the enterprise level, which applies the same SAML configuration to all organizations within the enterprise, and configuring SAML separately for individual organizations. For more information, see Deciding whether to configure SAML for your enterprise or your organizations.
Authentication with Enterprise Managed Users and federation
If you need more control of the accounts for your enterprise members on GitHub, you can use Enterprise Managed Users. With Enterprise Managed Users, you provision and manage accounts for your enterprise members on GitHub using your IdP. Each member signs into an account that you create, and your enterprise manages the account. Contributions outside the enterprise are restricted. For more information, see About Enterprise Managed Users.
How does provisioning work?
If you use authentication through GitHub.com with additional SAML access restriction, people create personal accounts on GitHub.com, and you can grant those personal accounts access to resources in your enterprise. You do not provision accounts.
Alternatively, if you use Enterprise Managed Users, you must configure your IdP to provision user accounts within your enterprise on GitHub.com using System for Cross-domain Identity Management (SCIM). For more information, see Identity and access management fundamentals.
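The SCIM provisioning flow described above, shown as an added example that is not part of this page or of GitHub's own code: a small reconciler that compares the IdP's directory with the accounts already provisioned and emits the SCIM 2.0 requests an IdP would send. Users that disappear from the IdP are deactivated (`active: false`) rather than deleted, which is the deprovisioning behaviour you want for audit history. The base path `/scim/v2/enterprises/octo-corp`, the enterprise name, the user records and the SCIM ids are all constructed for the example; consult the GitHub REST documentation for the real endpoint.

```python
"""SCIM 2.0 provisioning reconciler (constructed example, not GitHub's code)."""
from typing import Dict, List, Tuple

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Assumed base path for the example; the real enterprise SCIM endpoint is documented by GitHub.
SCIM_BASE = "/scim/v2/enterprises/octo-corp"

# Attributes the IdP owns and may change on an existing provisioned account.
MUTABLE = ("userName", "displayName", "emails", "active")


def scim_user(external_id: str, user_name: str, display_name: str,
              emails: List[str], active: bool = True) -> dict:
    """Build a SCIM 2.0 core User resource the way an IdP would send it."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": external_id,          # stable key from the IdP directory
        "userName": user_name,
        "displayName": display_name,
        "emails": [{"value": e, "primary": i == 0, "type": "work"}
                   for i, e in enumerate(emails)],
        "active": active,
    }


def patch_body(changes: dict) -> dict:
    """Wrap attribute changes in a SCIM PatchOp message."""
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": k, "value": v}
                       for k, v in changes.items()],
    }


def plan_provisioning(idp_users: List[dict],
                      provisioned: Dict[str, dict]) -> List[Tuple[str, str, dict]]:
    """Reconcile the IdP directory against already-provisioned accounts.

    `provisioned` maps externalId -> {"id": <scim id>, "resource": <User>}.
    Returns (method, path, body) requests: POST for new users, PATCH for
    changed attributes, and PATCH active=false for users no longer in the IdP.
    """
    requests: List[Tuple[str, str, dict]] = []
    seen = set()
    for user in idp_users:
        ext = user["externalId"]
        seen.add(ext)
        existing = provisioned.get(ext)
        if existing is None:
            requests.append(("POST", f"{SCIM_BASE}/Users", user))
            continue
        changed = {k: user[k] for k in MUTABLE
                   if user[k] != existing["resource"].get(k)}
        if changed:
            requests.append(("PATCH", f"{SCIM_BASE}/Users/{existing['id']}",
                             patch_body(changed)))
    # Deprovision: anyone provisioned but absent from the IdP loses access.
    for ext, existing in provisioned.items():
        if ext not in seen and existing["resource"].get("active", True):
            requests.append(("PATCH", f"{SCIM_BASE}/Users/{existing['id']}",
                             patch_body({"active": False})))
    return requests


def demo() -> List[Tuple[str, str, dict]]:
    """Constructed directory state: alice is new, bob was renamed, carol left."""
    idp = [
        scim_user("e1", "alice_octocorp", "Alice", ["alice@octo-corp.example"]),
        scim_user("e2", "bob_octocorp", "Bob B.", ["bob@octo-corp.example"]),
    ]
    provisioned = {
        "e2": {"id": "scim-42",
               "resource": scim_user("e2", "bob_octocorp", "Bob", ["bob@octo-corp.example"])},
        "e3": {"id": "scim-43",
               "resource": scim_user("e3", "carol_octocorp", "Carol", ["carol@octo-corp.example"])},
    }
    return plan_provisioning(idp, provisioned)


if __name__ == "__main__":
    for method, path, body in demo():
        print(method, path, body)
```

Running `demo()` yields three requests: a POST creating alice, a PATCH replacing bob's `displayName`, and a PATCH setting carol's `active` to false. The point to check in your own IdP configuration is the last one: removal from the IdP group must translate into deactivation on GitHub, otherwise a departed user keeps a working managed account.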
Which IdPs are supported?
If you choose to build your enterprise on personal accounts on GitHub.com, you can configure additional authentication with any external identity management system that implements the SAML 2.0 standard. In addition, GitHub officially supports, and has tested, a number of identity management systems. For more information, see "Configuring SAML single sign-on for your enterprise."
GitHub partners with some developers of identity management systems to provide a "paved-path" integration with Enterprise Managed Users. To simplify configuration and ensure full support, use a single partner IdP for both authentication and provisioning. If you use a partner identity provider (IdP), you can configure one application on the IdP that provides both authentication and provisioning. The IdP must support the SAML 2.0 standard. Alternatively, if you use Entra ID (formerly Azure AD), you can configure OpenID Connect (OIDC) authentication. If you do not use a partner IdP, or if you use a partner IdP only for authentication, you can integrate any IdP that implements the SAML 2.0 and System for Cross-domain Identity Management (SCIM) 2.0 standards. For more information, see "About Enterprise Managed Users."