GitHub Enterprise Cloud - Azure Single Sign-On (SSO) Integration Guide

After successfully enabling and configuring SSO and SCIM, existing members of the organization will be prompted to authenticate through SSO upon accessing the organization. It's imperative that all members comply with this requirement to link their GitHub account to their IDP account, ensuring that access is not lost when SSO is fully enforced. For further details refer to [Enabling and testing SAML single sign-on for your organization - GitHub Enterprise Cloud Docs](https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization)

Hands-on Keyboard or dedication session assistance is only offered to customers under our Premium Support Plan or customers who have opted for a white-glove Professional Service engagement . If you are interested in learning more about our Premium Support Plan or Professional Services please reach out to your GitHub Account Manager for pricing details. For Enterprise Customers without a Premium Support Plan or Professional Services engagement, please reach out to our GitHub Enterprise Support Team for assistance using the following [LINK](https://support.github.com/).

For details please refer to [Adding organizations to your enterprise](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise)

Enforcing SAML means that all members of the organization will need to authenticate against your IDP to access the organization and its resources, Excluding outside collaborators , [Adding outside collaborators to repositories in your organization - GitHub Enterprise Cloud Docs](https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-user-access-to-your-organizations-repositories/adding-outside-collaborators-to-repositories-in-your-organization) . It's crucial to note that enforcing SAML will have an impact on all SSH keys, PATs, and OAuth applications that were created, integrated, or configured before SSO was enabled. As well its important to highlight: - Users who did not link their GitHub account with your IDP will be automatically removed from the organization, hence will lose access to all resources and would need to be provisioned again. - Any CI/CD task that depends on a Personal Access Token that has not been authenticated against SSO will fail due to authentication failure. Hence causing your automation/pipeline to break. [Authorizing a personal access token for use with SAML single sign-on - GitHub Enterprise Cloud Docs](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on) - Developers who use SSH keys to access resources via the GitHub CLI will not be able to access resources until their SSH keys are authenticated. [Authorizing an SSH key for use with SAML single sign-on - GitHub Enterprise Cloud Docs](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-an-ssh-key-for-use-with-saml-single-sign-on) - 0Auth applications/Integration will break until they are reauthorized against SSO. [Authorizing OAuth Apps - GitHub Enterprise Cloud Docs](https://docs.github.com/en/enterprise-cloud@latest/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps) - Bots and service accounts that do not have external identities set up in your organization's IdP will also be removed when you enforce SAML SSO. For more details please refer to [Managing bots and service accounts with SAML single sign-on - GitHub Enterprise Cloud Docs](https://docs.github.com/en/enterprise-cloud@latest/organizations/granting-access-to-your-organization-with-saml-single-sign-on/managing-bots-and-service-accounts-with-saml-single-sign-on) For more details please review our official documentation on [Enforcing SAML single sign-on for your organization](https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/enforcing-saml-single-sign-on-for-your-organization) Note: The above impact will be the same when configuring SSO at the Enterprise Level

Once your users have been informed and they have proceeded on linking their GitHub account with your IDP. You can download a report to validate which users have completed this step and which ones have not. It's important that you do this before enforcing SSO, as users who have not linked their account once SSO is enforced their user account will be removed from the organization: - A. Access your GitHub Organization, please ensure you are the owner or admin otherwise you will not be able to see this report. - B. Within the organization access the “People” tab - C. Within the People tab click on Export and choose CSV. - D. A CSV report will be generated and downloaded. After it has downloaded, open the report. - E. In the report there are only 2 columns you should focus on, “Login” and “Saml_name_id”. The login column will display the users GitHub handle/username and the Saml_name_id will display their @companydomain.com email only if they have linked their GitHub account with your IDP. if they have not the Saml_name_id will not display For further information feel free to review our documentation on [Preparing to enforce SAML single sign-on in your organization - GitHub Enterprise Cloud Docs](https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/preparing-to-enforce-saml-single-sign-on-in-your-organization)

Team Sync is a feature that allows you to sync your IDP group to a GitHub team. Think about it as a 1-1 mapping 1 IDP group per GitHub Team. For more information on its capabilities feel free to review our documentation on [Synchronizing a team with an identity provider group - GitHub Enterprise Cloud Docs](https://docs.github.com/en/enterprise-cloud@latest/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group) As per its limitation it important to highlight the following: - Nested groups are not supported by Team Sync. Parent teams cannot synchronize with IdP groups. If the team you want to connect to an IdP group is a parent team, we recommend creating a new team or removing the nested relationships that make your team a parent team IDP groups with more than 5,000 members are not supported. - Maximum number of members in a GitHub organization: 10,000 - Maximum number of teams in a GitHub organization: 1,500 - Once a GitHub team is connected to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on GitHub Enterprise Cloud or using the API. - By default, team synchronization does not invite non-members to join organizations, which means that a user will only be successfully added to a team if they are already an organization member. - The person has already logged in with their personal account on GitHub Enterprise Cloud and authenticated to the organization via SAML single sign-on at least once to link their account. - Only IDP members with linked accounts are able to be provisioned

User/Group provisioning is done on a fixed Hard-Coded interval of 40 Minutes. If you need to provision a user/group immediately you can do so by clicking on Provision on demand within the provisioning Overview panel in Azure AD.

``` AADSTS650056: Misconfigured application. This could be due to one of the § following: the client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, the admin has not consented in the tenant. Or, check the application identifier in the request to ensure it matches the configured client application identifier. Or, check the certificate in the request to ensure it's valid. Please contact your admin to fix the ``` If you are receiving the error message above, it means that either:

• You may encounter an error if you don't have Global Admin rights to the Azure tenant where you are integrating. Please review the requirements at the start of the guide to resolve this issue.


• Double-check your configuration on step 2.4 to ensure that you have inputted the correct values:
• Identifier (Entity ID) = https://github.com/enterprises/Your_Enterprise_Name
• Reply URL = https://github.com/enterprises/Your_Enterprise_Name/saml/consume
• Sign on URL = https://github.com/enterprises/Your_Enterprise_Name/sso


• At a GitHub level, you are not using the correct URLs under Single Sign-On. Please revisit in the guide Step 5.2 to ensure you are mapping the values correctly.
• Sign on URL = Login URL (on Azure)
• Issuer = Azure AD Identifier (on Azure)
• Public Certificate = Base64 Certificate (on Azure)

Please reach out to our support team at [GitHub Enterprise Support](https://support.github.com/) and provide them with: - Screenshot of the issue or error message. - Screenshot of your Azure AD SAML configuration. - Screenshot of your GitHub SSO configuration. - Screenshot of the application you selected during our setting. - Let them know if you are integrating SSO at the organizational level or the Enterprise level.