GitHub Identity and Access Management (IAM) Options Overview

Single Sign-On (SSO) gives organization owners and enterprise owners using GitHub Enterprise Cloud a way to control and secure access to organization resources like repositories, issues, and pull requests.

GitHub supports two different user management models, and the choice of model determines how SSO is implemented.

  1. "Bring Your Own Account" User Model (BYOA)
  2. Enterprise Managed User Model (EMU) (Docs)

Both models are fully supported features of GitHub Enterprise Cloud with no difference in cost.

GitHub Docs: Decide whether Enterprise Managed Users is right for your enterprise

Brief Summary of Differences between BYOA and EMU

In the "Bring Your Own Account" user model: SAML/SCIM does not create or delete GitHub accounts. Instead, users must link their existing GitHub account (or create a new one) to a SAML identity before they can access the organization's resources.

In the "Enterprise Managed User" model: All users for a company organization are created and maintained by the identity provider. These users follow a standardized naming syntax such as "jane_doe_companyName". Unlike accounts in the BYOA model, these users exist only within the EMU-enabled GitHub Enterprise and cannot be used on public GitHub.com or in any other organization. The main limitation of the EMU model is that an EMU GitHub Enterprise does not support the creation of public repos (full limitation list).
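Because the BYOA model never creates or deletes GitHub accounts, an org can accumulate members with no linked IdP identity. The following reconciliation check is an added example, not part of the original page or GitHub's own tooling; it runs on constructed sample data whose shape is modelled on GitHub's REST member list and GraphQL externalIdentities response (the field layout is an assumption to verify against the current API docs).

```python
"""Reconcile BYOA org membership against SAML linked identities.

In the BYOA model SAML/SCIM never creates or deletes GitHub accounts, so
an org member can exist with no linked IdP identity (e.g. invited before
SSO was enforced, or linkage later removed). This check lists such
members, and IdP identities nobody has claimed, for admin review.
"""
import json

# Constructed sample: shape modelled on GET /orgs/{org}/members (REST).
MEMBERS_JSON = json.dumps([
    {"login": "jdoe", "id": 1001},
    {"login": "contractor-bob", "id": 1002},
    {"login": "alice-dev", "id": 1003},
])

# Constructed sample: shape modelled on the GraphQL
# organization.samlIdentityProvider.externalIdentities nodes
# (the "user" field is null when no GitHub account is linked).
IDENTITIES_JSON = json.dumps([
    {"user": {"login": "jdoe"}, "samlIdentity": {"nameId": "jdoe@example.com"}},
    {"user": {"login": "alice-dev"}, "samlIdentity": {"nameId": "alice@example.com"}},
    # Identity provisioned by the IdP but never linked to a GitHub account.
    {"user": None, "samlIdentity": {"nameId": "newhire@example.com"}},
])


def linked_logins(identities_json: str) -> set:
    """Logins of GitHub accounts that have a SAML identity linked."""
    nodes = json.loads(identities_json)
    return {n["user"]["login"] for n in nodes if n.get("user")}


def unlinked_members(members_json: str, identities_json: str) -> list:
    """Org members with no linked SAML identity, sorted for stable output."""
    members = {m["login"] for m in json.loads(members_json)}
    return sorted(members - linked_logins(identities_json))


def pending_identities(identities_json: str) -> list:
    """IdP identities (nameId) that no GitHub account has claimed yet."""
    nodes = json.loads(identities_json)
    return sorted(n["samlIdentity"]["nameId"] for n in nodes if not n.get("user"))


if __name__ == "__main__":
    print("members without SAML linkage:", unlinked_members(MEMBERS_JSON, IDENTITIES_JSON))
    print("unclaimed IdP identities:", pending_identities(IDENTITIES_JSON))
```

With SCIM deprovisioning enabled on a BYOA org, a member removed at the IdP loses org membership, but the GitHub account itself survives; members the check flags should be reviewed rather than removed automatically.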

IdP Support Feature Matrix

User Model: Bring Your Own Account
  SAML Support: Any SAML 2.0 provider (Officially Supported List)
  OIDC Support: Not supported
  SCIM Support: Entra ID (Azure AD), Okta, OneLogin (implemented per GitHub Org, not Enterprise)
  Team Sync Support: Entra ID (Azure AD) (implemented at GitHub Enterprise or Org), Okta (implemented at GitHub Org; SCIM is a prerequisite)

User Model: Enterprise Managed Users
  SAML Support: Entra ID (Azure AD), Okta, Ping Federate, Other
  OIDC Support: Entra ID (Azure AD)
  SCIM Support: Entra ID (Azure AD), Okta, Ping Federate, SCIM API for Other (REQUIRED: implemented per GitHub Enterprise, not Org)
  Team Sync Support: Entra ID (Azure AD), Okta, Ping Federate

IAM/SSO Feature Glossary

SAML: Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. In this case GitHub is the service provider and users must authenticate through an identity provider (ex. Entra ID, Okta) in order to access company GitHub resources.

OIDC: When OpenID Connect is used as the SSO option instead of SAML, GitHub automatically applies the IP conditions of your IdP's conditional access policy (CAP) to validate user interactions with GitHub: when members change IP addresses, and each time a personal access token or SSH key is used. OIDC is supported only in the EMU model, and only with Entra ID as the IdP (Docs).

SCIM: System for Cross-domain Identity Management is an open standard that lets administrators automate the exchange of user identity information between systems. It allows users to be provisioned and deprovisioned in GitHub automatically, with the identity provider as the source of truth.

Team Synchronization: You can enable team synchronization between an identity provider (IdP) and GitHub Enterprise Cloud to allow organizations owned by your enterprise account to manage GitHub Team membership through IdP groups.

Migration Between Models

Either BYOA or EMU must be chosen when the Enterprise is created; there is no hybrid option. Switching between the two requires a full migration into a newly provisioned enterprise. This migration can be performed self-service or with professional services, using the GitHub Enterprise Importer.

Resource Guides