What is IAM for GitHub?
To control access to your enterprise's resources, you can allow people to use a personal account on GitHub.com and optionally configure additional SAML access restriction, or you can provision and control the accounts for your enterprise using your identity provider (IdP) with Enterprise Managed Users.
After you learn more about authentication and provisioning for each of these options, see Enterprise types for GitHub Enterprise Cloud to determine which method is best for your enterprise.
Which authentication methods are available to me?
When you create an enterprise on GitHub, you can decide how people authenticate to access your resources and who controls the user accounts.
- Authentication through GitHub.com
- Authentication through GitHub.com with additional SAML access restriction
- Authentication with Enterprise Managed Users and federation
Authentication through GitHub.com
With authentication solely through GitHub.com, each person you want to grant access to your enterprise must create and manage a personal account on GitHub.com. After you grant access to your enterprise, the member can access your enterprise's resources after signing into the account on GitHub.com. The member manages the account, and can contribute to other enterprises, organizations, and repositories on GitHub.com. For more information about personal accounts, see Creating an account on GitHub.
Authentication through GitHub.com with additional SAML access restriction
If you configure additional SAML access restriction, each person you want to grant access to your enterprise must create and manage a personal account on GitHub.com. After you grant access to your enterprise, the member can access your enterprise's resources only after authenticating successfully for both the account on GitHub.com and for an account on your SAML identity provider (IdP). The member can contribute to other enterprises, organizations, and repositories on GitHub.com using their personal account. For more information about requiring SAML authentication for all access to your enterprise's resources, see About SAML for enterprise IAM.
You can choose between configuring SAML at the enterprise level, which applies the same SAML configuration to all organizations within the enterprise, and configuring SAML separately for individual organizations. For more information, see Deciding whether to configure SAML for an enterprise or organization.
Authentication with Enterprise Managed Users and federation
If you need more control of the accounts for your enterprise members on GitHub, you can use Enterprise Managed Users. With Enterprise Managed Users, you provision and manage accounts for your enterprise members on GitHub using your IdP. Each member signs into an account that you create, and your enterprise manages the account. Contributions outside the enterprise are restricted. For more information, see About Enterprise Managed Users.
How does provisioning work?
If you use authentication through GitHub.com with additional SAML access restriction, people create personal accounts on GitHub.com, and you can grant those personal accounts access to resources in your enterprise. You do not provision accounts.
Alternatively, if you use Enterprise Managed Users, you must configure your IdP to provision user accounts within your enterprise on GitHub.com using System for Cross-domain Identity Management (SCIM). For more information, see Provisioning accounts for Enterprise Managed Users.
Which IdPs are supported?
If you choose to create an enterprise that uses personal accounts on GitHub.com, you can configure additional authentication with an external identity management system that adheres to the SAML 2.0 standard. GitHub officially supports and tests some identity management systems. For more information, see Configuring SAML single sign-on for your enterprise.
GitHub partners with some developers of identity management systems to provide a "paved-path" integration with Enterprise Managed Users. To simplify your configuration and ensure full support, use a single partner IdP for both authentication and provisioning. If you use a partner identity provider (IdP), you can configure one application on your IdP to provide both authentication and provisioning. The IdP must support the SAML 2.0 standard. Alternatively, if you use Entra ID (previously known as Azure AD), you can configure OpenID Connect (OIDC) authentication. If you don't use a partner IdP, or if you only use a partner IdP for authentication, you can integrate IdPs that implement the SAML 2.0 and System for Cross-domain Identity Management (SCIM) 2.0 standards. For more information, see About Enterprise Managed Users.