about-enterprise-managed-users.md

File metadata and controls

95 lines (68 loc) · 7.86 KB
---
title: About {% data variables.product.prodname_emus %}
shortTitle: About managed users
intro: 'Learn how your enterprise can manage the lifecycle and authentication of users on {% data variables.product.prodname_dotcom %} from your identity provider (IdP).'
redirect_from:
  - /early-access/github/articles/get-started-with-managed-users-for-your-enterprise
  - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users
  - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/about-enterprise-managed-users
  - /admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/about-enterprise-managed-users
  - /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/about-enterprise-managed-users
  - /admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users
  - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider
  - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider
  - /admin/identity-and-access-management/managing-iam-with-enterprise-managed-users
  - /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam
  - /admin/identity-and-access-management/using-enterprise-managed-users-for-iam
  - /admin/identity-and-access-management/managing-iam-for-your-enterprise/about-enterprise-managed-users
  - /admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users
versions:
  ghec: '*'
type: overview
topics:
  - Accounts
  - Authentication
  - Enterprise
  - SSO
allowTitleToDifferFromFilename: true
---

With {% data variables.product.prodname_emus %}, you manage the lifecycle and authentication of your users on {% data variables.product.prodname_dotcom %} from an external identity management system, or IdP:

  • Your IdP provisions new user accounts on {% data variables.product.prodname_dotcom %}, with access to your enterprise.
  • Users must authenticate on your IdP to access your enterprise's resources on {% data variables.product.prodname_dotcom %}.
  • You control usernames, profile data, organization membership, and repository access from your IdP.
  • If your enterprise uses OIDC SSO, {% data variables.product.prodname_dotcom %} will validate access to your enterprise and its resources using your IdP's Conditional Access Policy (CAP). See "AUTOTITLE."
  • {% data variables.enterprise.prodname_managed_users_caps %} cannot create public content or collaborate outside your enterprise. See "AUTOTITLE."

> [!NOTE]
> {% data variables.product.prodname_emus %} is not the best solution for every customer. To determine whether it's right for your enterprise, see "AUTOTITLE."

## Identity management systems

{% data reusables.enterprise_user_management.emu-paved-path-iam-integrations %}

### Partner identity providers

Partner IdPs provide authentication using SAML or OIDC, and provide provisioning with System for Cross-domain Identity Management (SCIM).

{% rowheaders %}

| Partner IdP | SAML | OIDC | SCIM |
| --- | --- | --- | --- |
| Entra ID | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} |
| Okta | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} |
| PingFederate | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} |

{% endrowheaders %}

When you use a single partner IdP for both authentication and provisioning, {% data variables.product.company_short %} provides support for the application on the partner IdP and the IdP's integration with {% data variables.product.prodname_dotcom %}.

### Other identity management systems

If you cannot use a single partner IdP for both authentication and provisioning, you can use another identity management system or combination of systems. The system must:

  • Adhere to {% data variables.product.company_short %}'s integration guidelines
  • Provide authentication using SAML, adhering to SAML 2.0 specification
  • Provide user lifecycle management using SCIM, adhering to the SCIM 2.0 specification and communicating with {% data variables.product.company_short %}'s REST API (see "AUTOTITLE")

> [!NOTE]
> {% data reusables.scim.ghec-open-scim-release-phase %}

{% data variables.product.company_short %} does not expressly support mixing and matching partner IdPs for authentication and provisioning and does not test all identity management systems. {% data variables.product.company_short %}'s support team may not be able to assist you with issues related to mixed or untested systems. If you need help, you must consult the system's documentation, support team, or other resources.

## Usernames and profile information

{% data variables.product.prodname_dotcom %} automatically creates a username for each developer by normalizing an identifier provided by your IdP. If the unique parts of the identifier are removed during normalization, a conflict may occur. See "AUTOTITLE."
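The conflict described above is easiest to see with a small model of the normalization step. The following is an added example, not code from this article or from {% data variables.product.prodname_dotcom %}'s implementation: it assumes a simplified rule set (keep the local part of an email-style identifier, replace every run of non-alphanumeric characters with a single dash, strip leading and trailing dashes, then append `_` and the enterprise shortcode and cap the total at 39 characters) and uses constructed identifiers and a placeholder shortcode `fabrikam`. Its `find_conflicts` helper is the check an IdP administrator would want before bulk-provisioning: which distinct IdP identifiers collapse to the same username.

```python
import re
from collections import defaultdict

# Assumption: overall username length cap used by this model.
GITHUB_USERNAME_MAX_LEN = 39

# Constructed sample identifiers, as an IdP might supply them. Two pairs
# differ only in characters that normalization removes.
SAMPLE_IDP_IDENTIFIERS = [
    "mona.the.octocat@example.com",
    "mona-the-octocat@example.com",
    "hubot@example.com",
    "!hubot!@example.com",
    "octocat@example.com",
]


def normalize_identifier(identifier: str) -> str:
    """Reduce an IdP identifier to a username stem (simplified model, assumed)."""
    stem = identifier.split("@", 1)[0]          # local part of an email-style id
    stem = re.sub(r"[^A-Za-z0-9]+", "-", stem)  # any run of other chars -> one dash
    return stem.strip("-")                       # no leading/trailing dashes


def managed_username(identifier: str, shortcode: str) -> str:
    """Build <normalized stem>_<shortcode>, truncating the stem, never the shortcode."""
    suffix = "_" + shortcode
    room = GITHUB_USERNAME_MAX_LEN - len(suffix)
    stem = normalize_identifier(identifier)[:room].rstrip("-")
    return stem + suffix


def find_conflicts(identifiers, shortcode: str):
    """Return {username: [identifiers]} for every username claimed by more
    than one IdP identifier. Usernames are compared case-insensitively."""
    by_username = defaultdict(list)
    for ident in identifiers:
        by_username[managed_username(ident, shortcode).casefold()].append(ident)
    return {name: ids for name, ids in by_username.items() if len(ids) > 1}


if __name__ == "__main__":
    for name, ids in find_conflicts(SAMPLE_IDP_IDENTIFIERS, "fabrikam").items():
        print(f"{name!r} would be claimed by: {ids}")
```

Run against the sample list, the two `mona` identifiers and the two `hubot` identifiers each collapse to one username; only `octocat_fabrikam` is unambiguous. The real normalization rules are documented in the article linked above, so treat this model as a way to reason about the failure mode rather than as the exact algorithm.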

The profile name and email address of a {% data variables.enterprise.prodname_managed_user %} are provided by the IdP:

  • {% data variables.enterprise.prodname_managed_users_caps %} cannot change their profile name or email address on {% data variables.product.prodname_dotcom %}.
  • The IdP can only provide one email address.
  • Changing a user's email address in your IdP will delink the user from the contribution history associated with the old email address.

## Managing roles and access

In your IdP, you can give each {% data variables.enterprise.prodname_managed_user %} a role in your enterprise, such as member, owner, or guest collaborator. See "AUTOTITLE."

Organization memberships (and repository access) can be managed manually, or you can update memberships automatically using IdP groups. See "AUTOTITLE."
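For an identity management system that is not a partner IdP, the lifecycle requirement above means emitting SCIM 2.0 requests against {% data variables.product.company_short %}'s REST API, and the role described in this section travels in the same SCIM payload. The following added example (not code from this article or from any IdP vendor) shows the shape of that exchange offline: it builds a create request and a deactivate (PATCH `active: false`) request, and validates a user payload against the constraints this article states, including the single-email rule from the previous section. The `/scim/v2/enterprises/{enterprise}/Users` path, the role values `User`, `Enterprise Owner`, `Billing Manager` and `Guest Collaborator`, and the enterprise slug `octo-enterprise` are assumptions for illustration; nothing here sends a request.

```python
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Assumption: role values accepted in the SCIM "roles" attribute for managed users.
VALID_ROLES = {"User", "Enterprise Owner", "Billing Manager", "Guest Collaborator"}


def scim_users_path(enterprise: str) -> str:
    """Assumed SCIM base path for an enterprise's managed users."""
    return f"/scim/v2/enterprises/{enterprise}/Users"


def build_create_user(enterprise, user_name, given_name, family_name, email,
                      role="User", external_id=None):
    """Return (method, path, body) for provisioning one managed user.

    userName is the identifier that gets normalized into the GitHub username;
    exactly one email is supplied because the IdP can only provide one."""
    body = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True, "type": "work"}],
        "roles": [{"value": role, "primary": True}],
        "active": True,
    }
    if external_id is not None:
        body["externalId"] = external_id
    return "POST", scim_users_path(enterprise), body


def build_deactivate_user(enterprise, scim_user_id):
    """Return (method, path, body) for the SCIM 2.0 PatchOp that suspends a user.

    Deactivating via SCIM keeps the account and its history intact, which is
    the normal offboarding step before any later deletion."""
    body = {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    return "PATCH", f"{scim_users_path(enterprise)}/{scim_user_id}", body


def validate_user_payload(body):
    """Return a list of problems; an empty list means the payload meets the
    constraints this article describes (schema, userName, one email, known role)."""
    problems = []
    if SCIM_USER_SCHEMA not in body.get("schemas", []):
        problems.append("schemas must include the SCIM 2.0 core User schema")
    if not body.get("userName"):
        problems.append("userName is required")
    emails = body.get("emails", [])
    if len(emails) != 1:
        problems.append(f"exactly one email is expected, got {len(emails)}")
    unknown = [r.get("value") for r in body.get("roles", []) if r.get("value") not in VALID_ROLES]
    if unknown:
        problems.append(f"unrecognized role value(s): {unknown}")
    return problems


if __name__ == "__main__":
    method, path, body = build_create_user(
        "octo-enterprise", "mona@example.com", "Mona", "Octocat",
        "mona@example.com", role="Guest Collaborator", external_id="idp-0001")
    print(method, path)
    print(json.dumps(body, indent=2))
    print("problems:", validate_user_payload(body))
```

The validator is the part worth keeping: a provisioning pipeline that rejects a second email address or an unknown role before the request leaves the IdP avoids the silent mismatch between IdP state and {% data variables.product.prodname_dotcom %} state that is otherwise only noticed when a user cannot sign in.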

## Authentication for {% data variables.enterprise.prodname_managed_users %}

The locations where {% data variables.enterprise.prodname_managed_users %} can authenticate to {% data variables.product.prodname_dotcom %} depend on how you configure authentication (SAML or OIDC). See "AUTOTITLE."

By default, when an unauthenticated user attempts to access your enterprise, {% data variables.product.company_short %} displays a 404 error. You can optionally enable automatic redirects to single sign-on (SSO) instead. See "AUTOTITLE."

## Further reading