docs/content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise.md

title	shortTitle	intro	product	permissions	versions	type	topics	redirect_from
Configuring SAML single sign-on for your enterprise	Configuring SAML SSO	You can configure SAML single sign-on (SSO) for your enterprise, which allows you to centrally control authentication for {% data variables.product.product_location %} using your identity provider (IdP).	{% data reusables.gated-features.saml-sso %}	Enterprise owners can configure SAML SSO for an enterprise on {% data variables.product.product_name %}.	[{github-ae *}]	how_to	[Accounts Authentication Enterprise Identity SSO]	[/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise]

About SAML SSO

{% if currentVersion == "github-ae@latest" %}

SAML SSO allows you to centrally control and secure access to {% data variables.product.product_location %} from your SAML IdP. When an unauthenticated user visits {% data variables.product.product_location %} in a browser, {% data variables.product.product_name %} will redirect the user to your SAML IdP to authenticate. After the user successfully authenticates with an account on the IdP, the IdP redirects the user back to {% data variables.product.product_location %}. {% data variables.product.product_name %} validates the response from your IdP, then grants access to the user.

After a user successfully authenticates on your IdP, the user's SAML session for {% data variables.product.product_location %} is active in the browser for 24 hours. After 24 hours, the user must authenticate again with your IdP.

{% data reusables.saml.assert-the-administrator-attribute %}

{% data reusables.scim.after-you-configure-saml %} For more information, see "Configuring user provisioning for your enterprise."

{% endif %}

Supported identity providers

{% data variables.product.product_name %} supports SAML SSO with IdPs that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.

{% data variables.product.company_short %} has tested SAML SSO for {% data variables.product.product_name %} with the following IdPs.

{% if currentVersion == "github-ae@latest" %}

• Azure AD {% endif %}

Enabling SAML SSO

{% if currentVersion == "github-ae@latest" %}

{% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}

The following IdPs provide documentation about configuring SAML SSO for {% data variables.product.product_name %}. If your IdP isn't listed, please contact your IdP to request support for {% data variables.product.product_name %}.

IdP	More information
Azure AD	Tutorial: Azure Active Directory single sign-on (SSO) integration with {% data variables.product.prodname_ghe_managed %} in the Microsoft Docs

During initialization for {% data variables.product.product_name %}, you must configure {% data variables.product.product_name %} as a SAML Service Provider (SP) on your IdP. You must enter several unique values on your IdP to configure {% data variables.product.product_name %} as a valid SP.

Value	Other names	Description	Example
SP Entity ID	SP URL	Your top-level URL for {% data variables.product.prodname_ghe_managed %}	https://YOUR-GITHUB-AE-HOSTNAME
SP Assertion Consumer Service (ACS) URL	Reply URL	URL where IdP sends SAML responses	https://YOUR-GITHUB-AE-HOSTNAME/saml/consume
SP Single Sign-On (SSO) URL		URL where IdP begins SSO	https://YOUR-GITHUB-AE-HOSTNAME/sso

{% endif %}

Editing the SAML SSO configuration

If the details for your IdP change, you'll need to edit the SAML SSO configuration for {% data variables.product.product_location %}. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.

{% if currentVersion == "github-ae@latest" %}

{% note %}

Note: {% data reusables.saml.contact-support-if-your-idp-is-unavailable %}

{% endnote %}

{% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %}

1. Under "SAML single sign-on", type the new details for your IdP.

2. Optionally, click {% octicon "pencil" aria-label="The edit icon" %} to configure a new signature or digest method.

   • Use the drop-down menus and choose the new signature or digest method.

3. To ensure that the information you've entered is correct, click Test SAML configuration.

4. Click Save.

5. Optionally, to automatically provision and deprovision user accounts for {% data variables.product.product_location %}, reconfigure user provisioning with SCIM. For more information, see "Configuring user provisioning for your enterprise."

{% endif %}

Disabling SAML SSO

{% if currentVersion == "github-ae@latest" %}

{% warning %}

Warning: If you disable SAML SSO for {% data variables.product.product_location %}, users without existing SAML SSO sessions cannot sign into {% data variables.product.product_location %}. SAML SSO sessions on {% data variables.product.product_location %} end after 24 hours.

{% endwarning %}

{% note %}

Note: {% data reusables.saml.contact-support-if-your-idp-is-unavailable %}

{% endnote %}

{% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %}

1. Under "SAML single sign-on", unselect Enable SAML authentication.
2. To disable SAML SSO and require signing in with the built-in user account you created during initialization, click Save.

{% endif %}