configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta.md 8.4 KB
---
title: Configuring SAML single sign-on and SCIM for your enterprise account using Okta
intro: 'You can use Security Assertion Markup Language (SAML) single sign-on (SSO) and System for Cross-domain Identity Management (SCIM) with Okta to automatically manage access to your enterprise account on {% data variables.product.product_name %}.'
product: '{% data reusables.gated-features.enterprise-accounts %}'
redirect_from:
  - /github/setting-up-and-managing-your-enterprise/configuring-single-sign-on-and-scim-for-your-enterprise-account-using-okta
  - /github/setting-up-and-managing-your-enterprise-account/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta
  - /github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta
versions:
  free-pro-team: '*'
topics:
  - Enterprise
---

{% data reusables.enterprise-accounts.user-provisioning-release-stage %}

## About SAML and SCIM with Okta

You can control access to your enterprise account in {% data variables.product.product_name %} and other web applications from one central interface by configuring the enterprise account to use SAML SSO and SCIM with Okta, an Identity Provider (IdP).

SAML SSO controls and secures access to enterprise account resources like organizations, repositories, issues, and pull requests. SCIM automatically adds, manages, and removes members' access to organizations owned by your enterprise account when you make changes in Okta. For more information, see "Enforcing security settings in your enterprise account."

After you enable SCIM, the following provisioning features are available for any user you assign to your {% data variables.product.prodname_ghe_cloud %} application in Okta.

| Feature | Description |
| --- | --- |
| Push New Users | New users created in Okta will gain access to enterprise account resources, and can optionally be automatically invited to any of the organizations owned by the enterprise account |
| Push User Deactivation | Deactivating a user in Okta will revoke the user's access to the enterprise account resources and remove the user from all organizations owned by the enterprise account |
| Push Profile Updates | Updates made to the user's profile in Okta will be pushed to the user's enterprise account metadata |
| Reactivate Users | Reactivating the user in Okta will re-enable the user's access to the enterprise account and will optionally send email invitations for the user to rejoin any of the organizations owned by the enterprise account that the user was previously a member of |

## Prerequisites

{% data reusables.saml.use-classic-ui %}

## Adding the {% data variables.product.prodname_ghe_cloud %} application in Okta

{% data reusables.saml.okta-admin-button %}
{% data reusables.saml.okta-dashboard-click-applications %}
{% data reusables.saml.add-okta-application %}
{% data reusables.saml.search-ghec-okta %}
1. Click "{% data variables.product.prodname_ghe_cloud %} - Enterprise Accounts".
2. Click **Add**.
3. Optionally, to the right of "Application label", type a descriptive name for the application.
4. To the right of "{% data variables.product.prodname_dotcom %} Enterprises", type the name of your enterprise account. For example, if your enterprise account's URL is `https://github.com/enterprises/octo-corp`, type `octo-corp`.
5. Click **Done**.

## Enabling and testing SAML SSO

{% data reusables.saml.okta-admin-button %}
{% data reusables.saml.okta-dashboard-click-applications %}
{% data reusables.saml.click-enterprise-account-application %}
{% data reusables.saml.assign-yourself-to-okta %}
{% data reusables.saml.okta-sign-on-tab %}
1. To the right of Settings, click **Edit**.
2. Under "Configured SAML Attributes", to the right of "groups", use the drop-down menu and select **Matches regex**.
3. To the right of the drop-down menu, type `.*.*`.
4. Click **Save**.
{% data reusables.saml.okta-view-setup-instructions %}
5. Enable SAML for your enterprise account using the information in the setup instructions. For more information, see "Enabling SAML single sign-on for organizations in your enterprise account."

## Creating groups in Okta

1. In Okta, create a group to match each organization owned by your enterprise account. The name of each group must match the account name of the organization (not the organization's display name). For example, if the URL of the organization is `https://github.com/octo-org`, name the group `octo-org`.
2. Assign the application you created for your enterprise account to each group. {% data variables.product.prodname_dotcom %} will receive all groups data for each user.
3. Add users to groups based on the organizations you'd like users to belong to.
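A common misconfiguration in the steps above is naming an Okta group after an organization's display name instead of its account name, so the group is sent in the assertion but maps to nothing. The following added example (not code from the GitHub or Okta documentation) parses the `groups` attribute out of a constructed SAML assertion, applies the same `.*.*` filter the setup instructions use, and reports which group names match an organization account name, which look like display names, and which are unrelated. The assertion, the organization list and the helper names are all assumptions made for this example.

```python
"""Check that the group names carried in an Okta SAML assertion match the
account names (URL slugs) of the organizations owned by the enterprise.
Added example; not part of the GitHub/Okta documentation."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not a real Okta response).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>octo-org</saml:AttributeValue>
      <saml:AttributeValue>Octo Corp Finance</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed list of organizations owned by the enterprise, by account name.
ENTERPRISE_ORGS = {"octo-org", "octo-corp-finance"}

# The group-attribute filter from the "Enabling and testing SAML SSO" steps.
GROUP_FILTER = re.compile(r".*.*")


def extract_groups(assertion_xml: str) -> list:
    """Return the values of the 'groups' attribute, in assertion order,
    keeping only those the Okta regex filter would pass through."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") != "groups":
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            if text and GROUP_FILTER.fullmatch(text):
                values.append(text)
    return values


def classify_groups(groups, orgs):
    """Split groups into exact org matches, likely display-name mistakes
    (same slug after lowercasing and replacing spaces with '-'), and others."""
    matched, likely_display_name, unrelated = [], [], []
    for g in groups:
        if g in orgs:
            matched.append(g)
        elif g.lower().replace(" ", "-") in orgs:
            likely_display_name.append(g)
        else:
            unrelated.append(g)
    return matched, likely_display_name, unrelated
```

Groups reported as likely display names should be renamed in Okta to the organization's account name before assigning the application to them.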

## Configuring user provisioning with SCIM in Okta

{% data reusables.scim.enterprise-account-scim %}

To configure user provisioning with SCIM in Okta, you must authorize an OAuth application to create a token that Okta can use to authenticate to {% data variables.product.product_name %} on your behalf. The okta-oauth application is created by Okta in partnership with {% data variables.product.prodname_dotcom %}.

{% data reusables.saml.okta-admin-button %}
{% data reusables.saml.okta-dashboard-click-applications %}
{% data reusables.saml.click-enterprise-account-application %}
{% data reusables.saml.okta-provisioning-tab %}
{% data reusables.saml.okta-configure-api-integration %}
{% data reusables.saml.okta-enable-api-integration %}
1. Click **Authenticate with GitHub Enterprise Cloud - Enterprise Accounts**.
2. To the right of your enterprise account's name, click **Grant**.
3. Click **Authorize okta-oauth**.
{% data reusables.saml.okta-save-provisioning %}
{% data reusables.saml.okta-edit-provisioning %}
4. Under the name of the application, click **Push Groups**.
5. Use the **Push Groups** drop-down menu, and select **Find groups by name**.
6. Add a push group for each organization in your enterprise account that you want to enable user provisioning for.
    - Under "PUSH GROUPS BY NAME", search for a group that corresponds to an organization owned by your enterprise account, then click the group in the search results.
    - To the right of the group name, in the "Match results & push action" drop-down menu, verify that **Create Group** is selected.
    - Click **Save**.
    - Repeat for each organization.
7. Under the name of your application, click **Assignments**.
8. If you see **Provision users**, users who were members of an Okta group before you added a push group for that group have not been provisioned. To send SCIM data to {% data variables.product.product_name %} for these users, click **Provision users**.

## Enabling SAML user provisioning

After you enable SCIM provisioning and deprovisioning, you can optionally enable SAML user provisioning and deprovisioning.

{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
1. Under "SAML User Provisioning", select **Enable SAML user provisioning**.
2. Click **Save**.
3. Optionally, enable SAML user deprovisioning.
    - Select **Enable SAML user deprovisioning**, then click **Save**.
    - Read the warning, then click **Enable SAML deprovisioning**.