Knowledge Base Article: Setting Up SCIM and SSO for GitHub Enterprise

Summary

This guide provides step-by-step instructions for configuring SCIM and SSO for GitHub Enterprise using Azure AD.


Steps to Configure SCIM and SSO

  1. Create a Token in GitHub:
    • Log in as the admin account that created the GitHub Enterprise account.
    • Navigate to the Personal Access Tokens page.
    • Generate a new token with the required SCIM permissions.
      • Set the token to never expire per GitHub’s recommendation to prevent SCIM disruptions.
    • Save this token securely (e.g., in SecretServer) as it will be used during provisioning setup.
  2. Choose the Correct Azure AD Application:
    • Use the Enterprise Managed User application in Azure AD.
    • Avoid using the Enterprise Account application, as it does not support provisioning.
  3. Enable and Configure SCIM Provisioning:
    • Go to the Provisioning section in the Azure AD Enterprise Managed User application.
    • Set the Provisioning Mode to Automatic.
    • Use the personal access token generated in step 1 as the authentication key.
    • Scope the synchronization to only the two SSO groups assigned to the application:
      • Admins Group
      • Users Group
  4. Set Up Single Sign-On (SSO):
  5. Test and Confirm the Setup:
    • Validate provisioning by confirming that users in the assigned SSO groups are correctly synchronized to GitHub.
    • Verify logins to ensure both admins and users can authenticate through SSO.
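
An added example for the provisioning check in step 5 (not part of the original article and not GitHub or Microsoft tooling): it reconciles the users listed by the GitHub SCIM endpoint against the expected members of the two assigned groups. It assumes the listing has been saved as SCIM 2.0 ListResponse pages and the group membership as a list of userName values; the function name and sample accounts are hypothetical.

```python
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def reconcile(scim_pages, expected_usernames):
    """Compare users returned by a SCIM Users listing with the expected
    members of the assigned groups. Returns a dict of discrepancies."""
    provisioned = {}  # lower-cased userName -> active flag
    total = None
    for page in scim_pages:
        if LIST_RESPONSE not in page.get("schemas", []):
            raise ValueError("page is not a SCIM ListResponse")
        total = page.get("totalResults", total)
        for res in page.get("Resources", []):
            # userName is case-insensitive in SCIM (RFC 7643), so normalise.
            # Assumption: a resource without "active" is treated as active.
            provisioned[res["userName"].lower()] = bool(res.get("active", True))
    expected = {u.lower() for u in expected_usernames}
    return {
        # In a scoped group but never created on the GitHub side.
        "missing": sorted(expected - provisioned.keys()),
        # Provisioned but marked inactive on the GitHub side.
        "inactive": sorted(u for u in expected if provisioned.get(u) is False),
        # Active on GitHub but in neither group: the scope is too broad
        # or a removal was not deprovisioned.
        "unexpected_active": sorted(
            u for u, active in provisioned.items() if active and u not in expected),
        # False when pages were skipped, so the other lists cannot be trusted.
        "complete": total is not None and len(provisioned) == total,
    }


# Constructed sample: two pages of a SCIM Users listing (not real accounts).
PAGES = [
    {"schemas": [LIST_RESPONSE], "totalResults": 4, "startIndex": 1, "itemsPerPage": 2,
     "Resources": [{"userName": "Alice@example.com", "active": True},
                   {"userName": "bob@example.com", "active": False}]},
    {"schemas": [LIST_RESPONSE], "totalResults": 4, "startIndex": 3, "itemsPerPage": 2,
     "Resources": [{"userName": "carol@example.com", "active": True},
                   {"userName": "mallory@example.com", "active": True}]},
]
# Constructed membership of the Admins and Users groups.
EXPECTED = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]

if __name__ == "__main__":
    for key, value in reconcile(PAGES, EXPECTED).items():
        print(f"{key}: {value}")
```

An empty result in all three lists with `complete` set to True means the synchronization matches the two assigned groups.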

Best Practices and Recommendations

  • Token Configuration: Use a token with no expiration to avoid disruptions.
  • Group Management: Explicitly assign only the required SSO groups (Admins and Users) to the application to maintain control over synchronization.
  • Provisioning Scope: Ensure the Provisioning Mode is set to Automatic to streamline user and group synchronization.

Common Issues and Resolutions

  • Provisioning Errors: Double-check the token permissions and ensure it’s stored correctly in the provisioning settings.
  • User Sync Issues: Verify that the correct SSO groups are assigned to the application in Azure AD.