Identity and access management fundamentals

Administrators must decide how users will access the enterprise's resources on GitHub.

What is IAM for GitHub?

To manage access to your enterprise's resources, you can either allow users to use personal accounts on GitHub.com and optionally configure additional SAML access restriction, or use an identity provider (IdP) together with Enterprise Managed Users to provision and manage your enterprise's accounts.

After learning more about authentication and provisioning for each of these options, to determine which method is best for your enterprise, see Enterprise types for GitHub Enterprise Cloud.

Which authentication methods are available to me?

When you create an enterprise on GitHub, you can decide how people authenticate to access your resources and who controls the user accounts.

Authentication through GitHub.com

With authentication solely through GitHub.com, each person you want to grant access to your enterprise must create and manage a personal account on GitHub.com. After you grant access to your enterprise, the member can access your enterprise's resources after signing into the account on GitHub.com. The member manages the account, and can contribute to other enterprises, organizations, and repositories on GitHub.com. For more information about personal accounts, see Creating an account on GitHub.

Authentication through GitHub.com with additional SAML access restriction

If you configure additional SAML access restriction, each person you want to grant access to your enterprise must create and manage a personal account on GitHub.com. After you grant access to your enterprise, the member can access your enterprise's resources only after authenticating successfully both for the account on GitHub.com and for an account on your SAML identity provider (IdP). The member can contribute to other enterprises, organizations, and repositories on GitHub.com using their personal account. For more information about requiring SAML authentication for all access to your enterprise's resources, see About SAML for enterprise IAM.

You can choose between configuring SAML at the enterprise level, which applies the same SAML configuration to all organizations within the enterprise, and configuring SAML separately for individual organizations. For more information, see Deciding whether to configure SAML for your enterprise or your organizations.

Authentication with Enterprise Managed Users and federation

If you need more control of the accounts for your enterprise members on GitHub, you can use Enterprise Managed Users. With Enterprise Managed Users, you provision and manage accounts for your enterprise members on GitHub using your IdP. Each member signs into an account that you create, and your enterprise manages the account. Contributions outside the enterprise are restricted. For more information, see About Enterprise Managed Users.

How does provisioning work?

If you use authentication through GitHub.com with additional SAML access restriction, people create personal accounts on GitHub.com, and you can grant those personal accounts access to resources in your enterprise. You do not provision accounts.

Alternatively, if you use Enterprise Managed Users, you must configure your IdP to provision user accounts within your enterprise on GitHub.com using System for Cross-domain Identity Management (SCIM). For more information, see Identity and access management fundamentals.

Which IdPs are supported?

If you create an enterprise that uses personal accounts on GitHub.com, you can configure additional authentication with any external identity management system that adheres to the SAML 2.0 standard. GitHub also officially supports and tests some identity management systems. For more information, see "Configuring SAML single sign-on for your enterprise."

GitHub partners with some developers of identity management systems to provide a "paved-path" integration with Enterprise Managed Users. To simplify configuration and ensure full support, **use a single partner IdP for both authentication and provisioning.** When you use a partner identity provider (IdP), you can configure one application on the IdP to provide both authentication and provisioning. The IdP must support the SAML 2.0 standard. Alternatively, if you use Entra ID (formerly Azure AD), you can configure OpenID Connect (OIDC) authentication. If you do not use a partner IdP, or if you use a partner IdP only for authentication, you can integrate any IdP that implements the SAML 2.0 and System for Cross-domain Identity Management (SCIM) 2.0 standards. For more information, see "About Enterprise Managed Users."

Further reading