synchronizing-a-team-with-an-identity-provider-group.md
---
title: Synchronizing a team with an identity provider group
intro: 'You can synchronize a {% data variables.product.github %} team with a supported identity provider (IdP) group to automatically add and remove team members.'
redirect_from:
  - /github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group
permissions: 'Organization owners can synchronize a {% data variables.product.github %} team with an IdP group.'
versions:
  ghec: '*'
  ghes: '*'
topics:
  - Organizations
  - Teams
shortTitle: Synchronize with an IdP
---

{% data reusables.enterprise-accounts.emu-scim-note %}

## About team synchronization

{% data reusables.identity-and-permissions.about-team-sync %} {% ifversion ghec %}For more information, see AUTOTITLE and AUTOTITLE.{% endif %}

{% ifversion ghec %}You can connect up to five IdP groups to a {% data variables.product.github %} team.{% endif %} You can assign an IdP group to multiple {% data variables.product.github %} teams.

{% ifversion ghec %}Team synchronization does not support IdP groups with more than 5000 members.{% endif %}

Once a {% data variables.product.prodname_dotcom %} team is connected to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on {% data variables.product.github %}{% ifversion ghec %} or using the API{% endif %}.

{% ifversion ghec %}{% data reusables.enterprise-accounts.team-sync-override %}{% endif %}

{% ifversion team-sync-manage-org-invites %} {% data reusables.identity-and-permissions.team-sync-org-invites %} For more information, see AUTOTITLE and AUTOTITLE. {% endif %}

{% ifversion ghec %} All team membership changes made through your IdP will appear in the audit log on {% data variables.product.github %} as changes made by the team synchronization bot. Team synchronization will fetch group information from your IdP at least once every hour, and reflect any changes in IdP group membership into {% data variables.product.github %}. Connecting a team to an IdP group may remove some team members. For more information, see Requirements for members of synchronized teams. {% endif %}

Parent teams cannot synchronize with IdP groups. If the team you want to connect to an IdP group is a parent team, we recommend creating a new team or removing the nested relationships that make your team a parent team. For more information, see AUTOTITLE, AUTOTITLE, and AUTOTITLE.

To manage repository access for any {% data variables.product.github %} team, including teams connected to an IdP group, you must make changes with {% data variables.product.github %}. For more information, see AUTOTITLE and AUTOTITLE.

{% ifversion ghec %}You can also manage team synchronization with the API. For more information, see AUTOTITLE.{% endif %}

{% ifversion ghec %}

## Requirements for members of synchronized teams

After you connect a team to an IdP group, team synchronization will add each member of the IdP group to the corresponding team on {% data variables.product.github %} only if:

{%- ifversion team-sync-manage-org-invites %}
* If team synchronization is not allowed to invite non-members to your organization, the person is already a member of the organization on {% data variables.product.github %}.
{%- endif %}
* The person has already logged in with their personal account on {% data variables.product.github %} and authenticated to the organization or enterprise account via SAML single sign-on at least once.
* The person's SSO identity is a member of the IdP group.

Existing team members or IdP group members who do not meet these criteria will be automatically removed from the team on {% data variables.product.github %} and lose access to its repositories. Revoking a user's linked identity will also remove the user from any teams mapped to IdP groups. For more information, see AUTOTITLE and AUTOTITLE.

A removed team member is added back to the team automatically once they have authenticated to the organization or enterprise account using SSO and have been added to a connected IdP group.

To avoid unintentionally removing team members, we recommend enforcing SAML SSO in your organization or enterprise account, creating new teams to synchronize membership data, and checking IdP group membership before synchronizing existing teams. For more information, see AUTOTITLE and AUTOTITLE.

{% endif %}

## Prerequisites

{% data reusables.identity-and-permissions.team-and-idp-group %}

{% ifversion ghec %} Before you can connect a {% data variables.product.github %} team with an IdP group, an organization or enterprise owner must enable team synchronization for your organization or enterprise account. For more information, see AUTOTITLE and AUTOTITLE.

To avoid unintentionally removing team members, visit the administrative portal for your IdP and confirm that each current team member is also in the IdP groups that you want to connect to this team. If you don't have this access to your identity provider, you can reach out to your IdP administrator.

You must authenticate using SAML SSO. For more information, see AUTOTITLE.
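The following Python script is an added example, not code from this documentation or from {% data variables.product.github %}. It turns the pre-flight check above, together with the rules under "Requirements for members of synchronized teams", into an offline dry run: given the current team, the organization's SSO-linked users and the IdP groups you plan to connect, it reports who would be kept, removed, added, or silently not added, and why. It also builds the request body for the team synchronization REST endpoint mentioned under "About team synchronization" (`PATCH /orgs/{org}/teams/{team_slug}/team-sync/group-mappings`, whose group entries come from `GET /orgs/{org}/team-sync/groups`). All organization, identity and group data in the script is constructed for illustration, and nothing in it contacts the API or your IdP.

```python
"""Dry run of the team synchronization rules described on this page, plus a
builder for the request body of the team-sync REST endpoint.

Added example, not GitHub's own code.  It makes no network calls: the
organization state below is constructed for illustration; in practice you
would fill it from your IdP's admin portal and the GitHub REST API.
"""
from dataclasses import dataclass

MAX_GROUPS_PER_TEAM = 5     # GHEC: a team connects to at most five IdP groups
MAX_GROUP_SIZE = 5000       # GHEC: groups larger than this are not supported


@dataclass(frozen=True)
class OrgState:
    """What team sync can see about an organization (constructed, not fetched)."""
    org_members: frozenset   # logins that are already organization members
    idp_identity: dict       # login -> SSO identity, present only for users who
                             # have authenticated via SAML SSO at least once
    idp_groups: dict         # IdP group name -> frozenset of SSO identities


def predict_sync(team_members, groups, state, invites_allowed=False):
    """Predict what connecting `groups` to a team currently holding `team_members`
    does, applying the three requirements for members of synchronized teams.
    Returns a dict with 'kept' and 'added' (sets of logins) and 'removed' and
    'not_added' (login or SSO identity -> reason)."""
    if not groups or len(groups) > MAX_GROUPS_PER_TEAM:
        raise ValueError(f"a team connects to 1..{MAX_GROUPS_PER_TEAM} IdP groups")
    unknown = set(groups) - state.idp_groups.keys()
    if unknown:
        raise ValueError(f"unknown IdP groups: {sorted(unknown)}")
    for name in groups:
        if len(state.idp_groups[name]) > MAX_GROUP_SIZE:
            raise ValueError(f"IdP group {name!r} exceeds {MAX_GROUP_SIZE} members")
    in_scope = frozenset().union(*(state.idp_groups[name] for name in groups))

    def ineligible(login):
        """Reason a login will not be on the synced team, or None if eligible."""
        identity = state.idp_identity.get(login)
        if identity is None:
            return "has never authenticated to the org or enterprise via SAML SSO"
        if identity not in in_scope:
            return "SSO identity is not a member of any connected IdP group"
        if not invites_allowed and login not in state.org_members:
            return "not an org member, and team sync may not invite non-members"
        return None

    kept, removed = set(), {}
    for login in team_members:
        why = ineligible(login)
        if why is None:
            kept.add(login)
        else:
            removed[login] = why

    added, not_added = set(), {}
    login_of = {identity: login for login, identity in state.idp_identity.items()}
    for identity in sorted(in_scope):
        login = login_of.get(identity)
        if login is None:
            not_added[identity] = "no GitHub account has linked this SSO identity yet"
        elif login not in team_members:
            why = ineligible(login)
            if why is None:
                added.add(login)
            else:
                not_added[login] = why
    return {"kept": kept, "removed": removed, "added": added, "not_added": not_added}


def group_mapping_payload(groups):
    """Body for PATCH /orgs/{org}/teams/{team_slug}/team-sync/group-mappings.
    Each entry carries the id, name and description that
    GET /orgs/{org}/team-sync/groups returns; an empty list disconnects every group."""
    if len(groups) > MAX_GROUPS_PER_TEAM:
        raise ValueError(f"at most {MAX_GROUPS_PER_TEAM} groups per team")
    return {"groups": [{"group_id": g["id"], "group_name": g["name"],
                        "group_description": g.get("description", "")} for g in groups]}


# Constructed sample: dave has never used SSO, erin has no GitHub account linked,
# frank authenticated at the enterprise level but is not an org member.
SAMPLE_STATE = OrgState(
    org_members=frozenset({"alice", "bob", "carol", "dave"}),
    idp_identity={"alice": "alice@example.com", "bob": "bob@example.com",
                  "carol": "carol@example.com", "frank": "frank@example.com"},
    idp_groups={
        "eng-platform": frozenset({"alice@example.com", "carol@example.com",
                                   "erin@example.com", "frank@example.com"}),
        "eng-security": frozenset({"bob@example.com"}),
    },
)
SAMPLE_TEAM = frozenset({"alice", "bob", "dave"})

if __name__ == "__main__":
    result = predict_sync(SAMPLE_TEAM, ["eng-platform", "eng-security"], SAMPLE_STATE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(group_mapping_payload([{"id": "123", "name": "eng-platform",
                                  "description": "Platform engineers"}]))
```

Run the dry run with the real team roster and group membership before clicking Save changes: anything listed under `removed` loses repository access the moment the groups are connected, and anything under `not_added` is a person who is in the IdP group but will not appear on the team until they authenticate via SSO or become an organization member.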

{% elsif ghes %} You must configure user provisioning with SCIM for {% data variables.location.product_location %}. For more information, see AUTOTITLE.

{% data reusables.scim.ghes-beta-note %} {% endif %}

## Connecting an IdP group to a team

When you connect an IdP group to a {% data variables.product.github %} team, all users in the group are automatically added to the team.

{% data reusables.profile.access_org %}
{% data reusables.user-settings.access_org %}
{% data reusables.organizations.specific_team %}
{% data reusables.organizations.team_settings %}
{%- ifversion ghec %}
1. Under "Identity Provider Groups", select the **Select Groups** dropdown menu, and click up to 5 identity provider groups.
{%- endif %}
1. Click **Save changes**.

## Disconnecting an IdP group from a team

{% data reusables.profile.access_org %}
{% data reusables.user-settings.access_org %}
{% data reusables.organizations.specific_team %}
{% data reusables.organizations.team_settings %}
{%- ifversion ghec %}
1. Under "Identity Provider Groups", to the right of the IdP group you want to disconnect, click {% octicon "x" aria-label="Remove group" %}.
{%- endif %}
1. Click **Save changes**.