Integrations · SAML 2.0

GitHub Enterprise SSO

Configure SAML 2.0 SSO for GitHub Enterprise Server and GitHub Enterprise Cloud (organization-level SAML). Covers SCIM provisioning for automatic team and membership sync.

Two products, same guide: GitHub Enterprise Server (GHES) and GitHub Enterprise Cloud (GHEC) both use SAML 2.0 for SSO but configure it in different panels. Sections below are labelled accordingly.

Prerequisites

GitHub Enterprise Server ≥ 3.0 or GitHub Enterprise Cloud organization with SSO enabled
GitHub organization owner or Enterprise admin role
Clavex at https://id.acme.eu, org slug acme

Step 1 — Clavex SAML Metadata

Parameter	Value
IdP Entity ID	`https://id.acme.eu/acme/saml`
SSO URL	`https://id.acme.eu/acme/saml/sso`
Certificate	`https://id.acme.eu/acme/saml/idp/metadata` → X509Certificate

Step 2a — GitHub Enterprise Server Configuration

Go to Site Admin → Management Console → Authentication
Select SAML

Fill in:

Field	Value
Single sign-on URL	`https://id.acme.eu/acme/saml/sso`
Issuer	`https://id.acme.eu/acme/saml`
Signature method	`RSA-SHA256`
Digest method	`SHA256`
Name identifier format	`Persistent`
Certificate	Paste Base64 from Clavex metadata

Under Attribute statements, map:

GitHub attribute SAML attribute

username preferred_username

email email

full_name name

keys (optional) ssh_keys
Click Save settings and then Test SAML configuration

GitHub attribute	SAML attribute
`username`	`preferred_username`
`email`	`email`
`full_name`	`name`
`keys`	(optional) `ssh_keys`

Step 2b — GitHub Enterprise Cloud (Organization)

Go to your GitHub Organization → Settings → Authentication security
Check Enable SAML authentication

Fill in:

Field	Value
Sign-on URL	`https://id.acme.eu/acme/saml/sso`
Issuer	`https://id.acme.eu/acme/saml`
Public certificate	Paste full PEM certificate from Clavex metadata
Signature method	`RSA-SHA256`
Digest method	`SHA256`

Click Test SAML configuration before saving

Step 3 — Register GitHub as SP in Clavex

Admin API (curl)

# GitHub Enterprise Server $ curl -X POST https://id.acme.eu/api/v1/organizations/acme/saml/sp \ -H 'Authorization: Bearer $ADMIN_TOKEN' \ -H 'Content-Type: application/json' \ -d '{ "entity_id": "https://github.acme.eu", "acs_url": "https://github.acme.eu/saml/consume", "name_id_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "sign_assertions": true }'
# GitHub Enterprise Cloud $ curl -X POST https://id.acme.eu/api/v1/organizations/acme/saml/sp \ -H 'Authorization: Bearer $ADMIN_TOKEN' \ -H 'Content-Type: application/json' \ -d '{ "entity_id": "https://github.com/orgs/acme-corp", "acs_url": "https://github.com/orgs/acme-corp/saml/consume", "name_id_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "sign_assertions": true }'

Step 4 — SCIM Provisioning (optional)

GitHub Enterprise Cloud supports SCIM for automatic user and team provisioning. Enable it in Clavex Admin → Provisioning → add a SCIM target pointing at:

Field	Value
SCIM base URL	`https://api.github.com/scim/v2/organizations/acme-corp`
Authentication	Bearer token (GitHub personal access token with `admin:org`)
Supported operations	Create, Update, Deactivate users; Sync groups as teams

Troubleshooting

Symptom	Cause	Fix
`SAML response was not valid`	Certificate mismatch or assertion expired	Verify certificate in GitHub matches Clavex IdP cert; check clock sync
Username attribute missing	`preferred_username` not in assertion	Add custom attribute mapper in Clavex for the `preferred_username` claim
SCIM not syncing	PAT expired or wrong scope	Regenerate GitHub PAT with `admin:org` and `read:user` scopes
Members still see personal login	SAML not enforced yet	Enable Require SAML SSO in GitHub Org Settings → Authentication Security