Note: These instructions are intended for GitHub Team or greater.
This guide provides the steps required to configure Provisioning for GitHub (Team or greater).
The following provisioning features are supported:
Import New Users
New users created in the third party application will be downloaded and turned in to new AppUser objects, for matching against existing OKTA users.
Push New Users
New users created through OKTA will also be created in the third party application.
Push Profile Updates
Updates made to the user's profile through OKTA will be pushed to the third party application.
Push User Deactivation
Deactivating the user through OKTA will remove the user from the organization and all teams in the third party application.
Reactivate Users
Reactivating the user through OKTA will add the user back to the organization and selected teams in the third party application.
GitHub Team does not support creation of new users through its API. You cannot assign GitHub Team through Okta to a user who does not already exist on the GitHub Team side. When assigning a user to the GitHub Team app, ensure that the user already has a GitHub Team account. Okta will only add the existing GitHub Team user to the selected Organization and Teams managed by Okta.
GitHub Team does not support changes to a user's profile other than team memberships. Changing the username of a user can cause problems such as org/team unassignment.
When assigning a user to GitHub Team through Okta who is part of GitHub Team but not a member of the organization, the user will receive an invitation to join the org. Until the user accepts the invitation, they will be in pending status. Pending users will not show up during user imports nor can their profiles be updated.
Before you configure provisioning for GitHub Team, make sure you have configured the following:
Under General Settings for the GitHub Team app, enter an Application label and your GitHub Team Organization:
Select your Sign-on Options options for the GitHub Team app. The Okta username format is typically set to the email address, which is not the same as the GitHub Team application username as a GitHub Team username cannot be in an email format. To resolve this conflict when importing users and pushing profile updates, you must change the application username format, which is set by default to the Okta username, to either a Custom, email prefix, username prefix or (None):
Once you have configured/confirmed your General Settings and Sign-on Options, click Next to take you back to the Provisioning tab (see below).
Configure your Provisioning settings for GitHub Team as follows:
Check the Enable API Integration box, then click Authenticate with GitHub:
Authenticate with GitHub Team as follows:
You are prompted to login your GitHub Team account:
In you have Multifactor Authentication (MFA) enabled, you are prompted to input the code:
Select Admin access and proceed:
Select To App in the left panel, then select the Provisioning Features you want to enable:
Click Save.
You can now assign people to the app, if needed.
Setting the application username format to the default of email address causes problems when pushing profile updates. Make sure it is set to a custom format to match the username imported from GitHub Team or to None.
If you try to assign a user to GitHub Team through Okta, who does not already exist in GitHub Team, a task is generated informing you that the provisioning failed. You can view this task by going to Dashboard > Tasks.
When assigning a user to GitHub Team through Okta, who is part of GitHub Team but not a member of the organization, the user receives an invitation to join the org. Until the user accepts the invitation, they will be in a pending status. Pending users do not show up during user imports nor can their profiles be updated.