Managing team memberships with identity provider groups

You can manage team membership on GitHub through your identity provider (IdP) by connecting IdP groups with your enterprise with managed users.

To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which are available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

About team management with Enterprise Managed Users

With Enterprise Managed Users, you can manage team membership within your enterprise through your IdP. When you connect a team in one of your enterprise's organizations to an IdP group, changes to membership from the IdP group are reflected in your enterprise automatically, reducing the need for manual updates and custom scripts.

When a change to an IdP group or a new team connection results in a managed user joining a team in an organization they were not already a member of, the managed user will automatically be added to the organization. Organization owners can also manage organization membership manually. When you disconnect a group from a team, users who became members of the organization via team membership are removed from the organization if they are not assigned membership in the organization by any other means.

You can connect a team in your enterprise to one IdP group. You can assign the same IdP group to multiple teams in your enterprise.

If you are connecting an existing team to an IdP group, you must first remove any members that were added manually. After you connect a team in your enterprise to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on GitHub.com.

When group membership changes on your IdP, your IdP sends a SCIM request with the changes to GitHub.com according to the schedule determined by your IdP, so changes may not be immediate. Any requests that change team or organization membership will register in the audit log as changes made by the account used to configure user provisioning.
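A check built on the audit log behavior described above, as an added example rather than code from GitHub's documentation: it flags membership events on IdP-connected teams whose actor is not the provisioning account. It assumes a JSON-lines audit log export with action, actor and team fields and the team.add_member and team.remove_member events; the login acme_admin and the team names are hypothetical.

```python
import json

# Constructed sample of a JSON-lines audit log export. Field names are assumed
# to match your export; the fourth line is deliberately truncated.
SAMPLE_LOG = """\
{"@timestamp": 1700000000000, "action": "team.add_member", "actor": "acme_admin", "team": "acme/platform", "user": "mona_acme"}
{"@timestamp": 1700000060000, "action": "team.add_member", "actor": "hubot_acme", "team": "acme/platform", "user": "hubot_acme"}
{"@timestamp": 1700000120000, "action": "team.add_member", "actor": "hubot_acme", "team": "acme/docs", "user": "mona_acme"}
{"@timestamp": 1700000180000, "action": "team.remove_member", "actor":
{"@timestamp": 1700000240000, "action": "repo.create", "actor": "hubot_acme", "repo": "acme/tools"}
{"@timestamp": 1700000300000, "action": "team.remove_member", "team": "acme/security", "user": "mona_acme"}
"""

PROVISIONING_ACTOR = "acme_admin"                         # hypothetical login
IDP_CONNECTED_TEAMS = {"acme/platform", "acme/security"}  # hypothetical teams
MEMBERSHIP_ACTIONS = {"team.add_member", "team.remove_member"}


def unexpected_membership_changes(log_text, provisioning_actor, connected_teams):
    """Return findings for membership events on IdP-connected teams that were
    not made by the provisioning account, plus lines that cannot be checked."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            # Do not skip silently: a dropped line could hide a real change.
            findings.append({"line": lineno, "reason": "unparseable"})
            continue
        if event.get("action") not in MEMBERSHIP_ACTIONS:
            continue
        if event.get("team") not in connected_teams:
            continue
        actor = event.get("actor")  # None when the field is missing
        if actor != provisioning_actor:
            findings.append({"line": lineno, "reason": "unexpected actor",
                             "actor": actor, "team": event["team"],
                             "action": event["action"]})
    return findings


if __name__ == "__main__":
    for f in unexpected_membership_changes(
            SAMPLE_LOG, PROVISIONING_ACTOR, IDP_CONNECTED_TEAMS):
        print(f)
```

Events with a missing actor field are reported rather than ignored, because they cannot be attributed to the provisioning account.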

Teams connected to IdP groups cannot be parents or children of other teams. If the team you want to connect to an IdP group is a parent or child team, we recommend creating a new team or removing the nested relationships that make your team a parent team.

To manage repository access for any team in your enterprise, including teams connected to an IdP group, you must make changes on GitHub.com. For more information, see "Managing team access to an organization repository".

Creating a new team connected to an IdP group

Any member of an organization can create a new team and connect the team to an IdP group.

  1. In the top right corner of GitHub, click your profile photo, then click Your organizations.

  2. Click the name of your organization.

  3. Under your organization name, click Teams.

  4. On the right side of the Teams tab, click New team.

  5. Under "Create new team", type the name for your new team.

  6. Optionally, in the "Description" field, type a description of the team.

  7. To connect a team, select the "Identity Provider Groups" drop-down menu and click the team you want to connect.

  8. Decide whether the team will be visible or secret.

  9. Click Create team.

Managing the connection between an existing team and an IdP group

Organization owners and team maintainers can manage the existing connection between an IdP group and a team.

Note: Before you connect an existing team on GitHub.com to an IdP group for the first time, all members of the team on GitHub.com must first be removed. For more information, see "Removing organization members from a team."

  1. In the top right corner of GitHub, click your profile photo, then click Your profile.

  2. In the top right corner of GitHub, click your profile photo, then click Your organizations.

  3. Under your organization name, click Teams.

  4. On the Teams tab, click the name of the team.

  5. At the top of the team page, click Settings.

  6. Optionally, under "Identity Provider Group", to the right of the IdP group you want to disconnect, click .

  7. To connect an IdP group, under "Identity Provider Group", select the drop-down menu, and click an identity provider group from the list.

  8. Click Save changes.

Viewing IdP groups and connected teams

You can review a list of IdP groups, see any teams connected to an IdP group, and see the membership of each IdP group on GitHub. You must edit the membership for a group on your IdP.

  1. In the top-right corner of GitHub, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. Under your business account's name, click Identity provider.

  4. Under "Identity Provider (IdP) Groups", review the list of IdP groups.
