Everything You Need To Know About GitHub EMU Migration

GitHub is a full-featured development environment for scaling, creating, and distributing secure software. Our product line is used by businesses to support the full software development lifecycle, speeding up development and enhancing code quality.

Developers can use issues and projects to plan and track their work while storing and version-controlling their source code in repositories.

When reviewing each other's code changes via pull requests, they can use code security features to keep secrets and vulnerabilities out of the codebase. They can also write code in GitHub Codespaces, the cloud-hosted development environment.

Finally, you may host software packages with GitHub Packages and automate your build, test, and deployment workflow using GitHub Actions.

What is GitHub Enterprise?

GitHub Enterprise is a high ROI solution for businesses. It saves developers time and reduces onboarding/training. With an enterprise account, you can streamline administration, manage billing/settings, enforce policy, and audit resource access.

It includes both GitHub Enterprise Server & GitHub Enterprise Cloud. Cloud allows personal or managed user accounts, while Server can integrate with GitHub.com for added features like Dependabot alerts.

EMU Migration

About GitHub Enterprise Managed Users

GitHub Enterprise Managed Users (EMU) allows you to control the user accounts of your enterprise members through your identity provider (IdP). You have control over usernames, profile data, team membership, and repository access.

Managed users can own organisations and add other managed users to them. GitHub validates user interactions based on the conditions your IdP sets. Managed users can access and contribute to repositories but can't create public content or collaborate with users outside your enterprise.

Usernames and profile info are set by the IdP and can’t be changed by users. Enterprise owners can audit all user actions. It requires a specific enterprise account type with Managed Users enabled.

SAML for Managed Users

With Enterprise Managed Users, your company authenticates each employee using your corporate identity provider. Members of your company will log in via your IdP rather than using a GitHub username and password.

The following IdPs are supported by Enterprise Managed Users:

  • Okta
  • Azure Active Directory (Azure AD)
  • PingFederate (public beta)

We advise keeping your recovery codes after configuring SAML SSO so you can regain access to your enterprise if your identity provider is unavailable.

If you currently use SAML SSO for authentication and would rather use OIDC and benefit from conditional access policy (CAP) support, you can follow the migration path described below.

OIDC For Managed Users

Enterprise Managed Users authenticate through an identity provider (IdP). OIDC enables streamlined authentication for managed users, with one-click setup and certificate management by GitHub and your IdP.

GitHub validates user interactions based on your IdP’s conditional access policy (CAP) IP conditions, ensuring security when IP addresses change or access tokens/SSH keys are used.

You can customise session duration and reauthentication frequency by adjusting the ID token lifetime policy. The default lifetime is one hour.

SCIM provisioning configuration for enterprise-managed users

To enable SCIM provisioning for Enterprise Managed Users, configure it to create, manage, and deactivate user accounts for your enterprise members. Users assigned to the GitHub Enterprise Managed User application in your identity provider will be provisioned as managed user accounts on GitHub via SCIM.

Updating a user's information in your IdP syncs the change to their GitHub account. Unassigning or deactivating a user in the IdP invalidates their sessions and disables their GitHub account; reassigning or reactivating the user reactivates the GitHub account.

IdP groups can manage team members’ access and permissions in your enterprise’s organisations.

Managed Teams with Your IDP

You can efficiently manage team and organisation membership in your enterprise using Enterprise Managed Users. By linking GitHub teams with IdP groups, you can seamlessly handle membership changes.

When an IdP group is connected to a team within your enterprise’s organisation, any modifications to membership in the IdP group automatically reflect in your enterprise. This eliminates the need for manual updates and custom scripts.

If a change in an IdP group or a new team connection results in a managed user account joining a team in an organisation where it was not previously a member, the managed user account is automatically added to the organisation.

In contrast, if you disconnect a group from a team, all users who joined the organisation exclusively through that team membership are removed from the organisation until they are granted membership by another method.

Whenever there are group membership changes in your IdP, your IdP sends a SCIM request with the updates to GitHub.com based on the predetermined schedule. It’s important to note that the changes may not take effect immediately.

Requests that modify team or organisation membership are recorded in the audit log as changes made by the account that configured user provisioning. Additionally, GitHub scans each mapped team daily and synchronises its membership with the corresponding group in your IdP.

GitHub will automatically add a user to the organisation that houses the team if they are not already a member.

It’s worth mentioning that teams connected to IdP groups cannot be parents or children of other teams. If you want to connect a team to an IdP group, but it has nested relationships as a parent or child team, it is recommended to either create a new team or remove the nested relationships.

You must make the necessary adjustments on GitHub.com in order to manage repository access for any team in your company, including teams connected to an IdP group.
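To make the membership rules in this section concrete, here is an added example (not GitHub's code) that models how an IdP group change propagates to a connected team and to organisation membership; the Org structure, the "direct" membership set and the function names are assumptions made for illustration, and the "another method" the text mentions is modelled simply as direct membership granted by an owner.

```python
# Added example, not GitHub's code: a small model of the EMU team-sync rules
# described above. Data structures and names are assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class Org:
    name: str
    members: set = field(default_factory=set)  # every current organisation member
    direct: set = field(default_factory=set)   # members added by another method (e.g. an owner)
    teams: dict = field(default_factory=dict)  # team name -> members of the connected IdP group


def add_direct(org: Org, user: str) -> None:
    """Membership granted by another method; it survives a group disconnect."""
    org.members.add(user)
    org.direct.add(user)


def sync_group(org: Org, team: str, group_members: set):
    """Apply the IdP group's current membership to its connected team.
    Returns (added_to_team, removed_from_team, auto_added_to_org)."""
    current = org.teams.get(team, set())
    added = set(group_members) - current
    removed = current - set(group_members)
    org.teams[team] = set(group_members)
    # Joining a team in an organisation you are not yet in adds you to the organisation.
    auto_added = {u for u in added if u not in org.members}
    org.members |= auto_added
    return added, removed, auto_added


def blast_radius(org: Org, team: str) -> set:
    """Preview which users would lose organisation membership if this team's
    group were disconnected: in the team, no direct membership, in no other team."""
    members = org.teams.get(team, set())
    others = {u for t, m in org.teams.items() if t != team for u in m}
    return {u for u in members if u not in org.direct and u not in others}


def disconnect_group(org: Org, team: str) -> set:
    """Drop the group connection; users whose only path into the organisation
    was this team are removed. Returns the set of removed users."""
    expelled = blast_radius(org, team)
    org.teams.pop(team, None)
    org.members -= expelled
    return expelled
```

Running blast_radius before disconnecting a group is the check an administrator wants: it lists exactly who will lose organisation access, so direct membership can be granted first where needed.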

Conditional Access Policy

When your enterprise uses OIDC SSO, GitHub automatically applies the conditional access policy (CAP) IP conditions set by your IdP to validate user interactions with the platform, including whenever a member changes their IP address or uses a personal access token or SSH key.

Any enterprise with managed users and OIDC SSO enabled can use GitHub Enterprise Cloud's CAP support. GitHub Enterprise Cloud enforces your IdP's IP conditions, but it cannot enforce device compliance conditions.

Once OIDC SSO is set up, enterprise owners can rely on the IdP's CAP IP conditions instead of the IP allow list provided by GitHub Enterprise Cloud.

Migrating From SAML to OIDC

For enterprises using SAML SSO to authenticate with Azure AD, migrating to OIDC allows GitHub to utilise your IdP’s conditional access policy for validating user interactions. This includes verifying IP changes and the use of personal access tokens or SSH keys.

During the migration, user accounts and groups provisioned for SAML will have “(SAML)” added to their display names. If you’re new to Enterprise Managed Users and haven’t configured authentication, you can directly set up OIDC single sign-on without the need to migrate.

Migrating to a New IdP or Tenant

When using Enterprise Managed Users, you may need to move your enterprise to a different IdP or Azure AD tenant, for instance when transitioning from a testing environment to your production environment.

Before migrating your enterprise with managed user accounts to a new IdP or tenant, ascertain whether the normalised SCIM UserName attribute values will remain unchanged in the new setting.

If the normalised SCIM UserName values remain the same post-migration, you can handle the migration on your own. If the normalised SCIM UserName values are set to change after the migration, GitHub will assist you in the EMU Migration process.
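The decision above hinges on whether normalised usernames change, so here is an added example (not GitHub's code) that compares the SCIM userName an old and a new IdP would send for each person and reports which normalised values would differ. The normalisation function is a simplified approximation of GitHub's documented rules (local part of an email-style name, non-alphanumeric runs to a single dash, trailing underscore plus enterprise short code) and is assumed here; the stable employee identifier used as the join key and all sample data are constructed for the example.

```python
# Added example, not GitHub's code. normalise_username approximates GitHub's
# documented EMU username normalisation and is an assumption; confirm the current
# rules in GitHub's docs before relying on the result.
import re


def normalise_username(scim_username: str, short_code: str) -> str:
    """Local part of an email-style userName, non-alphanumeric runs collapsed to
    one dash, leading/trailing dashes removed, then '_' + enterprise short code."""
    local = scim_username.split("@", 1)[0]
    base = re.sub(r"[^0-9A-Za-z]+", "-", local).strip("-")
    return f"{base}_{short_code}"


def migration_plan(old_users: dict, new_users: dict, short_code: str):
    """old_users / new_users map a stable per-person key (assumed here to be an
    employee id) to the SCIM userName each IdP sends for that person.
    Returns (unchanged, changed, missing): dicts of key -> (old, new) normalised
    names, and the set of people the new IdP does not carry at all."""
    unchanged, changed, missing = {}, {}, set()
    for key, old_name in old_users.items():
        if key not in new_users:
            missing.add(key)
            continue
        old_norm = normalise_username(old_name, short_code)
        new_norm = normalise_username(new_users[key], short_code)
        bucket = unchanged if old_norm == new_norm else changed
        bucket[key] = (old_norm, new_norm)
    return unchanged, changed, missing


def self_service_migration_ok(old_users: dict, new_users: dict, short_code: str) -> bool:
    """The rule from the text: handle the migration yourself only if no
    normalised userName changes; otherwise GitHub needs to be involved."""
    _, changed, _ = migration_plan(old_users, new_users, short_code)
    return not changed
```

Users listed as missing will simply not be provisioned by the new IdP; they are reported separately because the text's self-service criterion concerns only whether normalised values change.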

Conclusion

GitHub Enterprise with Enterprise Managed Users offers businesses a secure environment for software development and collaboration. It provides centralised control over user accounts through an identity provider, allowing for streamlined authentication and management.

The integration of SAML and OIDC ensures secure user authentication, while SCIM provisioning enables efficient user account management. Conditional Access Policies validate user interactions based on identity provider conditions.

Enterprises can migrate to new identity providers or Azure AD tenants, with assistance from GitHub where normalised usernames will change. Overall, GitHub Enterprise and Managed Users enhance productivity, code quality, and security in software development.
