Using 3rd Party IAM to Provisioning Enterprise Users via SCIM

[donc-radiant-dev]

Select Topic Area

General

Body

Hello all

I'm testing provisioning Enterprise Users using SCIM through a platform other than the officially support IDPs Azure (Entra), Okta or Ping Fed, using a 30-day EMU trial for "managed users". In reading through one of the Git docs related to provisioning via SCIM, it indicates this can be done. The referenced doc is at: https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users

In doing some baseline testing through Postman, I get an error when attempting to post to the /Users endpoint. The message states the operation is only supported on those platforms. (message below). Before digging further into this, I wanted to check if this is indeed feasible or we are constrained to just those providers. I am using a generated SCIM token with all scopes enabled. I can successfully run a list of users (GET) but the not the POST for user create. If it's a request configuration issue, I wouldn't expect this type of message (though wouldn't rule it out). I'm reviewing additional detail and testing.

Appreciate any insights from the community.

Error seen in Postman

{
"message": "Enterprise Managed User enabled Enterprises must use Azure AD, Okta, or Ping Federate for SCIM Provisioning",
"documentation_url": "https://docs.github.com/rest/enterprise-admin/scim#provision-a-scim-enterprise-user",
"status": "403"
}

[queenofcorgis]

Hi @donc-radiant-dev 👋🏼 ,

In your testing and reviewing, have you:

• Validate your SCIM payload against GitHub’s SCIM API spec:
  • Are required fields present (userName, active, etc)?
  • Is your SCIM token correct (scope, permissions)?

[ghost]

Thanks for the response, @queenofcorgis. I have reviewed the api spec and all seems ok. I tested using the sample provided in the api spec, copied below.

The token is 'classic', prompted during initial setup with a default scope of 'scim:enterprise'.

The document I referenced has a section related to 3rd party, being able to enable SCIM but I don't see that available. Only the option to enable SSO, at which point the default SCIM configuration shows enable for connection from the IDP. In this case Entra. Screenshot below.

Also checked the audit log. Looking to see if there's a deeper level of debug available, but for reference attached.

body request for new user

{
  "externalId": "E012345",
  "active": true,
  "userName": "E012345",
  "name": {
    "formatted": "Ms. Mona Lisa Octocat",
    "familyName": "Octocat",
    "givenName": "Mona",
    "middleName": "Lisa"
  },
  "displayName": "Mona Lisa",
  "emails": [
    {
      "value": "mlisa@example.com",
      "type": "work",
      "primary": true
    }
  ],
  "roles": [
    {
      "value": "User",
      "primary": false
    }
  ]
}

[ghost]

Just to note, I responded from another personal account. Having issues with replying to the community on my original account (I'm sure I just got in my own way).

[ghost]

As a baseline, I enabled provisioning from my Entra tenant and successfully provisioning through the OIDC app in Entra to my Git Enterprise. I added the user to the OIDC app, assign the user to the 'Enterprise Owner' role and manually provisioned. The user successfully logged into the GitHub Enterprise, authenticating to my Entra provider.

So the flow works fairly smooth leveraging the single IDP for both authn and provisioning. Will work from here, at least a point of reference - see where the breakage is when attempting to provisioning 3rd party.

[ghost]

There appears to be a missing bit of function in the Identity Provider > SSO configuration UI. Per the Git doc for enabling 3rd party SCIM, It indicates there should be an 'Open SCIM Configuration' option, which I'm not seeing. Running through a few times, make sure nothing obvious is missing.

From doc:

Settings in UI for SSO configuration:

[donc-radiant-dev]

Response from GitHub support clarified the issue. Using IDP with OIDC does not support open SCIM. Need to change to SAML for authentication. This worked for me.

Support indicated others have asked about this capability and potential for future inclusion but nothing planned at this time.