Disabling SCIM provisioning for users

You can disable SCIM provisioning for your enterprise's user accounts.

Who can use this feature?

Site administrators

In this article

Note

SCIM for GitHub Enterprise Server is currently in public preview and subject to change. GitHub recommends testing with a staging instance first. See Setting up a staging instance.

How do I disable SCIM?

To disable SCIM provisioning while keeping SAML on:

  1. In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.

    Screenshot of the dropdown menu shown when you click the profile photo on GitHub Enterprise Server. The "Enterprise settings" option is outlined.

  2. On the left side of the page, in the enterprise account sidebar, click Settings.

  3. Under Settings, click Authentication security.

  4. Deselect Enable SCIM configuration.

When this happens, users will still be able to use SAML single sign-on through your identity provider, but SCIM provisioning will no longer work. Instead, SAML JIT provisioning will be used again. For more information on SAML provisioning, see Configuring SAML single sign-on for your enterprise.

If for some reason you no longer have access to your instance, you will need to sign in to the management console and enable built-in authentication. For more information, see Configuring built-in authentication. Once this is complete, you can sign in to your instance with the SCIM setup user you created when enabling SCIM, and uncheck the Enable SCIM configuration checkbox described above.

How else can be SCIM disabled?

In addition to directly disabling SCIM provisioning on your instance, SCIM will be disabled if any of the following actions are taken:

  • The SAML radio button is unselected in the "Authentication" section of the Management Console.
  • The SAML Issuer or Single sign-on URL field is updated in the "Authentication" section of the Management Console.

What happens if I disable SCIM?

When SCIM is disabled on GitHub Enterprise Server:

  • In your instance's audit logs, you should expect to see a "business.disable_open_scim" event.
  • All linked SCIM identities and SCIM-provisioned groups will be deleted from the instance.
  • Requests to the SCIM API endpoints on your instance will no longer succeed.
  • All SCIM external identities on GitHub Enterprise Server will be deleted.
  • All user accounts will remain with the same usernames, and they will not be suspended when SCIM is disabled.
  • All of the external groups that were previously provisioned by SCIM will be deleted.
  • All user accounts, including SCIM-provisioned user accounts, will remain on the instance and will not be suspended.
  • Site administrators will be able to manage the lifecycle of SCIM-provisioned users, such as suspension and deletion, from the site admin dashboard.
  • Users will still be able to sign on via SAML, if enabled.
  • The "Suspended Members" page in your enterprise settings will no longer be present. Suspended members can still be seen in the Site Admin dashboard