Troubleshooting team membership with identity provider groups

If you manage team membership using groups on your identity provider (IdP), but team membership is not in sync, you can troubleshoot the problem.

Who can use this feature?

To manage users in your enterprise with your identity provider, your enterprise must be enabled for Enterprise Managed Users, which is available with GitHub Enterprise Cloud. For more information, see "About Enterprise Managed Users."

In this article

About management of team membership with IdP groups

With Enterprise Managed Users, you can manage team and organization membership within your enterprise through your IdP by connecting teams on GitHub.com with groups on your IdP. You can review a list of teams that you've synchronized to IdP groups from your enterprise's settings. For more information, see "Managing team memberships with identity provider groups."

If GitHub is unable to synchronize team membership with a group on your IdP, you can view an error message and troubleshoot the problem.

Viewing errors for team synchronization with an IdP group

  1. In the top-right corner of GitHub.com, click your profile photo, then click Your enterprises.

  2. In the list of enterprises, click the enterprise you want to view.

  3. To review a list of IdP groups, in the left sidebar, click Identity provider.

  4. If synchronization for a group is experiencing problems, you'll see a message that reads "Some groups are failing to synchronize to teams. Check that you have available licenses."

  5. In the list of IdP groups, click the group you'd like to review.

  6. To review the synchronization error for the group, under the name of the group, click Teams.

    Screenshot of the page for a synchronized IdP group. Under the name of the group, to the right, the "Teams" tab is highlighted in dark orange.

    If a team is unable to sync membership with a group on your IdP, you'll see a description of the problem under the team's name and membership count.

Error: "Out of sync due to insufficient licenses"

If your enterprise does not have sufficient licenses and GitHub is unable to synchronize team membership with a group on your IdP, you'll see a message that reads "Out of sync due to insufficient licenses".

Screenshot of the IdP group page. A warning that a team is out of sync due to insufficient licenses is outlined in dark orange.

The team may be missing members because your enterprise does not have sufficient licenses available. GitHub is unable to synchronize the team's membership with a group on your IdP, and any unlicensed user cannot be added to an organization.

  1. Review the available licenses for your enterprise. For more information, see "Viewing license usage for GitHub Enterprise."

  2. To resolve the problem, choose one of the following solutions.

    • Remove users from the IdP group.
    • Deprovision users from your enterprise.
    • Purchase additional licenses to allow synchronization to complete. For more information, see "About per-user pricing."

Error: "Out of sync"

If synchronization of team membership with a group on your IdP fails due to a problem other than licensing, you'll see a message that reads "Out of sync".

Screenshot of the IdP group page. A warning that a team is out of sync is outlined in dark orange.

GitHub will try to resolve this problem automatically during the next sync, which occurs at least once daily. You may be able to resolve the problem by unlinking the impacted team from the IdP group and then linking it to the same group again. For more information, see "Managing team memberships with identity provider groups."

If the problem persists, contact GitHub Enterprise Support and provide details about the organization, team, and the IdP group you're experiencing problems with.