Article version: Enterprise Server 2.17

Allowing built-in authentication for users outside your identity provider

You can configure built-in authentication to authenticate users who don't have access to your identity provider that uses LDAP, SAML, or CAS.

In this guide:

About built-in authentication for users outside your identity provider

You can use built-in authentication for outside users when you are unable to add specific accounts to your identity provider (IdP), such as accounts for contractors or machine users. You can also use built-in authentication to access a fallback account if the identity provider is unavailable.

After built-in authentication is configured and a user successfully authenticates with SAML or CAS, they will no longer have the option to authenticate with a username and password. If a user successfully authenticates with LDAP, the credentials are no longer considered internal.

Built-in authentication for a specific IdP is disabled by default.

Warning: If you disable built-in authentication, you must individually suspend any users that should no longer have access to the instance. For more information, see "Suspending and unsuspending users."

Configuring built-in authentication for users outside your identity provider

  1. In the upper-right corner of any page, click .

    Rocketship icon for accessing site admin settings

  2. In the left sidebar, click Management Console.

    Management Console tab in the left sidebar

  3. In the left sidebar, click Authentication.

    Authentication tab in the settings sidebar

  4. Select your identity provider.

    Select identity provider option

  5. Select Allow creation of accounts with built-in authentication.

    Select built-in authentication option

  6. Read the warning, then click Ok.

Two-factor authentication

When using LDAP or built-in authentication, two-factor authentication is supported. Organization administrators can require members to have two-factor authentication enabled.

Inviting users outside your identity provider to authenticate to your instance

When a user accepts the invitation, they can use their username and password to sign in rather than signing in through the IdP.

  1. Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.

  2. In the upper-right corner of any page, click .

    Rocketship icon for accessing site admin settings

  3. In the left sidebar, click Invite user.

    Invite user tab in the site admin console

  4. Type the username and email address for each of the user accounts that you'd like to create, then click Generate a password reset link.

    Generate a password reset link button

Further reading

Ask a human

Can't find what you're looking for?

Contact us