About guest collaborators
Note
The guest collaborator role is only available with Enterprise Managed Users.
You can use the guest collaborator role to grant limited access to vendors and contractors. Guest collaborators:
- Are provisioned by your IdP, like all managed user accounts.
- Can be added as organization members or as collaborators in repositories.
- Cannot access internal repositories in the enterprise, except in organizations where they're added as a member.
Enabling guest collaborators in your IdP
If you use Microsoft Entra ID (previously known as Azure AD) or Okta for authentication, you may need to update the Enterprise Managed Users application in your IdP.
Enabling guest collaborators with Entra ID
1. Sign in to the Microsoft Azure portal.
2. Click Identity.
3. Click Applications.
4. Click Enterprise applications.
5. Click All applications.
6. View the details for your Enterprise Managed Users application.
7. In the left sidebar, click Users and Groups.
8. View the application registration.
   - If the application registration displays the "Restricted User" or "Guest Collaborator" roles, you're ready to invite guest collaborators to your enterprise.
   - If the application registration does not display the roles, proceed to the next step.
9. In the Azure portal, click App registrations.
10. Click All applications, then use the search bar to find your application for Enterprise Managed Users.
11. Click your SAML or OIDC application.
12. In the left sidebar, click Manifest.
13. Search for the following id within the Manifest file: 1ebc4a02-e56c-43a6-92a5-02ee09b90824
   - If the id is not present, proceed to the next step.
   - If the id is present, review the description and displayName values. If the values are not set to Guest Collaborator, you can rename both to be so, and proceed to step 15.
14. Under the appRoles object, add the following block:

    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Guest Collaborator",
      "displayName": "Guest Collaborator",
      "id": "1ebc4a02-e56c-43a6-92a5-02ee09b90824",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "value": null
    },

    Note
    The id value is critical. If another id value is present, the update will fail.
15. Click Save.
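The manifest check in the Entra ID steps above (search for the id, then rename the role or add the block) can be run against a saved copy of the manifest JSON before you edit it in the portal. This is an added example, not GitHub's or Microsoft's code; the function name ensure_guest_role and the sample manifest are constructed for illustration, and the role id and block are the ones given on this page.

```python
import copy
import json

GUEST_ROLE_ID = "1ebc4a02-e56c-43a6-92a5-02ee09b90824"  # id given on this page
GUEST_ROLE_NAME = "Guest Collaborator"

# The appRoles block from the procedure above, as a Python dict.
GUEST_ROLE_BLOCK = {
    "allowedMemberTypes": ["User"],
    "description": GUEST_ROLE_NAME,
    "displayName": GUEST_ROLE_NAME,
    "id": GUEST_ROLE_ID,
    "isEnabled": True,
    "lang": None,
    "origin": "Application",
    "value": None,
}


def ensure_guest_role(manifest):
    """Return (action, updated_manifest); the input manifest is not modified.

    action: "add" (id absent), "rename" (id present, wrong names), or "ok".
    """
    updated = copy.deepcopy(manifest)
    roles = updated.setdefault("appRoles", [])
    # GUIDs are case-insensitive, so compare the id in lower case.
    matches = [r for r in roles if str(r.get("id", "")).lower() == GUEST_ROLE_ID]
    if not matches:
        # Id not present: add the block, ahead of any existing roles.
        roles.insert(0, copy.deepcopy(GUEST_ROLE_BLOCK))
        return "add", updated
    action = "ok"
    for role in matches:
        for key in ("description", "displayName"):
            if role.get(key) != GUEST_ROLE_NAME:
                role[key] = GUEST_ROLE_NAME  # rename both values, keep the id
                action = "rename"
    return action, updated


if __name__ == "__main__":
    # Constructed sample manifest: the id exists under a different name.
    sample = {"appRoles": [dict(GUEST_ROLE_BLOCK, description="Restricted User",
                                displayName="Restricted User")]}
    action, fixed = ensure_guest_role(sample)
    print(action, json.dumps(fixed["appRoles"], indent=2))
```
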
Enabling guest collaborators with Okta
To add the guest collaborator role to your Okta application:
1. Navigate to your application for Enterprise Managed Users on Okta.
2. Click Provisioning.
3. Click Go to Profile Editor.
4. Find "Roles" at the bottom of the profile editor and click the edit icon.
5. Add a new role.
   - For "Display name", type Guest Collaborator.
   - For "Value", type guest_collaborator.
6. Click Save.
Adding guest collaborators to your enterprise
When guest collaborators are enabled in your IdP, you can use SCIM to provision users with the guest_collaborator role.
- If you use a partner IdP, use the "Roles" attribute in the Enterprise Managed Users application.
- If you use the SCIM endpoints of GitHub's REST API to provision users, use the roles user attribute.
For more information about partner IdPs and other identity management systems, see "About Enterprise Managed Users."
Giving guest collaborators access to resources
When you have added a guest collaborator to your enterprise, you can add the user to specific organizations or repositories.
Add the user to an organization
To give the user access to repositories in an organization, add the user as a member of the organization.
- As for all members, the base permission policy for the organization determines whether the user has access to internal and private repositories by default. See "Setting base permissions for an organization."
- Guest collaborators can be members of IdP groups that are connected to GitHub teams, and will be added to the organization via SCIM, just like other enterprise members. See "Managing team memberships with identity provider groups."
Add the user to a repository
To give the user access to specific repositories, add the user to the repositories as a repository collaborator.
This gives the user access to the repository without giving them access to other internal or private repositories in the same organization. For more information, see "Roles in an organization."
Further reading
- Tutorial: Configure GitHub Enterprise Managed User for automatic user provisioning in the Entra ID documentation
- Configure PingFederate for provisioning and SSO in the PingIdentity documentation
- "Configuring SCIM provisioning with Okta"
- "Provisioning users and groups with SCIM using the REST API"