User16952936220821148929 (Customer) asked a question.
My team are wanting to deprovision users from our GitHub Organisations (the enterprise version) once their accounts are removed from Okta. We currently only do SAML authentication at a GitHub Org level due to caveats with the SCIM provisioning of users as we allow developers to link their own accounts against our SSO setup.
Once a user leaves the business and their Okta account is removed, they cannot log in to GitHub once their SAML session expires, however their SSH key(s) & PAT(s) are still active and linked to the organisation.
I have attempted to setup the Okta-GitHub deprovisioning flow without provisioning users due to the caveats mentioned earlier. After running a test with a single account on a new organisation, the user is still able to access the organisation using their authenticated PAT. Is this expected behaviour given we don't provision users?
Hello @User16952936220821148929 (Customer) Thank you for reacting out to our Community!
That is not the expected behaviour, as the user account in GitHub should be deactivated and the account made inactive revoking any type of access.
However this might be because you are trying to deactivate the account whiteout Provisioning users. When you enable provisioning and assign the user in Okta the account on Okta side should get linked with the account on GitHub side, if this does not happen then the account on GitHub will not reflect any changes made on Okta side.
Please check out provisioning doc for GitHub:
https://saml-doc.okta.com/Provisioning_Docs/Github_Provisioning.html
Community members help others by clicking Like or Select as Best on responses. Try it today.
What you missed: new product releases and other announcements