App connectors · App connectors

GitHub Enterprise Cloud — Thoryn as the OIDC IdP

Configure GitHub Enterprise Cloud (with EMU) to authenticate users via Thoryn-issued OIDC tokens.

github
oidc
dev-tooling

Tested against:hub: 1.0.0github: EMU 2026

What you get

GitHub Enterprise Managed Users (EMU) authenticated via Thoryn. Users receive a normalised profile with email + given/family name; SCIM provisioning (separate flow) keeps the GitHub side in sync.

Setup

1. In Thoryn

hub clients create \
  --name "GitHub EMU" \
  --redirect-uri "https://github.com/enterprises/YOUR-ENTERPRISE/saml/consume" \
  --grant-types authorization_code \
  --scopes "openid email profile"

2. In GitHub

Enterprise → Settings → Authentication security → Configure OIDC. Fill in:

Field	Value
Issuer	`https://hub.thoryn.org`
Client ID	(from step 1)
Client Secret	(from step 1)

3. Claim mapping

GitHub field	Thoryn claim
`email`	`email`
`name`	`given_name` + `family_name`
`username`	`preferred_username` (set this in Hub)

Caveats

EMU required: standard GitHub Enterprise Cloud authenticates against the user's existing GitHub.com account. EMU is the only mode that authenticates fully against your IdP.
SCIM separate: OIDC handles authentication; GitHub still needs SCIM 2.0 for user lifecycle management. Run both together.

GitHub Enterprise Cloud — Thoryn as the OIDC IdP

What you get

Setup

1. In Thoryn

2. In GitHub

3. Claim mapping

Caveats

See also

More app connectors

Cloudflare Access — Thoryn as a generic OIDC IdP

Figma — SAML SSO via Thoryn

GitLab — Thoryn as a generic OIDC provider

HubSpot — SAML SSO via Thoryn