Configuration Guides

Configuring SAML SSO with GitHub Cloud and PingOne for Enterprise

Learn how to enable GitHub sign-on from the PingOne for Enterprise console (IdP-initiated sign-on) and direct GitHub sign-on using PingOne for Enterprise (SP-initiated sign-on).

Before you begin

  • Link PingOne for Enterprise to an identity repository containing the users requiring application access.

  • Populate GitHub with at least one user to test access.

  • You must have administrative access to PingOne for Enterprise and GitHub.

Set up the supplied GitHub application in PingOne for Enterprise

  1. Sign on to PingOne for Enterprise for and go to Applications → Application Catalog.

  2. Search for GitHub.

  3. Expand the GitHub entry and click the Setup icon.

    Screen capture of PingOne for Enterprise Application Catalog with GitHub displayed as the search result and the expansion arrow highlighted in red.
  4. Copy the Issuer and IdP ID values.

  5. Download the signing certificate.

    Screen capture of PingOne for Enterprise SSO Instructions with the Signing Certificate Download hyperlink, IdP ID, and Issuer value highlighted in red.
  6. Click Continue to Next Step.

  7. Set ACS URL to https://github.com/orgs/your-tenant/saml/consume.

    Set Entity ID to https://github.com/orgs/your-tenant.

  8. Click Continue to Next Step.

  9. Ensure that SAML_SUBJECT is mapped to the field containing a user’s email address.

  10. Click Continue to Next Step twice.

  11. Click Add for all user groups that should have access to GitHub.

    Screen capture of PingOne for Enterprise Group Access page.
  12. Click Continue to Next Step.

  13. Click Finish.

Add the PingOne for Enterprise IdP connection to GitHub

  1. Sign on to GitHub as an administrator.

  2. Select your GitHub organization.

  3. Click Organization settings, then click Security.

  4. Under SAML single sign-on, select Enable SAML authentication.

    The assertion consumer service URL displayed on this screen should match the value that you entered into the PingOne for Enterprise ACS URL field.

    Screen capture of GitHub SAML settings with the Enable SAML authentication checkbox, assertion consumer service URL, Sign on URL, Issuer URL, and Public certificate highlighted in red.
  5. Set the following values.

    Field Value

    Sign on URL

    Issuer

    PingOne for Enterprise Issuer value

    Public certificate

    Paste in the contents of the PingOne for Enterprise signing certificate.

  6. Click Save.

Test the PingOne for Enterprise IdP-initiated SSO integration

  1. Go to your Ping desktop as a user with GitHub access.

    To find the Ping desktop URL in the Admin console, go to Setup → PingOne Dock.

  2. Complete the PingOne for Enterprise authentication.

    You’re redirected to your GitHub domain.

    Screen capture of PingOne for Enterprise sign on screen.

Test the PingOne for Enterprise SP-initiated SSO integration

  1. Go to https://github.com/orgs/your-tenant/sso.

  2. After you’re redirected to PingOne for Enterprise, enter your PingOne for Enterprise username and password.

    Screen capture of PingOne for Enterprise sign on screen.

    You’re redirected back to GitHub.