Configuration Guides

Configuring SAML SSO with GitHub Cloud and PingFederate

Learn how to enable GitHub sign-on from a PingFederate URL (IdP-initiated sign-on) and direct GitHub sign on using PingFederate (SP-initiated sign-on).

Before you begin

  • Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.

  • Populate GitHub with at least one user to test access.

  • You must have administrative access to PingFederate and GitHub.

Create a PingFederate SP connection for GitHub

  1. Sign on to the PingFederate administrative console.

  2. Create an SP connection for GitHub in Ping Federate UI:

    1. Configure using Browser SSO profile SAML 2.0.

    2. Set Partner’s Entity ID to https://github.com/orgs/your-tenant.

    3. Enable the following SAML Profiles:

      • IdP-Initiated SSO

      • SP-Initiated SSO

    4. In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment, map SAML_SUBJECT to an attribute containing the user’s email address.

    5. In Protocol Settings: Assertion Consumer Service URL, set Binding to POST and set Endpoint URL to https://github.com/orgs/your-tenant/saml/consume.

    6. In Protocol Settings: Allowable SAML Bindings, enable POST.

    7. In Credentials: Digital Signature Settings, select the PingFederate Signing Certificate.

  3. Save the configuration.

  4. Export the signing certificate.

  5. Export and then open the metadata file.

    Copy the value of the entityID and the Location entry (https://your-value/idp/SSO.saml2).

Add the PingFederate IdP connection to GitHub

  1. Sign on to GitHub as an administrator.

  2. Select your GitHub organization.

  3. Click Organization settings, then click Security.

  4. Under SAML single sign-on, select Enable SAML authentication.

    The assertion consumer service URL displayed on this screen should match the value that you entered into the PingFederate Endpoint URL field.
    Screen capture of GitHub settings with the Enable checkbox, assertion consumer service URL, Sign on URL, Issuer URL, and Public certificate fields highlighted in red.

  5. Set the following values.

    Field Value

    Sign on URL

    The PingFederate Location value (https://your-value/idp/SSO.saml2)

    Issuer

    The PingFederate entityID value.

    Public certificate

    Paste in the contents of the PingFederate signing certificate.

  6. Click Save.

Test the PingFederate IdP-initiated SSO integration

  1. Go to the PingFederate SSO Application Endpoint for the GitHub SP connection.

  2. Complete the PingFederate authentication.

    You’re redirected to your GitHub domain.

Test the PingFederate SP-initiated SSO integration

  1. Go to https://github.com/orgs/your-tenant/sso

  2. After you’re redirected to PingFederate, enter your PingFederate username and password.

    You’re redirected back to GitHub.