Configuring SAML SSO with GitHub Enterprise Server and PingOne for Enterprise

Learn how to enable GitHub sign on from the PingOne for Enterprise console (IdP-initiated sign-on) and direct GitHub sign on using PingOne for Enterprise (SP-initiated sign-on).

Before you begin

  • Link PingOne for Enterprise to an identity repository containing the users requiring application access.

  • Populate GitHub with at least one user to test access.

  • You must have administrative access to PingOne for Enterprise and GitHub.

Download the GitHub metadata

  1. Go to the URL where your GitHub server publishes its SAML metadata (https://GitHub-hostname/saml/metadata).

  2. Save the metadata as an XML file.
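The ACS URL in this file is where PingOne for Enterprise will post signed assertions, so it is worth checking the saved XML before uploading it. The following is an added example, not part of the Ping Identity or GitHub documentation: it extracts the Entity ID and ACS URL and flags values that are not HTTPS or not on your GitHub host. The host github.example.com, the sample metadata, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of SP metadata; github.example.com is a placeholder host.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://github.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://github.example.com/saml/consume"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _url_problem(label, url, expected_host):
    """Return a finding string if url is not https on expected_host, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"{label} is not an https URL: {url!r}"
    if (parts.hostname or "").lower() != expected_host.lower():
        return f"{label} host {parts.hostname!r} != expected {expected_host!r}"
    return None


def check_sp_metadata(xml_text, expected_host):
    """Extract Entity ID and ACS URL from SP metadata and list anything suspicious."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        # SAML metadata never needs a DTD; refuse rather than expand entities.
        return {"entity_id": None, "acs_url": None, "findings": ["DTD present, not parsed"]}
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != f"{{{MD}}}EntityDescriptor":
        findings.append(f"unexpected root element {root.tag}")
    entity_id = root.get("entityID")
    acs = [e for e in root.iter(f"{{{MD}}}AssertionConsumerService")
           if e.get("Binding") == POST_BINDING]
    acs_url = acs[0].get("Location") if acs else None
    # Assumption: both values should be https URLs on the GitHub host.
    for label, url in (("Entity ID", entity_id), ("ACS URL", acs_url)):
        if url is None:
            findings.append(f"{label} missing (ACS must use the HTTP-POST binding)")
        elif (problem := _url_problem(label, url, expected_host)):
            findings.append(problem)
    return {"entity_id": entity_id, "acs_url": acs_url, "findings": findings}
```

An empty `findings` list means the two values PingOne for Enterprise imports from the file point at the host you expect over HTTPS.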

Set up the GitHub application in PingOne for Enterprise

  1. Sign on to PingOne for Enterprise and go to Applications → Application Catalog.

  2. On the SAML tab, click Add Application.

    Screen capture of My Applications tab with the Add Application drop down opened and New SAML Application selected.

  3. Enter GitHub as the application name.

  4. Enter a suitable description.

  5. Select Collaboration as the category.

  6. Click Continue to Next Step.

  7. In the Upload Metadata row, click Select File and upload the metadata file that you saved from GitHub.

    Screen capture of Application Configuration section with the Select File button next to Upload Metadata highlighted in red.

    The following values should now be populated:

    • ACS URL: https://github.com/orgs/your-tenant/saml/consume

    • Entity ID: https://github.com/orgs/your-tenant

  8. Click Continue to Next Step.

  9. Click Add new attribute and map SAML_SUBJECT to the attribute containing the user’s email address.

    Screen capture of SSO Attribute Mapping section with the Add new attribute button highlighted in red.

    Screen capture of SSO Attribute mapping section with the Application Attribute table displaying SAML_SUBJECT as the first row entry.

  10. Optional: Add the username and full_name attributes, then map these to appropriate attributes.

    This populates these values in GitHub when a new user signs on.

  11. Click Continue to Next Step.

  12. Click Add for all user groups that should have access to GitHub.

    Screen capture of Group Access section.

  13. Click Continue to Next Step.

  14. Copy the Issuer and idpid values.

    Screen capture of Issuer and idpid values redacted and highlighted in red.

  15. Download the signing certificate.

    Screen capture of Signing Certificate Download hyperlink highlighted in red.

  16. Click Finish.

Add the PingOne for Enterprise IdP Connection to GitHub

  1. Sign on to GitHub Enterprise Server as an administrator.

  2. Click the Rocket icon.

  3. Click Management Console.

    Screen capture of GitHub Site admin controls with Management console highlighted in red.

  4. Click Authentication.

    Screen capture of GitHub Authentication option highlighted in red.

  5. Click SAML and select the IdP initiated SSO (disables AuthnRequest) check box.

    Screen capture of GitHub Authentication settings with SAML checked and idP initiated SSO highlighted in red.

  6. In the Single sign-on URL field, enter https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=idpid-value-from-PingOne.

    Screen capture of GitHub Single sign-on URL field highlighted in red.

  7. In the Issuer field, enter the PingOne for Enterprise Issuer value.

    Screen capture of GitHub Issuer field highlighted in red.

  8. Click Choose File for the Verification Certificate and upload the PingOne signing certificate that you downloaded.

  9. Click Save Settings.

Test the PingOne for Enterprise IdP-initiated SSO integration

  1. Go to your Ping desktop as a user with GitHub access.

    To find the Ping desktop URL in the Admin console, go to Setup → Dock → PingOne Dock URL.

  2. Complete the PingOne for Enterprise authentication.

    You’re redirected to your GitHub server.

    Screen capture of sign on screen.

Test the PingOne SP-initiated SSO integration

  1. Go to your GitHub server.

  2. After you’re redirected to PingOne for Enterprise, enter your PingOne username and password.

    Screen capture of sign on screen.

    You’re redirected back to GitHub.