--- title: Configuring SAML SSO with GitHub Enterprise Server and PingOne for Enterprise description: Learn how to enable GitHub sign on from the PingOne for Enterprise console (IdP-initiated sign-on) and direct GitHub sign on using PingOne for Enterprise (SP-initiated sign-on). component: configuration_guides page_id: configuration_guides:github:config_saml_githubenterpriseserver_p1 canonical_url: https://docs.pingidentity.com/configuration_guides/github/config_saml_githubenterpriseserver_p1.html revdate: May 20, 2024 section_ids: before-you-begin: Before you begin download-the-github-metadata: Download the GitHub metadata set-up-the-github-application-in-pingone-for-enterprise: Set up the GitHub application in PingOne for Enterprise add-the-pingone-for-enterprise-idp-connection-to-github: Add the PingOne for Enterprise IdP Connection to GitHub test-the-pingone-for-enterprise-idp-initiated-sso-integration: Test the PingOne for Enterprise IdP-initiated SSO integration test-the-pingone-sp-initiated-sso-integration: Test the PingOne SP-initiated SSO integration --- # Configuring SAML SSO with GitHub Enterprise Server and PingOne for Enterprise Learn how to enable GitHub sign on from the PingOne for Enterprise console (IdP-initiated sign-on) and direct GitHub sign on using PingOne for Enterprise (SP-initiated sign-on). ## Before you begin * Link PingOne for Enterprise to an identity repository containing the users requiring application access. * Populate GitHub with at least one user to test access. * You must have administrative access to PingOne for Enterprise and GitHub. ## Download the GitHub metadata 1. Go to where your GitHub server publishes its metadata (`https://GitHub-hostname/saml/metadata`). 2. Save the metadata as an XML file. ## Set up the GitHub application in PingOne for Enterprise 1. Sign on to PingOne for Enterprise for Enterprise and go to **Applications → Application Catalog**. 2. On the **SAML** tab, click **Add Application**. ![Screen capture of My Applications tab with the Add Application drop down opened and New SAML Application selected.](_images/opj1625255243572.png) 3. Enter **GitHub** as the application name. 4. Enter a suitable description. 5. Select **Collaboration** as the category. 6. Click **Continue to Next Step**. 7. In the **Upload Metadata** row, click **Select File** and upload the metadata file that you saved from GitHub. ![Screen capture of Application Configuration section with the Select File button next to Upload Metadata highlighted in red.](_images/tjn1625255382381.png) The following values should now be populated: * **ACS URL**: `https://github.com/orgs/your-tenant/saml/consume` * **Entity ID**: `https://github.com/orgs/your-tenant` 8. Click **Continue to Next Step**. 9. Click **Add new attribute** and map **SAML\_SUBJECT** to the attribute containing the user's email address. ![Screen capture of SSO Attribute Mapping section with the Add new attribute button highlighted in red.](_images/jvj1625255607747.png) ![Screen capture of SSO Attribute mapping section with the Application Attribute table displaying SAML\_SUBJECT as the first row entry.](_images/jeh1625255725920.png) 10. **Optional:** Add the **username** and **full\_name** attributes, then map these to appropriate attributes. This populates these values in GitHub when a new user signs on. 11. Click **Continue to Next Step**. 12. Click **Add** for all user groups that should have access to GitHub. ![Screen capture of Group Access section.](_images/und1625255913186.png) 13. Click **Continue to Next Step**. 14. Copy the **Issuer** and **idpid** values. ![Screen capture of Issuer and idpid values redacted and highlighted in red.](_images/wcx1625256134508.png) 15. Download the signing certificate. ![Screen capture of Signing Certificate Download hyperlink highlighted in red.](_images/zwu1625256184986.png) 16. Click **Finish**. ## Add the PingOne for Enterprise IdP Connection to GitHub 1. Sign on to GitHub Enterprise Server as an administrator. 2. Click the **Rocket** icon. 3. Click **Management Console**. ![Screen capture of GitHub Site admin controls with Management console highlighted in red.](_images/iig1625256280294.png) 4. Click **Authentication**. ![Screen capture of GitHub Authentication option highlighted in red.](_images/ian1625256331790.png) 5. Click **SAML** and select the **idP initiated SSO (disables AuthnRequest)** check box. ![Screen capture of GitHub Authentication settings with SAML checked and idP initiated SSO highlighted in red.](_images/thh1625256392431.png) 6. In the **Single sign-on URL** field, enter `https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=idpid-value-from-PingOne`. ![Screen capture of GitHub Single sign-on URL field highlighted in red.](_images/xge1625256484285.png) 7. In the **Issuer** field, enter the PingOne for Enterprise **Issuer** value. ![Screen capture of GitHub Issuer field highlighted in red.](_images/rfj1625256540616.png) 8. Click **Choose File** for the **Verification Certificate** and upload the PingOne signing certificate that you downloaded. 9. Click **Save Settings**. ## Test the PingOne for Enterprise IdP-initiated SSO integration 1. Go to your Ping desktop as a user with GitHub access. | | | | - | --------------------------------------------------------------------------------------------- | | | To find the Ping desktop URL in the Admin console, go to **Setup → Dock → PingOne Dock URL**. | 2. Complete the PingOne for Enterprise authentication. You're redirected to your GitHub server. ![Screen capture of sign on screen.](_images/llr1625256687377.png) ## Test the PingOne SP-initiated SSO integration 1. Go to your GitHub server. 2. After you're redirected to PingOne for Enterprise, enter your PingOne username and password. ![Screen capture of sign on screen.](_images/llr1625256687377.png) You're redirected back to GitHub.