
Configuring SAML SSO with GitHub Enterprise Server and PingFederate

Learn how to enable GitHub sign-on from a PingFederate URL (IdP-initiated sign-on) and direct GitHub sign-on using PingFederate (SP-initiated sign-on).

Before you begin

  • Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.

  • Populate GitHub with at least one user to test access.

  • You must have administrative access to PingFederate and GitHub.

Download the GitHub metadata

  1. Go to the URL where your GitHub server publishes its SAML metadata (https://GitHub-hostname/saml/metadata).

  2. Save the metadata as an XML file.

Create a PingFederate SP connection for GitHub

  1. Sign on to the PingFederate administrative console.

  2. Create an SP connection for GitHub in PingFederate using the GitHub metadata file:

    1. Configure using Browser SSO profile SAML 2.0.

    2. Enable the following SAML Profiles:

      • IdP-Initiated SSO

      • SP-Initiated SSO

    3. In Assertion Creation: Attribute Contract, extend the contract with attributes named username and full_name if you want those values populated in GitHub.

    4. In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment, map SAML_SUBJECT to an attribute containing the user’s email address.

      If you added username and full_name to the contract, map them to the appropriate attributes.

    5. In Protocol Settings: Allowable SAML Bindings, enable POST.

    6. In Credentials: Digital Signature Settings, select the PingFederate Signing Certificate.

  3. Save the configuration.

  4. Export the signing certificate.

  5. Export and then open the metadata file.

    Copy the value of the entityID and the Location entry (https://your-value/idp/SSO.saml2).

Add the PingFederate IdP Connection to GitHub

  1. Sign on to GitHub Enterprise Server as an administrator.

  2. Click the Rocket icon.

  3. Click Management Console.

    Screen capture of GitHub Site admin controls with Management console highlighted in red.

  4. Click Authentication.

    Screen capture of GitHub Authentication option highlighted in red.

  5. Click SAML and select the IdP initiated SSO (disables AuthnRequest) check box.

    Screen capture of GitHub Authentication settings with SAML checked and IdP initiated SSO highlighted in red.

  6. In the Single sign-on URL field, enter the PingFederate Location value (https://your-value/idp/SSO.saml2).

    Screen capture of GitHub Single sign-on URL field highlighted in red.

  7. In the Issuer field, enter the PingFederate entityID value.

    Screen capture of GitHub Issuer field highlighted in red.

  8. Click Choose File for the Verification Certificate and upload the PingFederate signing certificate that you downloaded.

  9. Click Save Settings.

Test the PingFederate IdP-initiated SSO integration

  1. Go to the PingFederate SSO Application Endpoint for the GitHub SP connection.

  2. Complete the PingFederate authentication.

    You’re redirected to your GitHub domain.

Test the PingFederate SP-initiated SSO integration

  1. Go to your GitHub server.

  2. After you’re redirected to PingFederate, enter your PingFederate username and password.

    You’re redirected back to GitHub.