---
title: Configuring SAML SSO with GitHub Enterprise Server and PingFederate
description: Learn how to enable GitHub sign-on from a PingFederate URL (IdP-initiated sign-on) and direct GitHub sign-on using PingFederate (SP-initiated sign-on).
component: configuration_guides
page_id: configuration_guides:github:config_saml_githubenterpriseserver_pf
canonical_url: https://docs.pingidentity.com/configuration_guides/github/config_saml_githubenterpriseserver_pf.html
revdate: May 16, 2024
section_ids:
  before-you-begin: Before you begin
  download-the-github-metadata: Download the GitHub metadata
  create-a-pingfederate-sp-connection-for-github: Create a PingFederate SP connection for GitHub
  add-the-pingfederate-idp-connection-to-github: Add the PingFederate IdP Connection to GitHub
  test-the-pingfederate-idp-initiated-sso-integration: Test the PingFederate IdP-initiated SSO integration
  test-the-pingfederate-sp-initiated-sso-integration: Test the PingFederate SP-initiated SSO integration
---

# Configuring SAML SSO with GitHub Enterprise Server and PingFederate

Learn how to enable GitHub sign-on from a PingFederate URL (IdP-initiated sign-on) and direct GitHub sign-on using PingFederate (SP-initiated sign-on).

## Before you begin

* Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.

* Populate GitHub with at least one user to test access.

* You must have administrative access to PingFederate and GitHub.

## Download the GitHub metadata

1. Go to where your GitHub server publishes its metadata (`https://GitHub-hostname/saml/metadata`).

2. Save the metadata as an XML file.

## Create a PingFederate SP connection for GitHub

1. Sign on to the PingFederate administrative console.

2. Create an SP connection for GitHub in PingFederate using the GitHub metadata file:

   1. Configure using **Browser SSO** profile **SAML 2.0**.

   2. Enable the following **SAML Profiles**:

      * **IdP-Initiated SSO**

      * **SP-Initiated SSO**

   3. In **Assertion Creation: Attribute Contract**, extend the contract with attributes named **username** and **full\_name** if you want these values populated in GitHub.

   4. In **Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment**, map **SAML\_SUBJECT** to an attribute containing the user's email address.

      If added, map **username** and **full\_name** to appropriate attributes.

   5. In **Protocol Settings: Allowable SAML Bindings**, enable **POST**.

   6. In **Credentials: Digital Signature Settings**, select the **PingFederate Signing Certificate**.

3. Save the configuration.

4. Export the signing certificate.

5. Export and then open the metadata file.

   Copy the value of the entityID and the Location entry (`https://your-value/idp/SSO.saml2`).
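
The following Python script is an added example, not part of the PingFederate or GitHub documentation. It reads exported IdP metadata and returns the entityID, the SSO endpoint Location, and the SHA-256 fingerprint of each signing certificate, so you can check the values before entering them in GitHub. The sample metadata, the `pf.example.com` host, the entityID, and the certificate bytes are constructed placeholders, and `github_saml_values` is a hypothetical helper name.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: entityID, host and certificate bytes are placeholders.
SAMPLE_CERT_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="pf.example.com:idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://pf.example.com/idp/SSO.saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleSignOnService Location="https://pf.example.com/idp/SSO.saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def github_saml_values(metadata_xml: str) -> dict:
    """Extract the Issuer, SSO URL(s) and signing-certificate fingerprints."""
    root = ET.fromstring(metadata_xml)  # parse only metadata you exported yourself
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.get("entityID") is None or idp is None:
        raise ValueError("not IdP metadata: entityID or IDPSSODescriptor missing")
    urls = sorted({s.get("Location", "")
                   for s in idp.findall("md:SingleSignOnService", NS)})
    if not urls or any(not u.startswith("https://") for u in urls):
        raise ValueError(f"expected HTTPS SingleSignOnService endpoints, got {urls}")
    # A KeyDescriptor with no "use" attribute applies to signing as well.
    certs = [k.findtext(".//ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")]
    if not certs or not all(certs):
        raise ValueError("no signing certificate in metadata")
    prints = []
    for cert in certs:
        digest = hashlib.sha256(base64.b64decode("".join(cert.split()))).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return {"issuer": root.get("entityID"), "sso_urls": urls, "cert_sha256": prints}


if __name__ == "__main__":
    for field, value in github_saml_values(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Compare the fingerprint with the output of `openssl x509 -in <exported-cert> -noout -fingerprint -sha256` for the signing certificate you exported, so the certificate you upload to GitHub is the one PingFederate signs with.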

## Add the PingFederate IdP Connection to GitHub

1. Sign on to GitHub Enterprise Server as an administrator.

2. Click the **Rocket** icon.

3. Click **Management Console**.

   ![Screen capture of GitHub Site admin controls with Management console highlighted in red.](_images/hjm1625257408895.png)

4. Click **Authentication**.

   ![Screen capture of GitHub Authentication option highlighted in red.](_images/ian1625256331790.png)

5. Click **SAML** and select the **idP initiated SSO (disables AuthnRequest)** check box.

   ![Screen capture of GitHub Authentication settings with SAML checked and idP initiated SSO highlighted in red.](_images/thh1625256392431.png)

6. In the **Single sign-on URL** field, enter the PingFederate Location value (`https://your-value/idp/SSO.saml2`).

   ![Screen capture of GitHub Single sign-on URL field highlighted in red.](_images/xge1625256484285.png)

7. In the **Issuer** field, enter the PingFederate **entityID** value.

   ![Screen capture of GitHub Issuer field highlighted in red.](_images/rfj1625256540616.png)

8. Click **Choose File** for the **Verification Certificate** and upload the PingFederate signing certificate that you downloaded.

9. Click **Save Settings**.

## Test the PingFederate IdP-initiated SSO integration

1. Go to the PingFederate **SSO Application Endpoint** for the GitHub SP connection.

2. Complete the PingFederate authentication.

   You're redirected to your GitHub domain.

## Test the PingFederate SP-initiated SSO integration

1. Go to your GitHub server.

2. After you're redirected to PingFederate, enter your PingFederate username and password.

   You're redirected back to GitHub.
