GitHub

User and group management

The GitHub EMU Provisioner synchronizes users and groups from your datastore to GitHub.

SCIM API provisioning calls sent from the PingFederate Enterprise Managed User (EMU) Provisioner create the users, groups, and group memberships in a GitHub EMU enterprise. If an EMU enterprise account hasn’t been created via SCIM provisioning, PingFederate users cannot use a GitHub EMU account to login and access their GitHub EMU enterprise.

The GitHub EMU Provisioner sends a SCIM API GET call with a <SCIM User ID> value of 0 to /scim/v2/enterprises/<enterprise>/Users/<SCIM User ID> as part of a connection check that’s performed before every provisioning operation. This GET call causes 404 errors in the PingFederate and GitHub enterprise logs, because there isn’t a <SCIM User ID> with a value of 0. These error messages can be safely ignored. This is expected behavior and it does not indicate an issue.

You can configure the following capabilities and specify which users to provision during the Configure PingFederate for provisioning and SSO part of the setup process.

User provisioning

PingFederate provisions users if a user is added to the datastore group or filter that is targeted by the provisioner.

You can define which users PingFederate targets for provisioning on the Source Location tab of your provisioning connection configuration. For more information, see specifying a source location

User updates

PingFederate updates users when a user attribute changes in your datastore.

You can define which attributes PingFederate monitors for changes on the Attribute Mapping tab of your provisioning connection configuration.

User deprovisioning

PingFederate deprovisions users if:

  • A user is suspended from the user store.

  • A user is disabled in the user store.

  • A user is removed from the datastore group or filter that is targeted by the provisioner.

When the Remove User Action setting in the connection configuration is set to Disable, PingFederate sends a PATCH SCIM deprovisioning call to GitHub for an enterprise managed user, and the user account gets suspended in the GitHub enterprise. If the same user account in the datastore is re-provisioned, the enterprise managed user account becomes unsuspended.

Make sure to configure this setting for Disable. If the Remove User Action setting is set to Delete, PingFederate sends a DELETE SCIM deprovisioning call to GitHub for an enterprise managed user, and the user account gets suspended in the GitHub enterprise. If the same user account in the datastore is re-provisioned, the enterprise managed user account does not become unsuspended.

Group provisioning

PingFederate provisions groups when you add a group to the datastore filter that is targeted by the provisioner. You can define which groups PingFederate targets for provisioning and monitors for changes on the Source Location tab in your provisioner configuration.

After you successfully provision a group to a GitHub EMU enterprise, an enterprise owner can see the group by following the steps in this GitHub article. When mapping a team in the GitHub EMU enterprise to a group, an EMU organization owner makes selections from the list of groups that are provisioned to the enterprise.

Group name updates

PingFederate renames groups when they are renamed in the datastore.

Group membership updates

PingFederate updates group memberships when memberships change in the datastore, regardless of whether the change is in the group’s properties or a user’s properties.

Group memberships in the datastore overwrite the group memberships in GitHub.

Group deletion

PingFederate deletes groups if:

  • The group is deleted in the datastore.

  • The group is removed from the datastore group or filter that is targeted by the provisioner.

Group deletions are permanent and cannot be undone.