Configuring SAML SSO with GitHub Cloud and PingFederate

Page created: 2 Jul 2021 |

Page updated: 14 Dec 2021

| 2 min read

Single Sign-on (SSO) Capability PingFederate Product SAML Standards, specifications, and protocols

Learn how to enable GitHub sign on from a PingFederate URL (IdP-initiated sign on) and direct GitHub sign on using PingFederate (SP-initiated sign on).

Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.
Populate GitHub with at least one user to test access.
You must have administrative access to PingFederate and GitHub.

Create a PingFederate SP connection for GitHub:
1. Sign on to the PingFederate administrative console.
2. Create an SP connection for GitHub in Ping Federate UI:
  1. Configure using Browser SSO profile SAML 2.0.
  2. Set Partner’s Entity ID to https://github.com/orgs/<Your tenant>.
  3. Enable the following SAML Profiles:
    - IdP-Initiated SSO
    - SP-Initiated SSO
  4. In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment, map SAML_SUBJECTto an attribute containing the user’s email address.
  5. In Protocol Settings: Assertion Consumer Service URL, set Binding to POST and set Endpoint URL to https://github.com/orgs/<Your tenant>/saml/consume.
  6. In Protocol Settings: Allowable SAML Bindings, enable POST.
  7. In Credentials: Digital Signature Settings, select the PingFederate Signing Certificate.
3. Save the configuration.
4. Export the signing certificate.
5. Export and then open the metadata file, and copy the value of the entityID and the Location entry (https://<your value>/idp/SSO.saml2).

Add the PingFederate IdP connection to GitHub:

Sign on to GitHub as an administrator.
Select your GitHub organization.
Click Organization settings, then click Security.
Under SAML single sign-on, select Enable SAML authentication.
Note:
The assertion consumer service URL displayed on this screen should match the value that you entered into the PingFederate Endpoint URL field.

Set the following values.

Field	Value
Sign on URL	The PingFederate Location value (https://`<your value>`/idp/SSO.saml2)
Issuer	The PingFederate entityID value.
Public certificate	Paste in the contents of the PingFederate signing certificate.

Click Save.

Test the PingFederate IdP-initiated SSO integration:
1. Go to the PingFederate SSO Application Endpoint for the GitHub SP connection.
2. Complete the PingFederate authentication.
  
  You're redirected to your GitHub domain.
Test the PingFederate SP-initiated SSO integration:
1. Go to https://github.com/orgs/<Your tenant>/sso
2. After you're redirected to PingFederate, enter your PingFederate username and password.
  
  You're redirected back to GitHub.

Configuring SAML SSO with GitHub Cloud and PingFederate - PingFederate

Configuration Guides