Configuring SAML SSO with GitHub Enterprise Server and PingFederate

Page created: 2 Jul 2021 |

Page updated: 15 Dec 2021

| 2 min read

PingFederate Product SAML Standards, specifications, and protocols Single Sign-on (SSO) Capability

Learn how to enable GitHub sign on from a PingFederate URL (IdP-initiated sign on) and direct GitHub sign on using PingFederate (SP-initiated sign on).

Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.
Populate GitHub with at least one user to test access.
You must have administrative access to PingFederate and GitHub.

Download the GitHub metadata:
1. Go to where your GitHub server publishes its metadata (https://<GitHub hostname>/saml/metadata).
2. Save the metadata as an XML file.
Create a PingFederate SP connection for GitHub:
1. Sign on to the PingFederate administrative console.
2. Create an SP connection for GitHub in PingFederate using the GitHub metadata file:
  1. Configure using Browser SSO profile SAML 2.0.
  2. Enable the following SAML Profiles:
    - IdP-Initiated SSO
    - SP-Initiated SSO
  3. In Assertion Creation: Attribute Contract, if you want to have these values populated in GitHub, extend the contract to add attributes called username and full_name.
  4. In Assertion Creation: Authentication Source Mapping: Attribute Contract Fulfillment, map SAML_SUBJECT to an attribute containing the user’s email address. If added, map username and full_name to appropriate attributes.
  5. In Protocol Settings: Allowable SAML Bindings, enable POST.
  6. In Credentials: Digital Signature Settings, select the PingFederate Signing Certificate.
3. Save the configuration.
4. Export the signing certificate.
5. Export and then open the metadata file. Copy the value of the entityID and the Location entry (https://<your value>/idp/SSO.saml2).
Add the PingFederate IdP Connection to GitHub:
1. Sign on to GitHub Enterprise Server as an administrator.
2. Click the Rocket icon.
3. Click Management Console.
4. Click Authentication.
5. Click SAML and select the idP initiated SSO (disables AuthnRequest) check box.
6. In the Single sign-on URL field, enter the PingFederate Location value (https://<your value>/idp/SSO.saml2).
7. In the Issuer field, enter the PingFederate entityID value.
8. Click Choose File for the Verification Certificate and upload the PingFederate signing certificate that you downloaded
9. Click Save Settings.
Test the PingFederate IdP-initiated SSO integration:
1. Go to the PingFederate SSO Application Endpoint for the GitHub SP connection.
2. Complete the PingFederate authentication.
  
  You're redirected to your GitHub domain.
Test the PingFederate SP-initiated SSO integration:
1. Go to your GitHub server.
2. After you're redirected to PingFederate, enter your PingFederate username and password.
  
  You're redirected back to GitHub.

Configuring SAML SSO with GitHub Enterprise Server and PingFederate - PingFederate

Configuration Guides