Below are the tasks to enable provisioning and single sign-on (SSO) on the GitHub Admin Portal.
Note: The SCIM API is only available on the GitHub "Enterprise" and "One" plans with SAML SSO enabled. For more information, see SCIM REST API v3.

To configure GitHub for provisioning and SSO, you need both the metadata and the signing certificate from your PingFederate Identity Provider (IdP) setup. For more information, see Obtain PingFederate SAML 2.0 metadata and Obtain PingFederate signing certificate.

To configure GitHub for provisioning and SSO:

Note: For more information on how to set up SSO for GitHub, see Enabling and testing SAML single sign-on for your organization in the GitHub documentation.
  1. Log in to your GitHub account as an administrative user for your organization.
  2. In the top right corner of GitHub, click your profile photo, then click Your profile.
  3. On the left side of your profile page, under Organizations, click the icon for your organization.
  4. Under your organization name, click Settings.
  5. In the organization settings sidebar, click Security.
  6. Under SAML single sign-on, select Enable SAML authentication.
    Important: After enabling SAML SSO, you can download your single sign-on recovery codes so that you can access your organization even if your IdP is unavailable. For more information, see Downloading your organization's SAML single sign-on recovery codes in the GitHub documentation.
  7. Open your PingFederate metadata XML file using a text editor.
  8. In the Sign on URL field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is the SingleSignOnService POST binding available in your PingFederate metadata file. For example, https://<pf_hostname>:<pf_port>/idp/SSO.saml2
  9. Optional: In the Issuer field, type your SAML issuer's name. This verifies the authenticity of sent messages. This value is the entityID available in your PingFederate metadata file.
  10. Open your PingFederate signing certificate file using a text editor.
  11. Under Public Certificate, paste your PingFederate signing certificate used to verify SAML responses.
    Note: GitHub requires the public certificate to be a valid X.509-formatted certificate enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  12. Click the pencil icon to edit the Signature Method and Digest Method drop-downs, then choose the hashing algorithm used by your PingFederate issuer to verify the integrity of the requests.
  13. Before enabling SAML SSO for your organization, click Test SAML configuration to ensure that the information you have entered is correct.
    Note: To enforce SAML SSO and remove all organization members who haven't authenticated via your IdP, see Enforcing SAML single sign-on for your organization in the GitHub documentation.
  14. Click Save to complete the SAML single sign-on configuration.
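
Steps 7 through 11 copy three values out of the PingFederate files by hand. The Python sketch below is an added example, not part of the original procedure or of any PingFederate or GitHub tooling; it reads the Sign on URL (POST binding), Issuer (entityID) and Public Certificate from a SAML 2.0 metadata file and wraps the certificate in the BEGIN/END lines GitHub requires. It assumes the metadata carries the signing certificate in a KeyDescriptor element; the function name, hostname, port, entityID and certificate body are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: hostname, port, entityID and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="pf.example.com:saml2"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        TUlJQ1BMQUNF
        SE9MREVS
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://pf.example.com:9031/idp/SSO.saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleSignOnService Location="https://pf.example.com:9031/idp/SSO.saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def github_saml_fields(metadata_xml):
    """Return the Sign on URL, Issuer and Public Certificate values from IdP metadata."""
    root = ET.fromstring(metadata_xml)  # parse only metadata exported from your own IdP
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    urls = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == POST_BINDING]
    if not urls or not urls[0].lower().startswith("https://"):
        raise ValueError("no HTTPS SingleSignOnService with the POST binding")
    # A KeyDescriptor without a "use" attribute serves both signing and encryption.
    keys = [k for k in idp.findall("md:KeyDescriptor", NS)
            if k.get("use") in (None, "signing")]
    cert = keys[0].find(".//ds:X509Certificate", NS) if keys else None
    b64 = "".join((cert.text or "").split()) if cert is not None else ""
    if not b64:
        raise ValueError("no signing certificate in metadata")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return {"sign_on_url": urls[0], "issuer": root.get("entityID"),
            "public_certificate": pem}


if __name__ == "__main__":
    for field, value in github_saml_fields(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Compare the extracted certificate with the signing certificate file you obtained separately before pasting it; a mismatch means the metadata and certificate come from different PingFederate configurations.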