To configure a connection for outbound provisioning and SSO to GitHub, follow the instructions in this section. Outbound provisioning details are managed within an SP connection and may be added to an existing SP connection.


The SCIM API requires GitHub Enterprise Cloud with SAML SSO enabled for the enterprise. For more information, see About SCIM in the GitHub documentation.

  1. In the PingFederate administrator console, configure the data store that PingFederate will use as the source of user data. For instructions, see Datastores in the PingFederate documentation.
    • When targeting users and groups for provisioning, exclude the user account that you will use to administer users in your connection to GitHub. This prevents the PingFederate provisioning engine from interfering with the account that provisions users and groups.
  2. Create a new SP connection or select an existing SP connection from the SP Configuration menu.
  3. On the Connection Template screen, select Use a template for this connection and choose GitHub Connector from the Connection Template drop-down list. When asked during the connection configuration steps, import the github-emu-saml-metadata.xml packaged with this connector.

    SAML metadata is available to download at the following GitHub URL:<enterprise_slug>/saml/metadata. Administrators can use the sample metadata packaged in the .zip file or download it from the GitHub website.

    Screen capture of the connection template tab showing the Use a Template for This Connection option selected and the GitHub EMU Connector selected in the Connection Template field.

    If this selection is not available, verify the connector installation and restart PingFederate.

  4. On the Connection Type screen, ensure both the Outbound Provisioning and Browser SSO Profiles checkboxes are selected.
  5. On the General Info screen, the default values are taken from the metadata file you selected in step 2. In the Partner's Entity ID (Connection ID) field and update with your corresponding enterprise name.
    Screen capture of the General Info tab.
  6. Click Next to continue the Browser SSO configuration. For more information, see the following sections under Identity provider SSO configuration:
  7. On the Assertion Creation screen, click Next.
  8. On the Protocol Settings screen, click Configure Protocol Settings.
  9. On the Summary screen, navigate to Assertion Consumer Service URL.
  10. On the Assertion Consumer Service URL screen, edit the existing entry. Enter the Endpoint URL corresponding to your enterprise name. For example,<enterprise slug>/saml/consume.
  11. Click Update and Done to proceed.
  12. On the Credentials > Digital Signature Settings screen, select the signing certificate.
  13. On the Outbound Provisioning screen, click Configure Provisioning.
  14. On the Target tab, enter the values for each field as required by the GitHub EMU Provisioner.
    Screen capture of the Target tab.
    Target screen options
    Field Name Description
    Base URL

    The base URL for GitHub. For example,<enterprise slug>

    To determine your enterprise name, see Accessing an enterprise in the GitHub documentation.

    Access Token

    The access token used by the provisioner to make authenticated API calls to GitHub.

    Provisioning Options
    User Create

    True (default) – Users will be created in GitHub.

    False – Users will not be created in GitHub.


    The provisioner.log will display a warning within the create user workflow that the user was not created in GitHub.

    User Update

    True (default) – Users will be updated in GitHub.

    False – Users will not be updated in GitHub.

    Enabling a previously deleted user in GitHub will trigger a create and as such, users can be enabled when User Update is set to false.


    The provisioner.log will display a warning within the update user workflow that the user was not updated in GitHub.

    User Disable/Delete

    True (default) – Users will be deleted/disabled in GitHub.

    False – Users will not be deleted/disabled in GitHub.


    The provisioner.log will display a warning indicating that the user was not deleted in GitHub.

    Remove User Action
    This option applies when:
    • User Disable / Delete is selected, and
    • a previously-provisioned user no longer meets the condition set on the Source Location tab, or
    • a user has been disabled or deleted from the data store.
    Disable (default)
    PingFederate disables the user in GitHub.
    PingFederate deletes the user from GitHub.
  15. Click Next to continue the provisioning configuration. For more information, see the following sections under Outbound provisioning for IdPs in the PingFederate documentation:

    Credentials will be verified when the channel and SP connection is set to Active and provisioning is initiated.


    If you are not ready to complete the provisioning configuration, you can click Save and return to the configuration page later. To return to the configuration page, select the connection from Identity Provider > SP Connections > Manage All.