GitHub

Configure PingFederate for provisioning and SSO

About this task

To configure a connection for outbound provisioning and SSO to GitHub, follow the instructions in this section. Outbound provisioning details are managed within an SP connection and may be added to an existing SP connection.

The SCIM API requires GitHub Enterprise Cloud with SAML SSO enabled for the organization. See About SCIM in the GitHub documentation.

Steps

  1. In the PingFederate administrator console, configure the datastore that PingFederate will use as the source of user data. You can find instructions in Datastores in the PingFederate documentation.

    • When targeting users and groups for provisioning, exclude the user account that you will use to administer users in your connection to GitHub. This prevents the PingFederate provisioning engine from interfering with the account that provisions users and groups.

  2. Create a new SP connection or select an existing SP connection from the SP Configuration menu.

  3. On the Connection Template page, select Use a template for this connection and select GitHub Connector in the Connection Template list. When asked during the connection configuration steps, import the github-saml-metadata.xml packaged with this connector.

    An image of the Connection Template screen.

    If this selection is not available, verify the connector installation and restart PingFederate.

  4. On the Connection Type page, ensure both the Outbound Provisioning and Browser SSO Profiles checkboxes are selected.

  5. On the General Info page, the default values are taken from the metadata file you selected in step 2. In the Partner’s Entity ID (Connection ID) field, update the value with your corresponding organization name.

    An image of the General Info screen.
  6. Click Next to continue the Browser SSO configuration. You can find more information in the following sections under Identity provider SSO configuration:

  7. On the Assertion Creation page, click Next.

  8. On the Protocol Settings page, click Configure Protocol Settings.

  9. On the Summary page, navigate to Assertion Consumer Service URL.

  10. On the Assertion Consumer Service URL screen, edit the existing entry. Enter the Endpoint URL corresponding to your organization name. For example, https://github.com/orgs/<organization_name>/saml/consume

  11. Click Update and Done to proceed.

  12. On the Credentials > Digital Signature Settings page, select the signing certificate.

  13. On the Outbound Provisioning page, click Configure Provisioning.

  14. On the Target page, enter the values for each field as required by the GitHub Connector.

    An image of the Target screen.
    Target screen options (Field Name: Description)

    • Base URL: The base URL for GitHub. For example: https://api.github.com/scim/v2/organizations/<organization_name>

      To determine your organization name, see Accessing an organization in the GitHub documentation.

    • Access Token: The access token used by the connector to make authenticated API calls to GitHub. You can find more information about obtaining the access token in Obtain client ID and secret from GitHub and Generate OAuth access tokens.

    • Provisioning Options

      • User Create
        • True (default): Users will be created in GitHub.
        • False: Users will not be created in GitHub. The provisioner.log will display a warning within the create user workflow that the user was not created in GitHub.

      • User Update
        • True (default): Users will be updated in GitHub.
        • False: Users will not be updated in GitHub. The provisioner.log will display a warning within the update user workflow that the user was not updated in GitHub.

        Enabling a previously deleted user in GitHub will trigger a create and as such, users can be enabled when User Update is set to false.

      • User Delete
        • True (default): Users will be deleted in GitHub.
        • False: Users will not be deleted in GitHub. The provisioner.log will display a warning indicating that the user was not deleted in GitHub.

  15. Click Next to continue the provisioning configuration. Learn more in the following sections under Configuring outbound provisioning in the PingFederate documentation:
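
A pre-flight check for the values entered in steps 10 and 14, as an added example that is not part of the GitHub Connector or its documentation: it confirms that the Assertion Consumer Service URL and the SCIM Base URL use HTTPS and the expected GitHub hosts and name the same organization, so SSO and provisioning cannot silently point at different organizations. It also builds a one-user SCIM list request for testing the access token. The function names are assumptions of this example, and the URLs in the test values are constructed.

```python
import re
import urllib.request
from urllib.parse import urlsplit

# Added example: names below are illustrative, not part of the GitHub Connector.
# URL shapes are the ones given in steps 10 and 14 of this page.
ACS = ("github.com", re.compile(r"^/orgs/([^/]+)/saml/consume$"))
SCIM = ("api.github.com", re.compile(r"^/scim/v2/organizations/([^/]+)/?$"))


def org_from_url(url, shape):
    """Return the organization name embedded in url, or raise ValueError."""
    host, path_re = shape
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError(f"{url}: scheme must be https")
    if parts.hostname != host or parts.port is not None or parts.username:
        raise ValueError(f"{url}: expected host {host}")
    match = path_re.match(parts.path)
    if not match or parts.query or parts.fragment:
        raise ValueError(f"{url}: unexpected path")
    org = match.group(1)
    if "<" in org or ">" in org or "%" in org:
        raise ValueError(f"{url}: placeholder or encoded organization name")
    return org


def check_connection(acs_url, scim_base_url):
    """Return a list of problems; an empty list means both URLs agree."""
    problems, orgs = [], []
    for url, shape in ((acs_url, ACS), (scim_base_url, SCIM)):
        try:
            orgs.append(org_from_url(url, shape))
        except ValueError as exc:
            problems.append(str(exc))
    # Organization names are compared case-insensitively.
    if len(orgs) == 2 and orgs[0].lower() != orgs[1].lower():
        problems.append(f"SSO targets '{orgs[0]}' but provisioning targets '{orgs[1]}'")
    return problems


def build_probe(scim_base_url, token):
    """Build (not send) a one-user SCIM list request to test the access token."""
    req = urllib.request.Request(scim_base_url.rstrip("/") + "/Users?count=1")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/scim+json")
    return req
```

Pass the request returned by build_probe to urllib.request.urlopen from an administrative workstation to confirm the token is accepted before entering it on the Target page; read the token from a secret store or environment variable rather than the command line.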