How to Enable SSO to GitHub Enterprise with Safous

This article outlines the steps to configure Safous as an Identity Provider (IdP) for Single Sign-On (SSO), with GitHub Enterprise serving as the Service Provider (SP).

Prerequisites

  • Your organization is using the GitHub Enterprise plan.
  • You have access to the GitHub Enterprise administrator account.
  • You possess administrative access to your Safous tenant through the admin portal.

1. Register GitHub Enterprise as a SaaS Application on the Admin Portal

Follow the steps below to register GitHub Enterprise as a SaaS application on the admin portal.

  1. Log in to the Safous admin portal.
  2. Navigate to Settings > ZTNA > Applications > SaaS > Click New SaaS.
  3. Enter the name for the SaaS application. In this example, the name is simply github.
  4. Choose site and domain.
  5. Enter https://github.com/enterprises/<Enterprise>/saml/consume as the ACS URL. Replace <Enterprise> with the name of your Enterprise on GitHub.
  6. Enter https://github.com/enterprises/<Enterprise> as the Entity ID. Replace <Enterprise> with the name of your Enterprise on GitHub.
  7. Enter https://github.com/enterprises/<Enterprise>/saml/consume as the Relay State. Replace <Enterprise> with the name of your Enterprise on GitHub.
  8. Enable the Allow IDP-Initiated Flow toggle.
  9. Click Save. 
  10. Your newly created SaaS application should resemble the image below. Please copy or take note of the generated SSO URL, Issuer and Certificate.
  11. Configure the user access policy for the application. You can refer to this guide for that.

2. Configure Safous as an IdP on GitHub Enterprise

Next, we will register Safous as the IdP to use for SAML authentication on GitHub Enterprise in order to enable SSO.

  1. Open your GitHub Enterprise page (https://github.com/enterprises/<Enterprise>). Replace <Enterprise> with the name of your Enterprise on GitHub.
  2. Navigate to Settings > Authentication Security. Click Require SAML authentication.
  3. Configure the IdP information as detailed below: 
    1. Set Sign on URL with the previously copied value of SSO URL 
    2. Set Issuer with the previously copied value of Issuer
    3. Set Public Certificate with the previously copied value of Certificate, and format it by wrapping the certificate like this:
    4. Change the signature method to RSA-SHA1 and the digest method to SHA1
  4. Click on the Test SAML configuration button. This will initiate an SP-initiated SSO flow.
  5. You will be redirected to your Safous tenant's user portal. Log in to the Safous user portal with an email that matches a user in your GitHub Enterprise organization.
  6. After you have successfully authenticated through Safous, you will be redirected back to the GitHub Enterprise settings page. Notice that the SSO test completed successfully.
  7. Click Save SAML settings.
  8. Save the Single sign-on code generated by GitHub in a safe place, then click Enable SAML Authentication.
  9. Now that SSO with SAML has been saved and applied, you will be prompted to log in to the GitHub Enterprise page. Click Continue.
  10. Because you already logged in to the Safous user portal during the test, you will not be asked to authenticate again and can continue to the GitHub Enterprise page. Notice that SAML SSO for your Enterprise has been configured successfully.
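
Assuming the wrapping meant in step 3.3 is standard PEM armor (BEGIN/END CERTIFICATE lines around the base64 body), the following added example, which is not Safous or GitHub code, shows one way to wrap the copied Certificate value and compute a fingerprint to compare against the IdP side. The function names are hypothetical, and the sample value is constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def to_pem(copied: str) -> str:
    """Wrap a bare base64 certificate value in PEM armor (idempotent)."""
    # Drop armor that is already present, then all copy/paste whitespace.
    body = copied.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    body = re.sub(r"\s+", "", body)
    der = base64.b64decode(body, validate=True)  # raises on non-base64 input
    # An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded value is not a DER-encoded certificate")
    b64 = base64.b64encode(der).decode("ascii")
    # PEM bodies are conventionally broken into 64-character lines.
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER bytes, colon-separated upper-case hex."""
    body = re.sub(r"-----[A-Z ]+-----|\s+", "", pem)
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed placeholder bytes that only mimic a DER header; NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_COPIED = base64.b64encode(SAMPLE_DER).decode("ascii")

if __name__ == "__main__":
    pem = to_pem(SAMPLE_COPIED)
    print(pem, end="")
    print("SHA-256 fingerprint:", sha256_fingerprint(pem))
```

Comparing the fingerprint of the value pasted into GitHub with the fingerprint of the certificate shown in the Safous admin portal confirms that nothing was truncated or altered during copy and paste.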

3. Testing IdP-initiated SSO flow

The SP-initiated SSO flow was already tested successfully when we configured the SAML settings on GitHub Enterprise, so we will now test SSO with the IdP-initiated flow.

  1. Go to your Safous tenant's user portal and log in with your credentials.
  2. Click on the github SaaS application.
  3. You are authenticated to access GitHub Enterprise resources.
  4. Enter your GitHub personal account password to complete SSO.
  5. Now you can access the GitHub Enterprise page.

Logs

You can check the logs for SAML authentication on the Safous admin portal.

  • On the Safous admin portal, navigate to Analytics > ZTNA > Activity Log.