GitHub

This procedure describes how to integrate GitHub for user provisioning.

note

Before you begin, make note of your GitHub Enterprise name (Tenant ID).

Step 1: Complete the prerequisites

If required, complete the following prerequisites:

  1. The provisioner template contains the IDaaS user attributes that must be mapped to the attributes required for provisioning. If you use custom attributes, you need to create custom IDaaS user attributes that are mapped to the custom attributes in GitHub. Create any required custom user attributes. See Create and manage user attributes.
  2. Identify the IDaaS users that need to be provisioned. In IDaaS, you select the users for provisioning using the Group option. If necessary, create the required groups and add the users to those groups. By default, provisioning selects all IDaaS users if no groups are selected. See Create and manage groups and Import groups.

Step 2: Add GitHub SAML to IDaaS

Log in to your Identity as a Service administrator account.

  1. Click > Security > Applications. The Applications Lists page appears.
  2. Click Add. The Select an Application Template page appears.
  3. Do one of the following:
    • Select SAML Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
    • In the Search bar, enter a search option to filter for the application you want to add to IDaaS.
  4. Click Generic SAML Application. The Add Generic SAML page appears.
  5. In the App Settings, enter a Name and optionally a Description.
  6. In the SAML Settings, do the following:
    1. In the Reauthentication Assertion Consumer Service field, enter -1.
    2. In the Default Assertion Consumer Service URL field, enter:

      https://github.com/enterprises/{EnterpriseName}/saml/consume

      where {EnterpriseName} is your GitHub Enterprise name (Tenant ID)

    3. In the Service Provider Entity ID (Issuer) field, enter:

      https://github.com/enterprises/{EnterpriseName}

      where {EnterpriseName} is your GitHub Enterprise name (Tenant ID)

    4. In the Single Logout Service URL field, enter:

      https://github.com/enterprises/{EnterpriseName}/sso

      where {EnterpriseName} is your GitHub Enterprise name (Tenant ID)

  7. Select the SAML Signing Certificate.
  8. Click Save.
  9. Add a resource rule. See Create resource rules.
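
The three values entered in Step 2 must match GitHub's endpoints exactly, so it helps to check them before saving. The following is an added example, not code from Entrust or GitHub: it compares the entered values with the Step 2 patterns and names the likely mistake. The enterprise name `example-corp`, the function names and the problem labels are assumptions made for illustration.

```python
from urllib.parse import urlsplit

BASE = "https://github.com/enterprises/"
SUFFIXES = {  # path suffixes from Step 2, keyed by the IDaaS field they belong to
    "Default Assertion Consumer Service URL": "/saml/consume",
    "Service Provider Entity ID (Issuer)": "",
    "Single Logout Service URL": "/sso",
}

def expected_values(enterprise_name):
    return {f: BASE + enterprise_name + s for f, s in SUFFIXES.items()}

def diagnose(got, want, all_expected):
    """Name the most likely reason an entered value differs from the expected one."""
    if not got:
        return "missing"
    if got != got.strip():
        return "leading or trailing whitespace"
    if "{" in got or "}" in got:
        return "placeholder not replaced"
    try:
        parts = urlsplit(got)
    except ValueError:
        return "not a valid URL"
    if parts.scheme != "https":
        return "scheme is not https"
    if parts.hostname != "github.com":
        return "host is not github.com"
    if got.rstrip("/") == want:
        return "trailing slash"
    if got in all_expected:
        return "value belongs to a different field"
    return "path differs from Step 2"

def check_saml_settings(enterprise_name, entered):
    """Return (field, problem) pairs; an empty list means all three values match."""
    expected = expected_values(enterprise_name)
    return [(f, diagnose(entered.get(f, ""), want, expected.values()))
            for f, want in expected.items() if entered.get(f, "") != want]

# Constructed sample: "example-corp" is a hypothetical enterprise name.
SAMPLE = {
    "Default Assertion Consumer Service URL": BASE + "{EnterpriseName}/saml/consume",
    "Service Provider Entity ID (Issuer)": BASE + "example-corp/",
    "Single Logout Service URL": "http://github.com/enterprises/example-corp/sso",
}

if __name__ == "__main__":
    print(check_saml_settings("example-corp", SAMPLE))
```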

Step 3: Copy the SAML configurations from IDaaS

  1. Log in to your Identity as a Service administrator account.

  2. Click > Security > Applications. The Applications Lists page appears.

  3. Under SAML Cloud Integrations, click SAML Configuration. The SAML Configuration dialog box appears.

    This dialog box contains information you need to configure your SAML application for Identity as a Service authentication.

  4. Do one of the following:

    • Leave this dialog box open to reference later in this procedure.
    • Copy the Entity ID, Single Sign-on URL, and Single Logout URL to a text file and save it to reference later in this procedure.

info

Depending on the integration you are performing, you may not need all three of these SAML configuration values.

Step 4: Copy the SAML signing certificate from IDaaS

  1. Log in to your Identity as a Service administrator account.

  2. Click > Security > Applications. The Applications List page appears.

  3. Under SAML Cloud Integrations, click SAML Signing Certificates. The SAML Signing Certificates page appears.

  4. Click next to the certificate to copy it to the clipboard.

    You can additionally download the certificate and save it for future use.

  5. Open a text editor, such as Notepad, and paste the contents of the certificate into the text file.

  6. Save the file.

Step 5: Configure GitHub for SAML and provisioning

  1. Log in to your GitHub root account.
  2. Click the Overview tab. The Welcome page appears.
  3. Click Enable single sign-on. The Identity Provider page appears.
  4. Click Single sign-on configuration. The Single sign-on page appears.
  5. In the Sign on URL, enter the Single Sign-On URL you copied in Step 3: Copy the SAML configurations from IDaaS.

    https://<your-idaas-tenant-account.com>/apps/appid

    where <your-idaas-tenant-account.com> is your IDaaS tenant account

  6. In the Issuer URL, enter the Entity ID you copied in Step 3: Copy the SAML configurations from IDaaS.
  7. Open the certificate file you copied in Step 4: Copy the SAML signing certificate from IDaaS and paste the contents in the Public certificate field.
  8. Click Test SAML configuration.
  9. Click Save SAML Settings. The recovery codes appear.
  10. Open a text editor, such as Notepad, and save the recovery codes.
  11. Click Back to single-sign on configuration.
  12. Click the Overview tab.
  13. Click Generate SCIM token.
  14. Refresh the Overview page. Both the Generate SCIM token and Enable single sign-on should be enabled.

Step 6: Add the provisioner to IDaaS

  1. Click > Provisioners. The Provisioners page appears.

  2. Click and select GitHub from the drop-down list.

  3. Enter a Name for the provisioner.

  4. Select Enable to automatically enable the provisioner when it is created. By default, this setting is deselected.

  5. Select the Groups to provision all users from the selected groups. You can select more than one group.

  6. In the SCIM Server Endpoints field, replace <tenantId> with your GitHub tenant ID.

    warning

    SCIM Server Endpoints cannot be edited after the provisioner has been added to IDaaS.

  7. The template maps the user attributes, but if required, add the custom user attributes, as follows:

    1. Under User Attribute Mapping, click . The SCIM Attribute dialog box appears.
    2. Select the Schema Name from the drop-down list or enter a custom name required by your service provider.
    3. From the Data Type drop-down list, select the conversion for the attribute mapping. The options include:
      • string
      • boolean
      • number
    4. From the SCIM Attribute Name drop-down list, select the SCIM attribute to map to IDaaS.
    5. From the IDaaS Attribute to map to field, do the following as required to map the SCIM attribute to IDaaS:
      1. Enter an attribute name.
      2. Select an attribute from the drop-down list.
      3. Combine multiple IDaaS attributes for mapping.
    6. Example: If you combine <First Name>_<Last Name>, IDaaS replaces <First Name> and <Last Name> with their corresponding values and keeps the underscore (_) separator between the attributes. If IDaaS does not find the attribute, it leaves the attribute unchanged. For example, if <First Name> is defined as Jane and <Last Name> is not defined, the attribute result is Jane.
    7. Click Add.
    8. Repeat these steps to map the following additional custom user attributes.
  8. Click Save. The provisioner appears on the Provisioner List page with an authorize icon.

Step 7: Authorize and enable the provisioner

  1. Click next to the Provisioner. The General Settings page appears.

  2. Click Authorize to acquire OAuth access and refresh tokens.

  3. Follow the prompts that appear from GitHub to allow access. An Authorized message appears on the General Settings page to confirm authorization.

  4. Click API Key.

  5. In the API Key field, enter the token value you copied from GitHub.

  6. Click Send Test SCIM to do a SCIM call to GitHub. A message appears to confirm a successful SCIM call to GitHub.

  7. Click Save to return to the Provisioners List page.

    info

    If the Save fails, you may need to reauthorize and send a test SCIM again to save new refresh and access tokens.

  8. On the Provisioners List page, enable the provisioner as follows:

    1. Under Actions for the new provisioner, click . The Enable Provisioner prompt appears.
    2. Click Enable.

Step 8: Synchronize your users

  1. In IDaaS, click > Resources > Provisioners. The Provisioners List page appears.

  2. Click next to the provisioner and then select . The Synchronize Provisioner dialog box appears.

  3. Click Synchronize.

    info

    Check the Audit Logs for errors after synchronizing your users for provisioning.

    warning

    Once a refresh token expires, you must re-authorize and repeat this step.

  4. Verify the results in IDaaS, as follows:

    1. In IDaaS, click > Bulk Operations. The Bulk Operations page appears.
    2. Confirm the SCIM Provisioning operation displays as Completed.
  5. Confirm the provisioned users in GitHub.

Step 9: If required, edit a provisioner

  1. In IDaaS, click > Resources > Provisioners. The Provisioners List page appears.
  2. Click the name of the provisioner. The Edit Provisioner page appears.
  3. Make your required changes and then click Save.

Attention

If you need to make edits to the provisioner, changing a group or attribute mapping triggers many SCIM calls. Entrust recommends disabling the provisioner until you have completed all the required changes. When disabled, the only SCIM calls made are to delete users or provisioners, as applicable. In addition, you may need to reauthorize the provisioner if an authentication configuration has changed.