Configuring Single Sign-On for GitHub with WSO2 Identity Server
GitHub has become one of the most essential tools for developers around the world because it lets developers work together on projects from literally anywhere. With a GitHub Enterprise Cloud organization, you can now enable single sign-on for the members of your organization to control and secure access to organization resources such as repositories, issues, and pull requests without hassle.
In this blog, I will discuss how you can configure single sign-on (SSO) for GitHub Enterprise Cloud with WSO2 Identity Server.
When SSO is configured and enabled for your organization on GitHub, the members of your GitHub Enterprise Cloud organization will continue to log into their accounts on GitHub. When a member accesses a resource within your organization, GitHub redirects the member to WSO2 Identity Server to authenticate. After successful authentication, WSO2 Identity Server redirects the member back to GitHub, granting them access to the organization’s resources.
After the configuration, the authentication and authorization flow for a user is as follows:
I will now explain how to configure WSO2 Identity Server and GitHub, and how to test the configuration.
Before you begin, please make sure that you have the following:
- A GitHub Enterprise Cloud organization
- Admin privileges to the GitHub Enterprise Cloud organization
- WSO2 Identity Server admin privileges
Configuring WSO2 Identity Server
First, let’s create a service provider in WSO2 Identity Server to handle GitHub requests.
To register GitHub as a service provider:
- Sign in to the Management Console.
- On the Main menu, click Identity > Service Providers > Add.
- Fill in the Service Provider Name and Description (optional) of the service provider as follows.
- Click Register to add the new service provider.
- Next, enter a suitable name for the service provider in the Service Provider Name text box.
Inbound Authentication Configuration
Under the Inbound Authentication Configuration section, click SAML2 Web SSO Configuration, then click Configure.
Select Manual Configuration and enter the required details as given below.
Issuer — https://github.com/orgs/yourOrganizationName
Assertion Consumer URL — https://github.com/orgs/yourOrganizationName/saml/consume
NameID format — urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
After entering the details, click Download IDP Metadata and then Register at the bottom of the page.
Save the IdP metadata file since it is required for the GitHub configuration.
Configuring GitHub
1. In the top right corner of GitHub, click your profile photo, then click Your profile.
2. On the left side of your profile page, under “Organizations”, click the icon for your organization.
3. Under your organization name, click Settings.
4. In the left sidebar, click Organization security.
5. Under “SAML single sign-on”, select Enable SAML authentication.
Then, you will be prompted with the following settings to configure.
6. To configure these fields, first open the IdP metadata file downloaded earlier and find the entityID, SingleSignOnService Location, and X509Certificate values.
7. In the “Sign on URL” field, type in the URL value of the SingleSignOnService Location in the metadata.xml file.
8. Optionally, in the “Issuer” field, type in the entityID found in the metadata.xml file. This verifies the authenticity of sent messages.
9. Under “Public Certificate,” paste the X509Certificate value found in the metadata.xml file.
Here, you need to paste the entire certificate in the Public certificate field, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
To format the X509Certificate value in the metadata.xml file as per the above format, you can use this tool.
10. Next, click Edit, and in the Signature Method and Digest Method drop-downs choose the hashing algorithms used to verify the integrity of the requests. By default, WSO2 Identity Server uses RSA-SHA1 as the Response Signing Algorithm and SHA1 as the Response Digest Algorithm.
Testing the Integration
Click Test SAML configuration to ensure that the information you’ve entered is correct.
You should then be redirected to the authentication endpoint of WSO2 Identity Server. If not, click the click here link on the prompted page.
On the authentication endpoint page, enter the WSO2 Identity Server user credentials.
After submitting the credentials, you should be redirected to the GitHub settings page you were on.
You will see the following message at the top of the page.
Also, you will see the following next to the “Test SAML configuration” button.
After this, save the configuration by clicking the “Save” button.
Optionally, to enforce SAML SSO and remove all organization members who haven’t authenticated via WSO2 Identity Server, select Require SAML SSO authentication for all members of the organization name organization.
Things to note:
After you have successfully authenticated with WSO2 Identity Server from GitHub, you must authorize any personal access token, SSH key, or OAuth App that you would like to use to access the organization’s resources.
If you enforce SAML SSO authentication for the organization, only the members of the organization are required to authenticate via WSO2 Identity Server to access the organization’s resources. Outside collaborators aren’t required to authenticate with WSO2 Identity Server to access the resources in the organization.
GitHub does not support SAML Single Logout. To terminate an active SAML session, the users should log out directly from WSO2 Identity Server.