Hi, I'm Rachit. This project focuses on setting up SSO for Microsoft Entra users to authenticate and access multiple applications. We will use GitHub Enterprise Cloud with SAML for authentication and authorization, and include automated provisioning capabilities.
In this guide, I will walk you through the process of integrating GitHub Enterprise Cloud with Microsoft Entra ID (formerly Azure Active Directory) to enable Single Sign-On (SSO) using SAML. This integration will streamline the authentication process for users, further automating user provisioning, providing a seamless and secure login experience.
- Prerequisites
- Step 1: Adding GitHub from the Gallery
- Step 2: Configuring Microsoft Entra SSO
- Step 3: Creating a Microsoft Entra Test User
- Step 4: Assigning the Microsoft Entra Test User
- Step 5: Configuring GitHub SSO
- Step 6: Creating a GitHub Test User
- Step 7: Testing SSO
- Conclusion
- Duty of Care and Due Diligence
- Enhancement
To get started, you need the following items:
-
A Microsoft Entra subscription. If you don't have a subscription, you can get a free account here. As of now, the free account allows authentication, single sign-on, and application access.
- Limitation: The test user
Jane Doe
will not receive an email to validate the new GitHub signup. However, SSO test validation is possible at no cost, which is the primary objective of this project.
- Limitation: The test user
-
A GitHub organization created in GitHub Enterprise Cloud, which requires the GitHub Enterprise billing plan. I have used the 30-day trial for this project here.
- Enterprise Name: rachitsworld-test
- Organization Name/ID: rachitsworld-org
- Search GitHub Enterprise Cloud – Organization:
- There are two options; select the one with user provisioning available to automate user provisioning as explained in Enhancement.
-
Navigate to Entra Admin Center:
-
Edit Basic SAML Configuration with the following details:
- Identifier (Entity ID):
https://github.com/orgs/rachitsworld-org
Patterns:
https://github.com/orgs/<ORGANIZATION_ID>
- Reply URL (Assertion Consumer Service URL):
https://github.com/orgs/rachitsworld-org/saml/consume
Patterns:
https://github.com/orgs/<ORGANIZATION_ID>/saml/consume
- Sign on URL:
https://github.com/orgs/rachitsworld-org/sso
Patterns:
https://github.com/orgs/<ORGANIZATION_ID>/sso
- Identifier (Entity ID):
-
Under Attributes & Claims:
Note:
-
GitHub application expects Unique User Identifier (Name ID) to be mapped with user.mail. Each application has distinct requirements, so attributes & claims must be tailored to meet the specific expectations of the application.
-
Only two Attribute Mapping are necessary between GitHub and Microsoft Entra ID, as highlighted in the image below.
Modifying one of these or enabling additional mappings may cause user identification or authentication and access problems or provisioning errors.
The setting can be viewed / configured via Entral Portal --> Application --> Enterprise applications --> GitHub Enterprise Cloud - Organization --> Provisioning --> Provisioning --> Mapping --> Click Provision Microsoft Entra ID Users.
-
Download the Certificate (Base64) from SAML certificates.
-
Under Set up GitHub Enterprise Cloud – Organization:
Note down the following information for Step 5
- Login URL:
https://login.microsoftonline.com/4fd05c0d-44f5-4afd-8d9e-ad872e09be58/saml2
- Microsoft Entra Identifier:
https://sts.windows.net/4fd05c0d-44f5-4afd-8d9e-ad872e09be58/
- Logout URL:
https://login.microsoftonline.com/4fd05c0d-44f5-4afd-8d9e-ad872e09be58/saml2
Note: Do not test the Microsoft Entra SSO configuration yet as we still need to Configure GitHub SSO. Testing now will result in an error.
-
Create a New User:
- Go to Users > All Users > New User in Microsoft Entra Admin Center.
- Enter basic details, review and create the user.
- Details:
- Username:
[email protected]
- Password:
*********
-
Assign Roles:
-
Assign the Cloud Application Administrator role to the user. (This is mandatory)
-
Why assigning Cloud Administrator roles is mandatory?
- Because the GitHub App registration allows Cloud Administrator's for granting access for privileged actions in Microsoft Entra ID.
Visit Entra Portal to access
App registration
and follow steps as shown below:
- Because the GitHub App registration allows Cloud Administrator's for granting access for privileged actions in Microsoft Entra ID.
Visit Entra Portal to access
-
Note: Downloading and editing the CSV template can speed up the creation of multiple users.
- Assign the User to GitHub Enterprise Cloud – Organization Application:
Note: Adding the Microsoft Entra Administrator to the GitHub application is essential for configuring GitHub SSO. Otherwise, the testing in Step 5 will result in an error as shown below:
- Sign into GitHub as an administrator.
- Navigate to Settings > Authentication Security.
- Enable SAML Authentication:
- Use the details from Step 2.5, saved in the text editor to fill in the SSO configuration on GitHub.
- Ensure the Signature Method and Digest Method are set to
RSA-SHA256
andSHA256
, respectively.
The objective of this section is to create a user named Jane Doe in GitHub.
- Visit: myapplications.microsoft.com
- Login:
- Username:
[email protected]
- Password:
*********
- Username:
- Click GitHub Enterprise Cloud – Organization.
- Complete GitHub Signup for Jane Doe using the enterprise email ID.
Note:
- Jane Doe will be prompted to change her Microsoft email password, and the GitHub account will be created once the GitHub verification is completed.
- When Jane Doe clicks the GitHub application from the myapplications.microsoft.com homepage, it confirms that the SSO links are functioning correctly. The following step is not necessary, however, I have included additional methods to test SSO in the final step below as best practice for the Cloud Administrator.
-
Sign in to the Azure Portal:
- Go to Azure Portal and sign in with an account that has the necessary permissions.
-
Navigate to Azure Active Directory:
- Click on Azure Active Directory.
-
Go to Enterprise Applications:
- Search for and select your "GitHub Enterprise Cloud - Organization" application.
-
Test the Application:
- In the application settings, click on Single sign-on.
- Click on Test this application.
-
Go to GitHub Sign-on URL directly and initiate the login flow. Refer Step 2.2
This guide has demonstrated my in-depth knowledge and expertise in integrating GitHub Enterprise Cloud with Microsoft Entra ID for SAML-based Single Sign-On. By following these detailed steps, you can ensure a secure and seamless login experience for your users. This project showcases my ability to implement advanced authentication solutions, highlighting my technical proficiency.
-
Users invited or auto-provisioned should adhere to a complex password policy to enhance security. Additionally, enabling two-factor authentication (2FA) on GitHub accounts will further strengthen the security posture.
-
When implementing SSO and integrating cloud services, it is crucial to follow security best practices, ensure compliance with organizational policies, and regularly monitor and update configurations to maintain security integrity. Always test configurations in a controlled environment before deploying to production.
-
Ensure that only authorized personnel have access to configure and manage user provisioning settings. Regularly review and audit access policies and logs to maintain security and compliance within your organization.
- Automated User Provisioning (Organization Invitations): Requires adding GitHub from the Gallery.
- SAML Configuration: Ensure SAML is configured for the GitHub Enterprise Cloud organization.
- Third-Party Application Access Policy: Grant access for Microsoft Azure AD SCIM provisioning under Organization settings -> OAuth application policy.
-
Navigate to Azure Portal:
- Go to the Azure portal.
- You can also navigate through the Microsoft Entra Admin Center, which will redirect you to the Azure Portal for these settings.
- Search for "Enterprise Applications".
- Go to the Azure portal.
-
Select GitHub Enterprise - Cloud Application:
- Select the GitHub Enterprise - Cloud application.
- Go to the "Provisioning" section.
-
Configure Provisioning:
-
Authorize Application:
-
Test and Save Settings:
-
Enable Provisioning:
-
Processing Authorization Error:
-
User Identification / Authentication and Access / Provisioning Errors:
-
Ensure attribute mappings between GitHub and Microsoft Entra ID are correctly configured.
Refer to the Notes in the
Step 3
section for more details.
-
-
Create a Test User and assign the role:
-
Verify Logs (Azure Provisioning Logs):
-
Verify SCIM Invitations (GitHub Organization --> People):
-
Verify Audit Logs (GitHub Organizations --> Settings --> Logs --> Audit Logs):
- Visit GitHub's Organizations to access Audit Logs, followed by Settings --> Logs. Search for "
jane
" or "captain
", click on...
(3 dots) to expand the event, and look for Key and value of@timestamp
orcreated_at
and match with Azure provisioning log. In this example, it is2024-07-14 13:10:49 +0100
.
- Visit GitHub's Organizations to access Audit Logs, followed by Settings --> Logs. Search for "
Note: The provisioning interval is fixed at 40 minutes. After the interval, verify that the user count has increased from 2 to 3.
-
Log in to GitHub:
- Log in with your enterprise admin credentials.
- From the dashboard, go to "Settings".
-
Revoke OAuth App Authorization:
- Click "Applications" and select the "Authorized OAuth Apps" tab.
- Select "Microsoft Azure AD SCIM provisioning" and revoke authorization.
- Use the direct link: GitHub Settings - Applications
Automating user provisioning streamlines and enhances the efficiency of managing user access within an organization. This guide demonstrates my ability to set up and manage automated user provisioning between Azure AD and GitHub Enterprise Cloud, or any other application, effectively. This project highlights my skills in optimizing access management processes