SAML GitHub Enterprise Server configuration

Team,
…I have one pressing question. I want to configure both instances with SAML with the URL below, “Using SAML - GitHub Docs”. Under “Configuring SAML settings” in the above link, what info do I need from my networking team, and how do I proceed with step 11, “Under Verification certificate, click Choose File and choose a certificate to validate SAML responses from the IdP”? Thanks

Hi @mikeadams123 - this verification certificate will come from your IdP (Identity Provider), and your SAML team should be able to provide it.

What IdP are you using? I’ll be happy to send any information we have for your IdP.


Nothing much from your network team, as it is your IdP team that is most likely doing the configuration.
If you are using Azure Active Directory as your IdP the link below may help.
[Tutorial: Azure Active Directory integration with a GitHub Enterprise Cloud Organization | Microsoft Docs]
You download the Certificate (Base64) from your IdP configuration.

Thanks for the helpful information @GalaxyAllie and @byrneh. Do I need to configure SAML in my HA replica as well, or since it’s a replica I don’t need to?

Hi @mikeadams123 you’re very welcome. You only need to configure it on the primary instance; the replica uses the configuration from your primary and authentication is handled by the primary.

Awesome @GalaxyAllie. If I still want to keep my admin credentials (so I am still logging in with the username and password created when the GitHub appliance was installed), do I need to select Disable administrator demotion/promotion?

@mikeadams123 - this option determines if your IdP can assign admin rights for users coming from the IdP, and won’t apply to built-in authentication accounts at all if you’re also allowing built-in authentication accounts as it sounds like is your plan.

@GalaxyAllie so my options when SAML is selected are:
1) Allow creation of accounts with built-in authentication (for users not in SAML)
2) IdP initiated SSO (disables AuthnRequest)
3) Disable administrator demotion/promotion (ignore the administrator attribute)

Hi @mikeadams123 , we recommend not enabling IdP-initiated SSO unless your IdP requires it.


@GalaxyAllie I suppose if I don’t select any of the 3 options, my admin user and password, which got created when I set up the GitHub instance, will still be intact. So after configuring SAML in GitHub I can still use my original admin credentials, which I used to set up GitHub, to still log into the instance, correct?


Hello Team,
I am told that I need to provide metadata of my GitHub instance in order for the SAML/SSO team to provide SAML and SSO config info. How do I go about that, and what are the steps needed from my end? I appreciate your response.

Thanks
Mike

Hi @mikeadams123 you can get this from https://[hostname]/saml/metadata, replacing [hostname] with the hostname of your GitHub Enterprise Server instance.


Thanks @GalaxyAllie. I had to swap hostname with the load balancer URL and not the server DNS in order to pull the metadata, though I thought there was another way of providing that; I guess not. Finally, other than providing the metadata to the SAML/SSO team, is there any other item I need to update on the GitHub server other than the below, which is provided by the SAML/SSO team?
A) Single sign on URL
B) Issuer - Available in the IdP configuration
C) Signature method and Digest Method
D) Certificate – Public
F) User attributes

https://docs.github.com/en/enterprise-server@3.0/admin/authentication/authenticating-users-for-your-github-enterprise-server-instance/using-saml
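
An added example, not part of the thread and not GitHub's own code: once the document from `https://[hostname]/saml/metadata` is saved, this Python script pulls out the values a SAML/SSO team registers and flags any URL whose host is not the name users actually reach, which is the load balancer case described above. The sample XML and `github.example.com` are constructed placeholders, and the element set assumes standard SAML 2.0 service-provider metadata.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample; github.example.com is a placeholder hostname and the
# document a real instance serves may carry more or different elements.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://github.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://github.example.com/saml/consume"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_sp_metadata(xml_text):
    """Return the SP values an IdP team needs to register the application."""
    # Metadata never needs a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD or entity declarations")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not a SAML 2.0 EntityDescriptor with an entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")
    return {
        "entity_id": root.get("entityID"),
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
        "nameid_formats": [(n.text or "").strip() for n in sp.findall("md:NameIDFormat", NS)],
        "want_assertions_signed": sp.get("WantAssertionsSigned") in ("true", "1"),
    }


def host_mismatches(summary, public_host):
    """List metadata URLs whose host differs from the name users browse to."""
    urls = [summary["entity_id"]] + [loc for _, loc in summary["acs"]]
    return [u for u in urls if (urlsplit(u).hostname or "").lower() != public_host.lower()]


if __name__ == "__main__":
    print(host_mismatches(summarize_sp_metadata(SAMPLE_METADATA), "github.example.com"))
```

A non-empty result from `host_mismatches` means the IdP would be registered against a URL that browsers do not use, so responses would be posted to the wrong host.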

Hi @mikeadams123 you’re very welcome! I think that list covers it, but if you’re missing anything, let me know and I’ll be happy to help.


Thanks @GalaxyAllie, hopefully that’s all. I will revert if not. Thanks a lot


@GalaxyAllie @byrneh how do I go about configuring SSL on GitHub Enterprise Server? Any help will be greatly appreciated.

Thanks
Ejike

Following these instructions should do the trick.
https://docs.github.com/en/enterprise-server/admin/configuration/configuring-network-settings/configuring-tls
