
Enable SSO for Northwestern GitHub Orgs

GitHub orgs within the Northwestern enterprise account can be configured for SSO authentication. This allows users to log in with their Northwestern (NetID) identity, which is linked to their GitHub account on a per-org basis.

This process is documented here: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/github-tutorial. In short, the steps are as follows:

  1. Create a new helpdesk service request for a new “GitHub Enterprise Cloud – Organization” app to be added to Azure AD on your behalf. If you have access to the helpdesk system, you can assign this ticket directly to the NUIT-CI-CollaborationServices team. If you want MFA to be enabled for this app (meaning Northwestern DUO MFA, not GitHub 2FA), be sure to specify this in the request. The Collaboration Services team will add the app to Azure AD and make you and anyone else you designate an owner of it.
  2. Log into the Azure portal and configure the new Azure AD app with your GitHub org’s URLs.
  3. Configure your GitHub org with the URLs and certificate provided by the Azure AD app.
  4. Assign Northwestern users to the Azure AD app to give them access to the GitHub org.

Once those steps are complete, users can access the org by visiting this special URL: https://github.com/orgs/<org>/sso (replacing “<org>” with the actual org identifier). Upon successfully authenticating with their Northwestern identity, they will be prompted to log in with their GitHub credentials. This will “link” their Northwestern identity with their GitHub account for that org only and grant them the Member role in the org.

Requiring SSO Authentication

Even if SSO is configured for an org, by default non-SSO GitHub users can still access the org if they have a role in it. You can also invite non-SSO users to an org if SSO is configured. To allow only SSO users to access the org, you must check the “Require SAML SSO authentication” checkbox on the org Authentication Security settings page.

Note: if you require SSO for your organization and do not have external identities set up in Azure AD for any automation or service accounts that access your org, they will be removed from your organization.

Command Line Repository Access for SSO Users

To use the API or Git on the command line to access protected content in an organization that uses SAML SSO, you will need to use an authorized personal access token over HTTPS or an authorized SSH key.

If you don’t have a personal access token or an SSH key, you can create a personal access token for the command line or generate a new SSH key. For more information, see “Creating a personal access token” or “Generating a new SSH key and adding it to the ssh-agent.”

To use a new or existing personal access token or SSH key with an organization that uses or enforces SAML SSO, you will need to authorize the token or authorize the SSH key for use with a SAML SSO organization. For more information, see “Authorizing a personal access token for use with SAML single sign-on” or “Authorizing an SSH key for use with SAML single sign-on.”
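An added example (not from the Northwestern IT article or from GitHub's own tooling) showing how to confirm from the command line that a personal access token has actually been authorized for an SSO org before using it: GitHub reports this in the X-GitHub-SSO response header. The org name, the GITHUB_TOKEN/ORG variables and the sample response headers are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Northwestern IT article or GitHub's tooling.
# Before pushing with a personal access token, check whether GitHub considers the
# token authorized for your SAML SSO org. GitHub signals this in the X-GitHub-SSO
# response header: "required; url=..." (token not yet authorized for that org),
# "partial-results; organizations=..." (SSO orgs hidden from the result), or no
# header at all (authorized, or the org does not enforce SSO).

# Read HTTP response headers on stdin; print authorized | required | partial | unknown.
github_sso_status() {
  sso=$(grep -i '^x-github-sso:' | tr -d '\r' | cut -d' ' -f2- | head -n 1)
  case "$sso" in
    "")                   echo authorized ;;
    "required;"*)         echo required ;;
    "partial-results;"*)  echo partial ;;
    *)                    echo unknown ;;
  esac
}

# Extract the authorization URL from a "required" header so the user knows where to go.
github_sso_url() {
  grep -i '^x-github-sso:' | tr -d '\r' | sed -n 's/.*url=\([^ ]*\).*/\1/p' | head -n 1
}

# Live check (assumes GITHUB_TOKEN and ORG are set in the environment; not run here):
#   curl -s -D - -o /dev/null -H "Authorization: Bearer $GITHUB_TOKEN" \
#        "https://api.github.com/orgs/$ORG/repos" | github_sso_status

# Constructed sample response: a token that has not been authorized for the org.
SAMPLE_REQUIRED='HTTP/2 403
content-type: application/json; charset=utf-8
x-github-sso: required; url=https://github.com/orgs/example-org/sso?authorization_request=PLACEHOLDER'

printf '%s\n' "$SAMPLE_REQUIRED" | github_sso_status   # prints: required
printf '%s\n' "$SAMPLE_REQUIRED" | github_sso_url      # prints the org SSO URL to visit
```

A "required" result means the token exists and is valid but has not been authorized for the SSO org, which is the step described above; a "partial" result means the request succeeded but repositories in SSO orgs were omitted.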

Adding External Collaborators

External collaborators can be added at a repository level. To add an external collaborator, visit the Settings page for a repository, go to the “Collaborators and teams” page, and click the “Add people” button to enter the GitHub username or email address of the external collaborator to invite. They will be prompted to accept the invitation, and once accepted will be able to access that repository with whatever permissions they have been granted.

Resources