You can give users access to your GitHub Enterprise organization through the Teamstack SAML integration. Users will have to use their personal GitHub account or create a new GitHub account to access your GitHub Enterprise organization. Every time a user wants to access your GitHub organization, the user has to authenticate through Teamstack.
This approach will give you the option to revoke access from a centralized place, require multi-factor authentication and/or limit the access to a geo-location and much more.
Features:
GitHub (SP) initiated Single Sign On
Teamstack (IdP) initiated Single Sign On
JIT (Just In Time) Provisioning
Minimum Requirements:
Plan: GitHub Enterprise or higher
Set up SSO via SAML for GitHub
To set up SSO you first need to create a GitHub Enterprise app in Teamstack, assign it to yourself and then configure GitHub SSO with the SAML settings from Teamstack.
Step 1: Create GitHub app in Teamstack
Go to your Applications in Teamstack.
Click "Add Application" in the top right corner.
Search for "GitHub Enterprise" and click "Add".
Enter your "GitHub organization name". The easiest way to find the right value is to copy it from the URL when you are on the overview page of your organization in GitHub. The URL will look like github.com/myCompanyName. Use myCompanyName as a value. Providing the wrong value will cause the SAML login to fail.
Click on "Add" to save the settings.
On your applications overview, click on the newly created GitHub app. You will see all details about this app.
Click on "Users" and assign this app to yourself. You will need this to test that SAML is working during setup in GitHub.
Click on the "SAML Configurations" tab. Keep this page open, you will need these values once you configure the SAML settings in GitHub.
Step 2: Set up SAML in GitHub
You can set up SAML single sign-on and test it before you require it for all your users.
Log in to your GitHub organization with your administrator account and go to the organization settings.
On left sidebar, you find the "Security" section which opens the configuration for "SAML single sign-on"
Click on "Enable SAML authentication". You will need to enter your SAML settings from Teamstack (step 1.8).
Copy the three values (Sign-in page URL, Issuer, Identity provider certificate) from the Teamstack SAML settings from step 1.8.
GitHub gives you the option to download the recovery codes for your account. Go ahead and save your codes in a safe place.
Click on "Test SAML configuration". GitHub will redirect you to Teamstack, which will redirect you back to GitHub. If the redirection was successful, the SAML configuration is complete. Click on "Save" to confirm the settings.
It is now possible to give your users access to your GitHub organization through Teamstack. Once you assign the GitHub app to a user or add the user to a group with the app in it, the user will be able to log in to the GitHub organization.
The user will still need to have a personal GitHub account. This account will have access to your organization through the Teamstack SAML integration.
To activate SSO for all your users, you need to log in to GitHub through Teamstack and go to your SAML settings in GitHub and activate the "Require SAML SSO" checkbox.
Find out more about how SSO users can use the GitHub API or command line at the GitHub docs.