GitHub orgs within the Northwestern enterprise account can be configured for SSO authentication, allowing users to log in with their Northwestern (NetID) identity, which will be linked to their GitHub account on a per-org basis.
This process is documented here: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/github-tutorial. In short, the steps are as follows:
- Create a helpdesk service request to the NUIT-CI-CollaborationServices team for a new “GitHub Enterprise Cloud – Organization” app to be added to Microsoft Entra ID. Specify whether you want MFA to be enabled for this app (meaning Northwestern Duo MFA, not GitHub 2FA). The Collaboration Services team will add the app to Microsoft Entra ID and make you and anyone else you designate an owner.
- Log into the Azure portal and configure the new Microsoft Entra ID app with your GitHub org’s SAML URLs. Per the Microsoft tutorial linked above, all three are derived from the org identifier: Identifier (Entity ID) https://github.com/orgs/<org>, Reply URL (Assertion Consumer Service URL) https://github.com/orgs/<org>/saml/consume, and Sign-on URL https://github.com/orgs/<org>/sso.
- Configure your GitHub org (Settings > Authentication security > SAML single sign-on) with the values provided by the Microsoft Entra ID app: the Login URL goes in the “Sign on URL” field, the Microsoft Entra Identifier in the “Issuer” field, and the Base64 signing certificate in the “Public certificate” field. Use GitHub’s “Test SAML configuration” button before saving so that a misconfiguration cannot lock administrators out of the org.
- Assign Northwestern users to the Microsoft Entra ID app to give them access to the GitHub org.
- Organization administrators can invite users to the organization via email invitation.
- To link their Northwestern identity with their GitHub account, new members of the organization can follow the link in the invitation or access the org by visiting https://github.com/orgs/<org>/sso (replacing “<org>” with the actual org identifier). Upon successfully authenticating with their Northwestern identity, they will be prompted to log in with their GitHub credentials. This will “link” their Northwestern identity with their GitHub account for that org only and grant them the Member role in the org.
Requiring SSO Authentication
Enabling SSO for an org does not, by itself, enforce it: members who have never linked a Northwestern identity keep whatever role they hold, and you can still invite non-SSO GitHub users to the org. To restrict access to SSO users only, check the “Require SAML SSO authentication” checkbox on the org’s Authentication security settings page. Before confirming, GitHub lists the members who have not yet authenticated via SSO; every account on that list is removed from the org when enforcement is turned on.
Note: this removal includes automation and service accounts. If a bot or service account needs to keep access to an org that requires SSO, it must have an identity in Microsoft Entra ID (for example an external identity) assigned to the app, and it must link that identity to its GitHub account before SSO is required; otherwise it will be removed from your organization along with any other unlinked members.
Command Line Repository Access for SSO Users
To use the API or Git on the command line to access protected content in an organization that uses SAML SSO, you will need to use an authorized personal access token over HTTPS or an authorized SSH key.
If you don’t have a personal access token or an SSH key, you can create a personal access token for the command line or generate a new SSH key. For more information, see “Creating a personal access token” or “Generating a new SSH key and adding it to the ssh-agent.”
To use a new or existing personal access token or SSH key with an organization that uses or enforces SAML SSO, you will need to authorize the token or authorize the SSH key for use with a SAML SSO organization. For more information, see “Authorizing a personal access token for use with SAML single sign-on” or “Authorizing an SSH key for use with SAML single sign-on.”
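The quickest way to tell whether a token is actually authorized for an SSO org is to look at the X-GitHub-SSO header GitHub adds to API responses: a 403 with “required; url=…” means the token has not been authorized for that org (the URL is where to authorize it), and a 200 with “partial-results; organizations=…” means results from the listed orgs were withheld. The script below, added here as an example and not part of the Northwestern article or GitHub’s documentation, parses that header from a curl header dump and classifies the result. The sample header captures, the org name “example-org”, and the organization IDs are constructed for illustration; the live probe assumes a classic personal access token in GITHUB_TOKEN.

```shell
#!/bin/sh
# Added example: classify a GitHub REST API response by its X-GitHub-SSO header
# to learn whether a personal access token is SSO-authorized for an org.
#   "required; url=..."                    -> 403, token not authorized for this org
#   "partial-results; organizations=<ids>" -> 200, results from listed orgs withheld
#   header absent                          -> nothing was withheld
# The header dumps below are constructed for this example, not real responses.

set -u

# Print the X-GitHub-SSO header value (CR stripped) from a header dump, or nothing.
sso_header() {
  grep -i '^x-github-sso:' "$1" | tr -d '\r' | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# Classify a header dump: ok | unauthorized | partial | unknown
sso_status() {
  case "$(sso_header "$1")" in
    "")               echo ok ;;
    required*)        echo unauthorized ;;
    partial-results*) echo partial ;;
    *)                echo unknown ;;
  esac
}

# URL to open in a browser to authorize the token when status is "unauthorized".
sso_authorize_url() {
  sso_header "$1" | sed -n 's/.*url=\([^;[:space:]]*\).*/\1/p'
}

# Comma-separated org IDs whose results were withheld when status is "partial".
sso_withheld_orgs() {
  sso_header "$1" | sed -n 's/.*organizations=\([0-9,]*\).*/\1/p'
}

# Live probe (only runs with --probe): request an org-scoped endpoint, dump the
# response headers to a file, and classify them. Needs GITHUB_TOKEN and network.
probe_org() {   # usage: probe_org <org> <header-dump-file>
  curl -sS -o /dev/null -D "$2" \
    -H "Authorization: Bearer $GITHUB_TOKEN" \
    -H "Accept: application/vnd.github+json" \
    "https://api.github.com/orgs/$1/repos"
  sso_status "$2"
}

# --- constructed sample header dumps (made up for this example) ---------------
SAMPLE_REQUIRED=$(mktemp)
cat > "$SAMPLE_REQUIRED" <<'EOF'
HTTP/2 403
x-github-sso: required; url=https://github.com/orgs/example-org/sso?authorization_request=abc123
content-type: application/json; charset=utf-8
EOF

SAMPLE_PARTIAL=$(mktemp)
cat > "$SAMPLE_PARTIAL" <<'EOF'
HTTP/2 200
X-GitHub-SSO: partial-results; organizations=21955855,20582480
content-type: application/json; charset=utf-8
EOF

SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
HTTP/2 200
content-type: application/json; charset=utf-8
EOF

if [ "${1:-}" = "--probe" ]; then
  # e.g.  GITHUB_TOKEN=ghp_... sh check_sso.sh --probe example-org
  probe_org "$2" "$(mktemp)"
fi
```

Run it with `--probe <org>` against a real org to check a token before wiring it into a CI job; an “unauthorized” result means the token exists and is valid but has not been authorized for that SSO org, which is the failure mode that otherwise shows up as a confusing 403 in scripts. Authorization is per org, so a token used across several Northwestern orgs must be authorized for each one.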
Adding External Collaborators
External collaborators (GitHub calls them outside collaborators) are added at the repository level rather than to the org. To add one, open the repository’s Settings page, go to “Collaborators and teams”, click “Add people”, and enter the GitHub username or email address of the person to invite. They must accept the invitation; once they do, they can access that repository only, with whatever permission level (for example read, write, or admin) they were granted, and they do not become members of the organization.
Resources
Your feedback on this article is welcome, and we review comments regularly. However, if you have an issue or question requiring immediate attention or want to discuss your feedback on this article, please get in touch with the Northwestern IT Service Desk at 847-491-4357 (1-HELP) or consultant@northwestern.edu.