205hlab-mirrors/authentik
2
0
Fork 0
mirror of https://github.com/goauthentik/authentik.git synced 2026-06-17 19:09:11 +03:00
Code Issues Packages Projects Releases Wiki Activity

website/integrations: Refactor and cleanup GitHub Enterprise (#21685)

Browse Source
This commit is contained in:
Dominic R
2026-04-30 07:11:27 -04:00
committed by GitHub
parent d6c0ae21de
commit e78c43e9d9
13 changed files with 466 additions and 380 deletions
Download Patch File Download Diff File Expand all files Collapse all files
locale/en/dictionaries/integrations.txt
+1
View File
@@ -19,6 +19,7 @@ Forti
Fortigate
Gatus
Gestionnaire
ghec
Gitea
Gravitee
Homarr
website/integrations/development/github-enterprise-emu/ghec_emu_settings.png → website/integrations/development/ghec-emu/ghec_emu_settings.png
View File
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 30 KiB

website/integrations/development/ghec-emu/index.mdx
+234
View File
@@ -0,0 +1,234 @@
---
title: Integrate with GitHub Enterprise Managed Users
sidebar_label: GitHub Enterprise EMU
support_level: community
---
import TabItem from "@theme/TabItem";
import Tabs from "@theme/Tabs";
## What is GitHub Enterprise Managed Users
> With Enterprise Managed Users, you manage the lifecycle and authentication of your users on GitHub from an external identity management system, or IdP.
>
> -- https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users
This guide configures authentik as the SAML identity provider and SCIM provider for GitHub Enterprise Cloud with Enterprise Managed Users (EMU). It applies to EMU enterprises hosted on GitHub.com and EMU enterprises with data residency on GHE.com.
## Preparation
The following placeholders are used in this guide:
- `github.com/enterprises/foo` is your GitHub.com EMU enterprise, where `foo` is the name of your enterprise.
- `foo.ghe.com` is your GHE.com EMU enterprise, where `foo` is the name of your enterprise.
- `authentik.company` is the FQDN of the authentik installation.
- `GitHub Users` is an application entitlement used for standard GitHub users.
- `GitHub Admins` is an application entitlement used for GitHub enterprise administrators.
:::info
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
SCIM must be configured for this integration. GitHub matches the SAML identity to the SCIM identity by comparing the SAML `NameID` value with the SCIM `userName` value. The mappings below use the `github_emu_username` user attribute when it exists, and fall back to the authentik username.
Use the values for your EMU deployment when configuring authentik:
<Tabs
groupId="github-emu-deployment"
defaultValue="github"
values={[
{label: 'GitHub.com', value: 'github'},
{label: 'GHE.com', value: 'ghec'},
]}>
<TabItem value="github">
| Setting | Value |
| ------------ | ------------------------------------------------- |
| **ACS URL** | `https://github.com/enterprises/foo/saml/consume` |
| **Audience** | `https://github.com/enterprises/foo` |
| **Issuer** | `https://github.com/enterprises/foo` |
| **SCIM URL** | `https://api.github.com/scim/v2/enterprises/foo` |
</TabItem>
<TabItem value="ghec">
| Setting | Value |
| ------------ | -------------------------------------------------- |
| **ACS URL** | `https://foo.ghe.com/enterprises/foo/saml/consume` |
| **Audience** | `https://foo.ghe.com/enterprises/foo` |
| **Issuer** | `https://foo.ghe.com/enterprises/foo` |
| **SCIM URL** | `https://api.foo.ghe.com/scim/v2/enterprises/foo` |
</TabItem>
</Tabs>
## authentik configuration
To support the integration of GitHub Enterprise EMU with authentik, you need to create property mappings, an application/provider pair, application entitlements, and a SCIM provider.
### Create property mappings in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**.
3. Create the following **SAML Provider Property Mapping**s:
- **Name**: `GitHub EMU username`
- **SAML Attribute Name**: `http://schemas.goauthentik.io/2021/02/saml/username`
- **Expression**:
```python
return request.user.attributes.get("github_emu_username", request.user.username)
```
- **Name**: `GitHub EMU full name`
- **SAML Attribute Name**: `full_name`
- **Expression**:
```python
return request.user.name
```
- **Name**: `GitHub EMU emails`
- **SAML Attribute Name**: `emails`
- **Expression**:
```python
if request.user.email:
yield request.user.email
```
4. Create a **SCIM Provider Mapping** with the following settings:
- **Name**: `GitHub EMU user`
- **Expression**:
The supported `roles` values are documented in [GitHub Enterprise Cloud's SCIM API documentation](https://docs.github.com/en/enterprise-cloud@latest/rest/enterprise-admin/scim#provision-a-scim-enterprise-user).
```python
username = request.user.attributes.get("github_emu_username", request.user.username)
formatted = request.user.name or username
given_name = formatted
family_name = " "
if " " in formatted:
given_name, _, family_name = formatted.partition(" ")
emails = []
if request.user.email:
emails.append(
{
"value": request.user.email,
"type": "work",
"primary": True,
}
)
entitlement_names = {
entitlement.name
for entitlement in request.user.app_entitlements(provider.application)
}
roles = []
if "GitHub Admins" in entitlement_names:
roles.append({"value": "enterprise_owner", "primary": True})
elif "GitHub Users" in entitlement_names:
roles.append({"value": "user", "primary": True})
return {
"userName": username,
"externalId": str(request.user.uid),
"name": {
"formatted": formatted,
"givenName": given_name,
"familyName": family_name,
},
"displayName": formatted,
"active": request.user.is_active,
"emails": emails,
"roles": roles,
}
```
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set **ACS URL** to the ACS URL for your EMU deployment.
- Set **Audience** to the audience value for your EMU deployment.
- Set **Issuer** to the issuer value for your EMU deployment.
- Set **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**:
- Add the `GitHub EMU full name` and `GitHub EMU emails` property mappings.
- Set **NameID Property Mapping** to `GitHub EMU username`.
- Set **Default NameID Policy** to `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`.
- Select an available **Signing certificate**. Download this certificate because it is required later.
- Enable **Sign assertion** and **Sign response**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. If you add the SCIM provider as a backchannel provider later, only users who can view this application are synchronized.
3. Click **Submit** to save the new application and provider.
### Create application entitlements
1. In the authentik Admin interface, open the GitHub EMU application that you created.
2. Click the **Application entitlements** tab.
3. Create two entitlements named `GitHub Users` and `GitHub Admins`.
4. Open each entitlement and bind the users or groups that should receive it.
## GitHub configuration
When GitHub provisions your managed enterprise, GitHub sends an email inviting you to reset the password for the setup user. The setup user has the username `foo_admin`, cannot be linked with SSO, and is the emergency account that can bypass SSO requirements.
### Create the SCIM token
1. Log in as the setup user.
2. Navigate to the personal access tokens page:
- GitHub.com: `https://github.com/settings/tokens`
- GHE.com: `https://foo.ghe.com/settings/tokens`
3. Generate a new classic personal access token with the `scim:enterprise` scope.
4. Copy the token. This value is used in the authentik SCIM provider.
### Configure SAML in GitHub
1. Log in as the setup user.
2. Navigate to your enterprise.
3. Click **Identity provider**.
4. Under **Identity Provider**, click **Single sign-on configuration**.
5. Under **Open SCIM Configuration**, select **Enable open SCIM configuration**.
6. Under **SAML single sign-on**, select **Add SAML configuration**.
7. Configure the following settings:
- **Sign on URL**: enter the **SSO URL (Redirect)** from the SAML provider that you created in authentik.
- **Issuer**: enter the **Issuer** that you configured in authentik.
- **Public certificate**: paste the full signing certificate that you downloaded from authentik.
- **Signature method** and **Digest method**: select the methods that match the authentik SAML provider settings.
8. Click **Test SAML configuration**.
9. After the test succeeds, click **Save SAML settings**.
10. Save the SAML recovery codes that GitHub provides.
![Screenshot showing populated GitHub Enterprise Cloud EMU SAML settings](ghec_emu_settings.png)
### Create a SCIM provider in authentik
1. In the authentik Admin interface, navigate to **Applications** > **Providers** and click **Create**.
2. Select **SCIM Provider** as the provider type and click **Next**.
3. Configure the following settings:
- **Name**: provide a descriptive name.
- **URL**: enter the SCIM URL for your EMU deployment.
- **Token**: paste the GitHub personal access token that you created earlier.
- **User Property Mappings**: remove `authentik default SCIM Mapping: User`, then add the `GitHub EMU user` mapping that you created earlier.
- **Group Property Mappings**: keep `authentik default SCIM Mapping: Group` selected.
4. Click **Finish**.
5. Navigate to **Applications** > **Applications** and open the GitHub EMU application.
6. Add the SCIM provider to **Backchannel Providers**.
7. Click **Update**.
## Configuration verification
To confirm that authentik is properly configured with GitHub Enterprise EMU, assign a test user to the `GitHub Users` entitlement and ensure that the user can view the application in authentik.
Open the SCIM provider and click **Run sync again**. After the sync completes, confirm that the user is provisioned in GitHub. Then, log in to GitHub as the test user and confirm that GitHub redirects the user to authentik for SAML authentication.
## Resources
- [GitHub Enterprise Cloud: configuring SAML single sign-on for Enterprise Managed Users](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users)
- [GitHub Enterprise Cloud: configuring SCIM provisioning for Enterprise Managed Users](https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users)
- [GitHub Enterprise Cloud: REST API endpoints for SCIM](https://docs.github.com/en/enterprise-cloud@latest/rest/enterprise-admin/scim)
website/integrations/development/github-organization/ghorg_saml_settings.png → website/integrations/development/ghec/ghorg_saml_settings.png
View File
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 79 KiB

After

Width:  |  Height:  |  Size: 79 KiB

website/integrations/development/ghec/index.md
+75
View File
@@ -0,0 +1,75 @@
---
title: Integrate with GitHub Enterprise Cloud
sidebar_label: GitHub Enterprise Cloud
support_level: community
---
## What is GitHub Enterprise Cloud
> GitHub Enterprise Cloud is a plan for large businesses or teams who collaborate on GitHub.com.
>
> -- https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/githubs-plans
This guide configures SAML SSO for a GitHub Enterprise Cloud organization.
:::info
For GitHub Enterprise Cloud with Enterprise Managed Users, see the [GitHub Enterprise EMU](../ghec-emu/) integration guide.
:::
## Preparation
The following placeholders are used in this guide:
- `github.com/orgs/foo` is your GitHub organization, where `foo` is the name of your organization.
- `authentik.company` is the FQDN of the authentik installation.
:::info
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of GitHub Enterprise Cloud with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set **ACS URL** to `https://github.com/orgs/foo/saml/consume`.
- Set **Audience** to `https://github.com/orgs/foo`.
- Set **Issuer** to `https://github.com/orgs/foo`.
- Set **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**. Download this certificate because it is required later.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## GitHub configuration
1. Log in to GitHub as an organization owner.
2. Navigate to your organization at `https://github.com/foo`.
3. Click **Settings**.
4. In the left sidebar, under **Security**, click **Authentication security**.
5. Under **SAML single sign-on**, select **Enable SAML authentication**.
6. Configure the following settings:
- **Sign on URL**: enter the **SSO URL (Redirect)** from the SAML provider that you created in authentik.
- **Issuer**: enter the **Issuer** that you configured in authentik.
- **Public certificate**: paste the full signing certificate that you downloaded from authentik.
- **Signature method** and **Digest method**: select the methods that match the authentik SAML provider settings.
7. Click **Test SAML configuration**.
8. After the test succeeds, click **Save**.
![Screenshot showing populated GitHub organization SAML settings](ghorg_saml_settings.png)
This enables SAML as an authentication option. To require SAML for all organization members, visit `https://github.com/orgs/foo/sso`, sign in with SAML, then return to **Authentication security** and select **Require SAML SSO authentication for all members of the foo organization**.
## Configuration verification
To confirm that authentik is properly configured with GitHub Enterprise Cloud, log out of GitHub and then access a resource in the organization. GitHub should prompt you to authenticate with SAML through authentik.
## Resources
- [GitHub Enterprise Cloud: managing SAML single sign-on for your organization](https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization)
website/integrations/development/github-enterprise-server/ghes_saml_settings.png → website/integrations/development/ghes/ghes_saml_settings.png
View File
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 84 KiB

After

Width:  |  Height:  |  Size: 84 KiB

website/integrations/development/ghes/index.md
+142
View File
@@ -0,0 +1,142 @@
---
title: Integrate with GitHub Enterprise Server
sidebar_label: GitHub Enterprise Server
support_level: community
---
## What is GitHub Enterprise Server
> GitHub Enterprise Server is a self-hosted platform for software development within your enterprise.
>
> -- https://docs.github.com/en/enterprise-server@latest/admin/overview/about-github-enterprise-server
## Preparation
The following placeholders are used in this guide:
- `github.company` is the FQDN of your GitHub Enterprise Server installation.
- `authentik.company` is the FQDN of the authentik installation.
- `GitHub Users` is an application entitlement used for standard GitHub Enterprise Server users.
- `GitHub Admins` is an application entitlement used for GitHub Enterprise Server administrators.
:::info
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of GitHub Enterprise Server with authentik, you need to create an application/provider pair in authentik. If you want to use SCIM provisioning, you also need to create application entitlements and a SCIM property mapping.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set **ACS URL** to `https://github.company/saml/consume`.
- Set **Audience** to `https://github.company`.
- Set **Issuer** to `https://github.company`.
- Set **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**:
- Select an available **Signing certificate**. Download this certificate because it is required later.
- Set **NameID Property Mapping** to `authentik default SAML Mapping: Username`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. If you add the SCIM provider as a backchannel provider later, only users who can view this application are synchronized.
3. Click **Submit** to save the new application and provider.
### Create application entitlements
1. In the authentik Admin interface, open the GitHub Enterprise Server application that you created.
2. Click the **Application entitlements** tab.
3. Create two entitlements named `GitHub Users` and `GitHub Admins`.
4. Open each entitlement and bind the users or groups that should receive it.
### Create a SCIM property mapping
1. In the authentik Admin interface, navigate to **Customization** > **Property Mappings** and click **Create**.
2. Select **SCIM Provider Mapping** and click **Next**.
3. Create a mapping for GitHub roles:
- **Name**: `GitHub roles`
- **Expression**:
The supported `roles` values are documented in [GitHub Enterprise Server's SCIM API documentation](https://docs.github.com/en/enterprise-server@latest/rest/enterprise-admin/scim#provision-a-scim-enterprise-user).
```python
entitlement_names = {
entitlement.name
for entitlement in request.user.app_entitlements(provider.application)
}
roles = []
if "GitHub Admins" in entitlement_names:
roles.append({"value": "enterprise_owner", "primary": True})
elif "GitHub Users" in entitlement_names:
roles.append({"value": "user", "primary": True})
return {
"roles": roles,
}
```
4. Click **Finish**.
## GitHub Enterprise Server configuration
### Create the SCIM token
1. Log in to GitHub Enterprise Server with the administrator account that you use for SCIM provisioning.
2. Navigate to `https://github.company/settings/tokens`.
3. Generate a new classic personal access token with the `scim:enterprise` scope.
4. Copy the token. This value is used in the authentik SCIM provider.
### Configure SAML
1. Navigate to the GitHub Enterprise Server Management Console at `https://github.company:8443`.
2. Sign in as an administrator.
3. Go to **Authentication**.
4. Configure the following settings:
- Select **SAML**.
- **Sign on URL**: enter the **SSO URL (Redirect)** from the SAML provider that you created in authentik.
- **Issuer**: enter the **Issuer** that you configured in authentik.
- **Signature method** and **Digest method**: select the methods that match the authentik SAML provider settings.
- **Validation certificate**: upload the signing certificate that you downloaded from authentik.
- If you plan to use SCIM, select **Allow creation of accounts with built-in authentication** and **Disable administrator demotion/promotion**.
- In the **User attributes** section, do not configure a different username attribute unless it returns the same value as the SCIM `userName` attribute.
5. Click **Save settings** and wait for the changes to apply.
![Screenshot showing populated GitHub Enterprise Server SAML settings](ghes_saml_settings.png)
### Enable SCIM
1. Log in to GitHub Enterprise Server with an administrator account.
2. Open **Enterprise settings**.
3. In the left sidebar, click **Settings** > **Authentication security**.
4. Select **Enable SCIM configuration**.
5. Click **Save**.
### Create a SCIM provider in authentik
1. In the authentik Admin interface, navigate to **Applications** > **Providers** and click **Create**.
2. Select **SCIM Provider** as the provider type and click **Next**.
3. Configure the following settings:
- **Name**: provide a descriptive name.
- **URL**: `https://github.company/api/v3/scim/v2`
- **Token**: paste the GitHub personal access token that you created earlier.
- **User Property Mappings**: keep `authentik default SCIM Mapping: User` selected, then add the `GitHub roles` mapping that you created earlier.
- **Group Property Mappings**: keep `authentik default SCIM Mapping: Group` selected.
4. Click **Finish**.
5. Navigate to **Applications** > **Applications** and open the GitHub Enterprise Server application.
6. Add the SCIM provider to **Backchannel Providers**.
7. Click **Update**.
## Configuration verification
To confirm that authentik is properly configured with GitHub Enterprise Server, assign a test user to the `GitHub Users` entitlement and ensure that the user can view the application in authentik.
Open the SCIM provider and click **Run sync again**. After the sync completes, confirm that the user is provisioned in GitHub Enterprise Server. Then, log in to GitHub Enterprise Server as the test user and confirm that GitHub redirects the user to authentik for SAML authentication.
## Resources
- [GitHub Enterprise Server: configuring SAML single sign-on for your enterprise](https://docs.github.com/en/enterprise-server@latest/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise)
- [GitHub Enterprise Server: REST API endpoints for SCIM](https://docs.github.com/en/enterprise-server@latest/rest/enterprise-admin/scim)
website/integrations/development/github-enterprise-cloud/ghec_saml_settings.png
BIN
View File
Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 60 KiB

website/integrations/development/github-enterprise-cloud/index.md
-67
View File
@@ -1,67 +0,0 @@
---
title: Integrate with GitHub Enterprise Cloud
sidebar_label: GitHub Enterprise Cloud
support_level: community
---
## What is GitHub Enterprise Cloud
> GitHub is a complete developer platform to build, scale, and deliver secure software. Businesses use our suite of products to support the entire software development lifecycle, increasing development velocity and improving code quality.
>
> -- https://docs.github.com/en/enterprise-cloud@latest/admin/overview/about-github-for-enterprises
:::info
GitHub Enterprise Cloud EMU (Enterprise Managed Users) are not compatible with authentik. GitHub currently only permits SAML/OIDC for EMU organizations with Okta and/or Microsoft Entra ID (Azure AD).
:::
## Preparation
The following placeholders are used in this guide:
- `github.com/enterprises/foo` is your GitHub organization, where `foo` is the name of your enterprise.
- `authentik.company` is the FQDN of the authentik installation.
:::info
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of GitHub Enterprise Cloud with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://github.com/enterprises/foo/saml/consume`.
- Set the **Audience** to `https://github.com/enterprises/foo`.
- Set the **Issuer** to `https://github.com/enterprises/foo`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## GitHub Configuration
Navigate to your enterprise settings by clicking your GitHub user portrait in the top right of GitHub.com, then select `Your enterprises` and click `Settings` for the enterprise you wish to configure.
In the left-hand navigation, within the `Settings` section, click `Authentication security`.
On this page:
- Select the `Require SAML authentication` checkbox.
- In `Sign on URL`, type `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- For `Issuer`, type `https://github.com/enterprises/foo` or the `Audience` you set in authentik
- For `Public certificate`, paste the _full_ signing certificate into this field.
- Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
![Screenshot showing populated GitHub enterprise SAML settings](ghec_saml_settings.png)
Once these fields are populated, you can use the `Test SAML configuration` button to test the authentication flow. If the flow completes successfully, you will see a green tick next to the Test button.
Scroll down to hit the `Save` button below.
website/integrations/development/github-enterprise-emu/index.md
-130
View File
@@ -1,130 +0,0 @@
---
title: Integrate with GitHub Enterprise Cloud - Enterprise Managed Users
sidebar_label: GitHub Enterprise Cloud EMU
support_level: community
---
## What is GitHub Enterprise Cloud - Enterprise Managed Users
> With Enterprise Managed Users, you manage the lifecycle and authentication of your users on GitHub from an external identity management system, or IdP:
>
> - Your IdP provisions new user accounts on GitHub, with access to your enterprise.
> - Users must authenticate on your IdP to access your enterprise's resources on GitHub.
> - You control usernames, profile data, organization membership, and repository access from your IdP.
> - If your enterprise uses OIDC SSO, GitHub will validate access to your enterprise and its resources using your IdP's Conditional Access Policy (CAP). See "About support for your IdP's Conditional Access Policy."
> - Managed user accounts cannot create public content or collaborate outside your enterprise. See "Abilities and restrictions of managed user accounts."
>
> -- https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users
## Preparation
The following placeholders are used in this guide:
- `github.com/enterprises/foo` is your GitHub organization, where `foo` is the name of your enterprise
- `authentik.company` is the FQDN of the authentik installation.
- `GitHub Users` is an application entitlement used for standard GitHub Enterprise Cloud EMU users.
- `GitHub Admins` is an application entitlement used for GitHub enterprise administrators.
:::info
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of GitHub Enterprise Cloud EMU with authentik, you need to create an application/provider pair in authentik.
:::info
In order to use GitHub Enterprise Cloud EMU, SCIM must also be set up.
:::
:::info
GitHub will create usernames for your EMU users based on the SAML `NameID` property, which must also match SCIM's `_userName_` attribute.
:::
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://github.com/enterprises/foo/saml/consume`.
- Set the **Audience** to `https://github.com/enterprises/foo`.
- Set the **Issuer** to `https://github.com/enterprises/foo`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- Under **NameID Property Mapping**, set **NameID Property Mapping** to be based on the `Email` field.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. If you add the SCIM provider as a backchannel provider later, only users who can view this application will be synchronized.
3. Click **Submit** to save the new application and provider.
**Create the user and administrator entitlements**
In the authentik Admin interface, open the GitHub EMU application that you just created, click the **Application entitlements** tab, and create two entitlements named `GitHub Users` and `GitHub Admins`.
After creating the entitlements, open each entitlement and bind the users or groups that should receive it.
## GitHub SAML Configuration
When your EMU is provisioned by GitHub, you will receive an email inviting you to reset the password of your 'setup user'. This user cannot be linked with SSO and is an emergency access account, as it will be the only account that can bypass SSO requirements.
Before enabling SAML, go to your [Personal access tokens](https://github.com/settings/tokens) on your EMU setup user and Generate a new _personal access token (classic)_. This should have a descriptive note like `SCIM Token`. It is advisable to set this to not expire. For scopes, select only _admin:enterprise_ and click _Generate token_.
Copy the resulting token to a safe location.
After you have set a password for this account and generated your SCIM token, navigate to your enterprise settings by clicking your GitHub user portrait in the top right of GitHub.com, select `Your enterprise`, click the `Settings` link, and then click `Authentication security`.
On this page:
- Select the `Require SAML authentication` checkbox.
- In `Sign on URL`, input the _SSO URL (Redirect)_ entry from the SAML provider you created.
- For `Issuer`, input the `Issuer` you set in authentik.
- For `Public certificate`, paste the _full_ signing certificate into this field.
- Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
![Screenshot showing populated GitHub enterprise SAML settings](ghec_emu_settings.png)
Once these fields are populated, you can use the `Test SAML configuration` button to test the authentication flow. If the flow completes successfully, you will see a green tick next to the Test button.
Scroll down to hit the `Save SAML settings` button below.
You will now be prompted to save your SAML recovery codes. These will be necessary if you need to disable or change your SAML settings, so keep them safe!
## SCIM Provider
Before we create a SCIM provider, we also have to create a new Property Mapping. In authentik, go to _Customization_, then _Property Mappings_. Here, click _Create_, select _SCIM Provider Mapping_. Name the mapping something memorable and paste the following code in the _Expression_ field:
```python
entitlement_names = {
entitlement.name
for entitlement in request.user.app_entitlements(provider.application)
}
roles = []
# Edit this if statement if you need to add more GitHub roles.
# Valid roles include:
# user, guest_collaborator, enterprise_owner, billing_manager
if "GitHub Admins" in entitlement_names:
roles.append({'value': 'enterprise_owner', 'primary': True})
elif "GitHub Users" in entitlement_names:
roles.append({'value': 'user', 'primary': True})
return {
"roles": roles,
}
```
If you renamed either entitlement, make sure that you update the code above to match.
Create a new SCIM provider with the following parameters:
- URL: `https://api.github.com/scim/v2/enterprises/foo/` (Replacing `foo` with your Enterprise slug.)
- Token: Paste the token provided from GitHub here.
- In the _Attribute mapping_ section, de-select the `authentik default SCIM Mapping: User` mapping by selecting it on the right-hand side and clicking the left-facing single chevron.
- Select the property mapping you created in the previous step and add it by clicking the right-facing single chevron.
- You can leave the _Group Property Mappings_ as is.
- Click _Finish_.
Go back to your GitHub EMU Application created in the first step and add your new SCIM provider in the _Backchannel Providers_ field, then click the _Update_ button.
You should now be ready to assign users or groups to your _GitHub Users_ and _GitHub Admins_ application entitlements. Use application bindings or policies to limit which users can view the application and are synchronized by SCIM, and use the entitlements to assign the corresponding GitHub SCIM role values. If you do not see your users being provisioned, go to your SCIM provider and click the _Run sync again_ option. A few seconds later, you should see results of the SCIM sync.
website/integrations/development/github-enterprise-server/index.md
-118
View File
@@ -1,118 +0,0 @@
---
title: Integrate with GitHub Enterprise Server
sidebar_label: GitHub Enterprise Server
support_level: community
---
## What is GitHub Enterprise Server
> GitHub Enterprise Server is a self-hosted platform for software development within your enterprise. Your team can use GitHub Enterprise Server to build and ship software using Git version control, powerful APIs, productivity and collaboration tools, and integrations. Developers familiar with GitHub.com can onboard and contribute seamlessly using familiar features and workflows.
>
> -- https://docs.github.com/en/enterprise-server@3.5/admin/overview/about-github-enterprise-server
## Preparation
The following placeholders are used in this guide:
- `https://github.company` is your GitHub Enterprise Server installation
- `authentik.company` is the FQDN of the authentik installation.
- `GitHub Users` is an application entitlement used for standard GitHub Enterprise Server users.
- `GitHub Admins` is an application entitlement used for GitHub Enterprise Server administrators.
:::info
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of GitHub Enterprise Server with authentik, you need to create an application/provider pair in authentik.
:::info
In order to use GitHub Enterprise Server, SCIM must also be set up.
:::
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://github.company/saml/consume`.
- Set the **Audience** and **Issuer** to `https://github.company`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. If you add the SCIM provider as a backchannel provider later, only users who can view this application will be synchronized.
3. Click **Submit** to save the new application and provider.
### Create the user and administrator entitlements
In the authentik Admin interface, open the GitHub Enterprise Server application that you just created, click the **Application entitlements** tab, and create two entitlements named `GitHub Users` and `GitHub Admins`.
After creating the entitlements, open each entitlement and bind the users or groups that should receive it.
## SAML Configuration
If you plan to use SCIM (available from GHES 3.14.0), create a first administrator user on your instance and go to your personal access tokens at `https://github.company/settings/tokens/new`, click _Generate new token_, and then click _Generate new token (classic)_. Your token should have a descriptive name and, ideally, no expiration date. For permission scopes, you need to select _admin:enterprise_. Click _Generate token_ and store the resulting token in a safe location.
To enable SAML, navigate to your appliance maintenance settings. These are found at `https://github.company:8443`. Here, sign in with an administrator user and go to the Authentication section.
On this page:
- Select the _SAML_ option.
- In _Sign on URL_, input your _SSO URL (Redirect)_ from authentik.
- For _Issuer_, use the _Audience_ you set in authentik.
- Verify that the _Signature method_ and _Digest method_ match your SAML provider settings in authentik.
- For _Validation certificate_, upload the signing certificate you downloaded after creating the provider.
- If you plan to enable SCIM, select _Allow creation of accounts with built-in authentication_ and _Disable administrator demotion/promotion_ options. These are selected so you can use your administrator user as an emergency non-SSO account, as well as create machine users, and to ensure users are not promoted outside your IdP.
- In the _User attributes_ section, enter `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` in the _Username_ field to ensure the emails become normalized into usernames in GitHub.
- Press Save settings on the left-hand side and wait for the changes to apply.
![Screenshot showing populated GitHub Enterprise Server SAML settings](ghes_saml_settings.png)
Once the appliance has saved the settings and reloaded the services, you should be able to navigate to your instance URL at `https://github.company` and sign in with SAML.
## SCIM Configuration
This section only applies if you completed the steps above to prepare the instance for SCIM enablement.
After enabling SAML, log into your initial administrator account again. Click the user portrait in the top right, click _Enterprise settings_, click _Settings_ in the left-hand sidebar, and then click _Authentication security_. On this page, check _Enable SCIM configuration_ and press _Save_. After that, you should see a message reading _SCIM Enabled_.
Before we create a SCIM provider, we have to create a new Property Mapping. In authentik, go to _Customization_, then _Property Mappings_. Here, click _Create_, select _SCIM Provider Mapping_. Name the mapping something memorable and paste the following code in the _Expression_ field:
```python
entitlement_names = {
entitlement.name
for entitlement in request.user.app_entitlements(provider.application)
}
roles = []
# Edit this if statement if you need to add more GitHub roles.
# Valid roles include:
# user, guest_collaborator, enterprise_owner, billing_manager
if "GitHub Admins" in entitlement_names:
roles.append({'value': 'enterprise_owner', 'primary': True})
elif "GitHub Users" in entitlement_names:
roles.append({'value': 'user', 'primary': True})
return {
"roles": roles,
}
```
If you renamed either entitlement, make sure that you update the code above to match.
Create a new SCIM provider with the following parameters:
- URL: `https://github.company/api/v3/scim/v2`
- Token: Paste the token you generated earlier here.
- In the _Attribute mapping_ section, de-select the `authentik default SCIM Mapping: User` mapping from the _User Property Mappings_ by selecting it on the right-hand side and clicking the left-facing single chevron.
- Select the property mapping you created in the previous step and add it by clicking the right-facing single chevron.
- Ensure that `authentik default SCIM Mapping: Group` is the only one active in the _Group Property Mappings_.
- Click _Finish_.
Go back to your GitHub Enterprise Server Application created in the first step and add your new SCIM provider in the _Backchannel Providers_ field, then click the _Update_ button.
You should now be ready to assign users or groups to your _GitHub Users_ and _GitHub Admins_ application entitlements. Use application bindings or policies to limit which users can view the application and are synchronized by SCIM, and use the entitlements to assign the corresponding GitHub SCIM role values. If you do not see your users being provisioned, go to your SCIM provider and click the _Run sync again_ option. A few seconds later, you should see results of the SCIM sync.
website/integrations/development/github-organization/index.md
-65
View File
@@ -1,65 +0,0 @@
---
title: Integrate with GitHub Organization
sidebar_label: GitHub Organization
support_level: community
---
## What is a GitHub Organization
> Organizations are shared accounts where businesses and open-source projects can collaborate across many projects at once, with sophisticated security and administrative features.
>
> -- https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations
## Preparation
The following placeholders are used in this guide:
- `github.com/orgs/foo` is your GitHub organization, where `foo` is the name of your GitHub organization.
- `authentik.company` is the FQDN of the authentik installation.
:::info
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of GitHub Organization with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://github.com/orgs/foo/saml/consume`.
- Set the **Audience** to `https://github.com/orgs/foo`.
- Set the **Issuer** to `https://github.com/orgs/foo`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## GitHub Configuration
Navigate to your organization settings by going to your organization page at https://github.com/foo, then click Settings.
In the left-hand navigation, scroll down to the Security section and click `Authentication security`.
On this page:
- Select the `Enable SAML authentication` checkbox.
- In `sign-on URL`, type `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- For `Issuer`, type `https://github.com/orgs/foo` or the `Audience` you set in authentik
- For `Public certificate`, paste the _full_ signing certificate into this field.
- Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
Once these fields are populated, you can use the `Test SAML configuration` button to test the authentication flow. If the flow completes successfully, you will see a green tick next to the Test button.
Scroll down to hit the `Save` button below.
![Screenshot showing populated GitHub organization SAML settings](ghorg_saml_settings.png)
This enables SAML as an authentication _option_. If you want to _require_ SAML for your organization, visit your SSO url at `https://github.com/orgs/foo/sso` and sign in. Once signed in, you can navigate back to the `Authentication security` page and check `Require SAML SSO authentication for all members of the foo organization.`
website/integrations/static/_redirects
+14
View File
@@ -10,4 +10,18 @@
/integrations/* /:splat 301!
#endregion
#region GitHub integration renames
/development/github-enterprise-cloud /development/ghec 301!
/development/github-enterprise-cloud/ /development/ghec/ 301!
/development/github-organization /development/ghec 301!
/development/github-organization/ /development/ghec/ 301!
/development/github-enterprise-emu /development/ghec-emu 301!
/development/github-enterprise-emu/ /development/ghec-emu/ 301!
/development/github-enterprise-server /development/ghes 301!
/development/github-enterprise-server/ /development/ghes/ 301!
#endregion
/networking/cloudflare-access /security/cloudflare-access 301!