How to secure GitHub
Your organization needs to be in the GitHub Enterprise tier to configure a custom SSO
GitHub has a Custom SSO feature which uses SAMLv2. By placing XFA between GitHub and your identity provider, every login attempt is checked for device security before access is granted.
When a user signs in to GitHub, the following happens:
- GitHub → XFA → your IdP: GitHub redirects the user to XFA, which immediately redirects to your identity provider (e.g. Google Workspace) to authenticate. The Entity ID configured in your IdP is the one for GitHub — it identifies what the user is authenticating for.
- Your IdP → XFA: After authentication, the identity provider sends the user back to the ACS URL, which points to XFA instead of directly to GitHub.
- XFA verifies the device: XFA checks the security posture of the device against your policy.
- XFA → GitHub: If the device passes, XFA forwards the authentication to GitHub using the application's real ACS URL and access is granted.
This guide will describe all steps needed to set this up.
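The flow above only works if all three parties agree on the same URLs: the IdP must send its SAML Response to XFA's ACS URL, the assertion must be issued for the GitHub organization's Entity ID, and XFA must forward to GitHub's real ACS URL. The following Python script is an added example, not code from XFA or GitHub; it derives the three expected endpoints for an organization name (the name "example-org", the IdP issuer, IDs and timestamps in the two SAML Responses are constructed sample values) and flags a Response whose Destination bypasses XFA or whose Audience does not name the GitHub org.

```python
"""Added example (not XFA's or GitHub's own code): verify that a SAML
Response from the IdP is routed the way the brokered flow requires.

Assumptions: the IdP issues a standard SAML 2.0 Response carrying a
Destination attribute and an AudienceRestriction; the org name and
the two sample Responses below are constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# ACS URL configured in the IdP (XFA's endpoint, from the guide above)
XFA_ACS_URL = "https://device-api.xfa.tech/saml2/consume"


def expected_endpoints(org: str) -> dict:
    """Return the URLs the IdP, XFA and GitHub must agree on for one org.
    The IdP posts the Response to XFA (Destination), the assertion is
    issued for GitHub (Audience), and XFA forwards to GitHub's real ACS."""
    return {
        "idp_destination": XFA_ACS_URL,
        "audience": f"https://github.com/orgs/{org}",
        "github_acs": f"https://github.com/{org}/saml/consume",
    }


def check_response(xml_text: str, org: str) -> list:
    """Parse a SAML Response and return a list of routing problems.
    An empty list means the Response matches the XFA-brokered flow."""
    expected = expected_endpoints(org)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not a samlp:Response"]
    problems = []
    destination = root.get("Destination")
    if destination != expected["idp_destination"]:
        problems.append(
            f"Destination {destination!r} is not the XFA ACS URL; "
            "the IdP is bypassing XFA and the device check"
        )
    audiences = [a.text for a in root.findall(
        ".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append(
            f"Audience {audiences!r} does not name the GitHub org entity ID")
    return problems


def _sample(destination: str) -> str:
    # Constructed SAML Response (no signature) used only for this example
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-response" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{destination}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_constructed-assertion" Version="2.0"
      IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://github.com/orgs/example-org</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


# Correctly brokered: the IdP sends the Response to XFA
GOOD_RESPONSE = _sample(XFA_ACS_URL)
# Misconfigured IdP: ACS URL left at GitHub's own endpoint, skipping XFA
MISROUTED_RESPONSE = _sample("https://github.com/example-org/saml/consume")

if __name__ == "__main__":
    for name, resp in (("good", GOOD_RESPONSE), ("misrouted", MISROUTED_RESPONSE)):
        print(name, check_response(resp, "example-org") or "OK")
```

The misrouted sample reproduces the mistake the callout below warns about: keeping GitHub's standard ACS URL in the IdP means the IdP never hands the login to XFA, so no device check runs. Checking Destination and Audience on a captured Response from the test login in step 4 is a quick way to confirm the broker is in the path.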
Note: This article assumes that you have an account set up with XFA for your organization and that you are an admin for that organization. If you do not have an account, you can create one at https://dashboard.xfa.tech/signup.
Configure GitHub App in your identity provider
Use our specific identity provider guides to learn how to set up an application with the settings listed below.
Entity ID: https://github.com/orgs/<YOUR_GITHUB_ORGANIZATION>
ACS URL / Redirect URL: https://device-api.xfa.tech/saml2/consume
Signed Response: false
The ACS URL / Redirect URL is different from the standard GitHub configuration: it must point to XFA, not to GitHub.
Creating an application in XFA
A guide on how to create an application in XFA can be found here.
Assertion Consumer Service URL: https://github.com/<YOUR_GITHUB_ORGANIZATION>/saml/consume
SSO URL: (provided by identity provider)
Entity ID: (provided by identity provider)
Certificate: (provided by identity provider)
Configure your GitHub organization to use XFA
1. Login to GitHub and go to your organization.
2. Go to Settings > Authentication & Security and click on "Set up SSO"
3. Enable SAML Authentication
Use the following settings to configure your GitHub organization with XFA.
Sign on URL: (from XFA application)
Issuer: (from XFA application)
Public certificate: (from XFA application)
4. Test to make sure everything is configured correctly.
Use the "Test SAML configuration" button to test out the new settings. The browser should first be redirected to your identity provider and then to XFA, which verifies the security settings of the device against your application policy, before returning to GitHub.
5. Save the new verified settings by clicking on "Save"
You are done! The users in your GitHub organization will now be asked to verify their identity with your identity provider, and XFA will check the security posture of the device to make sure that any device used to access GitHub is secure.
See the GitHub Enterprise demo for a video walkthrough of the full login flow with Google Workspace as the identity provider.