Skip to main content

How to secure Github

License requirements

Your organization needs to be in the Github Enterprise tier to configure a custom SSO

Github has a Custom SSO feature which uses SAMLv2 so you can link the accounts within your organizations with identities of your identity provider to make it easier to manage users.

You can configure an application in XFA with your identity providers credentials and first point to XFA instead to check the security posture of every device trying to login into GitHub. This guide will describe all steps needed to link Github to your identity provider trough XFA.

Note: This article assumes that you have an account set up with XFA for your organization and your are an admin for that organization. If you do not have an account, you can create one at

Configure Github App in your identity provider

Use our specific identity provider guides to learn how to setup an application with the provided settings.

SAML Application Settings in IDP

ACS URL / Redirect URL:
Signed Response: false


The ACS URL / Redirect URL is different than the standard configuration

Creating an application in XFA

A guide on how to create an application in XFA can be found here.

Settings to use in XFA

Assertion Consumer Service URL:<YOUR_GITHUB_ORGANIZATION>/saml/consume
SSO URL: (provided by identity provider)
Entity ID: (provided by identity provider)
Certificate: (provided by identity provider)\

Configure your Github organization to use XFA

1. Login to Github and go to your organization.

2. Go to Settings > Authentication & Security and click on "Set up SSO"

3. Enable SAML Authentication

Use the following settings to configure your Github organization with XFA.

Settings to use in Github

Sign on URL: (from XFA application)
Issuer: (from XFA application)
Public certificate: (from XFA application)

4. Test to make sure everything is configured correctly.

Use the "Test SAML configuration" button to test out the new settings. The browser should be first redirected to your identity provider, after being redirected to XFA to verify the security settings of the device against your application policy, before returning to Github.

5. Save the new verified settings by clicking on "Save"

You are done! The users in your Github organization will now be asked to verify their identity with your identity provider and XFA will check the security posture of the device to make sure that any device that is used to access Github is secure.