Secure Github Enterprise with XFA Connect (for Google Workspace)
GitHub has a custom SSO feature that uses SAMLv2, so you can link the accounts within your organizations with identities from your identity provider (in this case Google) to make it easier to manage users.
You can configure an application in XFA with your identity provider's credentials and point GitHub to XFA first instead, so that XFA checks the security posture of every device trying to log in to GitHub. This guide describes all the steps needed to link GitHub to Google Workspace through XFA.
Note: Your organization needs to be in the GitHub Enterprise tier to configure a custom SSO.
Note: This article assumes that you have an account set up with XFA for your organization and that you are an admin for that organization. If you do not have an account, you can create one at https://dashboard.xfa.tech/signup.
Set up the GitHub App in Google Workspace
Step 1. Navigate to the Google Admin interface on admin.google.com and go to Apps > Web and mobile apps
Step 2. Click on Add app > Search for apps and search for the Github Business App.
Step 3. Copy the SSO URL, Entity ID and certificate of Google and keep them safe to configure the XFA application in a later step.
Step 4. Configure the application to work with XFA.
- Fill in the ACS URL-field with https://device-api.xfa.tech/saml2/consume
- Complete the Entity ID with your organization's name, e.g. https://github.com/orgs/your-organization.
Step 5. Click finish to complete the configuration.
Step 6. Optional: Make sure your users have access by navigating to User access > Service Status.
- Enable the app for the users or groups that need access to GitHub.
Create the application in XFA Dashboard
Step 1. Log in to the XFA dashboard.
Step 2. Create a new application under Connect > New application > Github Enterprise.
Step 3. Fill in the identity provider details (in this case Google)
- Fill in the SSO URL, Entity ID and certificate of the Github Business App in Google you copied before. Click "Next" to continue.
Step 4. Fill in the service provider details (in this case Github)
- Complete the ACS URL with your GitHub organization name, e.g. https://github.com/orgs/your-organization/saml/consume. Copy the SSO URL, Entity ID and certificate of your new application. Click "Next" to continue.
- Copy the SSO URL, issuer and certificate of XFA for the next step in GitHub.
Set up your GitHub organization to use SSO
Step 1. Log in to GitHub and go to your organization.
Step 2. Go to Settings > Authentication & Security.
Step 3. Click on "Set up SSO" and paste the SSO URL, issuer and certificate of XFA.
Step 4. Use the "Test" feature to make sure everything is configured correctly.
Step 5. Save the new verified settings by clicking on "Save".
You are done! The users in your GitHub organization will now be asked to verify their identity with Google, and XFA will check the security posture of the device to make sure that any device used to access GitHub is secure.
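A pre-flight check for the values entered in the steps above, as an added example that is not part of the original guide or of XFA's tooling: it derives the expected ACS URLs and Entity ID from the organization name and reports common slips such as swapped ACS URLs or a trailing slash. The field names (`google_acs_url`, `google_entity_id`, `xfa_sp_acs_url`) and the sample input are assumptions made for this example.

```python
from urllib.parse import urlsplit

XFA_ACS_URL = "https://device-api.xfa.tech/saml2/consume"  # value given in the guide

def expected_values(org):
    """Values the guide derives from the GitHub organization name."""
    base = f"https://github.com/orgs/{org}"
    return {  # keys are hypothetical names chosen for this example
        "google_acs_url": XFA_ACS_URL,             # Google app posts to XFA
        "google_entity_id": base,                  # Entity ID set in Google
        "xfa_sp_acs_url": base + "/saml/consume",  # XFA app posts to GitHub
    }

def diagnose(got, want, others):
    """Explain why one entered value differs from the expected one."""
    if not got:
        return "missing"
    if got != got.strip():
        return "leading or trailing whitespace"
    if got in others:
        return "value belongs in a different field"
    parts = urlsplit(got)
    if parts.scheme != "https":
        return "scheme is not https"
    if parts.hostname != urlsplit(want).hostname:
        return f"unexpected host {parts.hostname!r}"
    if got.rstrip("/") == want:
        return "trailing slash"
    return f"expected {want}"

def check_chain(org, entered):
    """Return {field: problem}; an empty dict means every value matches."""
    expected = expected_values(org)
    problems = {}
    for field, want in expected.items():
        got = entered.get(field, "")
        if got != want:
            others = {v for k, v in expected.items() if k != field}
            problems[field] = diagnose(got, want, others)
    return problems

# Constructed sample: ACS URLs swapped between Google and XFA, Entity ID with "/".
SAMPLE = {
    "google_acs_url": "https://github.com/orgs/your-organization/saml/consume",
    "google_entity_id": "https://github.com/orgs/your-organization/",
    "xfa_sp_acs_url": "https://device-api.xfa.tech/saml2/consume",
}
print(check_chain("your-organization", SAMPLE))
```

Run it before using the "Test" feature in GitHub; an empty result means the three values line up with the guide.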