GitHub Enterprise Cloud

Last reviewed: about 2 months ago

This guide covers how to configure GitHub Enterprise Cloud as a SAML application in Cloudflare Zero Trust.

Prerequisites

  • An identity provider configured in Cloudflare Zero Trust
  • A GitHub Enterprise Cloud subscription
  • Access to a GitHub account as an organization owner

1. Add a SaaS application to Cloudflare Zero Trust

  1. In Zero Trust, go to Access > Applications.
  2. Select Add an application > SaaS > Select.
  3. For Application, select Github.
  4. For the authentication protocol, select SAML.
  5. Select Add application.
  6. Fill in the following fields:
    • Entity ID: https://github.com/orgs/<your-organization>
    • Assertion Consumer Service URL: https://github.com/orgs/<your-organization>/saml/consume
    • Name ID format: Email
  7. Copy the SSO endpoint, Access Entity ID or Issuer, and Public key.
  8. Select Save configuration.
  9. Configure Access policies for the application.
  10. Select Done.

2. Create an X.509 certificate

  1. Paste the Public key in a text editor.
  2. Wrap the certificate in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
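
The wrapping step above can also be scripted. This is an added example, not part of the original guide or Cloudflare's tooling. It wraps a pasted Public key in the certificate markers, rejects a partially copied value, and returns a SHA-256 fingerprint you can record and compare later. The names wrap_certificate, der_declared_length and the SAMPLE_ values are hypothetical, and the sample input is a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder, NOT a real certificate: a DER SEQUENCE header
# declaring 256 content bytes, followed by 256 zero bytes, base64-encoded
# the way the Public key field would appear when pasted.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PUBLIC_KEY = base64.b64encode(SAMPLE_DER).decode("ascii")


def der_declared_length(der: bytes) -> int:
    """Total size (header + content) declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("value does not start with a DER SEQUENCE")
    if der[1] < 0x80:  # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F  # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def wrap_certificate(pasted: str) -> tuple[str, str]:
    """Return (PEM text, SHA-256 fingerprint) for a pasted certificate body."""
    # Accept input with or without PEM markers and with stray whitespace.
    body = pasted.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    body = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError(f"pasted value is not valid base64: {exc}") from exc
    declared = der_declared_length(der)
    if declared != len(der):  # catches a partially copied key
        raise ValueError(f"DER declares {declared} bytes, got {len(der)}")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    pem = "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return pem, fingerprint


if __name__ == "__main__":
    pem_text, fp = wrap_certificate(SAMPLE_PUBLIC_KEY)
    print(pem_text, end="")
    print("SHA-256 fingerprint:", fp)
```

The length check only confirms that the pasted value is a complete DER structure; it does not parse the certificate fields or check its validity period.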

3. Configure an identity provider and SAML SSO in GitHub Enterprise Cloud

  1. On your GitHub organization page, go to Settings > Authentication security.
  2. Under SAML single sign-on, turn on Enable SAML authentication.
  3. Fill in the following fields:
    • Sign on URL: SSO endpoint from application configuration in Cloudflare Zero Trust.
    • Issuer: Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
    • Public certificate: Paste the entire X.509 certificate from step 2 (Create an X.509 certificate).

4. Test the integration

Select Test SAML configuration. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider. When this is successful, select Save.

You can also turn on Require SAML SSO authentication for all members of your organization if you want to enforce SSO login with Cloudflare Access.