GitHub: Configuring GitHub as an SSO application in Forcepoint ONE SSE

This topic explains the process of setting up GitHub as a custom app in Forcepoint ONE SSE and configuring it for Single Sign-On (SSO).

Steps

  1. Log into the Forcepoint ONE SSE portal as a SysAdmin.
  2. Configure managed app for GitHub in the Forcepoint ONE SSE portal.
    1. Navigate to Policies > Add Apps > Managed Apps.
    2. On the Managed Apps screen, select Any Managed App tile.
    3. In the Custom Application Configuration page that appears, enter the following details and click OK.
      • Application Name: GitHub
      • Application URL: https://github.com/orgs/<org-name>
      • Application Logo: Upload an Application Logo for GitHub

        The application logo is displayed as the app tile in the Forcepoint ONE SSE User Portal.

      • Application Icon: Upload an Application Icon for GitHub

        The application icon is displayed on the Protect > Policies page in the Forcepoint ONE SSE Admin Portal.

    4. Click the Domain under App Instance, and on the page that appears, select the Enable checkbox for SAML SSO and click OK.
    5. Click the Save button on the Any Managed App page to complete the initial app setup.
  3. Obtain Forcepoint ONE SSE SSO Config to enter into GitHub:
    1. Once the GitHub app is saved in Forcepoint ONE SSE, click the Setup Web SSO link.

      The Single Sign On Setup page opens.

    2. Click the Download Certificate link and save the downloaded certificate to disk. Also copy the following values:

      • Issuer ID
      • Login URL

      The certificate and both values will need to be entered into GitHub.

  4. Configure SSO Settings in GitHub:
    1. In another browser window, go to GitHub.com, log in with the credentials of the GitHub admin account, and select Settings under the admin profile.
    2. On the settings screen, click on your organization name under Organization settings in the left menu.
    3. Select Security under the organization settings menu.
    4. Select the Enable SAML authentication checkbox on the security screen, and a form for entering SAML settings should appear.
    5. Enter the Issuer ID and Login URL from the Forcepoint ONE SSE SSO Setup page into the Issuer and Sign-on URL fields, respectively, on the GitHub SSO settings page.
    6. Open the downloaded certificate in a text editor and copy its contents into the Public Certificate field on the GitHub SSO settings page.
    7. Save the configuration in GitHub.
    8. Copy the Assertion Consumer Service (ACS) URL seen on the GitHub SSO settings page.
  5. Enter App SSO: Setup Details in Forcepoint ONE SSE portal:
    1. Go back to the browser tab for the Forcepoint ONE SSE portal and click the App SSO: Setup link.
    2. On the Any App SSO Config Page:
      • Paste the ACS URL copied from GitHub into the Single Sign-On URL field.
      • Enter the SP Entity ID as your GitHub organization URL, that is, https://github.com/orgs/<org-name>.
      • Set the NameID Format to Unspecified and the Assertion Signature to Unsigned.
      • Click Save to record the config.
  6. Test the SAML configuration on GitHub:
    1. Go back to the GitHub browser window.
    2. Click Test SAML configuration; a message confirming successful authentication is shown.
    3. Click the Save button to save the SSO settings in GitHub.
  7. Open an incognito window, log in to Forcepoint ONE SSE as a test user, and click the GitHub app. You may be shown a GitHub signup page if no GitHub account exists yet for the test user.
  8. Require SAML SSO Authentication for all users on GitHub:
    1. Once you are ready to allow only SSO login for GitHub, go to https://github.com/orgs/<org-name>/sso in a new tab and sign in via SSO with the IdP credentials of the GitHub admin user.
    2. Once signed in, navigate to the organization settings Security page, enable the Require SAML SSO authentication for all members of the <org-name> organization checkbox, and click Save.

      On clicking Save, you are provided with a list of recovery codes that should be downloaded, printed, and saved in a secure location.
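A pre-flight check for the values collected in steps 3 to 5 above, added here as an example and not Forcepoint ONE SSE or GitHub code. It assumes the GitHub organization ACS URL has the form https://github.com/orgs/<org-name>/saml/consume, and the certificate and issuer values it uses are constructed placeholders.

```python
import base64
import re
from urllib.parse import urlparse

# Standard SAML URN behind the "Unspecified" NameID format chosen in Forcepoint.
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def check_certificate_pem(pem: str) -> list[str]:
    """Sanity-check the IdP certificate pasted into GitHub's Public Certificate
    field: one PEM block, valid base64, DER SEQUENCE (0x30) payload."""
    blocks = PEM_RE.findall(pem)
    if len(blocks) != 1:
        return [f"expected exactly one CERTIFICATE block, found {len(blocks)}"]
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:
        return ["certificate body is not valid base64"]
    return [] if der and der[0] == 0x30 else ["certificate is not a DER SEQUENCE"]


def check_sso_settings(org: str, issuer: str, login_url: str, acs_url: str,
                       sp_entity_id: str, nameid_format: str,
                       cert_pem: str) -> list[str]:
    """Cross-check the values entered on both sides of the setup.
    Returns a list of problems; an empty list means they are consistent."""
    problems = []
    org_url = f"https://github.com/orgs/{org}"
    if sp_entity_id != org_url:  # Forcepoint SP Entity ID must be the org URL
        problems.append(f"SP Entity ID must be {org_url}, got {sp_entity_id!r}")
    acs = urlparse(acs_url)  # assumed GitHub org ACS path: /orgs/<org>/saml/consume
    if (acs.scheme, acs.netloc, acs.path) != ("https", "github.com",
                                              f"/orgs/{org}/saml/consume"):
        problems.append(f"ACS URL does not belong to org {org!r}: {acs_url}")
    login = urlparse(login_url)
    if login.scheme != "https" or not login.netloc:
        problems.append(f"Login URL must be an https URL: {login_url!r}")
    if not issuer.strip():
        problems.append("Issuer ID is empty")
    if nameid_format != NAMEID_UNSPECIFIED:
        problems.append(f"NameID format should be {NAMEID_UNSPECIFIED}")
    return problems + check_certificate_pem(cert_pem)


# Constructed placeholder certificate (a minimal DER SEQUENCE), not a real one.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
               + "\n-----END CERTIFICATE-----\n")
```

Run it against the values you are about to save; any non-empty result points at the field to fix before clicking Test SAML configuration.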