Set up GitHub for Authentication
Users in your GitHub tenant can access applications registered in SecureAuth. In this setup, GitHub acts as an external Identity Provider for SecureAuth, following the Bring Your Own Identity (BYOID) model. Follow these steps to configure the integration.
About GitHub as OIDC Identity Provider
OAuth applications registered in GitHub are natively supported by SecureAuth as OIDC Identity Providers, which means that it has a dedicated connection template in SecureAuth, for your convenience. GitHub OAuth applications implement the OIDC protocol, providing the proof of user authentication to SecureAuth within an ID Token and Access Token.
The client authorization flow with SecureAuth connected to GitHub looks as follows:
Client app requests the authorization code from SecureAuth.
SecureAuth requests the authorization code from GitHub IDP.
GitHub authenticates the user and asks for consent to share data with SecureAuth.
GitHub issues the code to SecureAuth after user's authentication.
SecureAuth requests tokens from GitHub using the provided code.
GitHub issues the tokens to SecureAuth.
Optionally, SecureAuth uses the token to pull user's group membership information - only when the Fetch groups option is selected in the connector.
SecureAuth asks for user consent to share data with the client app, unless the client app is marked as trusted or the requested scopes were already granted for this app.
SecureAuth issues the authorization code to the client app.
Client app requests the tokens from SecureAuth.
SecureAuth issues the tokens to the client app. SecureAuth tokens are minted based on the incoming GitHub tokens with claims mapped to SecureAuth's authentication context.
The following steps in the flow are optional:
SecureAuth only pulls group information if this option is explicitly enabled in the GitHub connector configuration, as explained later in this document.
SecureAuth only asks for consent if the client application is not marked as trusted and requests scopes which were not granted previously (or scopes for which the user's consent has been withdrawn).
Prerequisites
You have an OAuth application registered with your GitHub account. Follow GitHub documentation for help.
Authorization Callback URL for GitHub Application
When prompted for the Authorization Callback URL in GitHub, use the Redirect URL from SecureAuth once you have registered a GitHub connection in SecureAuth.
Connect GitHub IDP
Basic Configuration
In your workspace, go to Authentication > Providers > Create Connection.
Select the GitHub template and click Next.
Use the Redirect URL as Authorization Callback URL in GitHub to complete connecting the OAuth application on GitHub side.
In the Register OpenID Connect form, enter the Issuer URL, Client ID, and Client Secret.
Parameter
Description
Name
Name for your SecureAuth's GitHub connection. This name allows users to identify the IDP they need to authenticate with.
Client ID
Client ID of the OAuth application registered with GitHub
Client secret
Secret of OAuth application registered with GitHub
Optionally, enable Authentication context caching.
Tip
You can enable the authentication context caching if you wish to store the user's authentication context locally. If you do, specify the cache Time To Live as well. Learn more by reading Stateful authorization with SecureAuth.
Select Save.
Result: Your new IDP connection is created. Users can now authenticate via the OIDC-compliant IDP.
Configure Advanced Settings
Advanced settings contain optional features which may be necessary to use in specific cases.
From the Authentication > Providers > YOUR_IDENTITY_PROVIDER > Configuration page, select Advanced settings at the bottom.
In the Scopes field, add additional scopes to be returned in the IDP response after user authentication.
Note
Since multiple clients can use the same Add server-side web applicationIDP for user authentication, you may need to further restrict specific client's ability to request a given scope. For more information, read about Configuring applications in SecureAuth.
In the Authentication Method Reference you can select an authentication method to be written into the
amr
object returned by the IDP.The
amr
object is created if it doesn't exist. If it exists, its values are replaced with the selected item.Optionally, enable the Fetch groups option.
Shared Group Data
With this option enabled, GitHub shares organization, team membership, and private project boards with the client registered with SecureAuth after user's approval.
Select Save.
Add Custom IDP Attributes
If your IDP returns custom claims outside of the standard GitHub scope, make sure to add them to the IDP connector so that they can be recognized and mapped to the authentication context.
Go to Authentication > Providers and select an IDP from the list.
Open the Attributes page. A standard list of attributes returned by this IDP appears.
Select Add attribute.
In Source, select the data source for the custom attribute
Source
Description
Access token
Get data from the access token received from the IDP
ID token
Get data from the ID token received from the IDP
GitHub authenticated user data
Get user data returned by the GitHub user API (note that this must be explicitly enabled on the IDP connector)
Fill in the rest of the form.
Option
Description
Claim name
Name of your custom attribute matching the incoming IDP claim
Display name
User-friendly name for the custom attribute
Data type
Data type matching that of the incoming IDP claim
Claim Names with . Character
If the incoming attribute has a
.
character in the name, the dot must be explicitly escaped using\.
when defining the IDP attribute. For example, claim namehttps://example.com/groups
must be entered ashttps://example\.com/groups
.Save your changes and proceed to mapping the attributes to the authentication context.
Map IDP Attributes to Authentication Context
If you've added custom attributes for an IDP, you need to make sure they are mapped to the SecureAuth authentication context. You can do it either from the IDP configuration page (as explained here) or use Data Lineage instead.
Default OIDC/SAML attributes are mapped out of the box.
Go to Authentication > Providers and select an IDP from the list.
Open the Mappings page. A standard attribute mapping for this IDP appears.
Select Add mapping and map any custom IDP attributes to an existing authentication context attribute.
Note
If you need to create new authentication context attributes, read the Managing Authentication Context.
Optionally, you can enrich authentication context before issuing the token to the client. Attributes returned by the script do not need to be separately mapped to the authentication context.
Save your changes. Your mapped custom attributes should now be shared in the ID token issued to your client application, given that the target application requests them (you can check this in Data Lineage).
Connect Extensions to your IDP
Go to Authentication > Providers > YOUR_IDP > Extensions.
Assign a Post Authentication script to the IDP. This script will be executed upon user authentication via this IDP.
Connect your application to the IDP in the Post Authentication application field. Users will be redirected to this application upon authentication via this IDP.
Note
Post Authentication applications must be explicitly enabled in your tenant using the
custom_apps
feature flag.
Test IDP
Prerequisite
Your provider is configured as a user-authentication method by your administrator.
Demo workspace is available.
Test
Open the user portal.
Select LOGIN TO DEMO APP.
Select your configured GitHub IDP and, next, authenticate with GitHub IDP.
Result: SecureAuth displays the consent page that lists data scopes to be shared with the application. When you proceed to the application (ALLOW ACCESS), the PII data coming from IDP is delivered through the access token and the ID token generated by SecureAuth.
Note
For information on granting and managing SecureAuth consents, see Consents.