You can configure Auth0 to serve as an identity provider (IdP) for GitHub Enterprise Cloud (github.com). GitHub requires an enterprise-level subscription to enable using an external IdP.

## Configure SAML SSO on Auth0

1. Go to **Dashboard > Applications > Applications** and create a new application. Give it a meaningful name like GitHub. You can choose any application type, but the **Regular Web App** type is recommended.
2. Go to the **Addons** tab and enable the **SAML2 Web App** toggle.
3. On the **Settings** tab, set the **Application Callback URL** to: `https://github.com/orgs/{YOUR_GITHUB_ORG_NAME}/saml/consume`.
4. Paste the following code into the **Settings** text box and click **Debug**.

   ```json
   {
     "audience": "https://github.com/orgs/{yourGitHubOrgName}",
     "mappings": {
       "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
       "email": "emails",
       "name": "full_name"
     },
     "passthroughClaimsWithNoMapping": false,
     "mapIdentities": false,
     "signatureAlgorithm": "rsa-sha256",
     "digestAlgorithm": "sha256",
     "nameIdentifierProbes": [
       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
     ]
   }
   ```

   1. Replace `{YOUR_GITHUB_ORG_NAME}` with the GitHub organization name that corresponds to your subscription. The mapping will send the `user_id` as the **Name Identifier** to GitHub. This is a good option if you enable more than one connection for the GitHub application, as it will ensure uniqueness (every user will have a different ID).
   2. If you are using a single connection, you might want to use the `nickname` or another unique identifier as a friendlier **Name Identifier** (but make sure that the property you choose is unique). As an example, if you want `nickname` as the **Name Identifier**, the `mappings` section above will look like this:
5. Scroll to the bottom of the tab and click **Enable**.
6. On the **Usage** tab, locate **Identity Provider Metadata** and click **Download** to download the metadata file. You will need this when you configure Auth0 as the identity provider.

   <Frame>![Dashboard Applications Applications Addons Tab SAML2 Web App Usage Tab](https://images.ctfassets.net/cdy7uua7fh8z/3T90BDpyTXFUWDp1JkncBU/86bdba6bed8130b34b42b25c9bf2d232/dashboard-applications-applications-addons-saml2-web-app-usage.png)</Frame>

## Configure SAML SSO on GitHub

1. Follow the instructions in GitHub for [Enabling and testing SAML Single Sign-on (SSO) for your organization](https://help.github.com/en/articles/enabling-and-testing-saml-single-sign-on-for-your-organization) to complete the configuration on GitHub Enterprise Cloud.
2. You will need the following information:

   | **Field** | **Entry** |
   | --- | --- |
   | **Sign On URL** | `https://{yourDomain}/samlp/{CLIENT_ID}`, where `{CLIENT_ID}` is the `client_id` of the GitHub application you just created in Auth0. |
   | **Issuer** | `urn:auth0:{yourTenant}` |
   | **Public Certificate** | Download it from `https://{yourDomain}/pem`. Open the downloaded file with a text editor, copy the contents and paste it in the text area on GitHub. |
   | **Signature method** | `RSA256-SHA256` |
   | **Digest method** | `SHA256` |
3. As recommended in GitHub's documentation, before enabling SAML SSO for your organization, click **Test SAML configuration** to ensure that the information you've entered is correct.

When setting up SAML single sign-on (SSO) for your organization, you can test your implementation without affecting your organization members by leaving **Require SAML SSO authentication for all members of the organization** unchecked.
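
A pre-flight check for the addon settings above, added here as an example (it is not Auth0's or GitHub's code): it confirms that the callback URL and `audience` name the same organization, that exactly one user property maps to the Name Identifier claim, and that the algorithms match the values entered on GitHub. The function name `check_addon` and the organization `example-org` are assumptions made for illustration.

```python
import json
import re

NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
CONSUME_RE = re.compile(r"^https://github\.com/orgs/([^/{}]+)/saml/consume$")

def check_addon(settings_json, callback_url):
    """Return a list of problems found in the SAML2 Web App addon settings."""
    cfg = json.loads(settings_json)
    problems = []
    # The callback URL and the audience must name the same GitHub organization.
    m = CONSUME_RE.match(callback_url)
    if not m:
        problems.append("callback URL is not an org consume URL (placeholder left in?)")
    elif cfg.get("audience") != "https://github.com/orgs/" + m.group(1):
        problems.append("audience does not match the org in the callback URL")
    # Exactly one user property should feed the Name Identifier claim.
    sources = [k for k, v in cfg.get("mappings", {}).items() if v == NAMEID]
    if len(sources) != 1:
        problems.append("expected one mapping to nameidentifier, found %d" % len(sources))
    # As in the page's settings, the probe list names the claim the mapping produces.
    if NAMEID not in cfg.get("nameIdentifierProbes", []):
        problems.append("nameIdentifierProbes does not include the mapped claim")
    # These must agree with the Signature and Digest methods selected on GitHub.
    if cfg.get("signatureAlgorithm") != "rsa-sha256":
        problems.append("signatureAlgorithm is not rsa-sha256")
    if cfg.get("digestAlgorithm") != "sha256":
        problems.append("digestAlgorithm is not sha256")
    return problems

# Constructed sample: the page's settings with a made-up org name filled in.
CALLBACK = "https://github.com/orgs/example-org/saml/consume"
GOOD = json.dumps({
    "audience": "https://github.com/orgs/example-org",
    "mappings": {"user_id": NAMEID, "email": "emails", "name": "full_name"},
    "signatureAlgorithm": "rsa-sha256", "digestAlgorithm": "sha256",
    "nameIdentifierProbes": [NAMEID],
})
# Constructed sample of a broken paste: placeholder left in, two NameID sources.
BAD = json.dumps({
    "audience": "https://github.com/orgs/{yourGitHubOrgName}",
    "mappings": {"user_id": NAMEID, "nickname": NAMEID},
    "signatureAlgorithm": "rsa-sha1", "digestAlgorithm": "sha1",
    "nameIdentifierProbes": [],
})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_addon(doc, CALLBACK) or "ok")
```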