4. Connecting to GitHub Enterprise

Prerequisites

  1. Registering the application in your tenant
  2. Selecting a Plan
  3. Sign Up for GitHub Enterprise

Video Version

Introduction

EZSSH Helps you protect your code hosted in GitHub by removing the non-expiring ssh keys from the equation. Instead using your secure corporate identity to authenticate the engineers and issuing a short term SSH certificate that can be used to authenticate with GitHub.

Setting up GitHub

  1. Go to the EZSSH Portal https://portal.ezssh.io
  2. Click on Settings
  3. In the settings page, make sure that GitHub Certificates are enabled for your subscription. EZSSH Settings
  4. Enter the length in hours that you want your developers certificates to last (This is how ofter the engineer has to get a new certificate). Note: In Keytos we have it set to 8 hours so our engineers only request access once a day EZSSH Settings
  5. Copy the CA Key and save it somewhere or leave this tab open. You will need it when setting up your GitHub Enterprise Security EZSSH Settings
  6. Go to https://github.com
  7. Click on your profile picture on the right GH Settings
  8. Click on the settings button of your organization GH Settings
  9. Click on Organization Security GH Settings
  10. Scroll down to “SSH Certificate Authorities, and click on the “New CA” button. GH Settings
  11. Enter the key we copied in step 5 and click save. GH Settings
  12. You should now have a CA listed in your SSH Certificate Authorities.
  13. Click the Require SSH Certificates checkbox to only allow git operations with SSH Certificates (Recommended) GH Settings
  14. Click the “Save” button.

    EZGIT will assume that the username in the identity provider matches the user’s GitHub username. If user names are different, they will have to be mapped using the SAML mapping below.

  15. You are ready to start using EZSSH for GitHub

Setting Up SAML Mapping

When using GitHub Enterprise, you might let your engineers use their personal GitHub identity by linking it to your organization and their SAML Identity. To Give EZSSH Access to that mapping information, the following steps are needed:

1) Create GitHub Access Token

  1. First we have to create a GitHub access token. To get started, go to https://github.com and login with an account that is an owner of the organization.
  2. On the top right, click on your profile picture and then click on settings. GH Settings
  3. Then Click on Developer Settings. GH Settings
  4. Click on the “Personal access tokens” section.
  5. Click the “Generate new token” button. GH Settings
  6. Enter a name for the token. For Example “EZSSH User Mapping” GH Settings
  7. Select following Scopes:
    1. admin:org
    2. read:user GH Settings
  8. Click the “Generate token” button.
  9. Copy your token (you will need it for part two).

Enabling the token for SSO

If your organization uses SSO, you will have to grant SSO Access to your token.

  1. Click the “Enable SSO” button. GH Settings
  2. Authenticate with your SSO Identity.

2) Add Mapping Information to EZSSH

  1. Once you have created your GitHub token, go to the EZSSH Portal, login with an account that owns the subscription that generates the GitHub certificates and go to settings.
  2. Find the correct subscription in the settings page and expand the Advance Settings Tab. GH Settings
  3. Enable the “Map SAML Users to GitHub Users” option. GH Settings
  4. Enter your organizations URL https://github.com/"ORGANIZATIONNAME" GH Settings
  5. Enter the GitHub Token generated in the previous section. GH Settings
  6. Click Test Connection.
  7. If the connection is successful, click the “Save Changes” Button. GH Settings
  8. Your users will now be mapped at least once a day.