GitHub/SAML issues


GitHub Enterprise SAML Issues

This page is a landing spot from Auth0 if there's been an error authenticating your SAML connection with GitHub.

There are several things needed in your account in people.mozilla.org in order to successfully SAML with GitHub, and other settings that may lead to problems with SAML authentication to GitHub organizations with Mozilla IP.

If you're confused about what this is all about, we have a FAQ.

You need a profile in people.mozilla.org

  • If you're Mozilla staff or NDA'd, you should already have one linked to your LDAP account
  • If you're not, but still need access to SAML'd GitHub resources, you can sign up for one by going here and clicking on "Log in/Sign up"
    • You'll need to use either LDAP or an FxA account as the login source
      • NOTE: DO NOT use GitHub to authorize to people.m.o - use either LDAP or Firefox Accounts (FxA)

Linking your people.mozilla.org account to your GitHub ID

In your profile on people.mozilla.org you need to have your identity from GitHub connected and verified.

  1. Log in to your profile on people.mozilla.org
  2. Scroll down until you see the "Identities" section
  3. Click on the pencil icon to edit it.
  4. Click on "+ Identities"
  5. Select "GitHub" from the dropdown menu and click "VERIFY"
    1. Note, you can also link your Bugzilla ID here.
  6. You should be taken to GitHub to log in and verify your ID.
    1. You may see a button to “Authorize Mozilla” - Click that.
  7. Get back to your people.m.o profile, and edit the identities (Steps 1-5)

This linkage does NOT change anything in your GitHub account; it merely allows Mozilla staff to see the connection between your GitHub ID and your people account.

Make an email address at least Staff visible

  1. Log in to your profile on people.mozilla.org
  2. Scroll down until you see the "Contact" section
  3. Click on the pencil icon to edit it.
  4. Add an email (if there isn't one already)
  5. Click on the small icon to the right of the text box, and select "Staff"
  6. Click Save.

Being a member of the correct groups in people.mozilla.org

If you want to SAML to a GitHub organization named <ORGNAME> you'll need to belong to a group in people.mozilla.org named "GHE_<ORGNAME>_users" - so if "mozilla-it" is the org, "GHE_mozilla-it_users" is the group.

  1. File a bug for GitHub Administration asking for your Mozilla account to be added to the appropriate people.m.o group (for example, GHE_mozilla-it_users).
  2. If your invitation is approved, you'll receive an email for confirmation, and you'll be a member of the group.
    1. Once you have the invitation approved, log out of people (click on the profile pic in the upper left and click "Logout") then click "Sign in" also in the upper left.

If you've been logging in, and end up here, check membership

Rarely, people.mozilla.org will lose track of your groups. The website will show membership, but the underlying systems won't, which will lead you here when logging into GitHub.

  1. Go to https://sso.mozilla.com/info and verify that the group "mozilliansorg_ghe_<ORGNAME>_users" exists for whichever ORGNAME you're logging into
  2. From the URL of this page, please record the "dbg=XXXX" value and include just that (not the rest of the URL) in any bug filed
  3. If the group doesn't exist, a GitHub admin will need to remove/re-add your access to that group - file a bug here
  4. If it does, that's extra odd: either file a bug in the same place as above, with the steps you've taken here, or reach out to us on Matrix in the #github-admin channel so we can look. There might be a service interruption.
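
The check in steps 1 to 4 above, as an added example that is not part of the original page or any Mozilla tooling: it derives the group names this page gives for an org, checks a pasted list of groups for the SSO one, and pulls only the dbg value out of the landing URL. The function names, the sample URL and group list, the case-insensitive comparison, and the handling of dbg in either the query string or the fragment are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (not real): groups copied from the SSO info page
# and a landing URL carrying a dbg value next to other parameters.
SAMPLE_GROUPS = ["everyone", "mozilliansorg_ghe_mozilla-it_users", "team_example"]
SAMPLE_URL = "https://wiki.example/GitHub/SAML_issues?dbg=abc123&other=zzz"

def expected_groups(org):
    """Group names this page gives for a GitHub org."""
    return {
        "people": f"GHE_{org}_users",             # name in people.mozilla.org
        "sso": f"mozilliansorg_ghe_{org}_users",  # name on the SSO info page
    }

def has_sso_group(org, sso_groups):
    """True if the SSO group for `org` is in the pasted list.
    Assumption: case and surrounding whitespace are ignored."""
    want = expected_groups(org)["sso"].lower()
    return any(g.strip().lower() == want for g in sso_groups)

def dbg_value(landing_url):
    """Return only the dbg value from the landing URL, or None.
    Assumption: dbg may sit in the query string or in the fragment."""
    parts = urlsplit(landing_url)
    for raw in (parts.query, parts.fragment):
        values = parse_qs(raw.split("?", 1)[-1]).get("dbg")
        if values:
            return values[0]
    return None

def bug_summary(org, sso_groups, landing_url):
    """Collect what the steps above ask you to put in a bug."""
    present = has_sso_group(org, sso_groups)
    return {
        "org": org,
        "sso_group": expected_groups(org)["sso"],
        "sso_group_present": present,
        "dbg": dbg_value(landing_url),  # just the value, not the whole URL
        "next_step": ("file a bug with the steps taken, or ask in #github-admin"
                      if present else
                      "file a bug: an admin must remove/re-add the group access"),
    }

if __name__ == "__main__":
    for key, value in bug_summary("mozilla-it", SAMPLE_GROUPS, SAMPLE_URL).items():
        print(f"{key}: {value}")
```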

If nothing works

Record the URL of the page you get sent to (this one) as it should have some debug data in the URL. Then reach out to us:

  • Best - bugzilla bug for GitHub Administration
  • We're on matrix in the #github-admin channel
  • Email to ghe-admins@mozilla.com