GitHub/SAML issues

Revision as of 14:25, 20 January 2022 by Cknowles-moz (talk | contribs) (Added troubleshooting around groups disappearing.)

GitHub Enterprise SAML Issues

This page is a landing spot from Auth0 if there's been an error authenticating your SAML connection with GitHub.

Three things are needed in your account in people.mozilla.org in order to successfully authenticate to GitHub with SAML. Other settings may also lead to problems with SAML authentication to Mozilla-related GitHub organizations.

You need a profile in people.mozilla.org

  • If you're Mozilla staff or NDA'd, you should already have one linked to your LDAP account
  • If you're not, but still need access to SAML'd GitHub resources, you can sign up for one by going here and clicking on "Log in/Sign up"
    • You'll need to use either LDAP or an FxA account as the login source

Linking your people.mozilla.org account to your GitHub ID

In your profile on people.mozilla.org you need to have your identity from GitHub connected and verified.

  1. Log in to your profile on people.mozilla.org
  2. Scroll down until you see the "Identities" section
  3. Click on the pencil icon to edit it.
  4. Click on "+ Identities"
  5. Select "GitHub" from the dropdown menu and click "VERIFY"
    1. Note, you can also link your Bugzilla ID here.
  6. You should be taken to GitHub to log in and verify your ID.
    1. You may see a button to “Authorize Mozilla” - Click that.
  7. Get back to your people.m.o profile, and edit the identities (Steps 1-5)

This linkage does NOT change anything in your GitHub account; it merely allows Mozilla staff to see the connection between your GitHub ID and your people account.

Being a member of the correct groups in people.mozilla.org

If you want to SAML to a GitHub organization named <ORGNAME> you'll need to belong to a group in people.mozilla.org named "GHE_<ORGNAME>_users" - so if "mozilla-it" is the org, "GHE_mozilla-it_users" is the group.

  1. Log into people.mozilla.org and look at the access groups here
  2. Search for the group in question
  3. Click on the group name
  4. Click on "Request Invitation" - a curator of the group may reach out to you with any questions
  5. If your invitation is approved, you'll receive an email for confirmation, and you'll be a member of the group.
    1. Once you have the invitation approved, log out of people (click on the profile pic in the upper left and click "Logout") then click "Sign in" also in the upper left.

If you've been logging in, and end up here, check membership

Rarely, people.mozilla.org will lose track of your groups. The website will show membership, but the underlying systems won't, which will lead you here when logging into GitHub.

  1. Go to https://sso.mozilla.com/info and verify that the group "mozilliansorg_ghe_<ORGNAME>_users" exists for whichever ORGNAME you're logging into
  2. If it doesn't, a GitHub admin will need to remove and re-add your access to that group - file a bug here
  3. If it does, that's extra odd. Either file a bug in the same place as above with the steps you've taken here, or reach out to us on Matrix in the #github-admin channel so we can look. There might be a service interruption.

If nothing works

There are several ways to reach out to us:

  • Best - Bugzilla bug for GitHub Administration
  • We're on Matrix in the #github-admin channel
  • Email to ghe-admins@mozilla.com