> Learn how to configure Auth0 as an identity provider using the SAML2 Web App addon for a GitHub Enterprise Cloud (github.com) organization.

# Configure GitHub Enterprise Cloud as SAML Service Provider

You can configure Auth0 to serve as an <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip> for [GitHub Enterprise Cloud](https://help.github.com/en/articles/about-authentication-with-saml-single-sign-on) (github.com). GitHub requires an enterprise-level subscription to enable using an external <Tooltip tip="Security Assertion Markup Language (SAML): XML-based standard for exchanging authentication and authorization data between an identity provider and a service provider." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> IdP.

* To learn about <Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one application, automatically logs that user in to other applications." cta="View Glossary" href="/docs/glossary?term=SSO">SSO</Tooltip> on GitHub, read [About authentication with SAML single sign-on](https://help.github.com/en/articles/about-authentication-with-saml-single-sign-on) on [https://docs.github.com](https://docs.github.com).
* To learn how to configure Auth0 as the identity provider for GitHub Enterprise Server (private instance), read [Configure Auth0 as Identity Provider for GitHub Enterprise Server](/docs/authenticate/single-sign-on/outbound-single-sign-on/configure-auth0-saml-identity-provider/configure-saml2-web-app-addon-for-github-enterprise-server).

## Configure SAML SSO on Auth0

1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and create a new application. Give it a meaningful name like **GitHub**. You can choose any application type, but the **Regular Web App** type is recommended.
2. Go to the [Addons](https://manage.auth0.com/#/applications/\{yourClientId}/addons) tab and enable the **SAML2 Web App** toggle.
3. On the **Settings** tab, set the **Application Callback URL** to: `https://github.com/orgs/{YOUR_GITHUB_ORG_NAME}/saml/consume`.

   <Frame>
     <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0/docs/images/cdy7uua7fh8z/6dJgYkcOgMZ73HVTkAWt1x/fe9dbbf306e6c587cb3326c00a3b4e1f/2025-02-27_13-59-00.png" alt="Dashboard Applications Applications Addons Tab SAML2 Web App Settings Tab" />
   </Frame>
4. Paste the following code into the **Settings** text box and click **Debug**.

   ```json
   {
     "audience": "https://github.com/orgs/{yourGitHubOrgName}",
     "mappings": {
       "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
       "email": "emails",
       "name": "full_name"
     },
     "passthroughClaimsWithNoMapping": false,
     "mapIdentities": false,
     "signatureAlgorithm": "rsa-sha256",
     "digestAlgorithm": "sha256",
     "nameIdentifierProbes": [
       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
     ]
   }
   ```

   1. Replace `{yourGitHubOrgName}` in the `audience` value (and `{YOUR_GITHUB_ORG_NAME}` in the Application Callback URL) with the GitHub organization name that corresponds to your subscription. The mapping sends the `user_id` as the **Name Identifier** to GitHub. This is a good option if you enable more than one connection for the GitHub application, because it ensures uniqueness (every user has a different ID).
   2. If you are using a single connection, you might want to use the `nickname` or another unique identifier as a friendlier **Name Identifier** (but make sure that the property you choose is unique). As an example, if you want `nickname` as the **Name Identifier**, the `mappings` section above will look like this:
5. Scroll to the bottom of the tab and click **Enable**.
6. On the **Usage** tab, locate **Identity Provider Metadata** and click **Download** to download the metadata file. You will need this when you configure Auth0 as the identity provider.

   <Frame>
     <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0/docs/images/cdy7uua7fh8z/3T90BDpyTXFUWDp1JkncBU/86bdba6bed8130b34b42b25c9bf2d232/dashboard-applications-applications-addons-saml2-web-app-usage.png" alt="Dashboard Applications Applications Addons Tab SAML2 Web App Usage Tab" />
   </Frame>
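
The uniqueness caveat in step 4 can be checked before rollout. This added example (not Auth0 code) reads which profile attribute the addon settings map to the Name Identifier claim and reports values that are empty or shared by more than one user. The sample users, the `example-org` audience and the case-insensitive comparison are assumptions.

```python
from collections import defaultdict

NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

def nameid_attribute(settings):
    """Return the profile attribute that the addon settings map to the NameID claim."""
    attrs = [a for a, claim in settings.get("mappings", {}).items() if claim == NAMEID_CLAIM]
    if len(attrs) != 1:
        raise ValueError(f"expected exactly one NameID mapping, found {attrs}")
    if NAMEID_CLAIM not in settings.get("nameIdentifierProbes", []):
        raise ValueError("NameID claim is not listed in nameIdentifierProbes")
    return attrs[0]

def nameid_collisions(settings, users):
    """Map each NameID value that is empty or shared to the user_ids that carry it."""
    attr = nameid_attribute(settings)
    seen = defaultdict(list)
    for user in users:
        # Assumption: compare case-insensitively so "JDoe" and "jdoe" count as one value.
        seen[str(user.get(attr) or "").casefold()].append(user["user_id"])
    return {v: ids for v, ids in seen.items() if len(ids) > 1 or v == ""}

def settings_with(attr):
    """The page's addon settings with `attr` mapped to the NameID claim."""
    return {
        "audience": "https://github.com/orgs/example-org",  # placeholder org
        "mappings": {attr: NAMEID_CLAIM, "email": "emails", "name": "full_name"},
        "nameIdentifierProbes": [NAMEID_CLAIM],
    }

# Constructed sample users from two connections (not real accounts).
USERS = [
    {"user_id": "auth0|64f0c0a1", "nickname": "jdoe", "email": "jdoe@example.com"},
    {"user_id": "google-oauth2|1092", "nickname": "JDoe", "email": "j.doe@example.org"},
    {"user_id": "auth0|64f0c0b2", "nickname": "asmith", "email": "asmith@example.com"},
]

if __name__ == "__main__":
    for attr in ("user_id", "nickname"):
        print(attr, nameid_collisions(settings_with(attr), USERS))
```

An empty result means every user would present a distinct Name Identifier to GitHub; any entry lists the Auth0 users that would share one.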

## Configure SAML SSO on GitHub

1. Follow the instructions in GitHub for [Enabling and testing SAML Single Sign-on (SSO) for your organization](https://help.github.com/en/articles/enabling-and-testing-saml-single-sign-on-for-your-organization) to complete the configuration on GitHub Enterprise Cloud.
2. You will need the following information:

| Field              | Entry                                                                                                                                                |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| Sign On URL        | `https://{yourDomain}/samlp/{CLIENT_ID}`<br />`{CLIENT_ID}` will be the `client_id` for the GitHub application you just created in Auth0.            |
| Issuer             | `urn:auth0:{yourTenant}`                                                                                                                             |
| Public Certificate | Download it from `https://{yourDomain}/pem`. Open the downloaded file with a text editor, copy the contents and paste it in the text area on GitHub. |
| Signature method   | `RSA256-SHA256`                                                                                                                                      |
| Digest method      | `SHA256`                                                                                                                                             |

3. As recommended in GitHub's documentation, before enabling SAML SSO for your organization, click **Test SAML configuration** to ensure that the information you've entered is correct.

When setting up SAML single sign-on (SSO) for your organization, you can test your implementation without affecting your organization members by leaving **Require SAML SSO authentication for all members of the organization** unchecked.
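
Before pasting values into GitHub, the downloaded metadata file can be cross-checked against the table above. This added example (not Auth0 or GitHub code) extracts the issuer, sign-on URLs and certificate fingerprint from IdP metadata and compares them with the expected values and the PEM file. The tenant, domain, client ID and certificate bytes are constructed placeholders, and it assumes the metadata and `/pem` carry the same signing certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(b64_text):
    """SHA-256 of the bytes behind a base64 body; PEM armor lines are skipped."""
    body = "".join(l.strip() for l in b64_text.splitlines() if "-----" not in l)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def metadata_fields(xml_text):
    """Pull the values the GitHub form asks for out of IdP metadata."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    cert = idp.find(".//ds:X509Certificate", NS) if idp is not None else None
    if cert is None or not cert.text:
        raise ValueError("metadata has no IdP signing certificate")
    return {
        "issuer": ET.fromstring(xml_text).get("entityID"),
        "sign_on_urls": {s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "cert_sha256": fingerprint(cert.text),
    }

def mismatches(fields, domain, tenant, client_id, pem):
    """Names of the table rows that disagree with the metadata; empty means consistent."""
    found = []
    if fields["issuer"] != f"urn:auth0:{tenant}":
        found.append("issuer")
    if f"https://{domain}/samlp/{client_id}" not in fields["sign_on_urls"]:
        found.append("sign_on_url")
    if fingerprint(pem) != fields["cert_sha256"]:
        found.append("certificate")
    return found

# Constructed sample: placeholder tenant, client ID and certificate bytes.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"
METADATA = f"""<EntityDescriptor entityID="urn:auth0:example-tenant" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
     Location="https://example-tenant.example.com/samlp/EXAMPLE_CLIENT_ID"/>
 </IDPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":
    print(mismatches(metadata_fields(METADATA), "example-tenant.example.com",
                     "example-tenant", "EXAMPLE_CLIENT_ID", PEM))
```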
