GitHub

1Kosmos integrates with GitHub Enterprise as a SAML 2.0 identity provider, securing access to code repositories and organization resources with biometric authentication.

Integration type: Productivity

Overview

1Kosmos integrates with GitHub Enterprise Cloud and Server as a SAML 2.0 identity provider, requiring biometric authentication via 1Kosmos before accessing repositories, issues, and pull requests. SAML SSO can be enforced at the organization or enterprise account level.

What we solve

GitHub Enterprise organizations need to protect source code and developer workflows from account takeover and credential phishing by reducing reliance on passwords for org/enterprise access. This integration enforces SAML SSO from GitHub to 1Kosmos so members must authenticate biometrically before accessing protected repositories and organization resources, while GitHub links each personal account to a verified 1Kosmos identity.

Unlike most SaaS SAML integrations, GitHub SAML SSO does not replace users' personal GitHub account login. Members continue to sign into their personal accounts on github.com, and GitHub then links each personal account to an external identity in the 1Kosmos IdP.

Users must complete a SAML SSO authentication session to access protected organization resources.

The GitHub SP metadata is available at https://HOSTNAME/saml/metadata for GitHub Enterprise Server and at https://github.com/orgs/ORGANIZATION/saml/metadata for GitHub Enterprise Cloud organizations.


Prerequisites

  • Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.

  • GitHub Enterprise Cloud or Enterprise Server: Organization owner or enterprise owner access to configure SAML settings. SAML SSO requires a GitHub Enterprise Cloud subscription or GitHub Enterprise Server deployment.

  • Download recovery codes before enabling: Before enabling SAML SSO, GitHub recommends saving recovery codes so that enterprise owners can access the enterprise if the IdP is unavailable.

  • 1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.


Configuration values

Values to collect from 1Kosmos AdminX (IdP) for GitHub:

| Field | Where to find it |
|---|---|
| SSO URL (Sign on URL) | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Issuer (Entity ID) | AdminX → Settings → IdP Configuration → Core Configuration |
| Public Certificate | AdminX → Settings → IdP Configuration → View Certificate → Public Key |

Fixed GitHub SP values to enter in AdminX:

| Scope | SP Entity ID | ACS URL |
|---|---|---|
| GitHub Cloud (org-level) | https://github.com/orgs/ORGANIZATION | https://github.com/orgs/ORGANIZATION/saml/consume |
| GitHub Cloud (enterprise-level) | https://github.com/enterprises/ENTERPRISE | https://github.com/enterprises/ENTERPRISE/saml/consume |
| GitHub Enterprise Server | https://HOSTNAME | https://HOSTNAME/saml/consume |

Integration steps

Step 1: Add GitHub as a SAML application in AdminX

  • Log in to the AdminX portal and navigate to Applications → Add Application.

  • Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.

  • Enter "GitHub Enterprise" as the Application Name, set Instance to Production, and enter your GitHub organization or enterprise URL as the Application Access URL. Click Next.

  • Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add a claim for email. Click Next.

  • Enter the GitHub SP Entity ID and ACS URL from the table above, replacing ORGANIZATION, ENTERPRISE, or HOSTNAME with your actual values. Enable Assertion signing and click Save.

Step 2: Enable SAML SSO in GitHub (organization-level)

  • Navigate to your GitHub organization on github.com and click Settings → Authentication security (under the Security section).

  • Check the Enable SAML authentication checkbox.

  • In the Sign on URL field, paste the 1Kosmos SSO URL (Sign on URL).

  • In the Issuer field, paste the 1Kosmos IdP Issuer (Entity ID).

  • In the Public certificate field, paste the content of the 1Kosmos Public Certificate (the signing certificate).

  • Click Test SAML configuration to validate the setup before enforcing. Confirm the test succeeds before proceeding.

  • Click Save. If you want to enforce SAML for all members, check Require SAML SSO authentication for all members of the ORGANIZATION organization and save again.

Step 3: Enable SAML SSO in GitHub Enterprise Server (server deployments)

  • Navigate to the Management Console on your GitHub Enterprise Server instance and select Authentication → SAML.

  • Enable SAML and enter the 1Kosmos SSO URL, IdP Entity ID, and signing certificate in the corresponding fields.

  • Click Save and restart the instance if prompted.

Step 4: Test the integration

  • Navigate to a protected organization repository or resource and attempt to access it.

  • GitHub redirects to 1Kosmos for SAML authentication. Authenticate biometrically using the 1Kosmos mobile app.

  • Confirm you are returned to the GitHub resource with an active SAML session.

  • Verify that the identity is linked in GitHub by navigating to your profile → Settings → Security → SAML single sign-on.


Attribute mappings

| Source (1Kosmos) | Target (GitHub) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Primary identifier; must match the email on the user's GitHub personal account |
| user.firstName | full_name (first portion) | Optional; GitHub extracts name from the full_name attribute if provided |

Integration notes

GitHub SAML SSO sessions expire by default after 24 hours (or the value of SessionNotOnOrAfter if provided by the IdP). After expiration, users are prompted to reauthenticate with 1Kosmos to regain access to protected organization resources.

GitHub does not remove members from an organization when SAML is first enabled, but if you later enforce SAML, members who have not completed SAML authentication will lose access to organization resources.

Always test SAML with at least one account and save recovery codes before enforcing SAML across the organization.
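
The following is an added example, not 1Kosmos or GitHub code: a check to run on a decoded SAML response captured from a test login before enforcing SSO. It confirms the values configured in Step 1 (ACS URL, SP Entity ID, NameID format, assertion signing) and reports when the GitHub session will expire. The function names, the `example-org` organization, the `dev@example.com` user and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: a decoded SAMLResponse for the placeholder org "example-org".
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<a:Assertion><ds:Signature/>
<a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dev@example.com</a:NameID>
<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="https://github.com/orgs/example-org/saml/consume"/></a:SubjectConfirmation></a:Subject>
<a:Conditions><a:AudienceRestriction><a:Audience>https://github.com/orgs/example-org</a:Audience></a:AudienceRestriction></a:Conditions>
<a:AuthnStatement SessionNotOnOrAfter="2030-01-01T08:00:00Z"/></a:Assertion></p:Response>"""

def github_sp(scope, name):
    """SP Entity ID and ACS URL for a scope, following the table on this page."""
    base = {"org": "https://github.com/orgs/" + name,
            "enterprise": "https://github.com/enterprises/" + name,
            "server": "https://" + name}[scope]
    return base, base + "/saml/consume"

def check_response(xml_text, scope, name, now=None):
    """Return (problems, session_expiry) for a decoded SAML Response."""
    entity_id, acs = github_sp(scope, name)
    root = ET.fromstring(xml_text)  # run only on a response from your own test login
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion found"], None
    problems = []
    conf = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs:
        problems.append("Recipient is not the GitHub ACS URL")
    if assertion.find("ds:Signature", NS) is None:  # presence only, not verified
        problems.append("assertion is not signed")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID Format is not emailAddress")
    if entity_id not in [e.text for e in assertion.iterfind(".//a:Audience", NS)]:
        problems.append("Audience does not contain the SP Entity ID")
    # Session lifetime: SessionNotOnOrAfter if the IdP sends it, else 24 hours.
    stmt = assertion.find("a:AuthnStatement", NS)
    end = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    if end:
        return problems, datetime.fromisoformat(end.replace("Z", "+00:00"))
    return problems, (now or datetime.now(timezone.utc)) + timedelta(hours=24)
```

An empty problem list means the assertion carries the values GitHub was configured to expect. Cryptographic validation of the signature remains GitHub's job, using the certificate pasted in Step 2.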

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
