@MarcBittner
Created September 12, 2025 22:24

Setting Up Okta as IdP for Google Workspace and GitHub Integration

Overview of Architecture

  • Google Workspace: source of truth for user accounts; users are imported from Google into Okta
  • Okta: Identity Provider (IdP) that authenticates every SSO login, including logins to Google Workspace itself
  • GitHub: Service Provider (SP) that trusts SAML assertions issued by Okta
  • User Flow: accounts originate in Google → Okta imports them and issues SAML assertions → Google Workspace and GitHub accept those assertions

Part 1: Set Up Google Workspace Integration with Okta

Step 1: Configure Google Workspace API Access

  1. Go to Google Cloud Console
  2. Create a new project or select an existing project
  3. Enable the Admin SDK API:
    • Navigate to "APIs & Services" → "Library"
    • Search for "Admin SDK API" and enable it
  4. Create a service account and a key for it:
    • Go to "APIs & Services" → "Credentials"
    • Click "Create Credentials" → "Service Account"
    • Name it (e.g., "okta-google-sync"); it needs no IAM roles on the project, because its authority will come from domain-wide delegation (Step 2), not from Cloud IAM
    • On the service account's Keys tab, add a new JSON key and download it
    • Treat the JSON key as a domain-wide admin credential: once delegation is granted it can impersonate any user in your Workspace domain for the granted scopes. Store it in a secrets manager, never in a repository or chat, and rotate it on a schedule

Step 2: Enable Domain-wide Delegation

  1. In Google Cloud Console, open the service account you just created
  2. Click "Enable Google Workspace Domain-wide Delegation"
  3. Note the service account's numeric OAuth 2 Client ID (you'll need this later)
  4. In Google Admin Console:
    • Go to Security → Access and data control → API controls → Manage Domain Wide Delegation
    • Add new with the Client ID
    • Add these OAuth scopes:
      https://www.googleapis.com/auth/admin.directory.user
      https://www.googleapis.com/auth/admin.directory.group
      https://www.googleapis.com/auth/admin.directory.group.member
    • If Okta will only import from Google and never write back (no profile or password push), grant the .readonly variants of these scopes instead (e.g. https://www.googleapis.com/auth/admin.directory.user.readonly). Delegation lets the key act as any user in the domain, so keep the scope list to what the sync actually needs

Step 3: Configure Okta Google Workspace Integration

  1. Log into Okta Admin Console
  2. Go to Directory → Directory Integrations
  3. Click Add Directory → Google Workspace
  4. Configure the integration:
    • Domain: your Google Workspace domain
    • Service Account Email: the client_email value from the JSON key file
    • Private Key: the private_key value from the JSON key file
    • Admin Email: the Google Workspace admin the service account impersonates under domain-wide delegation. Use a dedicated admin account holding only the directory privileges the sync needs, not a personal super admin
    • If your Okta org's Google Workspace integration instead prompts you to "Authenticate with Google Workspace" (an OAuth admin-consent flow in the app's Provisioning tab), the service account key is not used there; complete that prompt with the dedicated admin account
  5. Configure import settings:
    • Select user attributes to import
    • Set up group imports if needed
    • Configure import schedules
  6. Run an initial import to sync users from Google into Okta and review the import results before confirming them (unmatched users are created as new Okta accounts)

Part 2: Set Up Okta as SAML IdP for Google Workspace

Step 4: Create SAML Application in Okta for Google Workspace

  1. In Okta Admin Console, go to Applications → Applications
  2. Click Create App Integration (older consoles: Add Application → Create New App). The Okta Integration Network also ships a preconfigured Google Workspace app that fills the values below in for you; prefer it if it is available, since hand-typed SAML settings are where most SSO outages start
  3. Choose SAML 2.0
  4. Configure General Settings:
    • App name: "Google Workspace"
    • App logo: Upload Google Workspace logo if desired
  5. Configure SAML Settings:
    • Single sign on URL (the ACS URL): https://www.google.com/a/[yourdomain.com]/acs
    • Audience URI (SP Entity ID): google.com/a/[yourdomain.com], with no scheme; Google also accepts the bare google.com. The https://www.google.com/... form belongs to the ACS URL only
    • Name ID format: EmailAddress
    • Application username: Email (the NameID must equal the user's Google primary email, which is how Google matches the assertion to an account)
  6. Attribute statements are optional here: Google only uses the NameID. If you add one, for example Name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress with Value user.email, Google simply ignores it
  7. On the app's Sign On tab, open the SAML setup instructions: download the Okta signing certificate and note the Identity Provider Single Sign-On URL and Issuer

Step 5: Configure Google Workspace to Use Okta SAML

  1. In Google Admin Console, go to Security → Authentication → SSO with third-party IdP
  2. Under the third-party SSO profile for your organization, check Set up SSO with third-party identity provider
  3. Configure:
    • Sign-in page URL: the Identity Provider Single Sign-On URL from Step 4
    • Sign-out page URL: where Google sends users after sign-out, e.g. https://[yourorg].okta.com/login/signout (Google does not perform SAML single logout; this is a plain redirect)
    • Change password URL: optional, but point it at Okta so SSO users are not sent to a Google password page they never use
    • Verification certificate: upload the Okta signing certificate from Step 4
    • Use a domain-specific issuer: tick this if the Okta Audience URI is google.com/a/[yourdomain.com], so the issuer Google puts in its AuthnRequest matches; leave it unticked if you used google.com
  4. Test with a non-admin test user in a browser where no admin is signed in. Google super admins are exempt from third-party SSO and keep signing in with their Google password, so they cannot be used to verify the flow; that exemption is also your break-glass path if Okta is down
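Before flipping SSO on for real users, it is worth checking the assertion Okta actually emits against what the SP will demand. The script below is an added example (not code from the gist, Okta, Google or GitHub): it decodes a SAML Response as a browser SAML tracer shows it and checks the fields Google Workspace and GitHub key on (NameID format and value, Recipient and Destination equal to the ACS URL, Audience, validity window). It goes slightly beyond Part 2 by also encoding the GitHub organization-level ACS URL and audience from GitHub's documentation, so the same check serves Step 8. It does not verify the XML signature; the SP does that with the uploaded certificate. The domain example.com, the org name acme, the Okta issuer string and the response itself are constructed for the example.

```python
"""Pre-flight checks on a SAML Response before enabling SSO at the SP (added example)."""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET  # fine for IdP output you captured yourself; use defusedxml for untrusted XML
from dataclasses import dataclass, field
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
DEMO_NOW = datetime(2025, 9, 12, 22, 0, tzinfo=timezone.utc)  # "now" for the constructed sample below


@dataclass
class SpExpectation:
    name: str
    acs_url: str
    audiences: set[str]  # any one of these is acceptable
    nameid_format: str = EMAIL_FORMAT


def google_expectation(domain: str) -> SpExpectation:
    # Google publishes "google.com" as its SP entity ID; the per-domain form is what the
    # "domain-specific issuer" option sends. Neither carries a scheme.
    return SpExpectation("Google Workspace", f"https://www.google.com/a/{domain}/acs",
                         {"google.com", f"google.com/a/{domain}"})


def github_org_expectation(org: str) -> SpExpectation:
    # ACS URL and audience GitHub documents for organization-level SAML.
    return SpExpectation("GitHub organization", f"https://github.com/orgs/{org}/saml/consume",
                         {f"https://github.com/orgs/{org}"})


@dataclass
class CheckResult:
    ok: bool
    problems: list[str] = field(default_factory=list)


def _ts(value: str | None) -> datetime | None:
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def check_response(response_b64: str, sp: SpExpectation, now: datetime) -> CheckResult:
    root = ET.fromstring(base64.b64decode(response_b64))
    problems: list[str] = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return CheckResult(False, ["no plaintext <saml:Assertion> (encrypted assertions not handled here)"])
    if root.get("Destination") != sp.acs_url:
        problems.append(f"Response Destination {root.get('Destination')!r} != ACS URL {sp.acs_url!r}")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        problems.append("missing NameID")
    else:
        if nameid.get("Format", "") != sp.nameid_format:
            problems.append(f"NameID Format {nameid.get('Format')!r}; {sp.name} expects {sp.nameid_format!r}")
        if "@" not in (nameid.text or ""):
            problems.append(f"NameID {nameid.text!r} is not an email address")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != sp.acs_url:
        problems.append(f"Recipient {recipient!r} != ACS URL {sp.acs_url!r}")
    audiences = {a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if not audiences & sp.audiences:
        problems.append(f"Audience {sorted(audiences)} matches none of {sorted(sp.audiences)}")
    cond = assertion.find("saml:Conditions", NS)
    not_before = _ts(cond.get("NotBefore")) if cond is not None else None
    not_on_or_after = _ts(cond.get("NotOnOrAfter")) if cond is not None else None
    if not_before and now < not_before:
        problems.append("assertion not yet valid (check IdP/SP clock skew)")
    if not_on_or_after and now >= not_on_or_after:
        problems.append("assertion expired")
    return CheckResult(not problems, problems)


def sample_response(acs: str, audience: str, nameid: str, nameid_format: str = EMAIL_FORMAT) -> str:
    """Constructed, unsigned response in the shape Okta emits, base64-encoded as a tracer shows it."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="2025-09-12T22:00:00Z" Destination="{acs}">
  <saml:Issuer>http://www.okta.com/exkFAKEISSUER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-09-12T22:00:00Z">
    <saml:Issuer>http://www.okta.com/exkFAKEISSUER</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{nameid_format}">{nameid}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs}" NotOnOrAfter="2025-09-12T22:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-09-12T21:55:00Z" NotOnOrAfter="2025-09-12T22:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    sp = google_expectation("example.com")
    print(check_response(sample_response(sp.acs_url, "google.com/a/example.com", "alice@example.com"), sp, DEMO_NOW))
    # An https:// audience (not a Google entity ID) plus a non-email, wrongly formatted NameID: three findings.
    print(check_response(sample_response(sp.acs_url, "https://www.google.com/a/example.com", "alice",
                                         "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"), sp, DEMO_NOW))
```

To use it on a real capture, copy the base64 SAMLResponse value from the tracer into check_response with the matching expectation and the current UTC time. A failing Audience or Recipient check is almost always a typo in the Okta app settings, whereas a "not yet valid" finding points at clock skew between Okta and the machine you captured on.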

Part 3: Set Up GitHub Integration with Okta

Step 6: Configure GitHub Enterprise/Organization

  1. Decide where SAML will live. Organization-level SAML is configured under the organization's Settings → Authentication security → SAML single sign-on. Enterprise-account-level SAML is configured under the enterprise's Settings → Authentication security and applies to every organization in the enterprise
  2. Pick one level: once SAML is configured on the enterprise account it overrides any organization-level SAML settings, and the Okta catalog app you add in Step 7 differs between the two
  3. The rest of this guide assumes organization-level SAML

Step 7: Create SAML Application in Okta for GitHub

  1. In Okta Admin Console, go to Applications → Applications
  2. Click Browse App Catalog
  3. Search for "GitHub" and select GitHub Enterprise Cloud - Organizations (for enterprise-account SAML, pick GitHub Enterprise Cloud - Enterprise Accounts instead)
  4. Click Add Integration
  5. Configure General Settings:
    • Application label: "GitHub"
  6. Configure Sign-On Options:
    • GitHub Organization: Your GitHub org name
    • Base URL: https://github.com/orgs/[your-org-name]
  7. Note the SAML 2.0 settings:
    • Identity Provider SSO URL
    • Identity Provider Issuer
    • X.509 Certificate

Step 8: Configure GitHub SAML Settings

  1. In GitHub Organization settings, go to Authentication security → SAML single sign-on and check Enable SAML authentication
  2. Configure SAML:
    • Sign on URL: Okta Identity Provider SSO URL
    • Issuer: Okta Identity Provider Issuer
    • Public certificate: paste the Okta X.509 certificate (PEM)
    • Leave Signature method and Digest method at RSA-SHA256 / SHA256 unless the Okta app is configured otherwise
  3. Click Test SAML configuration and confirm the round trip through Okta succeeds before saving
  4. Save, then download the organization's SAML recovery codes and store them with your other break-glass material
  5. Only after every member has signed in through Okta at least once (Step 11), check Require SAML SSO authentication for all members. Members who have not yet linked a SAML identity are removed from the organization the moment this is enabled
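Because enforcing SAML removes every member without a linked identity, audit the organization before you turn enforcement on. The script below is an added example, not code from the gist or from GitHub: it compares the member list with the SAML external identities GitHub returns and reports who would be removed, whose NameID falls outside the Google Workspace domain Okta sources users from, and which provisioned identities nobody has signed in with yet. The two GraphQL queries are the documented ones (run them with, for example, `gh api graphql -F org=acme -f query="$IDENTITIES_QUERY"` and page on endCursor); the JSON payloads, the org name acme and all logins are constructed so the script runs offline.

```python
"""Audit which org members would be locked out when SAML SSO enforcement is enabled (added example)."""
from __future__ import annotations

import json

IDENTITIES_QUERY = """
query($org: String!, $cursor: String) {
  organization(login: $org) {
    samlIdentityProvider {
      externalIdentities(first: 100, after: $cursor) {
        pageInfo { hasNextPage endCursor }
        nodes {
          user { login }
          samlIdentity { nameId }
          scimIdentity { username }
        }
      }
    }
  }
}
"""

MEMBERS_QUERY = """
query($org: String!, $cursor: String) {
  organization(login: $org) {
    membersWithRole(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes { login }
    }
  }
}
"""

# Constructed sample responses, one page each. With real data, page until
# pageInfo.hasNextPage is false and pass every page to audit().
SAMPLE_MEMBERS_PAGES = [{"data": {"organization": {"membersWithRole": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [{"login": "alice"}, {"login": "bob"}, {"login": "carol"}, {"login": "svc-deploy"}],
}}}}]

SAMPLE_IDENTITY_PAGES = [{"data": {"organization": {"samlIdentityProvider": {"externalIdentities": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [
        {"user": {"login": "alice"}, "samlIdentity": {"nameId": "alice@example.com"}, "scimIdentity": None},
        {"user": {"login": "bob"}, "samlIdentity": {"nameId": "bob@contractor.io"}, "scimIdentity": None},
        # Identity created by SCIM provisioning that no GitHub account has linked to yet.
        {"user": None, "samlIdentity": {"nameId": "dave@example.com"}, "scimIdentity": {"username": "dave@example.com"}},
    ],
}}}}}]


def audit(members_pages: list[dict], identity_pages: list[dict], expected_domain: str) -> dict:
    members = {n["login"] for page in members_pages
               for n in page["data"]["organization"]["membersWithRole"]["nodes"]}
    linked: dict[str, str | None] = {}   # GitHub login -> SAML NameID
    unlinked: list[str] = []             # identities with no GitHub user attached
    for page in identity_pages:
        idp = page["data"]["organization"].get("samlIdentityProvider")
        if idp is None:  # no org-level SAML provider: nobody is linked, everyone would be removed
            continue
        for n in idp["externalIdentities"]["nodes"]:
            name_id = (n.get("samlIdentity") or {}).get("nameId")
            if n.get("user"):
                linked[n["user"]["login"]] = name_id
            else:
                unlinked.append(name_id or (n.get("scimIdentity") or {}).get("username") or "?")
    suffix = "@" + expected_domain.lower()
    return {
        "members": len(members),
        "linked": len(linked),
        # No linked identity: removed from the org as soon as enforcement is switched on.
        "will_be_removed": sorted(members - set(linked)),
        # Linked, but to an identity outside the Workspace domain Okta imports from.
        "nameid_outside_domain": sorted(l for l, nid in linked.items() if nid and not nid.lower().endswith(suffix)),
        # Provisioned but never used to sign in.
        "unlinked_identities": sorted(unlinked),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MEMBERS_PAGES, SAMPLE_IDENTITY_PAGES, "example.com"), indent=2))
```

Service or bot accounts such as svc-deploy show up in will_be_removed: decide up front whether they get an Okta identity, are converted to a GitHub App, or are allowed to drop out of the organization.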

Step 9: Assign Users to Applications in Okta

  1. In Okta Admin Console, go to each application (Google Workspace and GitHub)
  2. Go to Assignments tab
  3. Assign users or groups to each application
  4. Configure any specific user attributes or group memberships

Part 4: User and Group Management

Step 10: Set Up Groups and Access Policies

  1. In Okta, create groups that match your organizational structure
  2. Assign users to appropriate groups
  3. Configure group-based access to applications
  4. Set up Okta access policies for additional security

Part 5: Testing and Validation

Step 11: End-to-End Testing

  1. Test user login flow:
    • User accesses Google Workspace → redirected to Okta → authenticated → back to Google
    • User accesses GitHub → redirected to Okta → authenticated → back to GitHub
  2. Test user provisioning and deprovisioning
  3. Verify group memberships sync correctly
  4. Test password handling: Okta never receives Google passwords through the import, so a password change in Google changes nothing in Okta. If you enabled password sync in the Okta Google Workspace app, verify that an Okta password change is pushed to Google; and verify that for an SSO-enabled test user the Google password alone no longer completes a web sign-in at accounts.google.com

Step 12: Security Configuration

  1. Enforce MFA in Okta through an authentication policy; since Okta now fronts both Google Workspace and GitHub, prefer phishing-resistant factors (FIDO2/WebAuthn, Okta FastPass) over push or OTP
  2. Configure session policies
  3. Set up monitoring and alerts
  4. Review and adjust access policies

Important Notes

  • User Management: users are mastered in Google Workspace and imported into Okta. Okta cannot import Google passwords, so users receive Okta credentials (or Okta pushes its password to Google if you enable password sync in the app)
  • Authentication Flow: all SSO goes through Okta, including sign-in to Google Workspace itself. Google super admins are exempt from third-party SSO and keep signing in with their Google password
  • GitHub Enterprise Cloud: once "Require SAML SSO authentication for all members" is enabled, organization members can only join and sign in through Okta
  • GitHub Teams: SAML only authenticates; it provisions nothing. To create and remove members automatically and keep team membership in sync, enable SCIM provisioning in the Okta GitHub app and GitHub's team synchronization (Okta groups → GitHub teams). Without SCIM, unassigning a user from the Okta app only stops new SSO logins; you must remove them from the organization by hand
  • Member Access: enabling enforcement removes every existing organization member who has not yet linked a SAML identity, so have all members sign in through Okta once before you enforce
  • Testing: always test with a small group of users before full deployment
  • Backup Access: before enforcing SSO anywhere, keep at least one Google super admin with a Google-native password, an Okta super admin with an offline break-glass factor, and the GitHub organization's downloaded SAML recovery codes
  • GitHub Billing: SAML SSO and SCIM require a GitHub Enterprise Cloud subscription

This setup provides centralized identity management with Google as the source of truth for users, Okta handling SSO, and seamless access to both Google Workspace and GitHub Enterprise Cloud.
