Add query that lists SAML external identities for an Organization

[osowskit]

Business Plan hosted customers with SAML would like a way to programmatically query information about a GitHub user account's SAML identity. The following is a GraphQL query that accomplishes this for an Organization.

• Determine whether this is a standalone example for useful Business Plan hosted (SAML) queries or added under https://github.com/github/platform-samples/tree/master/graphql/queries

query {
  organization(login: "LOGIN") {
    samlIdentityProvider {
      ssoUrl
      externalIdentities(first: 100) {
        edges {
          node {
            guid
            samlIdentity {
              nameId
            }
            user {
              login
            }
          }
        }
      }
    }
  }
}

/cc @francisfuzz as you might be able to track down the author to see if they want to add this ☝️

[mikesimons]

This query was super helpful for us as we're primarily using v3 and couldn't see a way to do this there. I found the token needs admin:org though which feels excessive for a read only query.

[AjkayAlan]

This query was also super helpful for us - v3 provides their SCIM endpoint (https://developer.github.com/v3/scim/) which gets us close, but does not provide a true way to tie a GitHub identity to a SAML identity.

Using this query in v4 we are able to pull our user's verified domain email addresses and associate it to their github handle, making our notification process a lot easier.

[kamaltejaaol]

@AjkayAlan, I'm testing on the same where the email address for SAML authentication is different from github registered email address, can you please share us the query to trigger in GraphQL

[AjkayAlan]

@kamaltejaaol Unfortunately my org policy does not allow me to share code easily, specifically code I developed for our organization.

What we ended up doing was using the query provided by @osowskit above to get the SAML nameId, which corresponded to our user's primary email address associated to their enterprise account (the same address we would send emails on). Additionally, the query above gets you the user login, which is the actual github login of the associated user.

From there, you can just make a key value pair list of github login to enterprise email address. Once you have that, you should be off to the races.

In our case, we had to revoke PAT and SSH keys over a specified age limit using the credential authorizations API (https://developer.github.com/v3/orgs/#list-credential-authorizations-for-an-organization). That returns the github login, which we then look up against the list of login/email kvp's. From there, we were able to notify the users in advance that they needed to rotate their credentials to avoid disruption.

[kamaltejaaol]

@AjkayAlan, i understand the corporate security policies, but thanks for giving the detailed explanation, i will try to work it out. Thanks again.

[gracevivi523]

Hi, @osowskit
Thanks for this solution, really saved my day, however I am getting null with this query, not sure what I am missing here possibly? I have correct scope for the token and header stuff.

below is the return.
{
"data": {
"organization": {
"samlIdentityProvider": null
}
}
}

[osowskit]

@swinton @mtodd ☝️

[gracevivi523]

Thanks @osowskit .

@swinton @mtodd , I am still stuck on it, any help will be highly appreciated.

[gracevivi523]

Just did a bit more research on the issue, could it be related to SCIM is not enabled?

[micimize]

I am experiencing the same {"data":{"organization":{"samlIdentityProvider":null}}} issue making requests with both

• a PAT with admin:org and admin:enterprise permissions
• as well as a Github App with fairly substantial permissions

So I'm wondering:

1. My account is an org owner, but (I believe) only an enterprise member. Could this be the source of the issue?
2. If it is, shouldn't at least enterprise.ownerInfo.samlIdentityProvider throw an error?
3. More generally, what are the constraints and necessary permissions for this API?
4. What are its the supported consumers, and do they have varied constraints?
5. Are there known gotchas and caveats such as what @gracevivi523 proposed?

Also, this query has been added to the examples.

[micimize]

What I've learned since the above:

• is that when enterprise saml identity mapping is on, organization.samlIdentityProvider is not a view into the enterprise identity mapping, and there is no way to configure it as such
• enterprise saml identities can only be queried by enterprise owners

[kamaltejaaol]

https://gist.github.com/gbaman/b3137e18c739e0cf98539bf4ec4366ad ... these details helped me to develop python code to get the saml identify value and generate report

[barakwei]

I also got {"data":{"organization":{"samlIdentityProvider":null}}} when querying the organization, that's because the SAML configuration was at the enterprise level, so to get that the following query helped.

{
  enterprise(slug: "Your enterprise here") {
    ownerInfo {
      samlIdentityProvider {
        externalIdentities(after: null, first: 100) {
          pageInfo {
            hasNextPage
            endCursor
          }
          edges {
            node {
              user {
                login
              }
              samlIdentity {
                nameId
              }
            }
          }
        }
      }
    }
  }
}

[joehorsnell]

For anyone interested in how to adapt the original query from the first comment to support pagination, after some playing around and reading the docs (I'm not too familiar with GraphQL, so this wasn't obvious to me), I got this (example below using the GitHub CLI, see also here):

gh api graphql --paginate -f query='
query($endCursor: String) {
  organization(login: "<name-of-org>") {
    samlIdentityProvider {
      ssoUrl,
      externalIdentities(first: 100, after: $endCursor) {
        edges {
          node {
            guid,
            samlIdentity {
              nameId
            }
            user {
              login
            }
          }
        }
        pageInfo{
          hasNextPage,
          endCursor
        }
      }
    }
  }
}
'