ModernCyber Blog

Zero Trust Access to Git - Configuring Cisco Duo & GitHub Enterprise

Written by Jamie Sanbower | Oct 8, 2022 4:00:00 AM

Source code repositories can be the crown jewels of many organizations. For this and many other reasons, it is a higher risk target for adversaries and modern cyber threats. In this configuration example, we will integrate Cisco Secure Access by Duo and GitHub Enterprise to apply Zero Trust policies.

Applying zero trust policies to SaaS solutions typically involves integrating the application via SAML, OIDC, etc. One of my favorite guides on SAML is on the Duo Blog: The Beer Drinker’s Guide to SAML.

TIP

If your application is on-premise or doesn't support modern authentication. Zero Trust Network Access(ZTNA) and the Duo Network Gateway(DNG) Allows organizations to perform the same exact user and device trust checks on legacy applications and services.

 

Integrating Github Enterprise with Duo via SAML

Step 1: Navigating to GitHub Authentication Settings

To get started, login to your GitHub account and...

  1. Click your Avatar in the top right of the GitHub UI
  2. Select Settings
  3. Switch to your organization's account
  4. Select Authentication security in the left menu
Figure 1: Navigating to Github Authentication Settings
NOTE

You need to be an organization owner to have the correct rights and permissions to enable SSO/MFA/SAML for an Organization

 

Step 2: Enable SAML Authentication on your GitHub Organization

Next, check the box to Enable SAML authentication

Figure 2: Enable SAML authentication

Step 3: Add a new Generic SAML Application in Cisco Duo

Next, login to your Duo account and perform the following steps to add an application for GitHub integration.

  1. Select Protect an Application
  2. Search and Select Generic SAML Service Provider

Figure 3: Add Duo Generic SAML Service Provider

Step 4: Duo -> Github Configuration

Next, Copy configuration details from Cisco Duo and input them into SAML Configuration in Github

  1. Copy the Duo Entity ID and paste it as GitHub's Issuer
  2. Copy the Duo Single Sign-On URL and paste it as the GitHub's Sign-on URL
  3. Click Duo's Download Certificate button, open the certificate in your favorite text editor, and paste it as GitHub's Public certificate
Figure 4: Duo -> Github Configuration

Step 5: GitHub -> Duo Configuration

Next, Copy configuration details from GitHub's SAML Configuration and input them into Cisco Duo's application configuration

  1. Under the Duo Service Provider configuration input your organization URL (typically github.com / orgs / <Organization Name > ) as the Entity ID
  2. Copy the GitHub assertion consumer service URL and paste it as the Duo Assertion Consumer Service (ACS) URL
  3. Scroll to the bottom of the page and save the configuration in the Duo Admin session.
Figure 5: GitHub -> Duo Configuration

Step 6: Test the Integration

Next, click the Test SAML configuration button on your GitHub page.

Figure 6a: Test SAML configuration

Figure 6b: Successful Test SAML configuration

CAUTION

If your test does NOT succeed, do NOT proceed or click Save as this could lock you out of your organization.

 

Step 7: Require SAML SSO

Finally, check the box to Require SAML SSO authentication for all members of your organization and then click Save.

Figure 7: Test SAML configuration

Zero Trust Policies for GitHub Application Access

By integrating GitHub with Duo, you now can use Duo's Adaptive Policy & Control to meet your organization's requirements around zero trust and move your Zero Trust Maturity to optimal for Identity. A few of the top policy items:

Figure 8: Duo Access Policies

Risk-Based Authentication

Risk-Based Authentication is the difference between advanced and optimal zero trust maturity.
Figure 9: Duo Risk-Based Authentication

Managed Device Check

Duo integrates with your favorite endpoint and mobile device management tools to determine if the device is managed and trusted.

Duo Device Health

Duo Device Health allows organizations to control access to your applications through the policy system by restricting access when devices do not meet particular security requirements.
Figure 10: Duo Device Health

Getting Help

If you are looking for help with Cisco Duo, MFA, SSO, Zero Trust, etc. Schedule some time to speak with one of our cybersecurity experts.