I'd like to get a mapping between GitHub logins and emails in my organization using the GitHub API (any version).
I can get the emails on organization members' accounts with this GraphQL query:
query {
  organization(login: "myorg") {
    members(first: 100) {
      nodes {
        login
        name
        email
      }
    }
  }
}
But this isn't the email I'm after. I really want the email on the "Linked SSO identity", which I get to from my organization page by clicking this link:
When I click this link, the desired email is listed in several places on https://github.com/orgs/myorg/people/danvk/sso.
Is it possible to access this SSO-linked email via any version of the GitHub API?
You can access this information for accounts provisioned via SCIM*.
query {
  organization(login: "LOGIN") {
    samlIdentityProvider {
      ssoUrl
      externalIdentities(first: 100) {
        edges {
          node {
            guid
            samlIdentity {
              nameId
            }
            user {
              login
            }
          }
        }
      }
    }
  }
}
[authored by a member of GitHub's support staff] and samples available here.
If your IdP's configured at the enterprise level, run instead:
{
  enterprise(slug: "MYENTERPRISENAME") {
    ownerInfo {
      samlIdentityProvider {
        externalIdentities(after: null, first: 100) {
          pageInfo {
            hasNextPage
            endCursor
          }
          edges {
            node {
              user {
                login
              }
              samlIdentity {
                nameId
              }
            }
          }
        }
      }
    }
  }
}
These GraphQL queries can be run via the GitHub CLI (download here).
Permissions are provided by a personal access token (PAT). You can set this up at https://github.com/settings/tokens.
admin:org right. You'll also need to authorise it for each org against which you intend to use it (via the Configure SSO option next to the PAT).
admin:enterprise right.
To authenticate create an environment variable, GH_TOKEN, and set its value to the token's value (if you didn't note this when creating the token, you'll have to drop and recreate the token to get a fresh value).
Examples of how to use the gh cli to run graphql (and other API) queries can be found here: https://cli.github.com/manual/gh_api
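An added example, not part of either answer above: it pages through the organization-level externalIdentities query with the gh CLI and builds the login-to-nameId mapping the question asks for, keeping SAML identities with no linked GitHub user in a separate list. The function names gh_graphql and sso_email_map are hypothetical; it assumes gh is installed and GH_TOKEN holds a token with the admin:org right.

```python
import json
import subprocess

# Organization-level query from the answer above, with a cursor variable added
# so that organizations with more than 100 identities are fully covered.
QUERY = """
query($org: String!, $cursor: String) {
  organization(login: $org) {
    samlIdentityProvider {
      externalIdentities(first: 100, after: $cursor) {
        pageInfo { hasNextPage endCursor }
        edges { node { samlIdentity { nameId } user { login } } }
      }
    }
  }
}
"""

def gh_graphql(org, cursor):
    """Run one page of QUERY through `gh api graphql` (gh reads GH_TOKEN)."""
    cmd = ["gh", "api", "graphql", "-f", f"query={QUERY}", "-f", f"org={org}"]
    if cursor:  # omitted on the first page, so $cursor defaults to null
        cmd += ["-f", f"cursor={cursor}"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(out.stdout)

def sso_email_map(org, fetch=gh_graphql):
    """Return ({login: nameId}, [nameIds with no linked user]) over all pages."""
    linked, unlinked, cursor = {}, [], None
    while True:
        data = fetch(org, cursor)
        if data.get("errors"):
            raise RuntimeError(data["errors"])
        idp = data["data"]["organization"]["samlIdentityProvider"]
        if idp is None:  # no organization-level IdP visible to this token
            raise LookupError(f"{org}: no organization-level SAML identity provider")
        conn = idp["externalIdentities"]
        for edge in conn["edges"]:
            node = edge["node"]
            name_id = (node.get("samlIdentity") or {}).get("nameId")
            user = node.get("user")
            if user is None:  # identity known to the IdP, no GitHub account linked
                unlinked.append(name_id)
            else:
                linked[user["login"]] = name_id
        if not conn["pageInfo"]["hasNextPage"]:
            return linked, unlinked
        cursor = conn["pageInfo"]["endCursor"]
```

The unlinked list is worth reviewing on its own, since it shows identities provisioned at the IdP that no organization member has claimed.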