Access linked SAML identity via the GitHub API
I'd like to get a mapping between GitHub logins and emails in my organization using the GitHub API (any version).
I can get the emails on organization members' accounts with this GraphQL query:
query {
organization(login:"myorg"){
members(first:100) {
nodes {
login
name
email
}
}
}
}
But this isn't the email I'm after. I really want the email on the "Linked SSO identity", which I get to from my organization page by clicking this link:
When I click this link, the desired email is listed in several places on https://github.com/orgs/myorg/people/danvk/sso.
Is it possible to access this SSO-linked email via any version of the GitHub API?
Organisation Level SAML
You can access this information for accounts provisioned via SCIM*.
query {
organization(login: "LOGIN") {
samlIdentityProvider {
ssoUrl
externalIdentities(first: 100) {
edges {
node {
guid
samlIdentity {
nameId
}
user {
login
}
}
}
}
}
}
}
[authored by a member of GitHub's support staff] and samples available here.
- I haven't verified if accounts that have linked SAML accounts outside of SCIM would work using this query.
Enterprise Level SAML
If your IdP's configured at the enterprise level, run instead:
{
enterprise(slug: "MYENTERPRISENAME") {
ownerInfo {
samlIdentityProvider {
externalIdentities(after: null, first: 100) {
pageInfo {
hasNextPage
endCursor
}
edges {
node {
user {
login
}
samlIdentity {
nameId
}
}
}
}
}
}
}
}
Additional Info
These GraphQL queries can be run via the GitHub CLI (download here).
Permissions are provided by a personal access token (PAT). You can set this up at https://github.com/settings/tokens.
- If querying the org, you'll need to assign your PAT the
admin:orgright. You'll also need to authorise it for each org against which you intend to use it (via theConfigure SSOoption next to the PAT. - If querying the enterprise, you'll need to assign your PAT the
admin:enterpriseright.
To authenticate create an environment variable, GH_TOKEN, and set its value to the token's value (if you didn't note this when creating the token, you'll have to drop and recreate the token to get a fresh value).
Examples of how to use the gh cli to run graphql (and other API) queries can be found here: https://cli.github.com/manual/gh_api
- GitHub Error - "ssh: connect to host github.com port 22: Operation timed out fatal: Could not read from remote repository."
- Why use a GitHub template instead of a fork?
- Git Submodule - Permission Denied
- GitHub Actions: How to call a reusable workflow as a step?
- Do I need authentication as well as signing keys on Github?
- GitHub breaks Visual Studio indentation
- git: create tag and push to remote: why tag is behind master on remote?
- How to rename main branch to master on a Github repository
- How to use gitignore command in git
- Github Search: how to search in multiple languages
- Get connectionString value from az storage account show in github action
- How to share dependencies installation with reusable workflow in github actions
- GitHub folders have a white arrow on them
- Delete git LFS files not in repo
- The url I created with '/gist' appears broken inside the issue
- Inline code syntax highlighting in GitHub markdown?
- Vite (react) project after building, dist folder/assets don't have any image
- Cannot upload files for release in Github
- Why doesn't my SSH key work for connecting to github?
- How do I update or sync a forked repository on GitHub?
- git lost master branch
- Checking if GitHub is blocked by organisation network
- Error fatal: credential-cache unavailable; no Unix socket support
- What is a subproject commit?
- workflow_run use files from current branch
- How to add my current project to an already existing GitHub repository
- GitHub: Permission denied (publickey). fatal: Could not read from remote repository
- How do I get git to default to ssh and not https for new repositories
- Delete a workflow from GitHub Actions
- Invoke github composite action within same repo