SAML Plan Rollout

Week 0

Week 1

  • GitHub purchased + upgraded
  • Configure testing
    • Cloud: For GHEC, you can create a new org within your Enterprise to use for testing, or use a current org but do not switch on the “enforce” option. Once SAML is successfully configured, users will see an “authenticate with saml” banner, so a separate org might be needed to avoid users seeing this.
    • Server: For GHES, we recommend using a test/staging instance, as there is no option to enable SAML without enforcing it; once enabled, all users will need to authenticate through SAML.
  • Begin manager communication, ideally at Engineering Managers Meeting
  • Create documentation plan for tracking information about users, admins, and bot accounts

Week 2

Audit Users

Testing & Initial Configuration

Communication

  • Begin user communication
  • Message inactive Admins to ensure that they do not need access before downgrading
  • Identify pool of test users and bots based on manager and engineer feedback

Week 3

Week 4

Week 5

  • Audit for adoption
    • GHEC: script to run via GraphQL
    • Server: When you click the button, you will be prompted with a list of users who do not yet have it enabled and asked if you are sure you want to enforce
  • Resolve unverified accounts
  • Prepare response team for SAML enforcement
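
One way the GHEC adoption audit could be scripted, as an added example that is not this plan's own script: it pages through the org's linked SAML identities via GraphQL and reports members with no linked identity. The `run_query` transport callable, the member list, and all sample data are assumptions constructed for illustration.

```python
# Added example. QUERY uses GitHub's GraphQL samlIdentityProvider.externalIdentities.
QUERY = """
query($org: String!, $cursor: String) {
  organization(login: $org) {
    samlIdentityProvider {
      externalIdentities(first: 100, after: $cursor) {
        pageInfo { hasNextPage endCursor }
        nodes { user { login } samlIdentity { nameId } }
      }
    }
  }
}
"""

def linked_logins(run_query, org):
    """Return {login: nameId} for every GitHub user with a linked SAML identity.
    run_query(query, variables) -> dict is a hypothetical transport callable."""
    linked, cursor = {}, None
    while True:
        data = run_query(QUERY, {"org": org, "cursor": cursor})["data"]
        idp = data["organization"]["samlIdentityProvider"]
        if idp is None:  # SAML is not configured on this org
            raise RuntimeError(f"no SAML identity provider on {org}")
        conn = idp["externalIdentities"]
        for node in conn["nodes"]:
            # user is null when the IdP identity exists but nobody has linked it yet
            if node["user"] and node["samlIdentity"]:
                linked[node["user"]["login"].lower()] = node["samlIdentity"]["nameId"]
        if not conn["pageInfo"]["hasNextPage"]:
            return linked
        cursor = conn["pageInfo"]["endCursor"]

def unlinked_members(members, linked):
    """Org members (users or bot accounts) who would lose access on enforcement."""
    return sorted(m for m in members if m.lower() not in linked)

# Constructed two-page API response and member list (not real data).
def _node(login, name_id):
    return {"user": {"login": login} if login else None, "samlIdentity": {"nameId": name_id}}

def _page(nodes, next_cursor=None):
    return {"data": {"organization": {"samlIdentityProvider": {"externalIdentities": {
        "pageInfo": {"hasNextPage": next_cursor is not None, "endCursor": next_cursor},
        "nodes": nodes}}}}}

PAGES = {None: _page([_node("alice", "alice@example.com"), _node(None, "erin@example.com")], "c1"),
         "c1": _page([_node("Bob", "bob@example.com"), _node("dana", "dana@example.com")])}
def fake_run_query(query, variables): return PAGES[variables["cursor"]]
MEMBERS = ["alice", "bob", "ci-bot", "dana"]

if __name__ == "__main__":
    print(unlinked_members(MEMBERS, linked_logins(fake_run_query, "example-org")))
```
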

Week 6

  • Wrap up communication
  • Rollout / SSO Required in GitHub
    • Users not authed via Okta will automatically be removed from the Org and will need to auth via Okta and be manually added to the Dev Team. You can find instructions here.
    • Enforcing SAML
  • Response team available for immediate auth needs

Beyond

In the future, when a user is provisioned for GitHub in the SAML IdP, they will receive a GitHub Organization invite email from GitHub. The user should click on the link in the email and complete the SSO flow. This will be the standard for all new users once SAML authentication is enforced.