Any organization GitHub account linked to the WB enterprise account will use what is called SSO when authenticating a user. What SSO means in practice differs depending on whether you use a World Bank owned or a personally owned computer. If you are following the instructions below on a World Bank managed device, then SSO is automatic. You will be redirected to a page and then automatically redirected back to the page you tried to access.
However, if you are using a personal device, then you will be redirected to the same page, but at that page you will be asked to log in to your World Bank account. Typically you will use your YubiKey to log in to your World Bank account. This should work for most of the use cases listed below. The one use case we know does not work is the GitHub mobile app. SSO authentication will only work in the app on World Bank owned cell phones. You can always use the app to access repositories that are not hosted on a World Bank owned account.
Accessing any non-public page on an account migrated to the WB Enterprise Account requires SSO login. If you are connecting from a WB computer, then the SSO will be automatic. If you are connecting from a personal computer, then you need to log in using your YubiKey.
SSO login is not required for external collaborators.
Repos hosted on the WB Enterprise Account can be accessed in the GitHub app (iOS app/Android app) after you have logged out and logged in again. When logging in again you will be asked to authenticate accounts hosted in the Enterprise plan.
On a WB managed smart phone you can just click authenticate and the SSO authentication is automatic.
We are currently working on a solution for personal smart phones.
The first time you push to an account migrated to the WB Enterprise Account using GitHub Desktop, you will need to log out and log in again in GitHub Desktop. If you do not do this, you will get an error that you do not have access to that repository.
To do this, go to GitHub Desktop. Then go to File -> Options -> Account.
Select GitHub.com and sign out and then sign in again.
You will then be able to push to the repository.
This does not apply to external collaborators.
The first time you push to an account migrated to the WB Enterprise Account using Git Bash/Git CLI, you will need to refresh your credentials.
This does not apply to external collaborators.
To do so on a Windows computer, follow these instructions:
- Search for "Credential Manager" in the Windows menu
- Look in the "Windows Credentials" tab for the `git:https://github.com` item
- Expand that item and click "Remove"
- Go back to Git Bash/Git CLI and run any command that needs authentication: `git push`, `git pull` (on a private repo), etc.
- Follow the authentication steps.
To access your GitHub account, you will need to use SSH instead of a username/password combination. This is because GitHub is phasing out username/password authentication from Git Bash.
If you are already familiar with SSH keys and have been using them, you can skip to step 4.
- (optional) Read this article about SSH keys: link.
- Run `ls -al ~/.ssh` to check if you already have a valid SSH key set up. You can find more details and a list of what SSH keys are valid for GitHub here.
  - If you do not have a key in a format that GitHub will accept, you can create one by following these instructions: link.
- Add the SSH key to your GitHub account by following these instructions: link.
- Authenticate this key to be used on accounts managed by the WB Enterprise account. Go to the SSH and GPG key page on your GitHub account: link.
  - For the key you want to authenticate in the WB Single Sign-On, click the `Configure SSO` button and select the account you want to use this key for. (Note that you first need to be a member of the account for it to appear there).
  - After selecting the account, you need to log in to the WB intranet. If you are not using a WB computer (virtual or physical), you need to use your YubiKey. This step only needs to be done once for each new key.
- Configure your repository to use SSH instead of HTTPS. If you are asked for a username/password when accessing a repository, it means the repository is set to HTTPS. To switch to SSH, use the following command: `git remote set-url origin git@github.com:<ACCOUNTNAME>/<REPOSITORY>.git`. Replace `<ACCOUNTNAME>` with the name of the WB Enterprise managed GitHub account, and `<REPOSITORY>` with the name of the repository. Unfortunately, you need to do this once per repository.
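
Since the HTTPS-to-SSH switch has to be repeated for every repository, it can be scripted. The following is an added example, not part of the original instructions; the function names `https_to_ssh` and `switch_repos_to_ssh` and the layout of one folder containing your clones are assumptions. It also drops any credentials embedded in an old HTTPS remote URL, which would otherwise stay in plain text in `.git/config`.

```shell
#!/bin/sh
# Added example: rewrite github.com HTTPS remotes to SSH form.

# Print the SSH form of a github.com HTTPS remote URL.
# Returns 1 for anything else (already SSH, another host, malformed path).
https_to_ssh() {
  local url="$1" rest authority host path
  case "$url" in
    https://*/*) rest="${url#https://}" ;;
    *) return 1 ;;
  esac
  authority="${rest%%/*}"   # github.com, or user:token@github.com
  host="${authority##*@}"   # drop embedded credentials, keep the host
  [ "$host" = "github.com" ] || return 1
  path="${rest#*/}"
  path="${path%/}"
  path="${path%.git}"
  case "$path" in
    ""|/*|*/|*/*/*) return 1 ;;   # must be exactly <ACCOUNTNAME>/<REPOSITORY>
    */*) printf 'git@github.com:%s.git\n' "$path" ;;
    *) return 1 ;;
  esac
}

# Switch "origin" to SSH in every clone directly under the given folder.
# The old URL is never printed, because it may contain a token.
switch_repos_to_ssh() {
  local root="$1" gitdir repo old new
  for gitdir in "$root"/*/.git; do
    [ -d "$gitdir" ] || continue
    repo="${gitdir%/.git}"
    old="$(git -C "$repo" remote get-url origin 2>/dev/null)" || continue
    if new="$(https_to_ssh "$old")"; then
      git -C "$repo" remote set-url origin "$new"
      printf '%s: origin now %s\n' "$repo" "$new"
    fi
  done
}

# Usage: sh switch-remotes.sh /path/to/folder/with/clones
if [ "$#" -gt 0 ]; then switch_repos_to_ssh "$1"; fi
```

Run `git remote -v` in a repository afterwards to confirm that origin now starts with `git@github.com:`.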
Access tokens can be used in scripts to authenticate a GitHub user on GitHub.com. However, in order for a token to work on a repo hosted on a WB Enterprise managed account, the token needs to be added to the WB Single Sign-On. Follow these instructions to do so:
- Go to the access token page on your account: https://github.com/settings/tokens
- For the token you want to use on the WB Enterprise hosted repo, click `Configure SSO`.
- Select the account you want to use this key for. (Note that you first need to be a member of the account for it to appear there).
- After selecting the account, you need to log in to the WB intranet. If you are not using a WB computer (virtual or physical), you need to use your YubiKey. This step only needs to be done once for each new key.
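
When a script fails because its token has not been through the steps above, the GitHub REST API says so in an `X-GitHub-SSO` response header. The following added example (not part of the original instructions) classifies saved response headers; the function names and the sample response, including its `example-org` URL, are constructed for illustration.

```shell
#!/bin/sh
# Added example: read GitHub REST API response headers on stdin, e.g. saved with
#   curl -sS -D headers.txt -o /dev/null -H "Authorization: Bearer $TOKEN" <API URL>
# Prints one of:
#   required <url>      the token must be authorized for SSO at <url>
#   partial <org ids>   results from these organizations were withheld
#   ok                  no X-GitHub-SSO header in the response
sso_status() {
  tr -d '\r' | awk '
    {
      colon = index($0, ":")
      if (colon == 0) next                      # status line or blank line
      name = tolower(substr($0, 1, colon - 1))  # header names are case-insensitive
      if (name != "x-github-sso") next
      value = substr($0, colon + 1)
      sub(/^[ \t]+/, "", value)
      if (value ~ /^required;/) {
        sub(/^required;[ \t]*url=/, "", value)
        print "required " value
      } else if (value ~ /^partial-results;/) {
        sub(/^partial-results;[ \t]*organizations=/, "", value)
        print "partial " value
      } else {
        print "unknown " value
      }
      found = 1
      exit
    }
    END { if (!found) print "ok" }
  '
}

# Constructed sample: headers of a 403 for a token not yet authorized for SSO.
sample_sso_headers() {
  printf 'HTTP/2 403\r\n'
  printf 'content-type: application/json; charset=utf-8\r\n'
  printf 'x-github-sso: required; url=https://github.com/orgs/example-org/sso?authorization_request=PLACEHOLDER\r\n'
  printf '\r\n'
}

# Usage: sh sso-status.sh < headers.txt    (with no input file: the sample)
if [ -t 0 ]; then sample_sso_headers | sso_status; fi
```

A `required` result means the token still needs `Configure SSO` for that account; opening the printed URL in a browser starts the same authorization.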
The first time you push to an account migrated to the WB Enterprise Account using an IDE that uses Git Bash/Git CLI, you will need to follow the instructions in the Git Bash/Git CLI section above.
This does not apply to external collaborators.
The first time you push to an account migrated to the WB Enterprise Account using GitKraken, you will, similarly to GitHub Desktop, need to log out and log in again in GitKraken.
To do so, go to File -> Preferences -> Integration -> GitHub and then click Disconnect.
Then log in again.
This does not apply to external collaborators.