Service Accounts for GitHub Enterprise Cloud


Service accounts are user accounts that an application or service uses to authenticate to GitHub. Unlike a normal user account, service accounts are not associated with an individual person, but otherwise function just like a user account. Service accounts are very useful for automated systems where actions are performed by computers rather than humans.

Service accounts must be approved by the NC State GitHub Service Team before they are available for use in GitHub.

Service accounts are audited once a year by the NC State GitHub Service Team to ensure inactive accounts are disabled and removed.

Setting Up a Service Account for use with GitHub

The NC State GitHub Enterprise Cloud service uses the campus Active Directory (AD) service as its authentication provider; therefore, an account must exist in AD in order to log in to GitHub. Active Directory OU Admins can create service accounts within their OU, so work with your local IT staff to create the account in AD. According to the NC State Active Directory Service Team, all service accounts should use the following naming convention: <DEPT>.<SERVICENAME>.svc

Note that there is a functional 20-character limit on the account name for it to successfully authenticate to GitHub.

Be sure to set the domain for the User Principal Name to "@ncsu.edu" instead of "@wolftech.ad.ncsu.edu".

We recommend setting a useful Display Name for the account, which will appear in GitHub when viewing the account.

Once the account has been created in Active Directory, please submit a request to the NC State Help Desk to grant the account access to GitHub. Please include the name of the service account and a brief description of how the account will interact with GitHub in your request.

Further instructions will be given in your ticket to finalize the on-boarding process for the service account.

Note that when changing any attributes, it takes up to 90 minutes for the changes to be reflected in GitHub.

Password changes and User Principal Name changes may take up to 30 minutes to take effect when logging in.

Logging in to GitHub Enterprise Cloud

1. Go to https://github.com/ncstate-community

2. You should see a prompt for "Single sign-on to North Carolina State University". Click the green Continue button.

3. You will be redirected to an Entra ID login for NC State. Log in by following the on-screen instructions.

  3a. Your account name will be your service-account username, followed by "@ncsu.edu".

  3b. Some older service-accounts have their User Principal Name (UPN) set to "@wolftech.ad.ncsu.edu" in AD. These accounts will use @wolftech.ad.ncsu.edu instead of @ncsu.edu when logging in. It is recommended to change the UPN for the account in AD to use "@ncsu.edu" when possible.

7. After entering your password, you'll be prompted to "Verify your identity". Click "Approve with NCSU Duo".

8. Follow the on-screen instructions to verify your identity via Duo. Note that you may need to choose a different option if there are multiple devices enrolled for the account.

9. You will be redirected back to github.com, logged in to your NC State GitHub service account.

Setting up the Account Profile

After logging in for the first time as the Service Account in GitHub, we recommend making the following changes to the User Profile:

When configuring notifications, be sure that the email address associated with the account can receive emails, or disable notifications.

Configuring Access

After setting up the account profile, you'll likely want to add SSH keys or generate Personal Access Tokens (PAT) to allow automation access. 

Note that each SSH Key or PAT will need to be additionally authorized for SSO for each organization the key/token will need to access.

It is recommended to first add the service account to all organizations where it will be used, so you can authorize all organizations at once.

Best Practices

Please follow the Principle of Least Access, and only grant your service account the minimum permissions required to perform its tasks.

Additionally, be mindful of rate limiting when configuring automation to talk to the GitHub API.
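
The following is an added example, not NC State's or GitHub's own code. It shows how automation running as the service account can tell a token that is missing SSO authorization (see Configuring Access) apart from a rate limit by reading response headers. It relies on GitHub's documented X-GitHub-SSO, retry-after and x-ratelimit-* response headers; the function names, the Verdict type and the sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Verdict:
    kind: str              # ok | sso_required | sso_partial | rate_limited | error
    wait_seconds: int = 0  # how long to pause before retrying
    detail: str = ""       # authorization URL, organization ids, or HTTP status

def _parse_sso(value):
    """Split 'required; url=...' into (state, {param: value})."""
    state, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        key, sep, val = part.strip().partition("=")  # split on first '=' only
        if sep:
            params[key.lower()] = val.strip()
    return state.strip().lower(), params

def classify(status, headers, now):
    """Classify one GitHub REST API response. `now` is epoch seconds."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-github-sso" in h:
        state, params = _parse_sso(h["x-github-sso"])
        if state == "required":
            # Token or key not authorized for this organization: retrying is useless.
            return Verdict("sso_required", detail=params.get("url", ""))
        if state == "partial-results":
            # Request succeeded but data from these organization ids was omitted.
            return Verdict("sso_partial", detail=params.get("organizations", ""))
    if status in (403, 429):
        if "retry-after" in h:
            return Verdict("rate_limited", int(h["retry-after"]), "retry-after")
        if h.get("x-ratelimit-remaining") == "0":
            wait = max(0, int(h.get("x-ratelimit-reset", now)) - now)
            return Verdict("rate_limited", wait, "x-ratelimit-reset")
    if 200 <= status < 300:
        return Verdict("ok")
    return Verdict("error", detail=f"HTTP {status}")

if __name__ == "__main__":
    # Constructed sample responses (status, headers); not captured from a real org.
    samples = [
        (403, {"X-GitHub-SSO": "required; url=https://github.com/orgs/EXAMPLE-ORG/sso?authorization_request=PLACEHOLDER"}),
        (200, {"X-GitHub-SSO": "partial-results; organizations=111,222"}),
        (403, {"x-ratelimit-remaining": "0", "x-ratelimit-reset": "1090"}),
        (429, {"Retry-After": "60"}),
    ]
    for status, headers in samples:
        print(classify(status, headers, now=1000))
```

A "sso_partial" verdict on an otherwise successful response is the case to alert on: the job appears to work while silently missing data from organizations the token was never authorized for.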