Merge pull request #683 from github/graphql-saml-query-updates

Updating the GraphQL queries for enterprise and org member data (saml identities, scim identities, emails for EMUs)

Author: stacycarter

graphql/queries/12-members-with-scim-identity-org.graphql

@@ -0,0 +1,23 @@
+# This GraphQL query will print a list of all EMU (Enterprise Managed User) member email addresses, usernames, and display names in an enterprise.
+# This query will not work properly for enterprises that do not use EMUs, as non-EMU enterprises contain personal user accounts and therefore email addresses may be private depending on the user profile configuration. 
+
+{
+  enterprise(slug: "enterprise slug") {
+    members(first: 100) {
+      nodes {
+        ... on EnterpriseUserAccount {
+          login
+          name
+          user {
+            email
+          }
+          organizations(first: 10) {
+            nodes {
+              login
+            }
+          }
+        }
+      }
+    }
+  }
+}

graphql/queries/13-members-with-scim-identity-enterprise.graphql

@@ -0,0 +1,31 @@
+# For GitHub Enterprise Cloud enterprises that have SAML configured at the enterprise level, this query will print a list of the first 100 SAML identities (specifically the `nameId` attribute value) in the enterprise and the linked GitHub username (if the SAML identity is linked).
+# An email address often gets used for the SAML `nameId` value, but this is not always the case. 
+# If the Identity Provider has sent an `emails` attribute/value in a previous SAML response for enterprise member(s), it also possible to add the `emails` attribute in the `samlIdentity` section right below `nameID` and query for this SAML identity attribute value as well. 
+# If there are a large number of identities/users (greater than 100), pagination will need to be used. See https://graphql.org/learn/pagination/ for details on pagination. 
+ 
+query listSSOUserIdentities ($enterpriseName:String!) {
+  enterprise(slug: $enterpriseName) {
+    ownerInfo {
+      samlIdentityProvider {
+        externalIdentities(first: 100) {
+          totalCount
+          edges {
+            node {
+              guid
+              samlIdentity {
+                nameId
+              }
+              user {
+                login
+              }
+            }
+          }
+          pageInfo {
+            hasNextPage
+	    endCursor
+          }
+        }
+      }
+    }
+  }
+}

graphql/queries/emu-list-enterprise-member-email-addresses.graphql

@@ -0,0 +1,27 @@
+# For GitHub Enterprise Cloud organizations that have SAML configured at the organization level, this query will print out a list of the first 100 SAML identities (specifically the `nameid` attribute value in these SAML identities) in the organization and the GitHub username linked to them.
+# This query can be used to see which users in a GitHub Enterprise Cloud organization have a linked SAML identity.
+# This query will not print out a user username (`login`) value if there is not a GitHub user account linked to this SAML identity. 
+# If there are a large number of identities/users (greater than 100), pagination will need to be used. See https://graphql.org/learn/pagination/ for details on pagination. 
+
+
+query OrgSAMLidentities {
+  organization(login: "organization name") {
+    samlIdentityProvider {
+      externalIdentities(first: 100) {
+        edges {
+          node {
+            samlIdentity {
+              nameId
+            }
+            user {
+              login
+            }
+          }
+        }
+        pageInfo {
+          endCursor
+        }
+      }
+    }
+  }
+}

graphql/queries/enterprise-sso-member-details.graphql

@@ -0,0 +1,38 @@
+# For GitHub Enterprise Cloud enterprises that are using Enterprise Managed Users (EMUs) and have Azure AD OIDC setup in the enterprise authentication settings, this query will print a list of the first 100 SCIM identities and their GitHub usernames.
+# The SCIM identity attributes displayed in the query results will include the SCIM `username`, the first (`givenName`) and last (familyName`) name, and the `emails` attribute value. 
+# The SCIM identity attributes that are stored in a GitHub EMU enterprise are based on the attributes that the external Identity Provider has previously sent for each user via the SCIM integration which leverages the GitHub EMU SCIM API.
+# The query will not work for EMU enterprises that are using SAML as the enterprise authentication method. 
+ 
+{
+  enterprise(slug: "enterprise slug") {
+    ownerInfo {
+      oidcProvider {
+        id
+        providerType
+        tenantId
+        externalIdentities(first: 100) {
+          totalCount
+          edges {
+            node {
+              scimIdentity {
+                username
+                givenName
+                familyName
+                emails {
+                  primary
+                  type
+                  value
+                }
+              }
+              user {
+                login
+                name
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
+

graphql/queries/saml-identities-enterprise-level.graphql

@@ -0,0 +1,31 @@
+# For GitHub Enterprise Cloud enterprises that are using Enterprise Managed Users (EMUs) and SAML authentication, this GraphQL query will print a list (first 100 in this example) of the SCIM identities (specifically, the SCIM `username` attribute) and the linked GitHub usernames.
+# This query will not work for enterprises that do not use EMUs, as SCIM provisioning cannot be enabled at the enterprise level for enterprises that do not use EMUs.j
+# Modifying this query to also show member SAML identities will not work for EMU enterprises, since SAML identities are not currently stored for enterprises that use EMUs. 
+# This query will also not work for EMU enterprises that are using Azure AD OIDC for authentication. 
+# If there are a large number of identities/users (greater than 100), pagination will need to be used. See https://graphql.org/learn/pagination/ for details on pagination. 
+
+query {
+  enterprise(slug: "enterprise slug") {
+    ownerInfo {
+      samlIdentityProvider {
+        externalIdentities(first: 100) {
+          pageInfo {
+            hasNextPage
+            endCursor
+          }
+          edges{
+            node{
+              scimIdentity {
+                username
+              }
+              user {
+                login
+                name
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

graphql/queries/saml-identities-single-organization.graphql

@@ -0,0 +1,33 @@
+# For GitHub Enterprise Cloud organizations that are in an enterprise and have SAML and SCIM configured at the organization level, this query will print out a list of the first 100 SCIM identities (specifically the `username` attribute value in these SCIM identities) in the first 100 organizations in the enterprise.
+# The query will also print out the linked GitHub username, if the SCIM identity is linked to a user. A SCIM identity can be unlinked if a user has not logged in with their GitHub.com user account, accepted the invitation and authenticated via SAML to link their SAML/SCIM identity.
+# This query will not print out a SCIM identity (`username` attribute) for members if an organization is not using SCIM provisioning, or if a user does not have a linked SCIM identity. 
+# This query will not work for GitHub Enterprise Cloud enterprises that are using Enterprise Managed Users (EMUs). 
+
+query ($enterprise: String!) {
+  enterprise(slug: $enterprise) {
+    organizations(first: 100) {
+      nodes {
+        samlIdentityProvider {
+          ssoUrl
+          externalIdentities(first: 100) {
+            edges {
+              node {
+                user {
+                  login
+                  email
+                }
+                scimIdentity {
+                  username
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
+variables {
+  "enterprise": "enterprise"
+}

graphql/queries/scim-emu-enterprises-list-scim-identities.graphql

@@ -0,0 +1,28 @@
+# For GitHub Enterprise Cloud organizations that have SAML and SCIM provisioning configured at the organization level, this query will print out a list of the first 100 SCIM identities (specifically the `username` attribute value in these SCIM identities) in the organization.
+# The query will also print out the linked GitHub username, if the SCIM identity is linked to a user. A SCIM identity can be unlinked if a user has not logged in with their GitHub.com user account, accepted the invitation and authenticated via SAML to link their SAML/SCIM identity.
+# This query will not print out a SCIM identity (`username` attribute) for members if an organization is not using SCIM provisioning, or if a user does not have a linked SCIM identity. 
+
+
+query ($organization: String!) {
+  organization(login: $organization) {
+    samlIdentityProvider {
+      ssoUrl
+      externalIdentities(first: 100) {
+        edges {
+          node {
+            user {
+              login
+            }
+            scimIdentity {
+              username
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
+variables {
+  "organization": "github"
+}