github, saml, github-api

Access linked SAML identity via the GitHub API


I'd like to get a mapping between GitHub logins and emails in my organization using the GitHub API (any version).

I can get the emails on organization members' accounts with this GraphQL query:

query { 
  organization(login:"myorg"){
    members(first:100) {
      nodes {
        login
        name
        email
      }
    }
  }
}

But this isn't the email I'm after. I really want the email on the "Linked SSO identity", which I get to from my organization page by clicking this link:

[Image: "SAML identity linked" link]

When I click this link, the desired email is listed in several places on https://github.com/orgs/myorg/people/danvk/sso.

Is it possible to access this SSO-linked email via any version of the GitHub API?


Solution

  • Organisation Level SAML

    You can access this information for accounts provisioned via SCIM*.

    query($login: String!, $ssoCursor: String) {
      organization(login: $login) {
        samlIdentityProvider {
          externalIdentities(after: $ssoCursor, first: 100) {
            totalCount
            pageInfo {
                hasNextPage
                endCursor
            }
            edges {
              node {
                user {
                  id
                  login
                }
                samlIdentity {
                  nameId
                }
              }
            }
          }
        }
      }
    }
    

    [authored by a member of GitHub's support staff] and samples available here.

    Enterprise Level SAML

    If your IdP's configured at the enterprise level, run instead:

    query($enterprise: String!, $ssoCursor: String) {
        enterprise(slug: $enterprise) {
            ownerInfo {
                samlIdentityProvider {
                    externalIdentities(after: $ssoCursor, first: 100) {
                        totalCount
                        pageInfo {
                            hasNextPage
                            endCursor
                        }
                        edges {
                            node {
                                user {
                                    id
                                    login
                                }
                                samlIdentity {
                                    nameId
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    

    Additional Info

    These GraphQL queries can be run via the GitHub CLI (download here) or in the GitHub Graph API Explorer site.

    Permissions are provided by a personal access token (PAT). You can set this up at https://github.com/settings/tokens.

    To authenticate, create an environment variable, GH_TOKEN, and set its value to the token's value (if you didn't note this when creating the token, you'll have to drop and recreate the token to get a fresh value).

    Examples of how to use the gh cli to run graphql (and other API) queries can be found here: https://cli.github.com/manual/gh_api
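
An added example, not part of the original answer: it runs the organisation-level query above to completion by following `endCursor`, and builds the login-to-`nameId` mapping the question asks for while keeping identities that have no linked GitHub user separate. The names `github_graphql`, `saml_identity_map` and `run_query` are hypothetical; the token is read from `GH_TOKEN` as described above.

```python
import json
import os
import urllib.request

# Organisation-level query from the answer above, trimmed to the fields used here.
QUERY = """
query($login: String!, $ssoCursor: String) {
  organization(login: $login) {
    samlIdentityProvider {
      externalIdentities(after: $ssoCursor, first: 100) {
        pageInfo { hasNextPage endCursor }
        edges { node { user { login } samlIdentity { nameId } } }
      }
    }
  }
}
"""

def github_graphql(query, variables):
    """POST one query to the GitHub GraphQL endpoint using the token in GH_TOKEN."""
    req = urllib.request.Request(
        "https://api.github.com/graphql",
        data=json.dumps({"query": query, "variables": variables}).encode(),
        headers={"Authorization": "bearer " + os.environ["GH_TOKEN"]},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def saml_identity_map(org, run_query=github_graphql):
    """Return ({login: nameId}, [nameIds with no linked GitHub user])."""
    linked, unlinked, cursor = {}, [], None
    while True:
        body = run_query(QUERY, {"login": org, "ssoCursor": cursor})
        if body.get("errors"):
            raise RuntimeError(body["errors"])
        idp = body["data"]["organization"]["samlIdentityProvider"]
        if idp is None:  # no organisation-level IdP data returned for this org
            raise RuntimeError("samlIdentityProvider is null for " + org)
        page = idp["externalIdentities"]
        for edge in page["edges"]:
            node = edge["node"]
            name_id = (node["samlIdentity"] or {}).get("nameId")
            if node["user"] is None:  # identity exists but no member has claimed it
                unlinked.append(name_id)
            else:
                linked[node["user"]["login"]] = name_id
        if not page["pageInfo"]["hasNextPage"]:
            return linked, unlinked
        cursor = page["pageInfo"]["endCursor"]
```

Pass a different `run_query` callable to replay saved responses instead of calling the API.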