About identity and access management with SAML single sign-on
Using Security Assertion Markup Language (SAML) web browser single sign-on (SSO), administrators can use an identity provider to manage the identities of their users and the applications they use. Organization members can authenticate with an identity provider that grants access to your GitHub organization.
SAML single sign-on is available with GitHub Enterprise Cloud. For more information, see "GitHub's products."
About SAML SSO
With SAML SSO, organization administrators can invite members to connect their existing GitHub user accounts to a supported IdP. SAML SSO gives organizations a centralized and secure way of controlling access to their resources on GitHub and helps organization members maintain control of their identity and contributions.
Organization members sign in through the organization's IdP, and their existing GitHub account is linked to an external identity that belongs to the organization. This external identity is separate from, but related to, their GitHub account and is used to control access to the organization's resources like repositories, issues, and pull requests.
Note: Outside collaborators aren't required to have an external (SAML) identity to access an organization that uses SAML SSO.
Organization members must periodically log in to the SAML provider to authenticate and gain access to the organization's resources on GitHub. The duration of this login period is specified by your IdP and is generally 24 hours. This periodic login requirement limits the length of access and requires users to re-identify themselves to continue.
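As an added illustration that is not part of this documentation or GitHub's own code, the following Python shows what the service-provider side does with the assertion described above: it extracts the NameID that becomes the member's external identity, checks the assertion's validity window and intended audience, and reads the SessionNotOnOrAfter value that bounds how long the SAML session lasts before the member must sign in to the IdP again. The SAML Response is constructed inline, the IdP address and the audience value are placeholders, and XML signature verification is assumed to have been performed by the SAML library before this step.

```python
"""Check the time and audience conditions of a SAML 2.0 assertion.

Added example, not GitHub's code. Signature verification is assumed to
happen before this function runs; only the assertion's conditions and
session lifetime are checked here.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal IdP response carrying a 24-hour session.
# The issuer and audience URLs are placeholders, not real endpoints.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">octocat@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://github.com/orgs/EXAMPLE-ORG</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"
        SessionNotOnOrAfter="2024-01-02T12:00:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value: str) -> datetime:
    """SAML timestamps are ISO 8601 in UTC; normalise the trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text: str, expected_audience: str, now: datetime) -> dict:
    """Return the external identity and session bounds, or raise ValueError."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    cond = assertion.find("saml:Conditions", NS)
    if not name_id or cond is None:
        raise ValueError("assertion lacks a NameID or Conditions element")

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_ts(not_before):
        raise ValueError("assertion is not yet valid")
    if not_on_or_after and now >= parse_ts(not_on_or_after):
        raise ValueError("assertion has expired")

    # The assertion must name this organization as its audience; an assertion
    # minted for another relying party is rejected even if otherwise valid.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this audience")

    # SessionNotOnOrAfter is the IdP-specified point at which the member must
    # re-authenticate with the IdP to keep access to organization resources.
    authn = assertion.find("saml:AuthnStatement", NS)
    session_end = None
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        session_end = parse_ts(authn.get("SessionNotOnOrAfter"))
        if now >= session_end:
            raise ValueError("SAML session has already ended")

    return {
        "name_id": name_id,
        "session_index": authn.get("SessionIndex") if authn is not None else None,
        "session_seconds_left": (session_end - now).total_seconds() if session_end else None,
    }


if __name__ == "__main__":
    result = check_assertion(
        SAMPLE_RESPONSE,
        "https://github.com/orgs/EXAMPLE-ORG",
        parse_ts("2024-01-01T12:01:00Z"),
    )
    print(result)
```

The `now` parameter is passed in rather than read from the clock so the check is deterministic; in production it would be the current UTC time, and a replay cache keyed on the assertion ID would be consulted alongside these checks.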
To access the organization's protected resources using the API and Git on the command line, members will be required to create and use personal access tokens. Organization administrators can revoke the access token at any time. For more information, see "Viewing and revoking organization members' authorized access to tokens."
SAML SSO can be disabled, enabled but not enforced, or enabled and enforced. For more information on setting up and enforcing SAML SSO for your GitHub organization, see "Connecting your identity provider to your organization" and "Enforcing SAML single sign-on for your organization."
Supported SAML services
We offer limited support for all identity providers that implement the SAML 2.0 standard. We officially support these identity providers that have been internally tested:
- Active Directory Federation Services (AD FS)
- Azure Active Directory (Azure AD)
If your IdP supports SCIM, members are automatically invited to join the GitHub organization when access is provisioned in your IdP and will be automatically removed from the GitHub organization when their access is removed from your IdP.
GitHub does not support SAML Single Logout. To terminate an active SAML session, users should log out directly on your SAML server.
Adding members to an organization using SAML SSO
After you enable SAML SSO, there are multiple ways you can add new members to your organization. Organization owners can invite new members manually on GitHub or using the API. For more information, see "Inviting users to join your organization" and "Members" in the GitHub Developer documentation.
You can use team synchronization to automatically add and remove team members in an organization through an identity provider. For more information, see "Synchronizing teams between your identity provider and GitHub."
To provision new users without an invitation from an organization owner, you can use the URL https://github.com/orgs/ORGANIZATION/sso/sign_up, replacing ORGANIZATION with the name of your organization. For example, you can configure your IdP so that anyone with access to the IdP can click a link on the IdP's dashboard to join your GitHub organization.
If your IdP supports SCIM, new users in your IdP can be added automatically to your organization on GitHub. For more information, see "About SCIM."