You can access an organization that uses SAML single sign-on (SSO) by authenticating through an identity provider (IdP). To use the API or Git on the command line with an organization that enforces SAML SSO, you will need to use an authorized personal access token over HTTPS.

SAML SSO helps you maintain control of your identity and 
contributions, while giving organizations a centralized and secure way of 
controlling access to their resources on GitHub. When you join an organization that uses SAML SSO, you sign in through the organization's IdP and your existing GitHub account is linked to an external identity that belongs to the organization. This external identity is separate from, but related to, your GitHub account and is used to control access to the organization's resources like
 repositories, issues, and pull requests.

If you have an active SAML session in your browser, you are automatically authorized when you access a GitHub organization that uses SAML SSO. If you don't have an active SAML session in your browser, you must enter the credentials for your SAML identity provider before you can access the organization.

GitHub supports these identity providers for SAML SSO:

  • Azure Active Directory (Azure AD)
  • Okta
  • OneLogin
  • PingOne
  • Shibboleth
  • Custom applications

Note: Outside collaborators aren't required to have an external (SAML) identity to access an organization that uses SAML SSO.

You must periodically log in to your SAML provider to authenticate and gain access to the organization's resources on GitHub. The duration of this login period is specified by your IdP and is generally 24 hours. This periodic login requirement limits the length of access and requires you to re-identify yourself to continue. You can view and manage your active SAML sessions in your security settings.

To use the API or Git on the command line to access protected content in an organization that uses SAML SSO, you will need to use an authorized personal access token over HTTPS. OAuth App access tokens are authorized by default. You cannot use SSH to access organizations that use SAML SSO.

If you don't have a personal access token, you can create a personal access token for the command line. To use a new or existing personal access token with an organization that enforces SAML SSO, you will need to authorize the token for use with a SAML SSO organization.

Further reading