You can access an organization that uses SAML single sign-on (SSO) by authenticating through an identity provider (IdP). To use the API or Git on the command line with an organization that enforces SAML SSO, you will need to use an authorized SSH key or an authorized personal access token over HTTPS.

SAML SSO helps you maintain control of your identity and 
contributions, while giving organizations a centralized and secure way of 
controlling access to their resources on GitHub. When you join an organization that uses SAML SSO, you sign in through the organization's IdP and your existing GitHub account is linked to an external identity that belongs to the organization. This external identity is separate from, but related to, your GitHub account and is used to control access to the organization's resources like
 repositories, issues, and pull requests.

If you have an active SAML session in your browser, you are automatically authorized when you access a GitHub organization that uses SAML SSO. If you don't have an active SAML session in your browser, you must enter the credentials for your SAML identity provider before you can access the organization.

GitHub supports these identity providers for SAML SSO:

  • Azure Active Directory (Azure AD)
  • Okta
  • OneLogin
  • PingOne
  • Shibboleth

We offer limited support for identity providers other than those listed.

Note: Outside collaborators aren't required to have an external (SAML) identity to access an organization that uses SAML SSO.

You must periodically log in to your SAML provider to authenticate and gain access to the organization's resources on GitHub. The duration of this login period is specified by your IdP and is generally 24 hours. This periodic login requirement limits the length of access and requires you to re-identify yourself to continue. You can view and manage your active SAML sessions in your security settings. For more information, see "Viewing and managing your active SAML sessions."

To use the API or Git on the command line to access protected content in an organization that uses SAML SSO, you will need to use an authorized personal access token over HTTPS or an authorized SSH key. OAuth App access tokens are authorized by default.

If you don't have a personal access token or an SSH key, you can create a personal access token for the command line or generate a new SSH key. For more information, see:

To use a new or existing personal access token or SSH key with an organization that enforces SAML SSO, you will need to authorize the token or authorize the SSH key for use with a SAML SSO organization. For more information, see:

Further reading