Using Security Assertion Markup Language (SAML) web browser single sign-on (SSO), administrators can use an identity provider to manage the identities of their users and the applications they use. Organization members can authenticate with an identity provider that grants access to your GitHub organization.

Note: This feature is only available on GitHub Business Cloud. For more information, see "Organization billing plans."

With SAML SSO, organization administrators can invite members to connect their existing GitHub user accounts to a supported IdP. SAML SSO gives organizations a centralized and secure way of
controlling access to their resources on GitHub and helps organization members maintain control of their identity and contributions.

Organization members sign in through the organization's IdP, and their existing GitHub account is linked to an external identity that belongs to the organization. This external identity is separate from, but related to, their GitHub account and is used to control access to the organization's resources like
 repositories, issues, and pull requests.

Note: Outside collaborators aren't required to have an external (SAML) identity to access an organization that uses SAML SSO.

Organization members must periodically log in to the SAML provider to authenticate and gain access to the organization's resources on GitHub. The duration of this login period is specified by your IdP and is generally 24 hours. This periodic login requirement limits the length of access and requires users to re-identify themselves to continue.

To access the organization's protected resources using the API and Git on the command line, members will be required to create and use personal access tokens. Organization administrators can revoke the access token at any time. For more information, see "Viewing and revoking organization members' authorized access to tokens."

SAML SSO can be disabled, enabled but not enforced, or enabled and enforced. For more information on setting up and enforcing SAML SSO for your GitHub organization, see "Connecting your identity provider to your organization" and "Enforcing SAML single sign-on for your organization."

Supported SAML services

We offer limited support for all identity providers that implement the SAML 2.0 standard. We officially support these identity providers that have been internally tested:

  • Active Directory Federation Services (AD FS)
  • Azure Active Directory (Azure AD)
  • Okta
  • OneLogin
  • PingOne
  • Shibboleth

If your IdP supports SCIM, members are automatically invited to join the GitHub organization when access is provisioned in your IdP and will be automatically removed from the GitHub organization when their access is removed from your IdP.

GitHub does not support SAML Single Logout. To terminate an active SAML session, users should log out directly on your SAML server.

Further reading