Using Security Assertion Markup Language (SAML) web browser single sign-on (SSO), administrators can use an identity provider to manage the identities of their users and the applications they use. Organization members can authenticate with an identity provider that grants access to your GitHub organization.

Note: This feature is only available on GitHub Business Cloud. For more information, see "Organization billing plans."

With SAML SSO, organization administrators can invite members to connect their existing GitHub user accounts to a supported identity provider (IdP). SAML SSO gives organizations a centralized and secure way of controlling access to their resources on GitHub and helps organization members maintain control of their identity and contributions. Organization members sign in through the organization's IdP and their existing GitHub account is linked to an external identity that belongs to the organization. This external identity is separate from, but related to, their GitHub account and is used to control access to the organization's resources like repositories, issues, and pull requests.

We offer limited support for all identity providers that implement the SAML 2.0 standard. We officially support these identity providers that have been internally tested:

  • Azure Active Directory (Azure AD)
  • Okta
  • OneLogin
  • PingOne
  • Shibboleth

SAML SSO can be disabled, enabled but not enforced, or enabled and enforced. For more information on setting up and enforcing SAML SSO for your GitHub organization, see "Connecting your identity provider to your organization" and "Enforcing SAML single sign-on for your organization."

You must periodically log in to your SAML provider to authenticate and gain access to the organization's resources on GitHub. The duration of this login period is specified by your IdP and is generally 24 hours. This periodic login requirement limits the length of access and requires you to re-identify yourself to continue.

Note: Outside collaborators aren't required to have an external (SAML) identity to access an organization that uses SAML SSO.

Members will be required to authorize personal access tokens to access the organization's protected resources using the API and Git on the command line. Organization administrators can revoke the access token at any time. For more information, see "Viewing and revoking organization members' authorized access to tokens."
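The following is an added example, not part of the original page and not GitHub's own code. It shows how an API client can tell "this token has not been authorized for the SAML-protected organization" apart from an ordinary permission error. It assumes the `X-GitHub-SSO` response header described in GitHub's REST API documentation (not mentioned on this page); the function names, the organization name and the sample responses are constructed.

```python
"""Classify GitHub REST API responses affected by SAML SSO token authorization."""
from urllib.parse import urlparse


def parse_sso_header(value):
    """Split an X-GitHub-SSO value into (state, params)."""
    state, _, rest = value.partition(";")
    params = {}
    for part in rest.split(";"):
        key, sep, val = part.strip().partition("=")  # first '=' only: URLs contain '='
        if sep:
            params[key.strip()] = val.strip()
    return state.strip().lower(), params


def classify(status, headers):
    """Describe what the caller should do about SSO for one API response."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    raw = hdrs.get("x-github-sso")
    if raw is None:
        return {"sso": "not_signalled"}
    state, params = parse_sso_header(raw)
    if state == "required" and status == 403:
        url = params.get("url", "")
        parsed = urlparse(url)
        # Assumption: github.com-hosted organization. Only surface an
        # authorization link that is HTTPS on github.com; drop anything else.
        trusted = parsed.scheme == "https" and parsed.hostname == "github.com"
        return {"sso": "token_not_authorized", "authorize_url": url if trusted else None}
    if state == "partial-results":
        # Results were filtered: these organization IDs were left out because
        # the token is not authorized for them.
        orgs = [o.strip() for o in params.get("organizations", "").split(",") if o.strip()]
        return {"sso": "partial_results", "hidden_org_ids": orgs}
    return {"sso": "unrecognized", "raw": raw}


# Constructed sample responses (status, headers); no network access is needed.
SAMPLES = [
    (403, {"X-GitHub-SSO": "required; url=https://github.com/orgs/example-org/sso?authorization_request=CONSTRUCTED"}),
    (200, {"x-github-sso": "partial-results; organizations=1111,2222"}),
    (403, {"X-GitHub-SSO": "required; url=http://login.example.net/sso"}),
    (404, {"Content-Type": "application/json"}),
]

if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, classify(status, headers))
```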

Note: If your IdP supports SCIM, members are automatically invited to join the GitHub organization when access is provisioned in your IdP and will be automatically removed from the GitHub organization when their access is removed from your IdP.
