Organization owners and admins can enable SAML single sign-on to add an extra layer of security to their organization.
Note: This feature is only available on the Business plan.
You can enable SAML SSO in your organization without requiring all members to use it. Enabling but not enforcing SAML SSO in your organization can help smooth your organization's SAML SSO adoption. Once a majority of your organization's members use SAML SSO, you can enforce it within your organization.
If you enable but don't enforce SAML SSO, organization members who choose not to use SAML SSO can still be members of the organization. For more information on enforcing SAML SSO, see "Enforcing SAML single sign-on for your organization."
Note: You must periodically log in to your SAML provider to authenticate and gain access to the organization's resources on GitHub. The duration of this login period is specified by your IdP and is generally 24 hours. This periodic login requirement limits the length of access and requires you to re-identify yourself to continue.
Prior to enforcing SAML SSO in your organization, ensure that you've set up your identity provider (IdP). For more information, see "Preparing to enforce SAML single sign-on in your organization."
Note: Outside collaborators aren't required to have an external (SAML) identity to access an organization that uses SAML SSO.
- In the top right corner of GitHub, click your profile photo, then click Your profile.
- On the left side of your profile page, under "Organizations", click the icon for your organization.
- Under your organization name, click Settings.
- In the organization settings sidebar, click Security.
- Under "SAML single sign-on", select Enable SAML authentication.
Note: After enabling SAML SSO, you can download your single sign-on recovery codes so that you can access your organization even if your IdP is unavailable. For more information, see "Downloading your organization's SAML single sign-on recovery codes."
- In the "Sign on URL" field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration.
- Optionally, in the "Issuer" field, type your SAML issuer's name. This verifies the authenticity of sent messages.
- Under "Public Certificate," paste the certificate used to sign SAML responses before they're sent.
- Click and then in the Signature Method and Digest Method drop-downs, choose the hashing algorithm used by your SAML issuer to verify the integrity of the requests.
- Before enabling SAML SSO for your organization, click Test SAML configuration to ensure that the information you've entered is correct.
Tip: When setting up SAML SSO in your organization, you can test your implementation without affecting your organization members by leaving Require SAML SSO authentication for all members of the organization name organization unchecked.
- To enforce SAML SSO and remove all organization members who haven't authenticated via your IdP, select Require SAML SSO authentication for all members of the organization name organization. For more information on enforcing SAML SSO, see "Enforcing SAML single sign-on for your organization."
- Click Save.
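Many IdPs publish the "Sign on URL", "Issuer" and "Public Certificate" values used in the steps above as a SAML metadata document. The following is an added example, not GitHub's code: it extracts the three values from such a document and flags a non-HTTPS endpoint or a missing signing certificate before you paste them into the form. The function name, `idp.example.com` and the sample metadata are assumptions constructed for illustration.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: idp.example.com is a placeholder and the certificate
# body is filler bytes, not a real X.509 certificate.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.com/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def saml_settings_from_metadata(metadata_xml):
    """Return (settings, problems) for the three fields the form asks for."""
    root = ET.fromstring(metadata_xml)  # parse only metadata from your own IdP
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {}, ["no IDPSSODescriptor: this is not IdP metadata"]
    problems = []
    sso = idp.find("md:SingleSignOnService", NS)
    url = sso.get("Location", "") if sso is not None else ""
    if urlparse(url).scheme != "https":
        problems.append(f"Sign on URL is not an HTTPS endpoint: {url!r}")
    settings = {"sign_on_url": url, "issuer": root.get("entityID", "")}
    # A KeyDescriptor without a "use" attribute applies to signing as well.
    certs = [c.text for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"
             for c in k.iterfind(".//ds:X509Certificate", NS) if c.text]
    if not certs:
        problems.append("no signing certificate in metadata")
        return settings, problems
    if len(certs) > 1:
        problems.append("several signing certificates: confirm the active one")
    der = base64.b64decode("".join(certs[0].split()))
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    settings["public_certificate"] = (
        f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----")
    # Compare with the fingerprint shown in your IdP's admin console.
    settings["cert_sha256"] = hashlib.sha256(der).hexdigest()
    return settings, problems
```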