
About identity and access management with SAML single sign-on

If you centrally manage your users' identities and applications with an identity provider (IdP), you can configure Security Assertion Markup Language (SAML) single sign-on (SSO) to protect your organization's resources on GitHub.

SAML single sign-on is available with GitHub Enterprise Cloud. For more information, see "GitHub's products."


About SAML SSO

SAML SSO gives organization owners and enterprise owners on GitHub a way to control and secure access to organization resources like repositories, issues, and pull requests.

After you configure SAML SSO, members of your GitHub organization will continue to log into their user accounts on GitHub. When a member accesses resources within your organization that uses SAML SSO, GitHub redirects the member to your IdP to authenticate. After successful authentication, your IdP redirects the member back to GitHub, where the member can access your organization's resources.

Enterprise owners can also enforce SAML SSO for all organizations in an enterprise account. For more information, see "Enforcing security settings in your enterprise account."

Note: Outside collaborators aren't required to authenticate with an IdP to access the resources in an organization with SAML SSO. For more information about outside collaborators, see "Permission levels for an organization."

Before enabling SAML SSO for your organization, you'll need to connect your IdP to your organization. For more information, see "Connecting your identity provider to your organization."

For an organization, SAML SSO can be disabled, enabled but not enforced, or enabled and enforced. After you enable SAML SSO for your organization and your organization's members successfully authenticate with your IdP, you can enforce the SAML SSO configuration. For more information about enforcing SAML SSO for your GitHub organization, see "Enforcing SAML single sign-on for your organization."

Members must periodically re-authenticate with your IdP to keep access to your organization's resources. The duration of this login period is specified by your IdP and is generally 24 hours. This periodic login requirement limits the length of a session, so you must authenticate again before you can continue.
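The session lifetime described above is something the IdP states in the assertion it returns: in SAML 2.0, the `AuthnStatement` element carries an optional `SessionNotOnOrAfter` attribute for exactly this purpose. The following Python is an added example, not code from GitHub's documentation, showing how a service provider would read the authenticated subject (`NameID`) and the IdP-stated session window from a response, and how it would decide whether a session is still active at a given time. The sample responses are constructed; the fallback to a 24-hour default when the IdP sets no limit is this example's own assumption, chosen to match the "generally 24 hours" figure above, and how GitHub itself derives its session from the assertion is not described on this page. The parser uses the standard library only for readability; a real deployment validates the signature, audience and timestamps with a SAML library before trusting any field.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 namespaces as defined by the OASIS standard.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def make_response(session_limit):
    """Build a constructed, unsigned sample response (not a real IdP's output).

    session_limit is an xs:dateTime string for SessionNotOnOrAfter, or None to
    model an IdP that states no session lifetime at all.
    """
    limit_attr = f' SessionNotOnOrAfter="{session_limit}"' if session_limit else ""
    return f"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">mona@example.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T08:00:00Z"{limit_attr}/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC xs:dateTime values with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_info(response_xml):
    """Return the authenticated subject and the IdP-stated session window.

    Only call this on a response whose signature has already been validated;
    ElementTree does no such checking.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is None:
        raise ValueError("assertion carries no AuthnStatement")
    started = parse_saml_time(authn.get("AuthnInstant"))
    limit = authn.get("SessionNotOnOrAfter")  # optional per SAML 2.0
    expires = parse_saml_time(limit) if limit else None
    hours = (expires - started).total_seconds() / 3600 if expires else None
    return {"name_id": name_id, "started": started, "expires": expires, "session_hours": hours}


def session_active(info, now, default_hours=24):
    """True while the session is valid at `now`.

    NotOnOrAfter semantics: the session is valid strictly before the limit.
    When the IdP sent no limit, this example assumes the service provider's own
    default lifetime (24 h here, matching the typical value quoted above).
    """
    expires = info["expires"] or info["started"] + timedelta(hours=default_hours)
    return now < expires


if __name__ == "__main__":
    info = session_info(make_response("2024-01-02T08:00:00Z"))
    print(info["name_id"], "session length:", info["session_hours"], "hours")
    print("active at noon on day one:",
          session_active(info, parse_saml_time("2024-01-01T12:00:00Z")))
```

Running the block prints the subject, the 24-hour session length stated by the constructed IdP response, and `True` for a check made within that window; a check at or after the `SessionNotOnOrAfter` time returns `False`, which is the point at which a user is sent back to the IdP to re-authenticate.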

To access the organization's protected resources using the API and Git on the command line, members must authorize and authenticate with a personal access token or SSH key. For more information, see "Authorizing a personal access token for use with SAML single sign-on" and "Authorizing an SSH key for use with SAML single sign-on."

The first time a member uses SAML SSO to access your organization, GitHub automatically creates a record that links your organization, the member's GitHub account, and the member's account on your IdP. You can view and revoke the linked SAML identity, active sessions, and authorized credentials for members of your organization or enterprise account. For more information, see "Viewing and managing a member's SAML access to your organization" and "Viewing and managing a user's SAML access to your enterprise account."

Organization members must also have an active SAML session to authorize an OAuth App. You can opt out of this requirement by contacting GitHub Support or GitHub Premium Support. GitHub does not recommend opting out of this requirement, which will expose your organization to a higher risk of account takeovers and potential data loss.

Supported SAML services

We offer limited support for all identity providers that implement the SAML 2.0 standard. We officially support the following IdPs, which have been tested internally:

  • Active Directory Federation Services (AD FS)
  • Azure Active Directory (Azure AD)
  • Okta
  • OneLogin
  • PingOne
  • Shibboleth

Some IdPs support provisioning access to a GitHub organization via SCIM. For more information, see "About SCIM."

Adding members to an organization using SAML SSO

After you enable SAML SSO, there are multiple ways you can add new members to your organization. Organization owners can invite new members manually on GitHub or using the API. For more information, see "Inviting users to join your organization" and "Members" in the GitHub Developer documentation.

You can use team synchronization to automatically add and remove organization members to teams through an identity provider. For more information, see "Synchronizing teams between your identity provider and GitHub."

To provision new users without an invitation from an organization owner, you can use the URL https://github.com/orgs/ORGANIZATION/sso/sign_up, replacing ORGANIZATION with the name of your organization. For example, you can configure your IdP so that anyone with access to the IdP can click a link on the IdP's dashboard to join your GitHub organization.

If your IdP supports SCIM, GitHub can automatically invite members to join your organization when you grant access on your IdP. If you remove a member's access to your GitHub organization on your SAML IdP, the member will be automatically removed from the GitHub organization. For more information, see "About SCIM."

GitHub does not support SAML Single Logout. To terminate an active SAML session, users should log out directly on your SAML IdP.
