About authentication with SAML single sign-on
You can access an organization that uses SAML single sign-on (SSO) by authenticating through an identity provider (IdP). To use the API or Git on the command line with an organization that enforces SAML SSO, you will need to use an authorized SSH key or an authorized personal access token over HTTPS.
SAML single sign-on is available with GitHub Enterprise Cloud. For more information, see "GitHub's products."
SAML SSO helps you maintain control of your identity and contributions, while giving organizations a centralized and secure way of controlling access to their resources on GitHub. When you join an organization that uses SAML SSO, you sign in through the organization's IdP and your existing GitHub account is linked to an external identity that belongs to the organization. This external identity is separate from, but related to, your GitHub account and is used to control access to the organization's resources like repositories, issues, and pull requests.
If you have an active SAML session in your browser, you are automatically authorized when you access a GitHub organization that uses SAML SSO. If you don't have an active SAML session in your browser, you must enter the credentials for your SAML identity provider before you can access the organization.
We offer limited support for all identity providers that implement the SAML 2.0 standard. We officially support these identity providers that have been internally tested:
- Active Directory Federation Services (AD FS)
- Azure Active Directory (Azure AD)
Note: Outside collaborators aren't required to have an external (SAML) identity to access an organization that uses SAML SSO.
You must periodically log in to your SAML provider to authenticate and gain access to the organization's resources on GitHub. The duration of this login period is specified by your IdP and is generally 24 hours. This periodic login requirement limits the length of access and requires you to re-identify yourself to continue. You can view and manage your active SAML sessions in your security settings. For more information, see "Viewing and managing your active SAML sessions."
To use the API or Git on the command line to access protected content in an organization that uses SAML SSO, you will need to use an authorized personal access token over HTTPS or an authorized SSH key. OAuth App access tokens are authorized by default.
If you don't have a personal access token or an SSH key, you can create a personal access token for the command line or generate a new SSH key. For more information, see:
- "Creating a personal access token for the command line"
- "Generating a new SSH key and adding it to the ssh-agent"
To use a new or existing personal access token or SSH key with an organization that enforces SAML SSO, you will need to authorize the token or authorize the SSH key for use with a SAML SSO organization. For more information, see:
- "Authorizing a personal access token for use with SAML single sign-on"
- "Authorizing an SSH key for use with SAML single sign-on"
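When a personal access token has not been authorized for a SAML SSO organization, GitHub's REST API reports this in an `X-GitHub-SSO` response header. The sketch below is an added example, not GitHub's own code: it parses that header so a script can tell "token needs authorizing" apart from other failures. The names `classify_sso` and `SsoStatus` are hypothetical, the sample header values are constructed, and the host check assumes github.com.

```python
from dataclasses import dataclass, field
from typing import Mapping, Optional


@dataclass
class SsoStatus:
    state: str  # "ok", "required" or "partial-results"
    authorize_url: Optional[str] = None
    organization_ids: list = field(default_factory=list)


def classify_sso(status_code: int, headers: Mapping[str, str]) -> SsoStatus:
    """Interpret the X-GitHub-SSO header of a REST API response."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-github-sso")
    if not raw:
        return SsoStatus("ok")

    kind, _, rest = raw.partition(";")
    kind = kind.strip().lower()
    # Parameters are "key=value"; split on the first "=" only, because the
    # authorization URL carries its own "=" in the query string.
    params = {}
    for part in rest.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            params[key.lower()] = value

    if kind == "required" and status_code == 403:
        url = params.get("url", "")
        # Assumption: only a github.com HTTPS link is shown to the user, so a
        # tampered or proxied response cannot point them at another host.
        safe = url if url.startswith("https://github.com/") else None
        return SsoStatus("required", authorize_url=safe)
    if kind == "partial-results":
        # The token works, but results from these organization ids were omitted.
        ids = [int(x) for x in params.get("organizations", "").split(",")
               if x.strip().isdigit()]
        return SsoStatus("partial-results", organization_ids=ids)
    return SsoStatus("ok")


# Constructed sample headers (organization name, request value and ids are made up).
SAMPLE_REQUIRED = {"X-GitHub-SSO": "required; url=https://github.com/orgs/"
                   "example-org/sso?authorization_request=EXAMPLE"}
SAMPLE_PARTIAL = {"x-github-sso": "partial-results; organizations=1111,2222"}
```

A `required` result means the token must be authorized for the organization before retrying; `partial-results` means the call succeeded but left out data from organizations the token is not authorized for.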