Authorizing an SSH key for use with SAML single sign-on

To use an SSH key with an organization that uses SAML single sign-on (SSO), you must first authorize the key.

You can authorize an existing SSH key, or create a new SSH key and then authorize it. For more information about creating a new SSH key, see "Generating a new SSH key and adding it to the ssh-agent."

Before you can authorize a personal access token or SSH key, you must have a linked SAML identity. If you're a member of an organization where SAML SSO is enabled, you can create a linked identity by authenticating to your organization with your IdP at least once. For more information, see "About authentication with SAML single sign-on."

After you authorize a personal access token or SSH key, the authorization does not expire. The token or key will stay authorized until revoked in one of these ways.

  • An organization owner revokes the authorization.
  • You are removed from the organization.
  • The scopes in a personal access token are edited, or the token is regenerated.

Note: If your SSH key authorization is revoked by an organization, you will not be able to reauthorize the same key. You will need to create a new SSH key and authorize it. For more information about creating a new SSH key, see "Generating a new SSH key and adding it to the ssh-agent."

  1. In the upper-right corner of any page, click your profile photo, then click Settings. Settings icon in the user bar
  2. In the user settings sidebar, click SSH and GPG keys. Authentication keys
  3. Next to the SSH key you'd like to authorize, click Enable SSO or Disable SSO. SSO token authorize button
  4. Find the organization you'd like to authorize the SSH key for.
  5. Click Authorize. Token authorize button

Further reading

Did this doc help you?

Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.