Enabling SAML single sign-on for organizations in your enterprise account

You can control and secure access to resources like repositories, issues, and pull requests by enabling SAML single sign-on (SSO) and centralized authentication through an IdP across all organizations owned by an enterprise account.

Enterprise owners can enable SAML single sign-on for organizations in an enterprise account.

Enterprise accounts are available with GitHub Enterprise Cloud and GitHub Enterprise Server. For more information, see "About enterprise accounts."

In this article

About SAML single sign-on for enterprise accounts

SAML single sign-on (SSO) gives organization owners and enterprise owners on GitHub a way to control and secure access to organization resources like repositories, issues, and pull requests. For more information, see "About identity and access management with SAML single sign-on."

Enterprise owners can enable SAML SSO and centralized authentication through a SAML IdP across all organizations owned by an enterprise account. After you enable SAML SSO for your enterprise account, SAML SSO is enabled by default for all organizations owned by your enterprise account. All members will be required to authenticate using SAML SSO to gain access to the organizations where they are a member, and enterprise owners will be required to authenticate using SAML SSO when accessing an enterprise account.

To access each organization's resources on GitHub, the member must have an active SAML session in their browser. To access each organization's protected resources using the API and Git, the member must use a personal access token or SSH key that the member has authorized for use with the organization. Enterprise owners can view and revoke a member's linked identity, active sessions, or authorized credentials at any time. For more information, see "Viewing and managing a user's SAML access to your enterprise account."

We offer limited support for all identity providers that implement the SAML 2.0 standard. We officially support these identity providers that have been internally tested:

  • Active Directory Federation Services (AD FS)
  • Azure Active Directory (Azure AD)
  • Okta
  • OneLogin
  • PingOne
  • Shibboleth

If you're participating in the private beta for user provisioning for enterprise accounts, when you enable SAML for your enterprise account, SCIM provisioning and deprovisioning is enabled by default in GitHub. You can use provisioning to manage organization membership by configuring SCIM in your IdP. If you're not participating in the private beta, SCIM is not supported for enterprise accounts. For more information, see "About user provisioning for organizations in your enterprise account."

Enabling SAML single-sign on for organizations in your enterprise account

Note: Enabling authentication with SAML single sign-on for your enterprise account will override any existing organization-level SAML configurations.

For more detailed information about how to enable SAML using Okta, see "Configuring SAML single sign-on and SCIM for your enterprise account using Okta."

  1. In the top-right corner of GitHub, click your profile photo, then click Your enterprises.

    "Your enterprises" in drop-down menu for profile photo on GitHub

  2. In the list of enterprises, click the enterprise you want to view.

    Name of an enterprise in list of your enterprises

  3. In the enterprise account sidebar, click Settings.

    Settings tab in the enterprise account sidebar

  4. In the left sidebar, click Security.

    Security tab in the enterprise account settings sidebar

  5. Optionally, to view the setting's current configuration for all organizations in the enterprise account before enforcing the setting, click View your organizations' current configurations.

    Link to view the current policy configuration for organizations in the business

  6. Under "SAML single sign-on", select Enable SAML authentication.

    Checkbox for enabling SAML SSO

  7. In the Sign on URL field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration.

    Field for the URL that members will be forwarded to when signing in

  8. Optionally, in the Issuer field, type your SAML issuer URL to verify the authenticity of sent messages.

    Field for the SAML issuer's name

  9. Under Public Certificate, paste a certificate to verify SAML responses.

    Field for the public certificate from your identity provider

  10. To verify the integrity of the requests from your SAML issuer, click . Then in the "Signature Method" and "Digest Method" drop-downs, choose the hashing algorithm used by your SAML issuer.

    Drop-downs for the Signature Method and Digest method hashing algorithms used by your SAML issuer

  11. Before enabling SAML SSO for your enterprise, click Test SAML configuration to ensure that the information you've entered is correct.

    Button to test SAML configuration before enforcing

  12. Click Save.

Did this doc help you?

Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.