Skip to main content

About authentication with SAML single sign-on

You can access an organization that uses SAML single sign-on (SSO) by authenticating through an identity provider (IdP). After you authenticate with the IdP successfully from GitHub Enterprise Cloud, you must authorize any personal access token, SSH key, or OAuth 应用程序 you would like to access the organization's resources.

About authentication with SAML SSO

SAML 单点登录 (SSO) 为使用 GitHub Enterprise Cloud 的组织所有者和企业所有者提供一种控制安全访问仓库、议题和拉取请求等组织资源的方法。 Organization owners can invite your personal account on GitHub to join their organization that uses SAML SSO, which allows you to contribute to the organization and retain your existing identity and contributions on GitHub.

If you're a member of an 具有托管用户的企业, you will use a new account that is provisioned for you. 更多信息请参阅“GitHub 帐户类型”。

When you access resources within an organization that uses SAML SSO, GitHub will redirect you to the organization's SAML IdP to authenticate. After you successfully authenticate with your account on the IdP, the IdP redirects you back to GitHub, where you can access the organization's resources.

注:外部协作者无需使用 IdP 进行身份验证即可访问实施 SAML SSO 的组织中的资源。 有关外部协作者的更多信息,请参阅“组织中的角色”。

If you have recently authenticated with your organization's SAML IdP in your browser, you are automatically authorized when you access a GitHub organization that uses SAML SSO. If you haven't recently authenticated with your organization's SAML IdP in your browser, you must authenticate at the SAML IdP before you can access the organization.

You must periodically authenticate with your SAML IdP to authenticate and gain access to the organization's resources on GitHub.com. The duration of this login period is specified by your IdP and is generally 24 hours. This periodic login requirement limits the length of access and requires you to re-identify yourself to continue. You can view and manage your active SAML sessions in your security settings. For more information, see "Viewing and managing your active SAML sessions."

To use the API or Git on the command line to access protected content in an organization that uses SAML SSO, you will need to use an authorized personal access token over HTTPS or an authorized SSH key.

If you don't have a personal access token or an SSH key, you can create a personal access token for the command line or generate a new SSH key. For more information, see "Creating a personal access token" or "Generating a new SSH key and adding it to the ssh-agent."

To use a new or existing personal access token or SSH key with an organization that uses or enforces SAML SSO, you will need to authorize the token or authorize the SSH key for use with a SAML SSO organization. For more information, see "Authorizing a personal access token for use with SAML single sign-on" or "Authorizing an SSH key for use with SAML single sign-on."

About OAuth 应用程序, GitHub 应用程序, and SAML SSO

You must have an active SAML session each time you authorize an OAuth 应用程序 or GitHub 应用程序 to access an organization that uses or enforces SAML SSO. You can create an active SAML session by navigating to https://github.com/orgs/ORGANIZATION-NAME/sso in your browser.

After an enterprise or organization owner enables or enforces SAML SSO for an organization, and after you authenticate via SAML for the first time, you must reauthorize any OAuth 应用程序 or GitHub 应用程序 that you previously authorized to access the organization.

To see the OAuth 应用程序 you've authorized, visit your OAuth 应用程序 page. To see the GitHub 应用程序 you've authorized, visit your GitHub 应用程序 page.

Further reading