Enforcing SAML single sign-on for your organization

Organization owners and admins can enforce SAML SSO so that all organization members must authenticate via an identity provider (IdP).

SAML single sign-on is available with GitHub Enterprise Cloud. For more information, see "GitHub's products."

About enforcement of SAML SSO for your organization

When you enable SAML SSO, GitHub will prompt members who visit the organization's resources on GitHub.com to authenticate on your IdP, which links the member's user account to an identity on the IdP. Members can still access the organization's resources before authentication with your IdP.

You can also enforce SAML SSO for your organization. When you enforce SAML SSO, all members of the organization must authenticate through your IdP to access the organization's resources. Enforcement removes any members and administrators who have not authenticated via your IdP from the organization. GitHub sends an email notification to each removed user.

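You can restore organization members once they successfully complete single sign-on. Removed users' access privileges and settings are saved for three months and can be restored during this time frame. For more information, see "Reinstating a former member of your organization."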

Bots and service accounts that do not have external identities set up in your organization's IdP will also be removed when you enforce SAML SSO. For more information about bots and service accounts, see "Managing bots and service accounts with SAML single sign-on."
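One way to preview who enforcement would remove, as an added example that is not part of GitHub's documentation: it compares the organization's members against the external identities GitHub has linked and lists owners first, since they are removed as well. It assumes the identity pages are responses to the GraphQL query shown, and the flattened member list (login plus role) is a hypothetical input format.

```python
# Added example; all sample data is constructed. The query's paged responses feed linked_logins().
IDENTITIES_QUERY = """
query($org: String!, $cursor: String) {
  organization(login: $org) {
    samlIdentityProvider {
      externalIdentities(first: 100, after: $cursor) {
        pageInfo { hasNextPage endCursor }
        edges { node { samlIdentity { nameId } user { login } } }
      }
    }
  }
}"""

def linked_logins(identity_pages):
    """Logins with a SAML identity linked, collected across response pages."""
    linked = set()
    for page in identity_pages:
        idp = page["data"]["organization"]["samlIdentityProvider"]
        if idp is None:  # SAML SSO is not configured for the organization
            continue
        for edge in idp["externalIdentities"]["edges"]:
            user, saml = edge["node"]["user"], edge["node"]["samlIdentity"]
            # user is None for an IdP identity not yet linked to an account
            if user and saml and saml.get("nameId"):
                linked.add(user["login"].lower())
    return linked

def removal_candidates(members, identity_pages):
    """Members with no linked identity, owners (ADMIN) first."""
    linked = linked_logins(identity_pages)
    missing = [(m["login"], m["role"]) for m in members
               if m["login"].lower() not in linked]
    return sorted(missing, key=lambda r: (r[1] != "ADMIN", r[0].lower()))

def _page(*nodes):  # wraps constructed nodes in the response shape
    edges = [{"node": n} for n in nodes]
    return {"data": {"organization": {"samlIdentityProvider":
            {"externalIdentities": {"edges": edges}}}}}
SAMPLE_PAGES = [
    _page({"samlIdentity": {"nameId": "root@example.com"}, "user": {"login": "octo-admin"}},
          {"samlIdentity": {"nameId": "alice@example.com"}, "user": {"login": "alice"}}),
    _page({"samlIdentity": {"nameId": "carol@example.com"}, "user": None}),
]
SAMPLE_MEMBERS = [  # hypothetical flattened member list: login plus org role
    {"login": "octo-admin", "role": "ADMIN"}, {"login": "Alice", "role": "MEMBER"},
    {"login": "bob", "role": "ADMIN"}, {"login": "ci-bot", "role": "MEMBER"}]

if __name__ == "__main__":
    for login, role in removal_candidates(SAMPLE_MEMBERS, SAMPLE_PAGES):
        print(f"{role:7} {login}")
```

Any owner in the output should authenticate with the IdP before enforcement, and any bot or service account listed needs an external identity set up in the IdP first.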

If your organization is owned by an enterprise account, requiring SAML for the enterprise account will override your organization-level SAML configuration and enforce SAML SSO for every organization in the enterprise. For more information, see "Enforcing SAML single sign-on for organizations in your enterprise account."

Tip: When setting up SAML SSO in your organization, you can test your implementation without affecting your organization members by leaving Require SAML SSO authentication for all members of the organization name organization unchecked.

Enforcing SAML SSO for your organization

  1. Enable and test SAML SSO for your organization, then authenticate with your IdP at least once. For more information, see "Enabling and testing SAML single sign-on for your organization."

  2. Prepare to enforce SAML SSO for your organization. For more information, see "Preparing to enforce SAML single sign-on in your organization."

  3. In the top right corner of GitHub, click your profile photo, then click Your organizations.

  4. Next to the organization, click Settings.

  5. In the left sidebar, click Organization security.

  6. Under "SAML single sign-on", select Require SAML SSO authentication for all members of the ORGANIZATION organization.

  7. If any organization members have not authenticated via your IdP, GitHub displays the members. If you enforce SAML SSO, GitHub will remove the members from the organization. Review the warning and click Remove members and require SAML single sign-on.

  8. Under "Single sign-on recovery codes", review your recovery codes. Store the recovery codes in a safe location like a password manager.
