If you use SAML SSO in your organization, you can implement SCIM to add, manage, and remove organization members' access to GitHub. For example, an administrator can deprovision an organization member using SCIM and automatically remove the member from the organization.
If you use SAML SSO without implementing SCIM, you won't have automatic deprovisioning. When organization members' sessions expire after their access is removed from the IdP, they aren't automatically removed from the organization. Authorized tokens grant access to the organization even after their sessions expire. To remove access, organization administrators can either manually remove the authorized token from the organization or automate its removal with SCIM.
These identity providers are compatible with the GitHub SCIM API for organizations. For more information, see SCIM in the GitHub API documentation.
- Azure AD
If you're participating in the private beta for user provisioning for enterprise accounts, when you enable SAML for your enterprise account, SCIM provisioning and deprovisioning is enabled by default in GitHub. You can use provisioning to manage organization membership by configuring SCIM in your IdP. For more information, see "Enforcing security settings in your enterprise account."