SAML single sign-on (SSO) gives organization owners and enterprise owners on GitHub a way to control and secure access to organization resources like repositories, issues, and pull requests. Enterprise owners can enable SAML SSO and centralized authentication through a SAML IdP across all organizations owned by an enterprise account. After you enable SAML SSO for your enterprise account, SAML SSO is enforced for all organizations owned by your enterprise account. All members will be required to authenticate using SAML SSO to gain access to the organizations where they are a member, and enterprise owners will be required to authenticate using SAML SSO when accessing an enterprise account. For more information, see "Enforcing SAML single sign-on for organizations in your enterprise account."
After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features. Provisioning and deprovisioning user access with SCIM is not available for enterprise accounts.
If you use Azure AD as your IDP, you can use team synchronization to manage team membership within each organization. When you synchronize a GitHub team with an IdP group, changes to the IdP group are reflected on GitHub automatically, reducing the need for manual updates and custom scripts. You can use an IdP with team synchronization to manage administrative tasks such as onboarding new members, granting new permissions for movements within an organization, and removing member access to the organization. For more information, see "Managing team synchronization for organizations in your enterprise account."
We test and officially support the following IdPs. For SAML SSO, we offer limited support for all identity providers that implement the SAML 2.0 standard. For more information, see the SAML Wiki on the OASIS website.
|IdP||SAML||User provisioning||Team synchronization|
|Active Directory Federation Services (AD FS)|
|Azure Active Directory (Azure AD)|