Enabling and testing SAML single sign-on for your organization

Organization owners and admins can enable SAML single sign-on to add an extra layer of security to their organization.

SAML single sign-on is available with GitHub Enterprise Cloud. For more information, see "GitHub's products."

About SAML single sign-on

You can enable SAML SSO in your organization without requiring all members to use it. Enabling but not enforcing SAML SSO in your organization can help smooth your organization's SAML SSO adoption. Once a majority of your organization's members use SAML SSO, you can enforce it within your organization.

If you enable but don't enforce SAML SSO, organization members who choose not to use SAML SSO can still be members of the organization. For more information on enforcing SAML SSO, see "Enforcing SAML single sign-on for your organization."

Note: Outside collaborators aren't required to authenticate with an IdP to access the resources in an organization with SAML SSO. For more information on outside collaborators, see "Roles in an organization."

Enabling and testing SAML single sign-on for your organization

SAML SSO requires GitHub Enterprise Cloud. For more information about how you can try GitHub Enterprise Cloud for free, see "Setting up a trial of GitHub Enterprise Cloud."

Before your enforce SAML SSO in your organization, ensure that you've prepared the organization. For more information, see "Preparing to enforce SAML single sign-on in your organization."

For more information about the identity providers (IdPs) that GitHub supports for SAML SSO, see "Connecting your identity provider to your organization."

  1. In the top right corner of GitHub.com, click your profile photo, then click Your organizations. Your organizations in the profile menu

  2. Next to the organization, click Settings. The settings button

  3. In the left sidebar, click Organization security.

    Organization security settings

  4. Under "SAML single sign-on", select Enable SAML authentication. Checkbox for enabling SAML SSO

    Note: After enabling SAML SSO, you can download your single sign-on recovery codes so that you can access your organization even if your IdP is unavailable. For more information, see "Downloading your organization's SAML single sign-on recovery codes."

  5. In the "Sign on URL" field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration. Field for the URL that members will be forwarded to when signing in

  6. Optionally, in the "Issuer" field, type your SAML issuer's name. This verifies the authenticity of sent messages. Field for the SAML issuer's name

  7. Under "Public Certificate," paste a certificate to verify SAML responses. Field for the public certificate from your identity provider

  8. Click and then in the Signature Method and Digest Method drop-downs, choose the hashing algorithm used by your SAML issuer to verify the integrity of the requests. Drop-downs for the Signature Method and Digest method hashing algorithms used by your SAML issuer

  9. Before enabling SAML SSO for your organization, click Test SAML configuration to ensure that the information you've entered is correct. Button to test SAML configuration before enforcing

    Tip: When setting up SAML SSO in your organization, you can test your implementation without affecting your organization members by leaving Require SAML SSO authentication for all members of the organization name organization unchecked.

  10. To enforce SAML SSO and remove all organization members who haven't authenticated via your IdP, select Require SAML SSO authentication for all members of the organization name organization. For more information on enforcing SAML SSO, see "Enforcing SAML single sign-on for your organization." Checkbox to require SAML SSO for your organization

  11. Click Save. Button to save SAML SSO settings

Further reading

Did this doc help you?

Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.