About disabled authentication for Enterprise Managed Users
After you disable SAML or OIDC SSO for your enterprise, the following effects apply:
- All external identities for the enterprise, and associated email addresses for managed user accounts, will be removed. For more information, see "Viewing and managing a user's SAML access to your enterprise."
- All managed user accounts will be suspended. The suspended accounts will not be renamed. For more information, see "Viewing people in your enterprise."
- All personal access tokens and SSH keys associated with managed user accounts will be deleted.
- All of the external groups provisioned by SCIM will be deleted. For more information, see "Managing team memberships with identity provider groups."
If you later reconfigure authentication for the enterprise, external groups must be reprovisioned via SCIM, and managed user accounts must be reprovisioned before users can sign in.
Note
When a managed user account is suspended, the user's avatar is permanently deleted. If you reprovision the user, the user will need to reupload their avatar.
If you want to migrate to a new identity provider (IdP) or tenant rather than disabling authentication entirely, see "Migrating your enterprise to a new identity provider or tenant."
Disabling authentication
Warning
Disabling authentication and provisioning will prevent your enterprise's managed user accounts from signing in to access your enterprise on GitHub Enterprise Cloud.
- Sign in as the setup user for your enterprise with the username SHORT-CODE_admin, replacing SHORT-CODE with your enterprise's short code.
- Attempt to access your enterprise account, and use a recovery code to bypass SAML SSO or OIDC. For more information, see "Accessing your enterprise account if your identity provider is unavailable."
- In the top-right corner of GitHub, click your profile photo, then click Your enterprise.
- On the left side of the page, in the enterprise account sidebar, click Identity provider.
- Under Identity Provider, click Single sign-on configuration.
- Next to "SAML single sign-on" or "OIDC single sign-on", click to deselect SAML single sign-on or OIDC single sign-on.
- To confirm, click Disable SAML single sign-on or Disable OIDC single sign-on.