Skip to content

saml

Subscribe to all “saml” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

When users access an organization with SAML SSO, GitHub stores a link between the SAML identity and the user's GitHub account. This link is used by SCIM and team synchronization to grant access within your organization or enterprise. If you break this link by signing into that organization with a different SAML identity, you are likely to lose access to resources inside that organization.

Starting gradually today and being fully rolled out tomorrow, users will see a warning message if they attempt to sign in with a different SAML account and change their linked identity. They'll have the option to go back to their IdP to sign in with a different account, which is usually the correct option. If they really intend to break the link to their previous SAML account and link to a new one, they can choose to continue.

Learn more by reading "About Authentication with SAML SSO".

See more

GitHub recently introduced the ability to set an expiration date when creating or regenerating a personal access token (PAT). For a PAT that is authorized to access an organization protected by SAML single sign-on (SSO), the expiration date of that PAT is now available via the GET /orgs/{org}/credential-authorizations API.

Organization administrators can use the following gh command to see the expiration dates of all PATs that are authorized to access their org by authenticating with a PAT that has the read:org scope:

gh api --paginate /orgs/:org/credential-authorizations --jq='.[] | [.authorized_credential_expires_at]'

Learn more about authorizing a personal access token for use with SAML single sign-on.

See more