About authentication with SSO
SAML single sign-on gives organization owners and enterprise owners a way to control and secure access to organization resources like repositories, issues, and pull requests. Organization owners can invite your personal account on GitHub to join their organization that uses SSO, which allows you to contribute to the organization and retain your existing identity and contributions on GitHub.
Access to SSO protected internal resources in an enterprise, such as repositories, projects, and packages, requires an SSO session for any organization in the enterprise. This allows code and work to be shared across organizations in an enterprise without requiring users to join each organization.
If you're a member of an enterprise with managed users, you will instead use a new account that is provisioned for you and controlled by your enterprise. For more information, see Types of GitHub accounts.
When you attempt to access most resources within an organization that uses SSO, GitHub will redirect you to the organization's SSO identity provider (IdP) to authenticate. After you successfully authenticate with your account on the IdP, the IdP redirects you back to GitHub, where you can access the organization's resources.
IdP authentication is not required for accessing public repositories in certain ways:
- Viewing the repository's overview page and file contents on GitHub
- Forking the repository
- Performing read operations via Git, such as cloning the repository
Authentication is required for other ways of accessing public repositories, such as viewing issues, pull requests, projects, and releases.
Note
SAML authentication is not required for outside collaborators. For more information about outside collaborators, see Roles in an organization.
If you have recently authenticated with your organization's SAML IdP in your browser, you are automatically authorized when you access a GitHub organization that uses SAML SSO. If you haven't recently authenticated with your organization's SAML IdP in your browser, you must authenticate at the SAML IdP before you can access the organization.
You must periodically authenticate with your SAML IdP to authenticate and gain access to your organization's resources on GitHub. The duration of this login period is set by your IdP and is generally 24 hours. This periodic login requirement limits the length of access and requires you to re-identify yourself to continue. You can view and manage your active SAML sessions in your security settings. For more information, see Viewing and managing your active SSO sessions.
Linked external identities
When you authenticate with your IdP account and return to GitHub, GitHub will record a link in the organization or enterprise between your GitHub personal account and the external identity you signed into. This linked identity is used to validate your membership in that organization, and depending on your organization or enterprise setup, is also used to determine which organizations and teams you're a member of. Each GitHub account can be linked to exactly one external identity per organization. Likewise, each external identity can be linked to exactly one GitHub account in an organization.
If you sign in with an external identity that is already linked to another GitHub account, you will receive an error message indicating that you cannot sign in with that identity. This situation can occur if you are attempting to use a new GitHub account to work inside of your organization. If you didn't intend to use that external identity with that GitHub account, then you'll need to sign out of that external identity and then repeat the SSO login. If you do want to use that external identity with your GitHub account, you'll need to ask your administrator to unlink your external identity from your old account, so that you can link it to your new account. Depending on the setup of your organization or enterprise, your admin may also need to reassign your identity within your identity provider. For more information, see Viewing and managing a member's SAML access to your organization.
If the external identity you sign in with does not match the external identity that is currently linked to your GitHub account, you'll receive a warning that you are about to relink your account. As your external identity is used to govern access and team membership, continuing with the new external identity can cause you to lose access to teams and organizations inside of GitHub. Only continue if you know that you're supposed to use that new external identity for authentication in the future.
Authorizing personal access tokens and SSH keys with SSO
To use the API or Git on the command line to access protected content in an organization that uses SSO, you will need to use an authorized personal access token over HTTPS or an authorized SSH key.
If you don't have a personal access token or an SSH key, you can create a personal access token for the command line or generate a new SSH key. For more information, see Managing your personal access tokens or Generating a new SSH key and adding it to the ssh-agent.
To use a new or existing personal access token or SSH key with an organization that uses or enforces SSO, you will need to authorize the token or authorize the SSH key for use with the organization. For more information, see Authorizing a personal access token for use with single sign-on or Authorizing an SSH key for use with single sign-on.
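The following is an added example, not part of the original page: it parses the `X-GitHub-SSO` response header that GitHub's REST API documentation describes for tokens that are not authorized for an SSO organization, so a script can tell the user what to do next. The function names and the sample header values are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_sso_header(value, expected_host="github.com"):
    """Parse an X-GitHub-SSO header value into a dict.

    state is "required" (token not authorized for the organization) or
    "partial-results" (some organizations were left out of the response).
    """
    state, _, rest = value.partition(";")
    info = {"state": state.strip().lower(), "url": None, "organizations": []}
    key, _, val = rest.strip().partition("=")
    key = key.strip().lower()
    if key == "url":
        parts = urlsplit(val.strip())
        # Only surface the link if it is HTTPS on the host we expect, so a
        # tampered header cannot point the user at a look-alike login page.
        if parts.scheme == "https" and parts.hostname == expected_host:
            info["url"] = val.strip()
    elif key == "organizations":
        info["organizations"] = [int(o) for o in val.split(",") if o.strip().isdigit()]
    return info


def explain(headers):
    """Turn REST API response headers into a next step for the user."""
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == "x-github-sso"), None)
    if value is None:
        return "no SSO restriction reported"
    info = parse_sso_header(value)
    if info["state"] == "required" and info["url"]:
        return "authorize the token for SSO: " + info["url"]
    if info["state"] == "required":
        return "token not authorized for SSO; authorize it in your token settings"
    if info["state"] == "partial-results":
        ids = ", ".join(str(o) for o in info["organizations"])
        return "results omitted for organization IDs: " + ids
    return "unrecognized X-GitHub-SSO value"


# Constructed sample headers (placeholder organization name, request id and IDs).
SAMPLES = [
    {"X-GitHub-SSO": "required; url=https://github.com/orgs/ORGANIZATION-NAME/sso?authorization_request=EXAMPLE"},
    {"x-github-sso": "partial-results; organizations=1111,2222"},
    {},
]

if __name__ == "__main__":
    for headers in SAMPLES:
        print(explain(headers))
```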
About OAuth apps, GitHub Apps, and SSO
You must have an active SSO session each time you authorize an OAuth app or GitHub App in order to access an organization that uses or enforces SSO. If you do not have an active session for an organization that requires SSO when you sign into the app, the app will be unable to access that organization. You can create an active SSO session by navigating to https://github.com/orgs/ORGANIZATION-NAME/sso or https://github.com/enterprises/ENTERPRISE-NAME/sso in your browser.
After an enterprise or organization owner enables or enforces SSO for an organization, and after you authenticate via SSO for the first time, you must reauthorize any OAuth apps or GitHub Apps that you previously authorized to access the organization.
To see the OAuth apps you've authorized, visit your OAuth apps page. To see the GitHub Apps you've authorized, visit your GitHub Apps page.
For more information, see SAML and GitHub Apps.