Configuring SAML single sign-on (SSO) for GitHub Copilot ensures your organization maintains centralized identity management while enabling developers to use Copilot CLI and IDE integrations. This guide covers SSO setup, token authorization, and troubleshooting common authentication issues.
Understanding GitHub SSO/SAML for Copilot
GitHub Copilot does not have its own separate SSO configuration. Instead, Copilot inherits your organization's existing SAML SSO settings. When a user authenticates to GitHub through your identity provider (IdP), they gain access to all organization resources they are authorized for, including Copilot.
How SSO Affects Copilot Access
| Scenario | Copilot Access Behavior |
|---|---|
| SSO not configured | Users authenticate with GitHub credentials directly |
| SSO enabled (not enforced) | Users can choose SSO or GitHub credentials |
| SSO enforced | All users must complete SAML authentication |
| Enterprise Managed Users | Users only exist through IdP provisioning |
Key Point: If your organization already has SAML SSO working for GitHub, Copilot will work once users authorize their tokens. No additional IdP configuration is required.
Prerequisites
Before configuring SSO for Copilot access, ensure you have:
- GitHub organization with admin permissions
- For SAML SSO: A supported identity provider (Entra ID, Okta, OneLogin, PingFederate, or any SAML 2.0 compliant IdP)
- For Enterprise Managed Users: GitHub Enterprise Cloud with EMU enabled
- Copilot Business or Enterprise subscription assigned to your organization
- Access to configure your identity provider
Supported Identity Providers
GitHub supports SAML SSO with:
- Microsoft Entra ID (formerly Azure AD)
- Okta
- OneLogin
- PingFederate
- Shibboleth
- Any SAML 2.0 compliant IdP
For Enterprise Managed Users (EMU), supported IdPs include:
- Microsoft Entra ID
- Okta
- PingFederate
How Copilot Inherits Organization SSO Settings
When you configure SAML SSO for your GitHub organization, Copilot automatically uses the same authentication flow. There is no separate Copilot SSO configuration.
Authentication Flow
- User attempts to access Copilot (via CLI, IDE, or GitHub.com)
- GitHub checks if the user has a valid SSO session
- If no session exists, user is redirected to your IdP
- User authenticates with corporate credentials
- IdP returns SAML assertion to GitHub
- GitHub grants access to organization resources including Copilot
Setting Up Organization SAML SSO
If you have not yet configured SAML SSO for your organization:
- Navigate to your organization settings at
github.com/organizations/YOUR_ORG/settings
- Under Security, click Authentication security
- Select Enable SAML authentication
- Configure your IdP settings:
  - Issuer: Your IdP's entity ID
  - Single sign-on URL: Your IdP's SSO endpoint
  - Public certificate: Your IdP's signing certificate (Base64 encoded)
- Test the configuration before enforcing
- Optionally check Require SAML SSO authentication to enforce for all members
Authorizing Tokens for SSO Organizations
After SSO is enabled, users must explicitly authorize their tokens to access SSO-protected resources. This is the most common step users miss when Copilot CLI stops working after SSO is enabled.
Authorizing the GitHub CLI Token
When you authenticate with gh auth login, the token created needs SSO authorization:
- Complete authentication:
gh auth login --web
- Visit github.com/settings/tokens
- Find the token labeled "GitHub CLI" (or your custom token name)
- Click Configure SSO next to the token
- Click Authorize next to your organization name
- Copilot CLI should now work with SSO
Authorizing Personal Access Tokens
If you use personal access tokens for Copilot:
- Go to github.com/settings/tokens
- Find your token (classic or fine-grained)
- Click Configure SSO
- Authorize for each organization that requires SSO
- Tokens show a green checkmark when authorized
Token Authorization Status
Check your token's SSO status:
| Indicator | Meaning |
|---|---|
| "Configure SSO" button | Token not authorized for any SSO org |
| "SSO: Authorized for X orgs" | Token authorized for some organizations |
| Green checkmark next to org | Token authorized for that organization |
CLI Authentication with SSO
Copilot CLI uses the GitHub CLI (gh) for authentication. When SSO is enforced, follow this workflow:
Initial Authentication
```
# Authenticate via browser (required for SSO)
gh auth login --web
# When prompted, select your organization
# Complete the SAML authentication in your browser
# Authorize the OAuth application for your organization
```
Verifying SSO Authentication
```
# Check authentication status
gh auth status
# Example output showing SSO-enabled org
# github.com
# Logged in to github.com as username (oauth_token)
# Git operations for github.com configured to use https protocol
# Token: ghp_****
# Token scopes: admin:public_key, gist, read:org, repo
# SSO: Authorized for org-name
```
Re-authenticating When SSO Session Expires
SSO sessions have timeout periods configured by your IdP. When expired:
```
# Refresh authentication
gh auth refresh
# If refresh fails, do a full re-login
gh auth login --web
```
Managing Copilot Access Through SSO Groups
Enterprise organizations can use IdP groups to manage Copilot seat assignments.
Using SCIM for Automated Provisioning
With SCIM (System for Cross-domain Identity Management), user provisioning is automated:
- Enable SCIM in your organization settings
- Configure your IdP to sync groups to GitHub
- Create a "Copilot Users" group in your IdP
- Map this group to Copilot seat assignment in GitHub
Group-Based Seat Management
Configure Copilot to auto-assign based on team membership:
- Go to Organization Settings > Copilot > Access
- Select Enabled for selected members
- Add teams that map to your IdP groups
- Users joining the IdP group automatically get Copilot access
Enterprise Managed Users (EMU)
For maximum control, EMU provides:
- All accounts created and managed through IdP
- Users sign in exclusively through SSO
- No personal GitHub accounts can access org resources
- Full lifecycle management through SCIM
Troubleshooting Common SSO Issues
"SSO Session Required" Error
Cause: Your SSO session has expired or was never established.
Solution:
```
gh auth login --web
# Complete SAML authentication in browser
```
"Token Not Authorized for SSO" Error
Cause: The token exists but has not been authorized for the SSO organization.
Solution:
- Go to github.com/settings/tokens
- Find your token
- Click Configure SSO
- Authorize for your organization
"User Not a Member of Organization" After SSO
Cause: SAML assertion does not include organization membership or SCIM has not provisioned the user.
Solution:
- Verify user exists in IdP group mapped to GitHub
- Check SCIM provisioning logs in your IdP
- Manually add user to organization if SCIM is not configured
SSO Works in Browser but Not CLI
Cause: Browser session is authenticated but CLI token is not authorized.
Solution:
```
# Force re-authentication via browser
gh auth logout
gh auth login --web
# Then authorize the token for SSO at github.com/settings/tokens
```
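To tell a missing SSO authorization apart from other authentication failures, check the `X-GitHub-SSO` response header that the GitHub REST API returns when a token has not been authorized for a SAML-protected organization. The following is an added example, not code from the original page; the sample responses, the placeholder URL and organization IDs, and the `diagnose_sso` helper are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample responses: (HTTP status, headers). URL and org ids are placeholders.
SAMPLES = {
    "unauthorized": (403, {"X-GitHub-SSO": "required; url=https://github.com/orgs/"
                                           "EXAMPLE-ORG/sso?authorization_request=PLACEHOLDER"}),
    "partial": (200, {"x-github-sso": "partial-results; organizations=1111,2222"}),
    "ok": (200, {"Content-Type": "application/json"}),
}

def diagnose_sso(status, headers):
    """Classify one REST API response as (state, detail)."""
    # Header names are case-insensitive, so normalise before looking up.
    value = next((v for k, v in headers.items() if k.lower() == "x-github-sso"), None)
    if value is None:
        # No SSO signal: a 401/403 here has a cause other than SSO authorization.
        return ("other-auth-failure" if status in (401, 403) else "ok", None)
    kind, _, rest = value.partition(";")
    kind, rest = kind.strip(), rest.strip()
    if kind == "required" and rest.startswith("url="):
        url = rest[len("url="):]
        parsed = urlparse(url)
        # Assumption: only surface authorization links on github.com; drop anything else.
        trusted = parsed.scheme == "https" and parsed.hostname == "github.com"
        return ("token-not-authorized", url if trusted else None)
    if kind == "partial-results" and rest.startswith("organizations="):
        # The token works, but results from these organization ids were withheld.
        ids = rest[len("organizations="):].split(",")
        return ("partial-results", [int(i) for i in ids if i.strip().isdigit()])
    return ("unrecognized", value)

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(name, diagnose_sso(status, headers))
```

A `token-not-authorized` result corresponds to the "Token Not Authorized for SSO" case above; `partial-results` explains listings that silently omit an SSO-protected organization.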
Copilot Works for Some Users but Not Others
Cause: Inconsistent SSO authorization or seat assignment.
Solution:
- Verify all users have completed SSO authorization
- Check Copilot seat assignments in organization settings
- Ensure users are in the correct IdP groups
Token Revocation and Re-authorization
When to Revoke Tokens
Revoke tokens when:
- An employee leaves the organization
- A token may be compromised
- Rotating credentials as a security practice
Revoking Organization Access
Organization admins can revoke SSO authorization:
- Go to Organization Settings > Security > Authentication security
- Under "Active SAML sessions", find the user
- Click Revoke to end their SSO session
User Token Revocation
Users can revoke their own tokens:
- Go to github.com/settings/tokens
- Click Delete on the token
- Re-authenticate with
gh auth login --web
- Re-authorize for SSO organizations
Best Practices for Enterprise Deployments
Security Recommendations
- Enforce SSO: Do not leave SSO optional; enforce it for all organization members
- Enable SCIM: Automate user provisioning and deprovisioning
- Set session timeouts: Configure reasonable IdP session durations (4-8 hours typical)
- Require MFA: Enable multi-factor authentication in your IdP
- Audit regularly: Review SSO sessions and token authorizations quarterly
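The quarterly review and the revocation criteria above can be scripted against the organization's list of SSO-authorized credentials (REST endpoint `GET /orgs/{org}/credential-authorizations`, available on GitHub Enterprise Cloud). This is an added example, not code from the original page: the records are constructed, the field names follow that endpoint's response and should be checked against your API version, and the IdP member set, 90-day threshold and `audit` helper are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like GET /orgs/{org}/credential-authorizations output.
SAMPLE = [
    {"login": "alice", "credential_id": 101, "credential_type": "personal access token",
     "credential_authorized_at": "2024-01-10T09:00:00Z",
     "credential_accessed_at": "2024-06-01T12:00:00Z"},
    {"login": "bob", "credential_id": 102, "credential_type": "personal access token",
     "credential_authorized_at": "2023-12-05T09:00:00Z",
     "credential_accessed_at": "2024-02-15T08:30:00Z"},
    {"login": "carol", "credential_id": 103, "credential_type": "SSH key",
     "credential_authorized_at": "2024-03-01T09:00:00Z",
     "credential_accessed_at": "2024-06-20T17:45:00Z"},
    {"login": "dave", "credential_id": 104, "credential_type": "personal access token",
     "credential_authorized_at": "2023-11-01T10:00:00Z",
     "credential_accessed_at": None},
]
ACTIVE_IDP_MEMBERS = {"alice", "bob", "dave"}  # hypothetical export of the IdP group
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # fixed so the result is reproducible

def _ts(value):
    """Parse an ISO 8601 UTC timestamp, or return None for a missing value."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit(authorizations, active_logins, now, stale_days=90):
    """Return (login, credential_id, reasons) for credentials that need review."""
    cutoff = now - timedelta(days=stale_days)
    active = {login.lower() for login in active_logins}
    findings = []
    for auth in authorizations:
        reasons = []
        if auth["login"].lower() not in active:
            reasons.append("not-in-idp-group")  # offboarded user still holds a credential
        accessed = _ts(auth.get("credential_accessed_at"))
        authorized = _ts(auth.get("credential_authorized_at"))
        if accessed is None:
            if authorized and authorized < cutoff:
                reasons.append("never-used")    # authorized long ago, never exercised
        elif accessed < cutoff:
            reasons.append("stale")             # no use within the review window
        if reasons:
            findings.append((auth["login"], auth["credential_id"], reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, ACTIVE_IDP_MEMBERS, NOW):
        print(finding)
```

Each finding carries the `credential_id`, which is the identifier an organization owner needs to remove that authorization.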
Onboarding Workflow
Document this process for new developers:
- User is added to IdP group
- SCIM provisions user to GitHub organization
- Admin assigns Copilot seat (or auto-assign via team)
- User runs
gh auth login --web
- User completes SAML authentication
- User authorizes token for SSO at github.com/settings/tokens
- User can now use Copilot CLI
Offboarding Workflow
When users leave:
- Remove from IdP group
- SCIM deprovisions from GitHub (if configured)
- Copilot seat is automatically released
- Manually revoke any active SSO sessions if access must end immediately