Security updates - app visibility and internal behavior for tokens (#56240)

Co-authored-by: Jules <19994093+jules-p@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2025-12-19 18:10:59 -05:00 · 2025-06-30 06:33:05 -07:00
parent 4b5ad76fe1
commit 0b291aae6c
8 changed files with 32 additions and 24 deletions
--- a/content/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on.md
+++ b/content/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on.md
@@ -1,6 +1,6 @@
 ---
 title: About authentication with SAML single sign-on
-intro: 'You can access an organization that uses SAML single sign-on (SSO) by authenticating through an identity provider (IdP).'
+intro: 'You can access an organization that uses single sign-on (SSO) by authenticating through an identity provider (IdP).'
 redirect_from:
  - /articles/about-authentication-with-saml-single-sign-on
  - /github/authenticating-to-github/about-authentication-with-saml-single-sign-on
@@ -11,13 +11,15 @@ topics:
  - SSO
 shortTitle: SAML single sign-on
 ---
-## About authentication with SAML SSO
+## About authentication with SSO

-{% data reusables.saml.dotcom-saml-explanation %} Organization owners can invite your personal account on {% data variables.product.prodname_dotcom %} to join their organization that uses SAML SSO, which allows you to contribute to the organization and retain your existing identity and contributions on {% data variables.product.prodname_dotcom %}.
+{% data reusables.saml.dotcom-saml-explanation %} Organization owners can invite your personal account on {% data variables.product.prodname_dotcom %} to join their organization that uses SSO, which allows you to contribute to the organization and retain your existing identity and contributions on {% data variables.product.prodname_dotcom %}.
+
+Access to SSO protected `internal` resources in an enterprise, such as repositories, projects, and packages, requires an SSO session for any organization in the enterprise. This allows code and work to be shared across organizations in an enterprise without requiring users to join each organization.

 If you're a member of an {% data variables.enterprise.prodname_emu_enterprise %}, you will instead use a new account that is provisioned for you and controlled by your enterprise. {% data reusables.enterprise-accounts.emu-more-info-account %}

-When you attempt to access most resources within an organization that uses SAML SSO, {% data variables.product.prodname_dotcom %} will redirect you to the organization's SAML IdP to authenticate. After you successfully authenticate with your account on the IdP, the IdP redirects you back to {% data variables.product.prodname_dotcom %}, where you can access the organization's resources.
+When you attempt to access most resources within an organization that uses SSO, {% data variables.product.prodname_dotcom %} will redirect you to the organization's SSO IdP to authenticate. After you successfully authenticate with your account on the IdP, the IdP redirects you back to {% data variables.product.prodname_dotcom %}, where you can access the organization's resources.

 {% data reusables.saml.resources-without-sso %}

@@ -45,9 +47,9 @@ To use a new or existing {% data variables.product.pat_generic %} or SSH key wit

 ## About {% data variables.product.prodname_oauth_apps %}, {% data variables.product.prodname_github_apps %}, and SAML SSO

-You must have an active SAML session each time you authorize an {% data variables.product.prodname_oauth_app %} or {% data variables.product.prodname_github_app %} to access an organization that uses or enforces SAML SSO. You can create an active SAML session by navigating to `https://github.com/orgs/ORGANIZATION-NAME/sso` in your browser.
+You must have an active SSO session each time you authorize an {% data variables.product.prodname_oauth_app %} or {% data variables.product.prodname_github_app %} in order to access an organization that uses or enforces SSO. If you do not have an active session for an organization that requires SSO when you sign into the app, the app will be unable to access that organization. You can create an active SSO session by navigating to `https://github.com/orgs/ORGANIZATION-NAME/sso` or `https://github.com/enterprises/ENTERPRISE-NAME/sso` in your browser.

-After an enterprise or organization owner enables or enforces SAML SSO for an organization, and after you authenticate via SAML for the first time, you must reauthorize any {% data variables.product.prodname_oauth_apps %} or {% data variables.product.prodname_github_apps %} that you previously authorized to access the organization.
+After an enterprise or organization owner enables or enforces SSO for an organization, and after you authenticate via SSO for the first time, you must reauthorize any {% data variables.product.prodname_oauth_apps %} or {% data variables.product.prodname_github_apps %} that you previously authorized to access the organization.

 To see the {% data variables.product.prodname_oauth_apps %} you've authorized, visit your [{% data variables.product.prodname_oauth_apps %} page](https://github.com/settings/applications). To see the {% data variables.product.prodname_github_apps %} you've authorized, visit your [{% data variables.product.prodname_github_apps %} page](https://github.com/settings/apps/authorizations).

--- a/content/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on.md
+++ b/content/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on.md
@@ -12,7 +12,7 @@ topics:
  - SSO
 shortTitle: '{% data variables.product.pat_generic_caps %} with SAML'
 ---
-You must authorize your {% data variables.product.pat_v1 %} after creation before the token can access an organization that uses SAML single sign-on (SSO). For more information about creating a new {% data variables.product.pat_v1 %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). {% data variables.product.pat_v2_caps %}s are authorized during token creation, before access to the organization is granted.
+You must authorize your {% data variables.product.pat_v1 %} after creation before the token can access an organization that uses SAML single sign-on (SSO). Access to `internal` resources (repositories, projects, and packages) in an enterprise requires an SSO authorization for an organization within an enterprise. For more information about creating a new {% data variables.product.pat_v1 %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). {% data variables.product.pat_v2_caps %}s are authorized during token creation, before access to the organization is granted.

 {% data reusables.saml.must-authorize-linked-identity %}