---
title: Enabling and testing SAML single sign-on for your organization
intro: Organization owners and admins can enable SAML single sign-on to add an extra layer of security to their organization.
redirect_from:
  - /articles/enabling-and-testing-saml-single-sign-on-for-your-organization
  - /github/setting-up-and-managing-organizations-and-teams/enabling-and-testing-saml-single-sign-on-for-your-organization
versions:
  ghec: '*'
topics:
  - Organizations
  - Teams
shortTitle: Enable & test SAML SSO
---

About SAML single sign-on

You can enable SAML SSO in your organization without requiring all members to use it. Enabling but not enforcing SAML SSO in your organization can help smooth your organization's SAML SSO adoption. Once a majority of your organization's members use SAML SSO, you can enforce it within your organization.

{% data reusables.saml.ghec-only %}

If you enable but don't enforce SAML SSO, organization members who choose not to use SAML SSO can still be members of the organization. For more information on enforcing SAML SSO, see "AUTOTITLE."

{% data reusables.saml.outside-collaborators-exemption %}

{% data reusables.saml.saml-disabled-linked-identities-removed %}

{% data reusables.apps.reauthorize-apps-saml %}

Enabling and testing SAML single sign-on for your organization

Before you enforce SAML SSO in your organization, ensure that you've prepared the organization. For more information, see "AUTOTITLE."

For more information about the identity providers (IdPs) that {% data variables.product.company_short %} supports for SAML SSO, see "AUTOTITLE."

{% data reusables.profile.access_org %} {% data reusables.profile.org_settings %} {% data reusables.organizations.security %}

  1. Under "SAML single sign-on", select Enable SAML authentication.

    [!NOTE] After enabling SAML SSO, you can download your single sign-on recovery codes so that you can access your organization even if your IdP is unavailable. For more information, see "AUTOTITLE."

  2. In the "Sign on URL" field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration.

  3. Optionally, in the "Issuer" field, type your SAML issuer's name. This verifies the authenticity of sent messages.

    [!NOTE] If you want to enable team synchronization for your organization, the "Issuer" field is required. For more information, see "AUTOTITLE."

  4. Under "Public Certificate," paste a certificate to verify SAML responses. {% data reusables.saml.edit-signature-and-digest-methods %}

  5. Before enabling SAML SSO for your organization, to ensure that the information you've entered is correct, click Test SAML configuration. {% data reusables.saml.test-must-succeed %}

    [!TIP] {% data reusables.saml.testing-saml-sso %}

  6. To enforce SAML SSO and remove all organization members who haven't authenticated via your IdP, select Require SAML SSO authentication for all members of the organization name organization. For more information on enforcing SAML SSO, see "AUTOTITLE."

  7. Click Save.
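
A local pre-flight check for the values entered in steps 2 to 4, as an added example that is not part of this documentation or of the product's own validation: it confirms the sign-on URL is an HTTPS endpoint, that an Issuer is present when team synchronization is planned, and that the pasted block is a complete PEM certificate rather than a private key or a truncated paste. The function names, the `idp.example.com` values, and the placeholder certificate bytes are assumptions constructed for illustration.

```python
import base64, hashlib, re
from urllib.parse import urlsplit

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_total_length(der: bytes) -> int:
    """Full encoded length declared by the outer DER SEQUENCE, or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:        # a certificate starts with SEQUENCE (0x30)
        return -1
    if der[1] < 0x80:                         # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                         # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def preflight(sign_on_url, issuer, cert_pem, team_sync=False):
    """Return (problems, sha256_fingerprint). The fingerprint is None if the cert is unusable."""
    problems, fingerprint = [], None
    url = urlsplit(sign_on_url.strip())
    if url.scheme != "https" or not url.hostname:
        problems.append("Sign on URL must be an HTTPS endpoint")
    if team_sync and not issuer.strip():
        problems.append("Issuer is required when team synchronization is enabled")
    m = PEM_RE.search(cert_pem)
    if not m:
        problems.append("no complete PEM block found")
    elif m.group(1) != "CERTIFICATE":         # e.g. a private key pasted by mistake
        problems.append(f"PEM block is '{m.group(1)}', not a certificate")
    else:
        try:
            der = base64.b64decode("".join(m.group(2).split()), validate=True)
        except ValueError:                    # bad characters or broken padding
            der = b""
        if der_total_length(der) != len(der): # declared length vs. bytes actually pasted
            problems.append("certificate body is truncated or corrupt")
        else:
            fingerprint = hashlib.sha256(der).hexdigest()
    return problems, fingerprint

def constructed_pem(label="CERTIFICATE", drop_chars=0):
    """Constructed placeholder: a DER SEQUENCE of filler bytes, not a real X.509 certificate."""
    der = b"\x30\x81\xc8" + bytes(range(200))
    b64 = base64.b64encode(der).decode()
    b64 = b64[:len(b64) - drop_chars]         # simulate a paste that lost its tail
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

Compare the returned SHA-256 fingerprint with the one your IdP shows for its signing certificate before pasting the certificate into the "Public Certificate" field.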

Further reading