You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/organizations/managing-programmatic-access-to-your-organization/github-credential-types.md
+8-8Lines changed: 8 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -59,15 +59,15 @@ The following sections describe revocation options for each credential type base
59
59
***Users** can revoke their authorization to an {% data variables.product.prodname_oauth_app %} in their personal account settings, which will revoke any tokens associated with the app. See [AUTOTITLE](/apps/oauth-apps/using-oauth-apps/reviewing-your-authorized-oauth-apps).
60
60
{% data reusables.credentials.revoke-via-api %}
61
61
***Organization owners** can deny a previously approved {% data variables.product.prodname_oauth_app %}'s access to the organization. See [AUTOTITLE](/enterprise-cloud@latest/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization).
62
-
*Enterprise and organization owners cannot directly revoke SSO authorization for individual {% data variables.product.prodname_oauth_app %} tokens.
62
+
*On {% data variables.product.prodname_ghe_cloud %}, enterprise and organization owners cannot directly revoke SSO authorization for individual {% data variables.product.prodname_oauth_app %} tokens. SSO credential authorization does not apply to {% data variables.product.prodname_ghe_server %}.
63
63
***Revoked automatically** if pushed to a public repository or gist, or if unused for one year. See [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation).
64
64
65
65
### {% data variables.product.prodname_github_app %} user access tokens
66
66
67
67
***Users** can revoke their authorization to an {% data variables.product.prodname_github_app %} in their personal account settings. Note that this revokes authorization for **all** organizations, not just a specific one. See [AUTOTITLE](/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps).
68
68
{% data reusables.credentials.revoke-via-api %}
69
69
***Organization owners** can't revoke user authorizations directly, but can suspend or uninstall the app to prevent access to organization resources. See [AUTOTITLE](/apps/using-github-apps/reviewing-and-modifying-installed-github-apps).
70
-
*Enterprise and organization owners cannot directly revoke SSO authorization for individual {% data variables.product.prodname_github_app %} user access tokens.
70
+
*On {% data variables.product.prodname_ghe_cloud %}, enterprise and organization owners cannot directly revoke SSO authorization for individual {% data variables.product.prodname_github_app %} user access tokens. SSO credential authorization does not apply to {% data variables.product.prodname_ghe_server %}.
71
71
***Automatically expires** after 8 hours by default. See [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation#user-token-expired-due-to-github-app-configuration).
72
72
73
73
### {% data variables.product.prodname_github_app %} refresh tokens
@@ -106,7 +106,7 @@ For more information on `GITHUB_TOKEN`, see [AUTOTITLE](/actions/concepts/securi
106
106
107
107
## SSO authorization
108
108
109
-
When single sign-on (SSO) is required at the enterprise level, enforced at the organization level, or enabled for an organization and a member has linked an identity, certain credential types must be authorized for an organization before they can access organization resources. The following table indicates which credential types can be authorized for an organization.
109
+
On {% data variables.product.prodname_ghe_cloud %}, when single sign-on (SSO) is required at the enterprise level, enforced at the organization level, or enabled for an organization and a member has linked an identity, certain credential types must be authorized for an organization before they can access organization resources. The following table indicates which credential types can be authorized for an organization. SSO credential authorization does not apply to {% data variables.product.prodname_ghe_server %}.
110
110
111
111
| Token type | Supports SSO authorization | Admins can revoke SSO authorization |
@@ -120,9 +120,9 @@ When single sign-on (SSO) is required at the enterprise level, enforced at the o
120
120
| Deploy key | {% octicon "x" aria-label="No" %} (repository-scoped) | Not applicable |
121
121
|`GITHUB_TOKEN` ({% data variables.product.prodname_actions %}) | {% octicon "x" aria-label="No" %} (repository-scoped) | Not applicable |
122
122
123
-
[^1]: SSO authorization is granted automatically when the user authorizes the app during an active SAML or OIDC session. These authorizations are not visible to users or admins in the {% data variables.product.github %} UI, and are not returned by the [List SAML SSO authorizations for an organization](/rest/orgs/orgs#list-saml-sso-authorizations-for-an-organization) REST API endpoint.
123
+
[^1]: On {% data variables.product.prodname_ghe_cloud %}, SSO authorization is granted automatically when the user authorizes the app during an active SAML or OIDC session. These authorizations are not visible to users or admins in the {% data variables.product.github %} UI, and are not returned by the [List SAML SSO authorizations for an organization](/rest/orgs/orgs#list-saml-sso-authorizations-for-an-organization) REST API endpoint.
124
124
125
-
For information on how to authorize a credential for SSO, see [AUTOTITLE](/enterprise-cloud@latest/authentication/authenticating-with-single-sign-on/authorizing-a-personal-access-token-for-use-with-single-sign-on), [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token), and [AUTOTITLE](/enterprise-cloud@latest/authentication/authenticating-with-single-sign-on/authorizing-an-ssh-key-for-use-with-single-sign-on).
125
+
On {% data variables.product.prodname_ghe_cloud %}, for information on how to authorize a credential for SSO, see [AUTOTITLE](/enterprise-cloud@latest/authentication/authenticating-with-single-sign-on/authorizing-a-personal-access-token-for-use-with-single-sign-on), [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token), and [AUTOTITLE](/enterprise-cloud@latest/authentication/authenticating-with-single-sign-on/authorizing-an-ssh-key-for-use-with-single-sign-on).
126
126
127
127
### Revoking SSO authorization
128
128
@@ -131,14 +131,14 @@ On {% data variables.product.prodname_ghe_cloud %} with SSO enforced, when a cre
131
131
***Delete or revoke the credential itself**: Permanently removes all access associated with the credential. See the individual credential type sections above for who can perform this action.
132
132
***Revoke the credential's SSO authorization**: Blocks the credential from accessing a specific organization's resources without deleting it. Once revoked, the user cannot re-authorize the same credential; they must create a new one.
133
133
134
-
Enterprise administrators and organization owners can revoke SSO authorization for the credential types marked in the table above:
134
+
On {% data variables.product.prodname_ghe_cloud %}, enterprise administrators and organization owners can revoke SSO authorization for the credential types marked in the table above:
135
135
136
136
***Organization owners** can manage SSO authorizations for organizations with organization-level SSO via the {% data variables.product.github %} UI. See [AUTOTITLE](/enterprise-cloud@latest/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization).
137
137
***Enterprise owners** can manage SSO authorizations for enterprises with enterprise-level SSO (including {% data variables.product.prodname_emus %}) via the {% data variables.product.github %} UI. See [AUTOTITLE](/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise#viewing-and-revoking-authorized-credentials).
138
138
139
-
You can also manage SSO authorizations via the REST API. See [AUTOTITLE](/rest/orgs/orgs?apiVersion=2022-11-28#list-saml-sso-authorizations-for-an-organization).
139
+
On {% data variables.product.prodname_ghe_cloud %}, you can also manage SSO authorizations via the REST API. See [AUTOTITLE](/rest/orgs/orgs?apiVersion=2022-11-28#list-saml-sso-authorizations-for-an-organization).
140
140
141
-
During a security incident, enterprise owners can revoke SSO authorizations in bulk. See [Bulk actions for security incidents](#bulk-actions-for-security-incidents).
141
+
On {% data variables.product.prodname_ghe_cloud %}, during a security incident, enterprise owners can revoke SSO authorizations in bulk. See [Bulk actions for security incidents](#bulk-actions-for-security-incidents).
0 commit comments