Fix GitHub's "organization has enabled or enforced SAML SSO" push error by authorizing your PAT/SSH key for SSO. Step-by-step fix.
The organization you are pushing to or cloning from has SAML single sign-on (SSO) enforcement turned on. GitHub treats SSO enforcement as two separate requirements that must BOTH be satisfied. First, your GitHub identity must be linked to the organization's identity provider (IdP) through an active SAML session — you sign in to the IdP (Okta, Azure AD/Entra ID, OneLogin, etc.) and GitHub records a session that ties your GitHub account to the external identity. Second, the specific credential you are using for Git — a classic personal access token, an SSH key, or an OAuth app — must be individually authorized for that organization. A credential being valid for your account in general is not enough. Even a working SSH key or token will be refused by an SSO-protected org until it has been explicitly authorized for that org. This is why a credential can succeed against your personal repos and other orgs but fail against one specific organization. The message 'Resource protected by organization SAML enforcement' or 'The organization has enabled SAML SSO. Please authorize your credential' is GitHub telling you that one of those two requirements is missing: either your SAML session has expired/never existed, or the credential itself has not been authorized for the org.
SSO enforcement requires an active SAML session that links your GitHub account to the organization's identity provider. Establish one before authorizing any credential:
1. Visit the organization in your browser: https://github.com/YOUR_ORG
2. GitHub will show a 'Single sign-on to YOUR_ORG' prompt. Click Continue / Sign in via your identity provider.
3. Complete authentication at your IdP (Okta, Azure AD/Entra ID, OneLogin, etc.).
4. You are redirected back to GitHub with an active SAML session.
If you do not see a prompt, you can trigger SSO directly:
https://github.com/orgs/YOUR_ORG/ssoThis session is what makes the Configure SSO controls available for your credentials in the next steps.
If you authenticate over HTTPS with a classic personal access token, authorize that token for the org:
1. Go to [github.com/settings/tokens](https://github.com/settings/tokens).
2. Find the token you use for Git (it needs the repo scope for private repos).
3. Click the Configure SSO dropdown shown next to the token.
4. Find your organization in the list and click Authorize.
5. If prompted, complete IdP authentication to confirm.
For a brand-new token, generate it via Generate new token (classic), then immediately use its Configure SSO dropdown to authorize it for the org.
Retry your Git command afterward:
git push origin mainNote: this Configure SSO → Authorize flow applies only to classic PATs (and OAuth apps). Fine-grained PATs use a different mechanism — see the dedicated step below.
If you authenticate over SSH, authorize the specific key for the org:
1. Go to Settings → SSH and GPG keys ([github.com/settings/keys](https://github.com/settings/keys)).
2. Locate the SSH key you use for Git.
3. Click the key's Configure SSO button/dropdown.
- If it is missing, complete Step 1 first so you have an active SAML session.
4. Click Authorize next to your organization (complete IdP auth if prompted).
There is no separate per-key 'Enabled' status label to look for. Once you authorize the key, it simply works against that org's repositories — verify by running a real operation:
# Test connectivity
ssh -T [email protected]
# Hi USERNAME! You've successfully authenticated...
# Confirm access to an org repo
git ls-remote [email protected]:YOUR_ORG/YOUR_REPO.gitIf an admin previously revoked the key's SSO authorization, you do not need to generate a new key. Just open Configure SSO again and re-authorize the same key for the org.
Fine-grained personal access tokens do NOT use the classic Configure SSO toggle. Their access to an org is governed by the org's own policies:
1. Go to [github.com/settings/tokens?type=beta](https://github.com/settings/tokens?type=beta) and create or edit a fine-grained token.
2. Set Resource owner to the SSO-protected organization (you may need an active SAML session for the org to appear).
3. Select the repositories and the minimum required repository/organization permissions.
4. Submit the token. Depending on the org's policy, an organization admin must approve the token before it can access org resources.
5. Until approved, the token will be rejected for that org even though it exists.
If the org is not listed as a possible resource owner, complete Step 1 to start a SAML session, then retry. If the token is pending approval, ask an org owner to approve it under the org's Personal access tokens settings.
SAML sessions expire on a schedule set by your IdP. When a session lapses, an already-authorized credential will start being refused again until you re-authenticate.
1. Re-establish the session by visiting https://github.com/orgs/YOUR_ORG/sso and signing in through your IdP again.
2. Retry the Git operation — no re-authorization of the credential is needed if it was already authorized.
If a credential helper is caching a stale or wrong credential, clear it so the SSO flow can re-run:
# macOS Keychain
printf 'protocol=https\nhost=github.com\n' | git credential-osxkeychain erase
# Linux store
rm -f ~/.git-credentials
# Git Credential Manager
git credential-manager unconfigure
git credential-manager configureOn Windows, open Control Panel → Credential Manager → Windows Credentials and remove git:https://github.com entries, then retry.
Automated systems hit the same two SSO requirements, so they need a credential that is authorized for the org:
GitHub Actions (same org): the built-in GITHUB_TOKEN works automatically for repos in the same organization — no SSO step needed.
Cross-org access: use a token that has been authorized for the target org and store it as a secret:
steps:
- uses: actions/checkout@v4
with:
repository: other-org/repo
token: ${{ secrets.SSO_AUTHORIZED_PAT }}The stored token must be created by a user who has SSO access and, if classic, authorized via Configure SSO → Authorize (or, if fine-grained, owned by the org and admin-approved).
Deploy keys (recommended for single-repo automation): a deploy key is scoped to one repository and does not require SSO authorization. This is the simplest option for CI that only needs one org repo:
ssh-keygen -t ed25519 -f ./deploy_key -C 'ci-deploy-key'
# Add deploy_key.pub under the repo's Settings → Deploy keys### The two independent requirements
SSO enforcement = (active SAML session linking your GitHub identity to the IdP) AND (the specific credential authorized for the org). A failure means at least one is missing. A session can be valid while a credential is unauthorized, and a credential can be authorized while the session has expired — diagnose which one applies.
### Credential types and how SSO applies
| Credential | How it gets SSO access |
|------------|------------------------|
| Classic PAT | Settings → Tokens → Configure SSO → Authorize for the org |
| SSH key | Settings → SSH keys → Configure SSO → Authorize for the org |
| OAuth app token | Granted/authorized for the org when you authorize the OAuth app |
| Fine-grained PAT | Org set as resource owner; org admin approves the token; governed by org PAT policy, NOT the classic Configure SSO toggle |
| GITHUB_TOKEN (Actions) | Automatic for repos in the same org |
| Deploy key | Exempt — repo-scoped, no SSO authorization required |
### Revocation is reversible
If an admin revokes a credential's SSO authorization, the authorization is simply removed — the credential itself is untouched. Re-authorize the same classic PAT or the same SSH key via Configure SSO; you do NOT need to generate a new SSH key or mint a new token.
### API responses
When the GitHub API rejects an unauthorized credential it returns a 403 and an X-GitHub-SSO response header containing a URL where you can authorize the credential or start a session. Following that URL is the programmatic equivalent of the Configure SSO flow.
### IP allow lists
Separate from SSO, some orgs/enterprises enforce IP allow lists. If your credential is authorized and your session is active but access still fails, confirm your source IP (or VPN egress) is permitted by the org's allow list.
ssh: Could not resolve hostname github.com: Name or service not known
How to fix 'ssh: Could not resolve hostname github.com: Name or service not known' in Git
error: insufficient permission for adding an object to repository database .git/objects
How to fix "insufficient permission for adding an object to repository database" in Git
fatal: could not create work tree dir 'repo': Permission denied
How to fix "could not create work tree dir: Permission denied" in Git
Smudge error: Error downloading object: The requested URL returned error
How to fix Git LFS 'Smudge error: Error downloading object' error
fetch-pack: unexpected disconnect while reading sideband packet
How to fix 'unexpected disconnect while reading sideband packet' in Git