From 62c4be72039478097ad0793b1781e4b07bd0eeb6 Mon Sep 17 00:00:00 2001 From: Jzilla Date: Wed, 14 Sep 2022 10:49:52 -0700 Subject: [PATCH] Update 360043002793-Troubleshooting-CircleCI-Access-After-Enabling-Github-SSO_en-us.html --- ...oting-CircleCI-Access-After-Enabling-Github-SSO_en-us.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/articles/html/360043002793-Troubleshooting-CircleCI-Access-After-Enabling-Github-SSO_en-us.html b/data/articles/html/360043002793-Troubleshooting-CircleCI-Access-After-Enabling-Github-SSO_en-us.html index 0f822071ed..619d8d17d4 100644 --- a/data/articles/html/360043002793-Troubleshooting-CircleCI-Access-After-Enabling-Github-SSO_en-us.html +++ b/data/articles/html/360043002793-Troubleshooting-CircleCI-Access-After-Enabling-Github-SSO_en-us.html @@ -1,5 +1,5 @@

Org SAML Protection

-

A GitHub organization owner can enable SAML protection for their org, which requires members to authenticate via SSO (e.g. Okta) before they are able to access any resources associated with that organization. When SSO/SAML protection is enabled, previously issued OAuth tokens for applications such as CircleCI become invalid for that organization, and future user GitHub authentication to CircleCI without an active SAML session will result in a loss of access to protected orgs.

+

A GitHub organization owner can enable SAML protection for their org, which requires members to authenticate via SSO (e.g. Okta) before they are able to access any resources associated with that organization. When SSO/SAML protection is enabled, previously issued OAuth tokens for applications such as CircleCI become invalid for that organization, and future user GitHub authentication to CircleCI without an active SAML session will result in a loss of access to protected orgs.

When CircleCI attempts to fetch the config.yml of a project or read other org resources on behalf of a user, and that user has not authorized access to the SAML-protected org as part of the GitHub OAuth flow (see below), the operation will fail. This can impact UI/API interactions, as well as pipeline creation. In the case of VCS-initiated pipelines, GitHub will show a successful webhook delivery in the repository settings, but CircleCI will not be able to fetch the config and a pipeline will not be created.

 

Solution: Re-Authentication
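
Review bot: The removed and added versions of the paragraph beginning "A GitHub organization owner can enable SAML protection" read word for word the same here, and the subject line says only "Update 360043002793-Troubleshooting-CircleCI-Access-After-Enabling-Github-SSO_en-us.html", so a reviewer cannot tell what this hunk is meant to change. If the difference is whitespace or markup only, say so in the commit message; if a wording change was intended, it does not appear to have landed in the added line.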

@@ -23,4 +23,4 @@

Solution: Re-Authentication

It’s important to note that CircleCI only stores a single OAuth token for each GitHub user, regardless of how many orgs they interact within CircleCI. This means that, if a user regularly interacts with multiple orgs, and does not want to re-authenticate when switching between them, it is recommended that they authorize SAML-protected orgs on every re-authentication to CircleCI via GitHub, including when switching devices. This will prevent access-related problems arising from that user’s actions on either platform, e.g. failure to create CircleCI pipelines based when pushing commits.

Sometimes when you switch to SSO, due to how CircleCI handles permissions, all projects will then be unfollowed, and deploy keys will be deleted. Please follow projects in order to add a deploy key and start building on CircleCI.

If you are an org admin and are interested in some preventative steps or how you can avoid common pitfalls when you set up GitHub SSO, check out this article here.

-

 

\ No newline at end of file +
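
Review bot: The end of this hunk carries a "\ No newline at end of file" marker, so the last line of the file is unterminated on at least one side of the change; end the file with a newline so later edits to the closing markup do not show up as last-line diffs. While this section is being touched, the context line ending "failure to create CircleCI pipelines based when pushing commits" has a stray "based", and "check out this article here" would read better with link text that names the article.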