I've been trying for some time to figure out an API call to get back a list of Organization members and their 'Linked SSO identity'. We are preparing to enable SSO SAML enforcement and before doing so I want to reach out to users who haven't clicked the optional sign-on with SSO button.
Tonight I noticed some extra text I hadn't spotted in the help page about enabling enforcement. https://help.github.com/en/articles/enforcing-saml-single-sign-on-for-your-organization
In step 2 it reads "After you select Require SAML SSO authentication for all members of the SAML SSO Org organization, organization members who haven't authenticated via your IdP will be shown. If you enforce SAML SSO, these members will be removed from the organization."
This leads me to believe it is safe to check the checkbox to enable enforcement; I may then be presented with the list I've been trying to produce: "organization members who haven't authenticated via your IdP will be shown".
Then perhaps I'll have the option to continue or not continue enabling enforcement. But I do not want to negatively impact users by checking this box to find out.
Part of what gives me hesitation is the text that is provided directly with the checkbox which reads:
"Requiring SAML SSO will remove all members (excluding outside collaborators) who have not authenticated their accounts. Members will receive an email notifying them about the change. Leaving this option unchecked will allow you to test before requiring"
Does anyone know if it's safe to move past the first checkbox without actually enforcing SSO and if this will produce the list of users who haven't authenticated via SSO yet?
There is another way to view a list of those who have not signed in to your account via SAML. Navigate to https://github.com/orgs/<yourOrgName>/people?utf8=✓&query=+sso%3Aunlinked. This will show you a filtered view of all members of your org without a linked SAML identity and who would be removed if SAML enforcement is enabled.
If one or more users are removed by this process they can simply be re-invited to the org. When they accept the invitation they will be redirected to your IdP's sign-in page before being allowed back in.
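For the API route the question asks about, here is an added example (not from the original post or the answer above) that produces the same list as the `sso:unlinked` filter, plus each linked member's SAML NameID: it pages through the org's members and the identities linked through the org's IdP using the GitHub GraphQL API's `samlIdentityProvider.externalIdentities` connection, which this page does not mention. The token and org login are supplied by the caller, and `SAMPLE_PAGES` is a constructed response used only to exercise the reconciliation logic offline.

```python
import json
import urllib.request

# One page of org members and one page of identities linked through the org's SAML IdP.
QUERY = """query($org: String!, $membersAfter: String, $idsAfter: String) {
  organization(login: $org) {
    membersWithRole(first: 100, after: $membersAfter) {
      pageInfo { hasNextPage endCursor } nodes { login } }
    samlIdentityProvider { externalIdentities(first: 100, after: $idsAfter) {
      pageInfo { hasNextPage endCursor } nodes { user { login } samlIdentity { nameId } } } } } }"""

def fetch_pages(token, org):
    """Yield the 'organization' object of each API page until both connections are exhausted."""
    variables = {"org": org, "membersAfter": None, "idsAfter": None}
    while True:
        req = urllib.request.Request(
            "https://api.github.com/graphql", data=json.dumps({"query": QUERY, "variables": variables}).encode(),
            headers={"Authorization": f"bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)["data"]["organization"]
        yield page
        idp = page.get("samlIdentityProvider") or {}  # null when the org has no SAML IdP
        cursors = {"membersAfter": page["membersWithRole"]["pageInfo"],
                   "idsAfter": idp.get("externalIdentities", {}).get("pageInfo", {})}
        more = {k: v["endCursor"] for k, v in cursors.items() if v.get("hasNextPage")}
        if not more:
            return
        variables.update(more)  # advance only connections with pages left; a finished one just repeats its last page

def linked_identities(pages):
    """Map GitHub login -> SAML NameID for every identity that a member has linked."""
    linked = {}
    for page in pages:
        idp = page.get("samlIdentityProvider") or {}
        for ident in idp.get("externalIdentities", {}).get("nodes", []):
            if ident.get("user"):  # user is null for a provisioned identity nobody has linked yet
                linked[ident["user"]["login"]] = ident["samlIdentity"]["nameId"]
    return linked

def unlinked_members(pages):
    """Members with no linked SAML identity: the accounts that enforcement would remove."""
    pages = list(pages)  # fetch_pages is a generator and we walk the pages twice
    members = {n["login"] for p in pages for n in p["membersWithRole"]["nodes"]}
    return sorted(members - set(linked_identities(pages)))

SAMPLE_PAGES = [{  # constructed sample page (not real API output): one linked member, one orphan identity
    "membersWithRole": {"pageInfo": {"hasNextPage": False}, "nodes": [{"login": "alice"}, {"login": "bob"}, {"login": "carol"}]},
    "samlIdentityProvider": {"externalIdentities": {"pageInfo": {"hasNextPage": False}, "nodes": [
        {"user": {"login": "alice"}, "samlIdentity": {"nameId": "alice@example.com"}},
        {"user": None, "samlIdentity": {"nameId": "ghost@example.com"}}]}}}]
```

Against a live org, call `unlinked_members(fetch_pages(token, org))` with an organization owner's token; the result is the same set of accounts the `sso:unlinked` people filter shows.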