SamlSso

SAML SSO Detection

Detects GitHub SAML SSO enforcement responses.

GitHub signals that a token is blocked by organisation SAML SSO with HTTP 403 and an X-GitHub-SSO header containing a url=... directive pointing at the authorisation page the user must visit.

The header comes from a remote server and must be treated as untrusted input. This module:

  • only inspects 403 responses (SAML enforcement is strictly a 403),
  • parses the header with a boundary-anchored regex so that directives like partial_results_url=... cannot collide with url=...,
  • validates that the extracted URL is https://github.com/... before trusting it, rejecting anything else (javascript:, file:, phishing hostnames, …).

Functions

detectSamlSsoError

TypeScript
function detectSamlSsoError(response: Response, messagePrefix: string): SamlSsoError | undefined;

Defined in: packages/core/src/samlSso.ts:68

Detect a SAML SSO enforcement error from a non-ok HTTP response.

Returns a SamlSsoError when the response is a 403 and the X-GitHub-SSO header contains a trustworthy authorisation URL; otherwise returns undefined so the caller can fall back to a plain import("./errors.js").NetworkError.

Parameters

Parameter      Type      Description
response       Response  The failing HTTP response.
messagePrefix  string    Prefix for the error message (e.g. the caller context such as "HTTP 403" or "Failed to download: HTTP 403").

Returns

SamlSsoError | undefined


Reuse

MIT