Document how to fix "Resource protected by organization SAML enforcement"

[hoxu]

When an organization enables SAML enforcement, gh starts giving the following error:

$ gh pr create ...
GraphQL error: Resource protected by organization SAML enforcement. You must grant your OAuth token access to this organization.

This is confusing, because if you check your https://github.com/settings/tokens page, the gh token is not there, so it's not immediately obvious what the user should do.

What is required is re-authentication, but it would be a good idea to cover this in a FAQ entry:

$ gh auth login
? What account do you want to log into? GitHub.com
- Logging into github.com
? You're already logged into github.com as XXX. Do you want to re-authenticate? Yes

Or maybe just tell the user to run gh auth login when the command fails with that error.

[viliam-durina]

Thankfully google took me here so this issue already acts as a FAQ entry.

[leiflundberg]

Bumping this as it fixed my problem 👍🏼

[imonkia]

This was super helpful. Spent an unnecessary amount of time trying to "fix" this "issue". Thanks!

[AnkurAgarwal-ST]

Super helpful, fixed my issue immediately.

[rkaurSFDX]

Fixed my issue as well, thanks a ton!

[D99013682]

I have a service connection between Azure DevOps and GitHub for the pipelines to communicate with. It isn't possible to have the user re-authorize with a command. How do I fix the service connection to be re-authorized so when the pipeline is triggered it doesn't need this?

[ffisc]

Thanks for the solution.
@mislav I'm not sure why this issue is closed, since I just got the error and didn't get any suggestions of what to do.
In fact the behavior was misleading: I got a link to authorize in my browser, followed the authorization, but continued to get an error. Only gh auth login fixed it.

[zyrain]

This is not fixed. Re-open please.

[andyfeller]

for posterity, I'm explicitly linking this back to #5054 where the original solution was reworked to give users direction to authorize the organization associated with the PAT within the web browser:

cli/cmd/gh/main.go

Lines 158 to 166 in 6f558c9

	var httpErr api.HTTPError
	if errors.As(err, &httpErr) && httpErr.StatusCode == 401 {
	fmt.Fprintln(stderr, "Try authenticating with: gh auth login")
	} else if u := factory.SSOURL(); u != "" {
	// handles organization SAML enforcement error
	fmt.Fprintf(stderr, "Authorize in your web browser: %s\n", u)
	} else if msg := httpErr.ScopesSuggestion(); msg != "" {
	fmt.Fprintln(stderr, msg)
	}

[andyfeller]

This is not fixed. Re-open please.

@zyrain : Please create a new issue including terminal commands, output, gh version, and any verbose / debug information so we can triage and prioritize! ❤