Mood: 😊
Category: Bugs
Title: GitHub Copilot desktop app token not SAML-authorized for enterprise organizations
Body:
Environment: GitHub Copilot desktop app, Windows, Enterprise Managed User (EMU) account, organization with SAML SSO enforcement (advania-ccoe)
Problem:
The Copilot desktop app injects its own GH_TOKEN environment variable into all spawned sessions. This token has limited scopes (gist, repo, user) and is missing read:org. It is also not SAML-authorized for the organization.
This causes all GitHub API calls from within sessions (reading issues, Inbox, MCP server) to fail with:
"Resource protected by organization SAML enforcement. You must grant your OAuth token access to this organization."
Impact:
- Inbox fails to load ("Couldn't load items")
- Sessions cannot read issues or create PRs via API
- Visiting the SAML authorization URL does not resolve the issue because the token lacks read:org scope
Workaround found:
Unsetting GH_TOKEN before gh CLI calls forces use of the keyring token (obtained via gh auth login), which has correct scopes and SAML authorization. This works but requires manual intervention every session.
Expected behavior:
The app's injected token should either have read:org scope and be SAML-authorized, or the app should fall back to the user's keyring token when the injected token fails SAML checks.
| Field | Value |
| --- | --- |
| App version | 0.2.9 |
| OS | Windows 10.0.26200 |
| Theme | Notionish |
| Path | /chat |
| Tenure | Day 7 (Week 1) |
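The fallback requested under "Expected behavior" can be sketched as follows. This is an added example, not code from the report or from the Copilot app: it classifies a GitHub REST API response by its `X-OAuth-Scopes` and `X-GitHub-SSO` headers and drops `GH_TOKEN` from the child environment when the injected token fails, so that `gh` uses its stored credentials. The function names, the sample responses and the placeholder organization URL are constructed for illustration.

```python
REQUIRED_SCOPES = {"read:org"}  # the scope the report says the injected token lacks

def _lower(headers):
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}

def token_scopes(headers):
    """Scopes granted to the token, from the X-OAuth-Scopes response header."""
    raw = _lower(headers).get("x-oauth-scopes", "")
    return {s.strip() for s in raw.split(",") if s.strip()}

def saml_required(status, headers):
    """True when a 403 response carries 'X-GitHub-SSO: required; url=...'."""
    sso = _lower(headers).get("x-github-sso", "")
    return status == 403 and sso.split(";")[0].strip() == "required"

def diagnose(status, headers):
    """List the reasons this token cannot reach SAML-protected org resources."""
    problems = []
    missing = REQUIRED_SCOPES - token_scopes(headers)
    if missing:
        problems.append("missing scope: " + ", ".join(sorted(missing)))
    if saml_required(status, headers):
        problems.append("token not SAML-authorized for the organization")
    return problems

def env_for_gh(environ, problems):
    """Environment for spawning gh: without GH_TOKEN if the injected token failed."""
    env = dict(environ)
    if problems:
        env.pop("GH_TOKEN", None)  # gh then falls back to its stored credentials
    return env

# Constructed sample responses (not captured from a real session).
INJECTED = (403, {
    "X-OAuth-Scopes": "gist, repo, user",
    "X-GitHub-SSO": "required; url=https://github.com/orgs/EXAMPLE-ORG/sso"
                    "?authorization_request=PLACEHOLDER",
})
KEYRING = (200, {"x-oauth-scopes": "gist, read:org, repo"})

if __name__ == "__main__":
    found = diagnose(*INJECTED)
    print(found)
    print(sorted(env_for_gh({"GH_TOKEN": "constructed", "PATH": "/usr/bin"}, found)))
```

The dictionary returned by `env_for_gh` can be passed as `env=` to `subprocess.run` when the session launches `gh`.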