by avenueb 3401 days ago
SSO is important for enterprise, but GitHub presents a challenge where devs usually have pre-existing personal accounts which are added to company GitHub accounts, rather than the company account being used.
2 comments

Personal accounts will work fine under the Business plan. You'll just need to hit your organization's IdP for access.
Well, won't that require a different identity? My personal email account is funny-nickname@gmail but my work email is my-real-name@work. GitHub used to allow/encourage multiple identities but then changed it because it was super confusing and hard to manage. Maybe they've fixed that now. :/
They fixed some awkward "custom routing" screens a while ago. I've been using my single account with different companies for years now. I just make sure my git `config.email` is set right, set GitHub to route notifications for work repos to my work email, and it's done.

I've also been the admin on those Business accounts. It's easy.

That's what people used to do before because there were no good options to provision separate work accounts for people. With the new for business model I'm guessing we'll see people being issued work accounts and keeping their personal GitHub accounts completely separate, which might be a good thing.
Developers have the same identity no matter who they work for.

It makes sense to separate access ("this person has access to Example Corp's repos only as long as they work for Example Corp") from identity ("this person owns this account").

Introducing single-sign-on as one way to simplify login, and potentially as a second-factor for gaining access to repositories run by the business, makes sense. Making developers create entirely separate accounts doesn't.

But it's not just about having access to Example Corp. If I log in to GitHub from my work laptop then my company technically has access to my personal GitHub account and the repos of any other organization I happen to belong to. It goes the other way around too. If an attacker hacks my personal laptop and I'm logged into GitHub then they have access to all of my company's repositories.

There are perfectly valid reasons for segregating accounts so that there is complete separation between them.

Your company only manages your membership in the GitHub organization. It doesn't have access to your personal account or the details within it.
It does if I am logged in on a company laptop and they control access to that laptop. (This is hypothetical in this case, I happen to know that the particular company I work at does not have any backdoors on my laptop).
That's why I'm saying it may make sense to separate identity from access.
It is the first scenario, not the second. The person is gaining access to the GitHub organization via SAML SSO. They are bringing their own identity and do not lose access.