Stack: GitHub + Okta SSO
Restore the Okta side of GitHub + Okta SSO
If you have a GitHub Enterprise org wired into Okta for SSO, the Okta-side SAML or OIDC app, the SCIM feed, the assigned groups, and the sign-on policies are the recovery surface that matters. GitHub itself has Git as its own recovery layer for source code — but the access layer is in Okta, and the access layer is what Butterfly captures.
Butterfly captures versioned snapshots of every Okta-side resource that gates GitHub login and team assignment. Restore preview shows the exact diff before any revert.
What you get
How Butterfly fits GitHub + Okta SSO
GitHub Okta SSO app is versioned
Every backup captures the Okta-side GitHub app integration — SAML signing certificate, attribute mapping, assigned groups, and sign-on policy.
SCIM-driven GitHub team membership is versioned
The Okta-to-GitHub SCIM connection is part of every snapshot. Team mappings and license-tier assignment are restorable per scope.
Group rules that drive GitHub access are versioned
Restore preview shows which GitHub-bound groups would change before any commit.
What goes wrong
Three incidents you have already seen variations of
SAML signing-cert rotation breaks GitHub SSO mid-release
A scheduled signing-cert rotation was not coordinated with the GitHub SSO trust. Engineers hit a SAML error during a deploy. Restore preview retrieves the prior certificate as a known-good fallback.
Group rule cleanup drops a sub-team from GitHub repos
A directory cleanup removed a group rule feeding the engineering-payments-team group. The team lost access to the payments-service repos. Restore preview surfaces the rule and the membership delta.
SCIM-driven license downgrade strips Copilot access
A SCIM attribute mapping change moved a population from a GitHub license tier that included Copilot to one that did not. Restore preview surfaces the mapping diff.
Honest scope
What Butterfly captures — and what it does not
In scope
The Okta-side configuration governing GitHub SSO: the GitHub SAML / OIDC app integration, attribute mappings, SCIM provisioning configuration, assigned users and groups, group rules driving GitHub team membership, sign-on policies, and Workflows automations that touch GitHub-bound groups.
Out of scope
We do not back up GitHub repositories (git itself is the backup surface for that), branch protection rules, GitHub Actions secrets, or any GitHub-side state.
Plans
Free, Standard, or Business
Free
$0 / forever
- 1 Okta connection
- 7-day retention
- 1 total backup
- No credit card
Standard
$1 / user / month — $99 minimum
- 2 Okta connections
- 90-day retention
- Restore preview + dry-run
- Audit Pack PDF (framework-filterable)
Business
$2 / user / month — $299 minimum
- Unlimited Okta connections
- Unlimited retention
- Continuity (warm standby)
- Priority restore support
Pricing reference: /upgrade. Provider coverage today: Okta, Okta Workflows, Auth0.
Regulatory shape
Compliance and audit angle
SOC 2 CC6 (logical access), ISO 27001 A.5.16 (identity management), and SLSA / supply-chain expectations all assume the identity layer governing source-control access is restorable.
Butterfly's own SOC 2 Type II work is in progress; current status lives in the Trust Center.
Frequently asked
FAQ
How is this different from your GitHub Enterprise stack page?
This page focuses on the SSO link specifically — the SAML / OIDC app, attribute statement, and SCIM feed. The Enterprise stack page is broader and covers the operational scenarios across the GitHub deployment.
Does Butterfly back up Git repositories?
No. Git itself is the backup surface for repositories. Butterfly backs up the Okta-side access layer.
Can we revert the SCIM connection independently?
Yes. Restore preview lets you pick the scope before committing.
Recover your Okta org in minutes, not hours
Talk to Mick (the founder) for a 30-minute demo, or start the free trial. No credit card for the free tier.
More stacks
Okta DR for other stacks
Trust posture, subprocessors, and security details: Trust Center.