feat(platform): unified enterprise SSO + provisioning (OIDC/OAuth2/SAML/SCIM)#1936
Merged
Replace the legacy `sso_providers` module with one unified `enterprise_sso`
integration: a single connection per org carrying protocol-discriminated
sign-in (OIDC, OAuth2, Microsoft Entra, SAML 2.0) plus SCIM 2.0 provisioning
for users AND groups, with a shared role-mapping + group-to-team policy.
- Backend: ported OIDC/OAuth2/Entra adapters + login flow; new OAuth2 adapter;
SAML 2.0 (node-saml node action, SP metadata, IdP- and SP-initiated flows,
signed/encrypted assertion validation); SCIM Users+Groups (soft-disable,
org-from-token); adapter-free provisioning orchestrator.
- Data: `ssoConnections` + `ssoProvisioningLinks` tables; reversible migration
0.2.85/04 carrying `ssoProviders` across; legacy module + duplicate SSO UI
removed; login / trusted-headers / entra-matcher repointed.
- Frontend: dedicated "Enterprise SSO" settings page in its own feature folder
with a per-provider setup guide (Microsoft/Google/OIDC/SAML); i18n en/de/fr.
- Mocks/docs/tests: OpenAPI IdP mock in lib/mocks (+ @tale/mocks -> lib/mocks
reference updates); docs/{en,de,fr}/platform/admin/enterprise-sso; ~90 unit/
integration tests (SCIM HTTP, mappers, provisioning, migration up/down,
a11y, mock contract).
Note: this commit also bundles other uncommitted working-tree changes present
on the branch (CLI dev-mode rework, docs, UI, scripts) at the maintainer's
request.
…hema snapshot
- Un-export internal-only members in lib/shared/schemas/enterprise_sso.ts (view sub-schemas/types used only to build SsoConnectionView) — knip clean.
- Un-export internal helpers in lib/shared/config/config_fingerprint.ts (stripAnnotations/canonical/ConfigVerdict/ConfigSchemaChange) — knip clean.
- Refresh convex/migrations/schema.snapshot.json baseline to record the new ssoConnections/ssoProvisioningLinks tables and the bundled sandbox field rename (bifrostKeyId -> llmGatewayKeyId on ephemeral session tables).
…eleased) The v0.2.85 release was tagged today and already shipped v0_2_85/01-03; a migration added now belongs in the next unreleased version. Move 04_enterprise_sso_unify -> v0_2_86/01_enterprise_sso_unify (id/semver/numericId updated, down floor 0.2.84 -> 0.2.85) and repoint the registry import. Ledger is per-migration-id so application is unaffected; this keeps the folder=next-unreleased-version convention correct.
| @@ -0,0 +1,402 @@ | |||
| 'use node'; | |||
| @@ -0,0 +1,101 @@ | |||
| 'use node'; | |||
| @@ -0,0 +1,196 @@ | |||
| 'use node'; | |||
| @@ -0,0 +1,66 @@ | |||
| 'use node'; | |||
| @@ -0,0 +1,62 @@ | |||
| 'use node'; | |||
| export type SsoConnectionSecrets = z.infer<typeof ssoConnectionSecretsSchema>; | ||
|
|
||
| /** Effective, defaulted connection used when the org has no `connection.json`. */ | ||
| function emptySsoConnectionFile(): SsoConnectionFile { |
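Review bot: `SsoConnectionSecrets` stays exported from the schema module while the view sub-schemas are un-exported, and the docstring on `emptySsoConnectionFile()` only says the result is an "effective, defaulted connection"; it should state that the default returned when `connection.json` is absent is inert (no protocol enabled, no secrets), and a unit test asserting that `SsoConnectionView` carries no field typed `SsoConnectionSecrets` would make the export boundary explicit.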
Unified Enterprise SSO + Provisioning
Replaces the legacy `sso_providers` module with one unified `enterprise_sso` integration — a single connection per org carrying protocol-discriminated OIDC / OAuth2 / Microsoft Entra / SAML 2.0 sign-in plus SCIM 2.0 provisioning for users and groups, behind one adapter-free provisioning policy (role mapping + group→team sync).
Highlights
- Backend (`convex/enterprise_sso/`): ported OIDC/OAuth2/Entra adapters + login flow; new OAuth2 adapter; SAML 2.0 (node-saml node action, SP metadata, IdP- and SP-initiated flows, signed/encrypted assertion validation); SCIM Users+Groups with soft-disable and org-from-token; shared provisioning orchestrator.
- Data: `ssoConnections` + `ssoProvisioningLinks` tables; reversible migration `0.2.85/04` carrying existing `ssoProviders` rows across; legacy module + duplicate SSO settings UI removed; login / trusted-headers / Entra-matcher repointed.
- Mocks/docs: `lib/mocks` for offline SSO e2e (+ `@tale/mocks` → `lib/mocks` reference updates); `docs/{en,de,fr}/platform/admin/enterprise-sso`.
Tests
~230 green: SCIM HTTP (auth/isolation/discovery), mappers, provisioning policy, migration up/down, frontend a11y (all protocols), mock contract, docs structural.
`tsc` + type-aware lint clean; `migrations:check` OK.
Caveats
Note on scope
Per request, this PR also bundles other uncommitted working-tree changes present on the branch (CLI dev-mode rework, docs, UI, scripts) beyond the SSO feature.
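As an added example (not code from this PR or the project), a minimal TypeScript model of the provisioning behaviour the description names: org-from-token tenant scoping, SCIM DELETE as soft-disable, and role mapping plus group→team sync from one policy. All identifiers, the bearer tokens and the in-memory tables are hypothetical stand-ins for the PR's Convex tables and handlers.

```typescript
// Added illustration, not the PR's code: a minimal model of the SCIM provisioning policy
// the description outlines. Names and in-memory tables are hypothetical stand-ins.
type ProvisioningPolicy = {
  defaultRole: "member" | "admin";
  groupToTeam: Map<string, string>; // IdP group displayName -> team id
  adminGroups: string[];            // IdP groups that grant the admin role
};
type UserRecord = { externalId: string; orgId: string; role: string; teams: string[]; active: boolean };
// Constructed sample data: each SCIM bearer token is bound to exactly one org.
const scimTokens = new Map<string, string>([["tok-acme", "org-acme"], ["tok-globex", "org-globex"]]);
const users = new Map<string, UserRecord>();

// org-from-token: the tenant comes only from the bearer token, never from a
// client-supplied orgId in the URL or body.
function orgFromToken(authHeader: string | undefined): string | null {
  const tok = /^Bearer\s+(\S+)$/.exec(authHeader ?? "")?.[1];
  return tok === undefined ? null : (scimTokens.get(tok) ?? null);
}

// Role mapping + group-to-team sync computed from the IdP group list.
function applyPolicy(policy: ProvisioningPolicy, groups: string[]): { role: string; teams: string[] } {
  const role = groups.some((g) => policy.adminGroups.includes(g)) ? "admin" : policy.defaultRole;
  const teams = groups.flatMap((g) => { const t = policy.groupToTeam.get(g); return t === undefined ? [] : [t]; });
  return { role, teams };
}

// SCIM POST/PUT: create or update the user, keyed inside the token's org.
function scimUpsertUser(authHeader: string | undefined, policy: ProvisioningPolicy,
                        externalId: string, groups: string[]): number {
  const orgId = orgFromToken(authHeader);
  if (!orgId) return 401;
  const { role, teams } = applyPolicy(policy, groups);
  users.set(`${orgId}:${externalId}`, { externalId, orgId, role, teams, active: true });
  return 200;
}

// SCIM DELETE is a soft-disable: the row stays for audit, access is revoked.
// A token from another org never sees the row, so it gets 404 (isolation).
function scimDeleteUser(authHeader: string | undefined, externalId: string): number {
  const orgId = orgFromToken(authHeader);
  if (!orgId) return 401;
  const u = users.get(`${orgId}:${externalId}`);
  if (!u) return 404;
  u.active = false;
  return 204;
}
function getUser(orgId: string, externalId: string): UserRecord | undefined {
  return users.get(`${orgId}:${externalId}`);
}
```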