feat(sso): add support for login with SAML/SSO #1489
…ing either one with script and UI form
Greptile Overview
Summary
This PR implements comprehensive SAML/SSO authentication support for enterprise users and self-hosted deployments. The implementation adds dynamic SSO provider registration capabilities by upgrading better-auth to version 1.3.12 and integrating the `@better-auth/sso` plugin. The feature introduces several key components: a new `sso_provider` database table to store SSO configurations, API endpoints for provider registration and management, SSO login components that integrate seamlessly with existing authentication flows, and comprehensive settings UI for configuring both OIDC and SAML 2.0 providers. The solution addresses better-auth's limitation of not exposing dynamic SSO provider registration by providing both a web interface and a direct database script for initial setup.
The authentication flow supports flexible deployment scenarios through environment variables - SSO can be configured as the primary authentication method (with email/password disabled), as an additional option alongside social logins, or completely disabled. The implementation includes extensive provider support for common enterprise identity providers like Okta, Azure AD, Auth0, and custom SAML 2.0 providers.
The codebase changes span authentication configuration, database schema, UI components, and API endpoints. New SSO-related pages and forms follow the established patterns of existing authentication components, maintaining visual and functional consistency. The implementation includes proper role-based access control, with different permission models for SaaS (enterprise plan + admin/owner roles) versus self-hosted deployments (user-based ownership).
Important Files Changed
Changed Files
| Filename | Score | Overview |
|---|---|---|
| apps/sim/app/api/auth/sso/register/route.ts | 2/5 | New API endpoint for dynamic SSO provider registration with security vulnerabilities and type safety issues |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/sso/sso.tsx | 3/5 | Comprehensive SSO settings component with complex state management and potential error handling issues |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/settings-navigation/settings-navigation.tsx | 3/5 | SSO navigation integration with complex permission logic and API calls in useEffect |
| apps/sim/app/api/auth/sso/providers/route.ts | 3/5 | SSO providers endpoint with data consistency and security concerns |
| apps/sim/app/(auth)/sso/sso-form.tsx | 4/5 | SSO authentication form with comprehensive validation and error handling |
| apps/sim/lib/auth.ts | 4/5 | Better-auth configuration with SSO plugin integration and trusted provider patterns |
| apps/sim/lib/env.ts | 4/5 | Comprehensive SSO environment configuration with 38 new variables |
| apps/sim/app/(auth)/login/login-form.tsx | 4/5 | Login form integration with conditional SSO rendering logic |
| apps/sim/app/(auth)/signup/signup-form.tsx | 4/5 | Signup form integration with complex conditional authentication method rendering |
| packages/db/scripts/register-sso-provider.ts | 4/5 | Database script for SSO provider registration with comprehensive configuration options |
| packages/db/schema.ts | 4/5 | New sso_provider table with proper relationships and indexing |
| packages/db/migrations/0095_cheerful_albert_cleary.sql | 4/5 | Database migration creating SSO provider infrastructure |
| packages/db/migrations/meta/0095_snapshot.json | 4/5 | Migration snapshot with comprehensive database schema additions |
| apps/sim/lib/auth-client.ts | 4/5 | SSO client configuration with conditional plugin loading |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/environment/environment.tsx | 4/5 | Browser autocomplete prevention for sensitive environment variables |
| apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/components/sub-block/components/webhook/components/ui/webhook-url.tsx | 4/5 | Minor icon consistency improvement unrelated to main SSO feature |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx | 4/5 | Settings modal integration with new SSO section |
| apps/sim/package.json | 4/5 | Better-auth dependency upgrades to enable SSO functionality |
| apps/sim/app/(auth)/components/sso-login-button.tsx | 5/5 | Clean SSO login button component with proper environment variable handling |
| apps/sim/app/(auth)/sso/page.tsx | 5/5 | SSO page with proper environment validation and Next.js app router integration |
| apps/sim/app/(auth)/components/social-login-buttons.tsx | 5/5 | Extended social login component to support additional SSO children |
| apps/sim/app/theme-provider.tsx | 5/5 | Theme configuration update to include SSO pages in light mode forcing |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/team-management/team-management.tsx | 5/5 | Layout improvements for better scrollability and information hierarchy |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/team-management/components/team-seats-overview/team-seats-overview.tsx | 5/5 | Minor text correction for enterprise support message clarity |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts | 5/5 | Added SSO component export to settings modal components |
| packages/db/migrations/meta/_journal.json | 5/5 | Migration journal update tracking new SSO provider table creation |
Confidence score: 2/5
- This PR introduces complex SSO functionality with several security vulnerabilities and type safety issues that require immediate attention
- Score reflects critical issues in API endpoints including unsafe type assertions, header copying without validation, and potential sensitive data logging
- Pay close attention to `apps/sim/app/api/auth/sso/register/route.ts` and `apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/sso/sso.tsx`, which contain the most problematic code
Sequence Diagram
```mermaid
sequenceDiagram
    participant User
    participant LoginForm as "Login Form"
    participant AuthClient as "Auth Client"
    participant SSOButton as "SSO Button"
    participant LoginAPI as "Login API"
    participant SSOForm as "SSO Form"
    participant AuthService as "Auth Service"
    participant Database as "Database"
    User->>LoginForm: "Navigate to login page"
    LoginForm->>AuthClient: "Check SSO enabled"
    AuthClient-->>LoginForm: "SSO configuration"
    alt SSO Only Mode
        LoginForm->>SSOButton: "Show primary SSO button"
        User->>SSOButton: "Click Sign in with SSO"
        SSOButton->>SSOForm: "Redirect to SSO form"
        User->>SSOForm: "Enter work email"
        SSOForm->>AuthClient: "signIn.sso({email, callbackURL})"
        AuthClient->>AuthService: "Process SSO request"
        AuthService->>Database: "Find SSO provider by domain"
        Database-->>AuthService: "Provider configuration"
        AuthService-->>User: "Redirect to identity provider"
    else Email/Password with SSO
        LoginForm->>LoginForm: "Show email/password form"
        LoginForm->>SSOButton: "Show SSO as additional option"
        User->>LoginForm: "Enter email and password"
        User->>LoginForm: "Submit form"
        LoginForm->>AuthClient: "signIn.email({email, password})"
        AuthClient->>LoginAPI: "POST /api/auth/signin"
        LoginAPI->>AuthService: "Validate credentials"
        AuthService->>Database: "Check user credentials"
        Database-->>AuthService: "User data"
        AuthService-->>LoginAPI: "Authentication result"
        LoginAPI-->>AuthClient: "Success/error response"
        AuthClient-->>LoginForm: "Handle response"
        alt Authentication Success
            LoginForm->>User: "Redirect to workspace"
        else Authentication Failed
            LoginForm->>User: "Show error message"
        end
    end
```
26 files reviewed, 25 comments
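The review above flags unsafe type assertions, unvalidated request data and sensitive-data logging in the register endpoint, and describes the two permission models (SaaS: enterprise plan plus admin/owner role; self-hosted: provider ownership). The following is an added example, not code from this PR or from the sim project, showing how those three concerns are typically handled in a registration handler: a type guard instead of `body as ...`, an explicit authorization decision, and secret redaction before logging. The field names (`providerId`, `domain`, `issuer`, `clientSecret`, `entryPoint`, `idpCert`) and the `canRegister` context shape are assumptions for illustration.

```typescript
// Added example (not the PR's code). Field names and context shape are assumed.
type Deployment = 'saas' | 'self-hosted';
type Role = 'owner' | 'admin' | 'member';
interface OidcProvider { type: 'oidc'; providerId: string; domain: string; issuer: string; clientId: string; clientSecret: string }
interface SamlProvider { type: 'saml'; providerId: string; domain: string; entryPoint: string; idpCert: string }
type SsoProvider = OidcProvider | SamlProvider;

const PROVIDER_ID = /^[a-z0-9-]{1,64}$/;          // slug used in callback URLs: keep it narrow
const DOMAIN = /^[a-z0-9.-]+\.[a-z]{2,}$/i;       // e-mail domain the provider is matched on

function str(o: Record<string, unknown>, k: string): string | null {
  const v = o[k];
  return typeof v === 'string' && v.length > 0 ? v : null;
}

// Validate the untyped request body field by field instead of `body as SsoProvider`.
function parseProvider(body: unknown): SsoProvider | { error: string } {
  if (typeof body !== 'object' || body === null) return { error: 'body must be an object' };
  const o = body as Record<string, unknown>;
  const providerId = str(o, 'providerId');
  const domain = str(o, 'domain');
  if (!providerId || !PROVIDER_ID.test(providerId)) return { error: 'invalid providerId' };
  if (!domain || !DOMAIN.test(domain)) return { error: 'invalid domain' };
  if (o.type === 'oidc') {
    const issuer = str(o, 'issuer'), clientId = str(o, 'clientId'), clientSecret = str(o, 'clientSecret');
    if (!issuer || !issuer.startsWith('https://')) return { error: 'issuer must be an https URL' };
    if (!clientId || !clientSecret) return { error: 'missing OIDC client credentials' };
    return { type: 'oidc', providerId, domain, issuer, clientId, clientSecret };
  }
  if (o.type === 'saml') {
    const entryPoint = str(o, 'entryPoint'), idpCert = str(o, 'idpCert');
    if (!entryPoint || !entryPoint.startsWith('https://')) return { error: 'entryPoint must be an https URL' };
    if (!idpCert) return { error: 'missing idpCert' };
    return { type: 'saml', providerId, domain, entryPoint, idpCert };
  }
  return { error: 'type must be oidc or saml' };
}

// SaaS: enterprise plan AND admin/owner role. Self-hosted: the caller owns the provider.
function canRegister(ctx: { deployment: Deployment; plan?: string; role?: Role; ownsProvider?: boolean }): boolean {
  if (ctx.deployment === 'saas') return ctx.plan === 'enterprise' && (ctx.role === 'admin' || ctx.role === 'owner');
  return ctx.ownsProvider === true;
}

// Mask credential fields before a provider config is handed to any logger.
const SECRET_KEYS = ['clientSecret', 'privateKey'];
function redactForLog(p: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const k of Object.keys(p)) out[k] = SECRET_KEYS.indexOf(k) >= 0 ? '[REDACTED]' : p[k];
  return out;
}
```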
Summary
add support for login with SAML/SSO for enterprise users, or self-hosted users with the option to register the provider using a script since better-auth doesn't expose dynamic SSO/SAML provider registration.
Type of Change
Testing
Tested registration with the form and with the script for OIDC/SSO provider, and for SAML 2.0 providers as well. Everything works.
Checklist
Screenshots/Videos
Login page:

Login page for users with only SSO login enabled (social + email login disabled):

