feat: add SAML 2.0 support for workspace SSO#113

Merged
alexneamtu merged 14 commits into main from feat/saml
Mar 6, 2026

Conversation


@alexneamtu alexneamtu commented Mar 6, 2026

Summary

  • Add SAML 2.0 as an alternative to OIDC for workspace SSO (Business plan)
  • New SAMLProvider implements existing Provider interface (AuthURL/Exchange)
  • SAML metadata parsing from URL or XML upload, with crewjam/saml library
  • ACS callback endpoint (POST /api/auth/saml/{orgId}/acs) and SP metadata endpoint (GET /api/auth/saml/{orgId}/metadata)
  • Frontend protocol toggle (OIDC/SAML) in workspace SSO settings
  • Migration 000056 adds SAML columns to organization_sso_configs

Test Plan

  • 53 Go SSO tests pass (metadata parsing, provider, handler, ACS callback, SP metadata)
  • 728 frontend tests pass (4 new SAML toggle tests)
  • TypeScript typecheck clean
  • Manual: configure Auth0 SAML app with SP metadata URL, verify SP-initiated login flow


github-actions bot commented Mar 6, 2026

Preview deployed: https://pr-113.app.sendrec.eu

- Use SameSite=None; Secure for SAML state cookie (cross-origin POST)
- Add 1MB body size limit on metadata URL fetch
- Accept KeyDescriptors with unspecified use attribute (Azure AD compat)
- Scan nullable OIDC columns into pointer types in OrgCallback
- Add happy-path test for InitiateOrgSSO with SAML config
- Add test for unspecified KeyDescriptor use attribute
crewjam/saml requires the AuthnRequest ID to validate the response's
InResponseTo attribute. Store the request ID alongside the state in the
sso_state cookie (state|requestID format) and pass it to ParseResponse.
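The state|requestID cookie format and the InResponseTo check that the commit message above describes, as an added example that is not the project's code: it uses only the Go standard library with a constructed sample response, leaves signature and assertion validation to the SAML library (crewjam/saml in the PR), and the cookie path and lifetime are assumptions.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample response; only the attribute this check reads is present.
const sampleResponseXML = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-resp-1" InResponseTo="id-req-1"/>`

// newSSOStateCookie stores CSRF state and AuthnRequest ID as "state|requestID" (both
// fresh crypto/rand tokens per login). SameSite=None; Secure is required because the
// IdP posts the response cross-origin to the ACS endpoint, where Lax would drop it.
func newSSOStateCookie(state, reqID string) *http.Cookie {
	return &http.Cookie{Name: "sso_state", Value: state + "|" + reqID, Path: "/api/auth/saml",
		MaxAge: 600, HttpOnly: true, Secure: true, SameSite: http.SameSiteNoneMode}
}

// parseSSOStateCookie splits "state|requestID"; both halves are mandatory.
func parseSSOStateCookie(v string) (state, reqID string, err error) {
	parts := strings.SplitN(v, "|", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", errors.New("malformed sso_state cookie")
	}
	return parts[0], parts[1], nil
}

type responseEnvelope struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	InResponseTo string   `xml:"InResponseTo,attr"`
}

// checkInResponseTo rejects a response not issued for the AuthnRequest this session
// started (unsolicited or replayed). Signature checks stay with the SAML library.
func checkInResponseTo(responseXML, expectedReqID string) error {
	var r responseEnvelope
	if err := xml.Unmarshal([]byte(responseXML), &r); err != nil {
		return fmt.Errorf("parse response: %w", err)
	}
	if r.InResponseTo == "" || r.InResponseTo != expectedReqID {
		return fmt.Errorf("InResponseTo %q does not match request ID %q", r.InResponseTo, expectedReqID)
	}
	return nil
}
```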
@alexneamtu alexneamtu merged commit 54dfd15 into main Mar 6, 2026
4 checks passed
@alexneamtu alexneamtu deleted the feat/saml branch March 6, 2026 20:21

github-actions bot commented Mar 6, 2026

Preview environment cleaned up.
