feat(sso): SAML/OIDC single sign-on #3911

Open
0ski wants to merge 1 commit into main from oskar/feat-sso

@0ski 0ski commented Jun 11, 2026

Collaborator

No description provided.

changeset-bot Bot commented Jun 11, 2026


⚠️ No Changeset found

Latest commit: 08a9e68

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

coderabbitai Bot commented Jun 11, 2026

Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

This PR introduces end-to-end SSO support across the monorepo. A new @trigger.dev/sso internal package provides a lazy plugin loader with a full OSS fallback controller. The webapp gains SSO environment variables, a database AuthenticationMethod.SSO enum value, a ssoController singleton, and new user/org-member server models for SSO-based JIT provisioning. Authentication services are extended with a SsoStrategy, auto-discovery helpers, and Redis-backed rate limiting. New Remix routes handle the SSO login page, authorization action, and callback with MFA carry-through. Existing GitHub, Google, and magic-link auth flows add domain-policy enforcement gates. Server-side SSO session revalidation runs on every authenticated request via a Redis-throttled check, with client-side window.fetch interception and EventSource probing for expired sessions. A new organization SSO settings route and updated navigation expose configuration to Enterprise org admins. An accounts webhook route and background worker process inbound IdP events.

@0ski 0ski marked this pull request as ready for review June 11, 2026 17:24
@0ski 0ski self-assigned this Jun 11, 2026
pkg-pr-new Bot commented Jun 11, 2026

@trigger.dev/build

npm i https://pkg.pr.new/@trigger.dev/build@08a9e68

trigger.dev

npm i https://pkg.pr.new/trigger.dev@08a9e68

@trigger.dev/core

npm i https://pkg.pr.new/@trigger.dev/core@08a9e68

@trigger.dev/python

npm i https://pkg.pr.new/@trigger.dev/python@08a9e68

@trigger.dev/react-hooks

npm i https://pkg.pr.new/@trigger.dev/react-hooks@08a9e68

@trigger.dev/redis-worker

npm i https://pkg.pr.new/@trigger.dev/redis-worker@08a9e68

@trigger.dev/rsc

npm i https://pkg.pr.new/@trigger.dev/rsc@08a9e68

@trigger.dev/schema-to-json

npm i https://pkg.pr.new/@trigger.dev/schema-to-json@08a9e68

@trigger.dev/sdk

npm i https://pkg.pr.new/@trigger.dev/sdk@08a9e68

commit: 08a9e68

devin-ai-integration[bot]

This comment was marked as resolved.

coderabbitai[bot]

This comment was marked as resolved.

@0ski 0ski force-pushed the oskar/feat-sso branch from 6bc31eb to 39e498a Compare June 12, 2026 10:34
@0ski 0ski force-pushed the oskar/feat-sso branch 2 times, most recently from f0185b2 to fbf8172 Compare June 15, 2026 17:28
@0ski 0ski force-pushed the oskar/feat-sso branch 2 times, most recently from 5a2cf4b to e5012c1 Compare June 16, 2026 09:27
@0ski 0ski force-pushed the oskar/feat-sso branch from e5012c1 to 416d947 Compare June 16, 2026 13:35
@0ski 0ski force-pushed the oskar/feat-sso branch from 416d947 to c40572c Compare June 16, 2026 14:20
@0ski 0ski force-pushed the oskar/feat-sso branch 3 times, most recently from fa71a08 to 19289bb Compare June 16, 2026 15:36

Vendor-neutral plugin contract plus the host
wiring that consumes it. With no SSO plugin installed, everything degrades
to a no-op fallback, so OSS deployments are unaffected.

- Plugin contract (@trigger.dev/plugins) + lazy loader/fallback in
  internal-packages/sso: status, portal-link, enforce/JIT config,
  route-decision, begin/complete authorization, identity resolution, JIT
  evaluation, and periodic session validation. All methods return
  neverthrow Results; the fallback is fail-open.
- Login: 'Sign in with SSO' entry + dedicated /login/sso flow and
  /auth/sso(.callback) routes, plus auto-discovery from magic-link/OAuth.
- Org settings -> SSO page: plan-tier upsell, connection status,
  verified-domain list, enforcement + JIT provisioning + default-role
  configuration, and an admin-portal link dialog.
- AuthUser carries an optional signed 'sso' marker; SSO-established
  sessions are periodically re-validated against the identity provider on
  a single-flight, throttled, fail-open basis and logged out only on an
  explicit invalid result.
- SSO_ENABLED gate (default off) so the feature ships dark until its
  backing plugin is available; SSO_SESSION_REVALIDATION_INTERVAL_SECONDS
  controls the cadence.
@0ski 0ski force-pushed the oskar/feat-sso branch from 19289bb to 08a9e68 Compare June 16, 2026 15:56
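
The re-validation policy the commit message above describes (single-flight, throttled, fail-open, logout only on an explicit invalid result), as an added example that is not code from this PR. `SsoRevalidator`, `Validator`, `IdpVerdict` and the in-memory maps are hypothetical stand-ins for the plugin's session-validation call and the Redis-backed throttle.

```typescript
// Added example, not code from the PR. All names are hypothetical.
type IdpVerdict = "valid" | "invalid";
type Decision = "keep" | "logout";
type Validator = (sessionId: string) => Promise<IdpVerdict>;

class SsoRevalidator {
  // In-memory stand-ins for the Redis throttle key and the in-flight marker.
  private lastKept = new Map<string, number>();
  private inFlight = new Map<string, Promise<Decision>>();
  private validate: Validator;
  private intervalMs: number;
  private now: () => number;

  constructor(validate: Validator, intervalSeconds: number, now: () => number = Date.now) {
    this.validate = validate;
    this.intervalMs = intervalSeconds * 1000; // cadence, cf. SSO_SESSION_REVALIDATION_INTERVAL_SECONDS
    this.now = now;
  }

  check(sessionId: string): Promise<Decision> {
    // Single-flight: concurrent requests for one session share one IdP call.
    const pending = this.inFlight.get(sessionId);
    if (pending) return pending;
    // Throttle: a session kept within the interval is not re-checked.
    const last = this.lastKept.get(sessionId);
    if (last !== undefined && this.now() - last < this.intervalMs) {
      return Promise.resolve<Decision>("keep");
    }
    const run = this.askIdp(sessionId);
    this.inFlight.set(sessionId, run);
    const clear = () => { this.inFlight.delete(sessionId); };
    run.then(clear, clear);
    return run;
  }

  private async askIdp(sessionId: string): Promise<Decision> {
    let decision: Decision = "keep";
    try {
      if ((await this.validate(sessionId)) === "invalid") decision = "logout";
    } catch {
      // Fail-open: an IdP error or timeout is not an explicit "invalid".
    }
    // Only a kept session starts a new throttle window, so a revoked one
    // is never answered "keep" from the throttle.
    if (decision === "keep") this.lastKept.set(sessionId, this.now());
    return decision;
  }
}
```

Because the fail-open branch treats an unreachable identity provider as "keep", the rate of caught errors is worth alerting on: during an outage, revoked sessions stay live until the provider answers again.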