supabase/supa-mdx-lint/Rule001HeadingCase.toml
Chris Stockton a3e71ba888 feat(sso): add IdP-initiated login support with optional domains (#44033)
Implements comprehensive IdP-initiated login flow support, enabling
organizations to configure SSO without email domains and support
multiple SAML apps under the same domain (e.g., Dev/Staging/Prod
environments).

- Add "Enable SP-initiated login" toggle to SSOConfig.tsx
  - IdP-initiated flow is now always available (default)
  - SP-initiated flow is opt-in with domain requirement
  - Clear in-UI documentation explaining both flows
- Make domains optional (only required when SP-initiated enabled)
- Add form validation: domains required only if SP-initiated is ON
- Fix org-switching bug: form now resets when switching organizations
  - Add organization.slug to useEffect dependencies
  - Prevent stale SSO config data from previous org being displayed

- **IdP-initiated flow**: Users start login from identity provider
dashboard
  - No domain configuration required
  - Enables multiple SAML apps per domain
  - Recommended default for enterprises
- **SP-initiated flow**: Users start login at supabase.com (opt-in)
  - Requires email domain configuration
  - Maintains backward compatibility
- **Both flows**: Can be enabled simultaneously for flexible access

- Organizations can now create separate SSO providers for
Dev/Staging/Prod
  - Each environment = separate SAML app in IdP
  - All using same email domain (e.g., company.com)
  - Users access via different IdP app tiles
  - No domain conflicts or subdomain requirements

- Add 4 pages to SSO sidebar menu in NavigationMenu.constants.ts:
  - Understanding Login Flows (existing, now visible)
  - Choosing a Login Flow (existing, now visible)
  - Multiple SSO Providers (NEW comprehensive guide)
  - Testing and Best Practices (existing, now visible)

Create comprehensive guide covering:
- Multi-environment patterns (Dev/Staging/Prod with same domain)
- Team separation, migration, and acquisition scenarios
- Step-by-step setup for domainless providers
- User access management and IDP app assignment strategies
- Configuration synchronization and best practices
- Troubleshooting common multi-provider issues

Major expansion of testing-best-practices.mdx:
- Fix outdated assumptions (domains no longer always required)
- Add comprehensive login flow testing section:
  - IdP-initiated testing (no domains)
  - SP-initiated testing (with domains)
  - Domainless provider testing (multi-environment pattern)
- Enhance auto-join testing with 8 detailed test phases:
  - Idempotency testing (no duplicate memberships)
  - Domainless configuration testing
  - Re-enablement testing (works on every login)
- Add SSO account restrictions testing section
- Add safe provider deletion testing with 4 test scenarios
- Reorganize final checklist into 6 categorized sections

Update azure.mdx, gsuite.mdx, okta.mdx:
- Remove all "(coming soon)" references
- Add guidance recommending IdP-initiated for multi-environment setups
- Clarify domains are optional for IdP-initiated flow
- Link to new Multiple SSO Providers guide

**Domain Handling:**
- Domains now optional in SSO provider configuration
- Backend: `z.array(...).optional().default([])`
- UI: Domains only required when SP-initiated toggle is ON
- Empty array sent to API when SP-initiated disabled

**Login Flow Logic:**
- IdP-initiated: Always available, uses SAML assertion directly
- SP-initiated: Requires domain lookup, opt-in only
- Both flows can coexist with same SSO provider

**Multi-Provider Support:**
- Each provider has unique ACS URL
- No domain conflicts (IdP-initiated doesn't check domains)
- Enables unlimited providers per email domain

- **Simplifies SSO setup**: No domain configuration needed by default
- **Enables multi-environment**: Dev/Staging/Prod under same domain
- **Improves UX**: One-click login from IdP dashboard
- **Maintains compatibility**: SP-initiated still available as opt-in
- **Better documentation**: Comprehensive guides for all scenarios

## UI

### SSO Disabled
<img width="742" height="329" alt="sso-disabled"
src="https://github.com/user-attachments/assets/73387777-181c-4206-9798-36f0d0790e4e"
/>

### SSO Enabled - IdP-initiated (DEFAULT)
<img width="742" height="1059" alt="sso-enabled-idp"
src="https://github.com/user-attachments/assets/c189e08f-7642-4183-8853-dd5150b8a191"
/>

### SSO Enabled - SP-initiated
<img width="727" height="1366" alt="sso-enabled-sp"
src="https://github.com/user-attachments/assets/be5ad6dc-4803-446b-ae02-9edcbb5f42cd"
/>


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Added comprehensive guides for SSO login flow selection, testing best
practices, and configuring multiple providers
* Updated provider-specific setup documentation (Okta, Azure, Google
Workspace) with refined workflows and testing recommendations
* **New Features**
* Enhanced SSO configuration interface with SP-initiated login toggle
and improved email domain management for flexible authentication flows

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Chris Stockton <chris.stockton@supabase.io>
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Chris Chinchilla <chris@chrischinchilla.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-20 16:47:35 +00:00
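The domain rule and the two resolution paths described in the commit message, as an added Python model that is not Supabase's code: `SsoProvider`, `ProviderRegistry` and every sample value are constructed, and keying IdP-initiated resolution on the provider's unique ACS URL is this example's assumption drawn from the "unique ACS URL" point above.

```python
from dataclasses import dataclass

# Added illustration of the provider rules in the commit message; not Supabase's
# code. SsoProvider, ProviderRegistry and all sample values are constructed.


@dataclass(frozen=True)
class SsoProvider:
    slug: str                      # constructed label, e.g. "acme-prod"
    acs_url: str                   # unique per provider; assertions are posted here
    sp_initiated: bool = False     # opt-in; IdP-initiated is always available
    domains: tuple[str, ...] = ()  # only meaningful when sp_initiated is True


def validate_provider(p: SsoProvider) -> list[str]:
    """Form rule: domains are required only when SP-initiated login is ON."""
    if p.sp_initiated and not p.domains:
        return ["SP-initiated login requires at least one email domain"]
    return []


class ProviderRegistry:
    def __init__(self) -> None:
        self._by_acs: dict[str, SsoProvider] = {}

    def add(self, p: SsoProvider) -> SsoProvider:
        # Domains are only kept when SP-initiated is on; otherwise an empty list is stored.
        domains = tuple(d.lower() for d in p.domains) if p.sp_initiated else ()
        p = SsoProvider(p.slug, p.acs_url, p.sp_initiated, domains)
        errors = validate_provider(p)
        if errors:
            raise ValueError("; ".join(errors))
        if p.acs_url in self._by_acs:
            raise ValueError(f"ACS URL already registered: {p.acs_url}")
        self._by_acs[p.acs_url] = p
        return p

    def resolve_idp_initiated(self, acs_url: str):
        # IdP-initiated: the assertion arrives at a provider-specific ACS URL,
        # so the provider is identified without consulting email domains.
        return self._by_acs.get(acs_url)

    def resolve_sp_initiated(self, email: str) -> list[SsoProvider]:
        # SP-initiated: the login page only has an email, so look up by its domain.
        domain = email.rsplit("@", 1)[-1].lower()
        return [p for p in self._by_acs.values()
                if p.sp_initiated and domain in p.domains]
```

Three domainless providers (Dev/Staging/Prod) can share one IdP tenant and one user base because each is reached only through its own ACS URL; only a provider with SP-initiated enabled is ever returned by the email-domain lookup.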

278 lines
5.1 KiB
TOML

# Heading should be sentence case
# Words that may be uppercased even if they are not the first word in the sentence.
# Can also specify a regex that is compatible with the [Rust regex crate](https://docs.rs/regex/latest/regex/).
may_uppercase = [
"[A-Z0-9]{2,5}s?",
"Option [A-Z]",
"APIs",
"Add-ons?",
"Amazon RDS",
"Analytics",
"Android",
"Angular",
"Apache Spark",
"Apple",
"Assistant",
"Audit Logs?",
"Auth",
"Auth API Gateway",
"Auth0",
"Auth0 Actions?",
"AWS Marketplace",
"Azure",
"Azure Developers?",
"Azure MyApps",
"BigQuery",
"Bitbucket",
"Bitbucket Pipelines",
"Boolean",
"Branching",
"Broadcast",
"CAPTCHA",
"Catalog",
"Channel",
"ChatGPT",
"Chrome",
"Chrome Developer Tools",
"Clerk",
"Cloudflare",
"Cloudflare Workers?",
"Claude Code",
"Code Exchange",
"Colab",
"Compute",
"Compute Credits",
"Compute Hours",
"Content Delivery Network",
"Copilot",
"Cron",
"Cron Jobs?",
"Data API",
"Datadog",
"Dart",
"Dashboard",
"Database Functions?",
"Deadpool",
"Dedicated Pooler",
"Deno",
"DigitalOcean",
"Discord",
"Discord Developers?",
"Disk",
"Django",
"Docker",
"Drain",
"Drizzle",
"DuckDB",
"Edge Functions?",
"Editor",
"Egress",
"Embeddings API",
"Enterprise",
"Enterprise Plan",
"Events",
"Expo",
"Ethereum",
"Facebook",
"Facebook Developers?",
"Fair Use Policy",
"Fees",
"Figma",
"Figma Developers?",
"Firebase",
"Firebase Authentication",
"Firestore",
"Flutter",
"Functions?",
"Free Plan",
"Frequently Asked Questions",
"Git",
"GitHub",
"GitHub Actions",
"GitLab",
"GoTrue",
"Google",
"Google Workspace",
"Grafana",
"Grafana Cloud",
"GraphQL",
"Heroku",
"Homebrew",
"Hono",
"Hooks?",
"Hours",
"Hugging Face",
"I",
"IPv4",
"IPv6",
"IVFFlat",
"Iceberg",
"Identity Provider Initiated",
"IdP",
"Inbucket",
"Index Advisor",
"IntelliJ",
"Ionic Angular",
"Ionic React",
"Ionic Vue",
"JavaScript",
"JSON Web Tokens?",
"JWTs",
"Kakao",
"Kakao Developers?",
"Kakao Login",
"Keycloak",
"Kotlin",
"Kotlin Multiplatform",
"Kysely",
"Large Language Models?",
"LinkedIn",
"LinkedIn Developers?",
"Linux",
"LlamaIndex",
"Llamafile",
"Logs Explorer",
"Lovable",
"Lovable Cloud",
"Magic Link",
"Mailpit",
"Management API",
"Marketplace",
"Inspector",
"Metrics API",
"Mixpeek",
"Mixpeek Embed",
"Model Context Protocol",
"MySQL",
"Navigable Small World",
"Neon",
"Next.js",
"Node.js",
"Notion",
"Nuxt",
"OAuth",
"Okta",
"Ollama",
"OpenAI",
"OpenID Connect",
"Open ID Connect",
"OpenMetrics",
"OrbStack",
"OrioleDB",
"PGAudit",
"pgvector",
"Pandas",
"PgBouncer",
"Phoenix",
"Pro Plan",
"Podman",
"Poetry",
"Postgres",
"Postgres Changes",
"PostgreSQL",
"PostgREST",
"Presence",
"Prisma",
"PrivateLink",
"Prometheus",
"PyIceberg",
"Python",
"Qodo Gen",
"Queues?",
"Quotas",
"Query Performance",
"React",
"Rollup",
"React Email",
"React Native",
"Read Replicas?",
"Realtime API Gateway",
"Realtime",
"Reciprocal Ranked Fusion",
"Redis",
"RedwoodJS",
"Refine",
"Remix",
"Render",
"Retrieval Plugin",
"Roboflow Inference",
"Row Level Security",
"Send Email Hook",
"SendGrid",
"Sentry",
"Server-Side Auth",
"Server-Side Rendering",
"Service Provider Initiated",
"Shared Pooler",
"Single Sign-On",
"Slack",
"Slack Developers?",
"Social Login",
"SolidJS",
"Spend Cap",
"Spotify",
"Spotify Developers?",
"Sqitch",
"Storage",
"Studio",
"Supabase",
"Supabase AI Assistant",
"Supabase Marketplace",
"Supavisor('s)?",
"Svelte",
"SvelteKit",
"Swift",
"SwiftUI",
"Solana",
"Team Plan",
"Telegram",
"Third-Party Auth",
"TimescaleDB",
"TooManyChannels",
"Transformers.js",
"Twilio",
"Twitch",
"Twitch Developers?",
"Twitter",
"Twitter Developers?",
"TypeScript",
"Ubuntu",
"Uppy",
"Upstash",
"URIs",
"URLs",
"Unsplash",
"Usage",
"Xcode",
"Vault",
"VSCode",
"Vecs",
"Vector",
"Vercel",
"Vercel Fluid",
"Vercel Marketplace",
"Visual Studio Code",
"VM",
"Vite",
"Vue",
"Wasm",
"Web",
"WebAssembly",
"WebP",
"WebSockets?",
"WebStorm",
"Web3",
"Windows",
"WorkOS",
"Wrappers",
"Write-Ahead Log(s|ging)?",
"X",
"Zoom",
"Zoom Developers?",
]
# Words that may be lowercased even if they are the first word in the sentence.
# Can also specify a regex that is compatible with the [Rust regex crate](https://docs.rs/regex/latest/regex/).
may_lowercase = ["asyncpg", "iOS", "imgproxy"]
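The sentence-case rule this file configures, as an added Python checker that is not supa-mdx-lint's own code: `check_heading` is constructed for the example, only a subset of the file's allow-lists is copied in, and Python's `re` stands in for the Rust regex crate (the patterns shown behave the same in both).

```python
import re

# Added illustration of the sentence-case rule that Rule001HeadingCase.toml
# configures; it is not supa-mdx-lint's own code and uses Python's `re` instead
# of the Rust regex crate (the patterns below behave the same in both). Only a
# subset of the file's allow-lists is included.
MAY_UPPERCASE = [
    "[A-Z0-9]{2,5}s?", "Option [A-Z]", "Amazon RDS", "Edge Functions?", "GitHub",
    "GitHub Actions", "Next.js", "Row Level Security", "Write-Ahead Log(s|ging)?",
]
MAY_LOWERCASE = ["asyncpg", "iOS", "imgproxy"]

# Each pattern is anchored at word boundaries and compiled on its own, so that
# "GitHub Actions" is one allowed phrase even though "GitHub" is also listed
# (a single alternation would stop at whichever alternative is listed first).
_UPPER = [re.compile(rf"(?<![\w.])(?:{p})(?!\w)") for p in MAY_UPPERCASE]
_LOWER = [re.compile(p) for p in MAY_LOWERCASE]


def check_heading(heading: str) -> list[str]:
    """Return the words of `heading` that break sentence case (empty means OK)."""
    allowed = [m.span() for rx in _UPPER for m in rx.finditer(heading)]

    def covered(i: int) -> bool:
        return any(start <= i < end for start, end in allowed)

    violations = []
    for n, word in enumerate(re.finditer(r"\S+", heading)):
        text = word.group()
        uppers = [i for i in range(word.start(), word.end()) if heading[i].isupper()]
        if n == 0:
            if any(rx.fullmatch(text) for rx in _LOWER):
                continue                    # e.g. "iOS" may start a heading
            if not text[0].isupper():
                violations.append(text)     # the first word must be capitalised
                continue
            uppers = uppers[1:]             # its leading capital is expected
        if any(not covered(i) for i in uppers):
            violations.append(text)
    return violations


if __name__ == "__main__":
    for h in ("Using Edge Functions with GitHub", "Using Edge Functions With GitHub"):
        print(f"{h!r}: {check_heading(h) or 'OK'}")
```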