Single sign-on (SSO)
SAML 2.0 and OIDC config storage so an admin can wire a corporate identity provider against their tenant. Enterprise plan only.
Key points
- Stores IdP metadata only: entity id, SSO URL, cert (SAML) or issuer + client id + secret (OIDC).
- Supports an optional enforced_domain — when a login email matches the domain, the tenant must use SSO.
- OIDC client secret is write-only on the API: read endpoints return a presence indicator, never the raw value.
- Admin-only mutation: a non-admin gets a 403 even when the feature is allowed on the plan.
01
What is shipped
- Metadata storage and admin UI under /settings/sso.
- Plan-gate enforcement (Enterprise) at PUT time, with 402 PLAN_UPGRADE_REQUIRED for lower tiers.
- Audit log entry per upsert / delete so the IdP cutover is traceable.
02
What is not shipped yet
- Actual SAML assertion verification at login time — login still goes through password + Google OAuth.
- OIDC code exchange and JIT user provisioning.
- IdP-initiated login flow.