Update documentation for SSO
Pull request overview
This pull request implements Single Sign-On (SSO) support for Jetstream teams, including both SAML 2.0 and OIDC protocols. The implementation adds domain verification, audit logging for team actions, security hardening, improved rate limiting, and a seamless SSO login experience with domain discovery.
Changes:
- Added SAML and OIDC SSO provider support with comprehensive configuration management
- Implemented domain verification system to validate organization ownership before enabling SSO
- Added audit logging for all team-related actions
- Enhanced security with SSRF protection, improved rate limiting, and encryption for SSO secrets
- Updated authentication flows to support two-step login (email → discovery → password/SSO)
- Added comprehensive E2E test coverage for SSO authentication paths
Reviewed changes
Copilot reviewed 132 out of 160 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| prisma/migrations/20260224004359_single_sign_on/migration.sql | Adds database schema for SSO configurations, domain verification, and audit logs |
| libs/auth/server/src/lib/sso-*.ts | Core SSO service implementations for SAML, OIDC, and authentication flows |
| libs/auth/server/src/lib/sso-crypto.util.ts | Encryption utilities for storing sensitive SSO credentials |
| apps/api/src/app/utils/network.utils.ts | SSRF protection for validating external URLs |
| apps/api/src/app/routes/auth.routes.ts | New SSO authentication endpoints |
| apps/api/src/app/routes/team.routes.ts | Team SSO configuration and domain verification endpoints |
| libs/features/teams/src/lib/TeamDashboard/sso-configuration/* | UI components for SSO configuration |
| apps/jetstream-e2e/src/tests/authentication/team/sso/* | Comprehensive E2E tests for SSO flows |
| apps/docs/docs/team-management/sso/* | Documentation for SSO setup with various providers |
Added support for SAML and OIDC SSO providers for teams 🚀
Audit logs are now created for all team related record updates.
Added some security hardening measures and improved rate limit.
Updated login experience to handle domain discovery for a seamless SSO login experience.
Added e2e coverage for SSO paths and increased coverage for other areas.
Pull request overview
Copilot reviewed 132 out of 160 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (5)
apps/jetstream/src/app/components/core/AppInitializer.tsx:64 - Calling setSearchParams({}) clears all query params after showing an auth error toast. This can drop unrelated parameters needed for deep-links or in-app flows. Consider removing only the `error` parameter (preserving any others) when cleaning up the URL.
libs/features/teams/src/lib/TeamDashboard/team-members/TeamMemberRow.tsx:152 - The tooltip message for doesNotHaveValidProvider has incorrect wording/grammar and appears to refer to a “provider” rather than the user/account. Also “login” should be “log in”. Please rephrase to clearly describe the user impact (e.g., user lacks an allowed non-SSO provider but can still sign in via SSO) and fix the grammar.
libs/features/teams/src/lib/TeamDashboard/sso-configuration/ConfigureSsoModal.tsx:65 - The Cancel button in the modal footer doesn’t specify type="button". If this footer is ever rendered inside a `<form>` (or ends up nested within one), the default type="submit" can cause accidental submits. Set type="button" to make the intent explicit (similar to other UI components in this PR).
libs/features/teams/src/lib/TeamDashboard/sso-configuration/ConfigureSsoModal.tsx:109 - testResult state is only ever reset to null and is never set to a non-null value, so the ScopedNotification block is currently dead code. Either wire this up (set testResult from the OIDC/SAML forms) or remove the unused state/rendering to keep the modal maintainable.
libs/audit-logs/src/lib/audit-logs.ts:145 - Cursor pagination is ordered only by createdAt. If multiple audit_log rows share the same createdAt, pagination with a cursor by id can skip/duplicate rows because the ordering is not deterministic. Add a secondary orderBy on id (and consider matching the cursor field to the composite order) so results are stable across pages.
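To make the pagination point above concrete, here is an added example (not code from the Jetstream PR) that models a database ordering audit_log rows by createdAt only, where the relative order of rows with equal timestamps is unspecified and may change between queries. Cursor pagination by id then skips rows; adding id as a secondary sort key makes every page deterministic. The rows, the tie-flipping "database" and the Prisma-style query builder are constructed for illustration.

```typescript
interface AuditLog { id: number; createdAt: number }

// Constructed sample: ids 2, 3 and 4 share one createdAt value (a tie group).
const SAMPLE_ROWS: AuditLog[] = [
  { id: 1, createdAt: 100 }, { id: 2, createdAt: 200 }, { id: 3, createdAt: 200 },
  { id: 4, createdAt: 200 }, { id: 5, createdAt: 300 }, { id: 6, createdAt: 400 },
];

// Simulated database ordering. With a single-column ORDER BY, the order inside
// a tie group is unspecified, so this model flips it on every other query.
function orderRows(rows: AuditLog[], composite: boolean, flipTies: boolean): AuditLog[] {
  return [...rows].sort((a, b) => {
    if (a.createdAt !== b.createdAt) return a.createdAt - b.createdAt;
    if (composite) return a.id - b.id;          // deterministic tie-break
    return flipTies ? b.id - a.id : a.id - b.id; // unspecified tie order
  });
}

// One page, in the style of Prisma's cursor + skip:1 + take: locate the cursor
// row in the ordered result and return the rows that follow it.
function fetchPage(rows: AuditLog[], cursorId: number | null, take: number,
                   composite: boolean, queryNo: number): AuditLog[] {
  const ordered = orderRows(rows, composite, queryNo % 2 === 1);
  const start = cursorId === null ? 0 : ordered.findIndex((r) => r.id === cursorId) + 1;
  return ordered.slice(start, start + take);
}

// Walk every page and collect the ids seen; stable pagination yields all ids once.
function paginateAll(rows: AuditLog[], take: number, composite: boolean): number[] {
  const seen: number[] = [];
  let cursor: number | null = null;
  for (let queryNo = 0; ; queryNo++) {
    const page = fetchPage(rows, cursor, take, composite, queryNo);
    if (page.length === 0) break;
    seen.push(...page.map((r) => r.id));
    cursor = page[page.length - 1].id;
    if (page.length < take) break;
  }
  return seen;
}

// Shape of the corrected Prisma findMany arguments: the cursor field (id) is
// part of the composite order, so the cursor position is unambiguous.
function stableAuditLogQuery(cursorId: number | null, take: number) {
  return {
    take,
    ...(cursorId === null ? {} : { cursor: { id: cursorId }, skip: 1 }),
    orderBy: [{ createdAt: 'desc' as const }, { id: 'desc' as const }],
  };
}
```

With pages of two, the createdAt-only walk returns [1, 2, 5, 6] and silently loses rows 3 and 4, while the composite order returns all six ids.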
Socket for GitHub: All alerts resolved. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
Pull request overview
Copilot reviewed 133 out of 162 changed files in this pull request and generated no new comments.
Allow TOTP verification to be more forgiving with a 30-second grace period
Socket for GitHub: Review the following changes in direct dependencies.
Pull request overview
Copilot reviewed 137 out of 166 changed files in this pull request and generated no new comments.
Added a database-backed cache to allow for cross-instance / cross-process caching for a limited number of use cases