feat: comprehensive SSO/OIDC upgrade with enterprise features

Multi-provider SSO support: - Database-backed SSO provider management with admin UI - Support for OpenID Connect, Google OAuth2, GitHub, and SAML 2.0 - Flipper feature flag (db_sso_providers) for dynamic provider loading - ProviderLoader service for YAML or database configuration Admin functionality: - Admin::SsoProvidersController for CRUD operations - Admin::UsersController for super_admin role management - Pundit policies for authorization - Test connection endpoint for validating provider config User provisioning improvements: - JIT (just-in-time) account creation with configurable default role - Changed default JIT role from admin to member (security) - User attribute sync on each SSO login - Group/role mapping from IdP claims SSO identity management: - Settings::SsoIdentitiesController for users to manage connected accounts - Issuer validation for OIDC identities - Unlink protection when no password set Audit logging: - SsoAuditLog model tracking login, logout, link, unlink, JIT creation - Captures IP address, user agent, and metadata Advanced OIDC features: - Custom scopes per provider - Configurable prompt parameter (login, consent, select_account, none) - RP-initiated logout (federated logout to IdP) - id_token storage for logout SAML 2.0 support: - omniauth-saml gem integration - IdP metadata URL or manual configuration - Certificate and fingerprint validation - NameID format configuration
2026-04-21 21:14:17 +00:00 · 2026-01-03 17:56:42 -05:00
parent 836bf665ac
commit 14993d871c
50 changed files with 3267 additions and 34 deletions
--- a/app/views/settings/_settings_nav.html.erb
+++ b/app/views/settings/_settings_nav.html.erb
@@ -30,7 +30,9 @@ nav_sections = [
        { label: t(".api_keys_label"), path: settings_api_key_path, icon: "key" },
        { label: t(".self_hosting_label"), path: settings_hosting_path, icon: "database", if: self_hosted? },
        { label: "Providers", path: settings_providers_path, icon: "plug" },
-        { label: t(".imports_label"), path: imports_path, icon: "download" }
+        { label: t(".imports_label"), path: imports_path, icon: "download" },
+        { label: "SSO Providers", path: admin_sso_providers_path, icon: "key-round", if: Current.user&.super_admin? },
+        { label: "Users", path: admin_users_path, icon: "users", if: Current.user&.super_admin? }
      ]
    } : nil
  ),
--- a/app/views/settings/sso_identities/show.html.erb
+++ b/app/views/settings/sso_identities/show.html.erb
@@ -0,0 +1,59 @@
+<%= content_for :page_title, t(".page_title") %>
+
+<%= settings_section title: t(".identities_title"), subtitle: t(".identities_subtitle") do %>
+  <% if @oidc_identities.any? %>
+    <div class="space-y-2">
+      <% @oidc_identities.each do |identity| %>
+        <div class="flex items-center justify-between bg-container p-4 shadow-border-xs rounded-lg">
+          <div class="flex items-center gap-3">
+            <div class="w-9 h-9 shrink-0 bg-surface rounded-full flex items-center justify-center">
+              <%= icon identity.provider_config&.dig(:icon) || "key", class: "w-5 h-5 text-secondary" %>
+            </div>
+            <div>
+              <p class="font-medium text-primary"><%= identity.provider_config&.dig(:label) || identity.provider.titleize %></p>
+              <p class="text-sm text-secondary"><%= identity.info&.dig("email") || t(".no_email") %></p>
+              <p class="text-xs text-secondary">
+                <%= t(".last_used") %>:
+                <%= identity.last_authenticated_at&.to_fs(:short) || t(".never") %>
+              </p>
+            </div>
+          </div>
+          <% if @oidc_identities.count > 1 || Current.user.password_digest.present? %>
+            <%= render DS::Button.new(
+              text: t(".disconnect"),
+              variant: "outline",
+              size: "sm",
+              href: settings_sso_identity_path(identity),
+              method: :delete,
+              confirm: CustomConfirm.new(
+                title: t(".confirm_title"),
+                body: t(".confirm_body", provider: identity.provider_config&.dig(:label) || identity.provider.titleize),
+                btn_text: t(".confirm_button"),
+                destructive: true
+              )
+            ) %>
+          <% end %>
+        </div>
+      <% end %>
+    </div>
+  <% else %>
+    <div class="text-center py-6">
+      <%= icon "link", class: "w-12 h-12 mx-auto text-secondary mb-3" %>
+      <p class="text-secondary"><%= t(".no_identities") %></p>
+      <% if AuthConfig.sso_providers.any? %>
+        <p class="text-sm text-secondary mt-2"><%= t(".connect_hint") %></p>
+      <% end %>
+    </div>
+  <% end %>
+<% end %>
+
+<% if @oidc_identities.count == 1 && Current.user.password_digest.blank? %>
+  <%= settings_section title: t(".warning_title") do %>
+    <div class="p-3 bg-amber-50 border border-amber-200 rounded-lg">
+      <div class="flex items-start gap-2">
+        <%= icon "alert-triangle", class: "w-5 h-5 text-amber-600 shrink-0 mt-0.5" %>
+        <p class="text-sm text-amber-800"><%= t(".warning_message") %></p>
+      </div>
+    </div>
+  <% end %>
+<% end %>