Skip to content

[ENG-715] feat: Add SAML SSO support#25

Merged
twk3 merged 3 commits into
mainfrom
feat/add-saml-sso
Jul 9, 2026
Merged

[ENG-715] feat: Add SAML SSO support#25
twk3 merged 3 commits into
mainfrom
feat/add-saml-sso

Conversation

@twk3

@twk3 twk3 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Add new feature from the upcoming release, SAML SSO support.

Users just need to provide their idp metadata file and a matching issuer id and SSO is enabled. Also includes support for restricting to specific domains, and auth signing. Tested with Okta.

Checklist

  • PR title is Changelog-friendly: (fix|feat|chore): title [CSR-xxx]
  • User-friendly and meaningful description of the changes
  • Documentation was updated

Summary by CodeRabbit

  • New Features
    • Added optional SAML 2.0 SSO for self-hosted and on-prem deployments, with a read-only SSO volume mount.
  • Documentation
    • Updated quickstart, configuration, and backup/restore guides with SAML SSO setup steps, required environment variables, signing options, and restore procedures.
    • Added a dedicated SAML SSO walkthrough and linked it from the main getting started page.
  • Chores
    • Synced on-prem Compose templates to mount the new SSO directory.
    • Bumped GitHub Actions to newer checkout/action versions.

- For the upcoming release
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds SAML SSO documentation and compose/configuration support for mounting SSO files, plus related quickstart and backup/restore updates. It also updates several GitHub Actions references and one Podman validation step.

Changes

SAML SSO Documentation and Volume Wiring

Layer / File(s) Summary
Standalone SAML SSO setup guide
docs/sso-saml.md
New guide covering SAML overview, IdP setup steps, required/optional env variables, signed AuthnRequests, cert rotation, and troubleshooting.
Documentation index links to SAML guide
docs/README.md, docs/index.md
Adds “Enable SAML SSO” resource links pointing to the new guide.
Configuration reference and env example for SSO variables
docs/configuration.md, on-prem/.env.example
Documents SSO environment variables and adds DC_SSO_VOLUME volume configuration entries.
Docker Compose SSO volume mounts
on-prem/docker-compose.cache.yml, on-prem/docker-compose.database.yml, on-prem/docker-compose.full.yml, on-prem/templates/compose.currents.yml
Adds api service volume mounting DC_SSO_VOLUME read-only into /etc/currents/sso, and bumps version headers to 2026-01-26-001.
Quickstart and backup/restore procedures for SSO data
docs/quickstart.md, docs/backup-restore.md
Updates Podman directory creation/permissions/SELinux steps and volume reference table for data/sso; adds backup and restore sections for SSO data.
GitHub Actions checkout and credentials updates
.github/workflows/check-compose-sync.yml, .github/workflows/smoke-test-services.yml, .github/workflows/validate-compose.yml
Updates checkout to v5 in three workflows, updates AWS credentials to v6 in smoke-test-services, and adds a timeout in the Podman validation job.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title is specific and matches the main change: adding SAML SSO support.
Description check ✅ Passed The description is clear, user-friendly, and covers the key change plus docs update, matching the template's intent.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/add-saml-sso

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/check-compose-sync.yml:
- Line 28: The checkout step in the check-compose-sync workflow is persisting
credentials unnecessarily. Update the existing actions/checkout@v5 step to
disable credential persistence by setting persist-credentials to false, since
this job only generates and diffs compose files and does not need authenticated
git access.

In @.github/workflows/smoke-test-services.yml:
- Line 29: The checkout step in this workflow currently keeps repository
credentials available even though the job does not perform any authenticated git
operations afterward. Update the actions/checkout usage in the smoke test job to
disable credential persistence by setting persist-credentials to false so the
job does not retain unnecessary git auth access.

In @.github/workflows/validate-compose.yml:
- Around line 22-23: The Checkout steps in both validation jobs are leaving
repository credentials persisted by default; update the actions/checkout usage
in the validate-compose workflow to disable persisted credentials. Add
persist-credentials set to false on each checkout step so the validation jobs
only fetch the repo without exposing the token to later steps.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d218abf2-3111-46f5-9ce9-4dad993a3c75

📥 Commits

Reviewing files that changed from the base of the PR and between c1e3148 and 3a52439.

📒 Files selected for processing (3)
  • .github/workflows/check-compose-sync.yml
  • .github/workflows/smoke-test-services.yml
  • .github/workflows/validate-compose.yml

Comment thread .github/workflows/check-compose-sync.yml
Comment thread .github/workflows/smoke-test-services.yml
Comment thread .github/workflows/validate-compose.yml
@twk3 twk3 changed the title feat: Add SAML SSO support [ENG-715] feat: Add SAML SSO support Jul 8, 2026
@twk3 twk3 merged commit 1e727ea into main Jul 9, 2026
5 checks passed
@twk3 twk3 deleted the feat/add-saml-sso branch July 9, 2026 15:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant