Phase 4c: Intercept non-SSO logins for enforced domains#2798
Open
GregorShear wants to merge 1 commit intomasterfrom
Open
Phase 4c: Intercept non-SSO logins for enforced domains#2798GregorShear wants to merge 1 commit intomasterfrom
GregorShear wants to merge 1 commit intomasterfrom
Conversation
GregorShear
force-pushed
the
greg/sso-phase-4/b
branch
3 times, most recently
from
0adfd5f to
825b209
Compare
GregorShear
force-pushed
the
greg/sso-phase-4/c
branch
from
4bf050a to
2b993cd
Compare
GregorShear
force-pushed
the
greg/sso-phase-4/b
branch
6 times, most recently
from
7cb615f to
6b4fe9d
Compare
GregorShear
force-pushed
the
greg/sso-phase-4/c
branch
4 times, most recently
from
8a8f8f5 to
9479354
Compare
GregorShear
changed the title
GregorShear
force-pushed
the
greg/sso-phase-4/c
branch
from
9479354 to
e8081ab
Compare
GregorShear
force-pushed
the
greg/sso-phase-4/c
branch
2 times, most recently
from
2a41825 to
78c163b
Compare
GregorShear
commented
Mar 24, 2026
| exception when others then | ||
| -- Never block login due to a bug in this hook. | ||
| raise warning 'check_sso_requirement failed for user %: %', target_user_id, SQLERRM; | ||
| return event; |
Contributor
Author
There was a problem hiding this comment.
Looking for input here - should we block or pass users on exception? do we favor breaking login, or adding a security hole?
either way i'll need help setting up an alert for that warning.
GregorShear
changed the title
GregorShear
force-pushed
the
greg/sso-phase-4/b
branch
3 times, most recently
from
8e55746 to
15109f7
Compare
GregorShear
force-pushed
the
greg/sso-phase-4/c
branch
from
78c163b to
6fab103
Compare
GregorShear
force-pushed
the
greg/sso-phase-4/c
branch
2 times, most recently
from
73fbcc9 to
33c62d9
Compare
GregorShear
force-pushed
the
greg/sso-phase-4/c
branch
from
33c62d9 to
13db094
Compare
GregorShear
commented
Mar 26, 2026
Contributor
Author
There was a problem hiding this comment.
100% claude generated script for setting up mocksaml in a dev environment. it works on my machine... :)
GregorShear
commented
Mar 26, 2026
Contributor
Author
There was a problem hiding this comment.
will probably remove this skill in favor of the start-with-saml.sh script below
GregorShear
commented
Mar 26, 2026
| # Allow/disallow new user signups to your project. | ||
| enable_signup = true | ||
|
|
||
| [auth.hook.custom_access_token] |
Contributor
Author
There was a problem hiding this comment.
for dev environment - will have to configure this via the supabase dashboard in production
GregorShear
commented
Mar 26, 2026
| ); | ||
| end if; | ||
|
|
||
| return event; |
Contributor
Author
There was a problem hiding this comment.
I've removed the exception handler so exceptions will bubble up to the caller - is this the right approach? is there any specific monitoring we need to set up or are all exceptions like readily visible? (where would i look for these anyway?)
GregorShear
force-pushed
the
greg/sso-phase-4/c
branch
from
13db094 to
894eba8
Compare
GregorShear
force-pushed
the
greg/sso-phase-4/c
branch
from
894eba8 to
f800d99
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
enforce_ssoboolean column to tenants.customize_access_tokenhook (check_sso_requirement) blocks social login for users with email covered by tenant's SSO domainsauth.users.is_sso_user— SSO users always pass through (important for token refresh).message: 'sso_required:<domain>'— the frontend parses the domain and callssupabase.auth.signInWithSSO({ domain })to redirect the user to their IdP.Users whose email domain does NOT match an enforcing tenant's SSO domain (e.g., contractors with
@gmail.com) are not blocked by the hook. Their grants on enforcing tenants are handled by grant filtering in 4d instead.Activated by
enforce_sso = true. Tenants configure SSO first, then communicate the transition to their users.enforce_ssois flipped on a hard cutoff date.Verify:
sso_required:<domain>enforce_sso = false→ not blocked@gmail.com) → not blocked (grants handled by 4d)is_sso_user = true) with matching domain → not blocked (token refresh works)signInWithSSO({ domain })→ authenticates via IdP → grant migration trigger fires