{
  "feature": "single-sign-on",
  "version": "1.0.0",
  "description": "Enterprise SSO via SAML 2.0 and OIDC with JIT provisioning",
  "category": "auth",
  "tags": [
    "authentication",
    "sso",
    "saml",
    "oidc",
    "enterprise",
    "identity",
    "federation"
  ],
  "fields": [
    {
      "name": "idp_entity_id",
      "type": "text",
      "required": true,
      "label": "IdP Entity ID",
      "sensitive": false,
      "validation": [
        {
          "type": "required",
          "message": "Identity provider entity ID is required"
        },
        {
          "type": "maxLength",
          "value": 1024,
          "message": "Entity ID is too long"
        }
      ]
    },
    {
      "name": "metadata_url",
      "type": "url",
      "required": false,
      "label": "IdP Metadata URL",
      "sensitive": false,
      "validation": [
        {
          "type": "url",
          "message": "Please enter a valid URL"
        }
      ]
    },
    {
      "name": "certificate",
      "type": "text",
      "required": true,
      "label": "X.509 Certificate",
      "sensitive": true,
      "validation": [
        {
          "type": "required",
          "message": "Signing certificate is required"
        }
      ]
    },
    {
      "name": "attribute_mapping",
      "type": "json",
      "required": true,
      "label": "Attribute Mapping",
      "sensitive": false
    },
    {
      "name": "enabled",
      "type": "boolean",
      "required": true,
      "label": "SSO Enabled",
      "default": false
    },
    {
      "name": "sso_protocol",
      "type": "select",
      "required": true,
      "label": "SSO Protocol",
      "options": [
        {
          "value": "saml",
          "label": "SAML"
        },
        {
          "value": "oidc",
          "label": "OIDC"
        }
      ],
      "validation": [
        {
          "type": "required",
          "message": "SSO protocol is required"
        },
        {
          "type": "oneOf",
          "value": [
            "saml",
            "oidc"
          ],
          "message": "Protocol must be SAML or OIDC"
        }
      ]
    },
    {
      "name": "organization_id",
      "type": "text",
      "required": true,
      "label": "Organization ID",
      "sensitive": false,
      "validation": [
        {
          "type": "required",
          "message": "Organization ID is required"
        }
      ]
    },
    {
      "name": "default_role",
      "type": "text",
      "required": false,
      "label": "Default Role for JIT-Provisioned Users",
      "sensitive": false
    },
    {
      "name": "domain_whitelist",
      "type": "text",
      "required": false,
      "label": "Allowed Email Domains",
      "sensitive": false
    },
    {
      "name": "sign_requests",
      "type": "boolean",
      "required": false,
      "label": "Sign Authentication Requests",
      "default": true
    },
    {
      "name": "sp_entity_id",
      "type": "text",
      "required": true,
      "label": "Service Provider Entity ID",
      "sensitive": false
    },
    {
      "name": "acs_url",
      "type": "url",
      "required": true,
      "label": "Assertion Consumer Service URL",
      "sensitive": false,
      "validation": [
        {
          "type": "required",
          "message": "ACS URL is required"
        },
        {
          "type": "url",
          "message": "Please enter a valid URL"
        }
      ]
    },
    {
      "name": "slo_url",
      "type": "url",
      "required": false,
      "label": "Single Logout URL",
      "sensitive": false
    }
  ],
  "rules": {
    "security": {
      "assertion_validation": {
        "verify_signature": true,
        "verify_issuer": true,
        "verify_audience": true,
        "verify_destination": true,
        "verify_conditions": true,
        "clock_skew_seconds": 120,
        "replay_prevention": true
      },
      "certificate_management": {
        "allow_multiple_certs": true,
        "validate_expiry": true,
        "expiry_warning_days": 30,
        "min_key_size_bits": 2048
      },
      "encryption": {
        "encrypt_assertions": false,
        "sign_requests": true,
        "algorithm": "RSA_SHA256"
      },
      "rate_limit": {
        "window_seconds": 60,
        "max_requests": 20,
        "scope": "per_organization"
      }
    },
    "jit_provisioning": {
      "enabled": true,
      "default_role": "member",
      "sync_attributes_on_login": true,
      "deactivate_on_removal": false
    },
    "session": {
      "bridge_idp_session": true,
      "max_session_hours": 8,
      "force_reauth_on_sensitive_action": true
    },
    "saml": {
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
      "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    },
    "oidc": {
      "response_type": "code",
      "scopes": [
        "openid",
        "email",
        "profile"
      ],
      "pkce_required": true,
      "token_endpoint_auth": "client_secret_post"
    }
  },
  "outcomes": {
    "rate_limited": {
      "priority": 1,
      "error": "SSO_RATE_LIMITED",
      "given": [
        {
          "field": "request_count",
          "source": "computed",
          "operator": "gt",
          "value": 20,
          "description": "More than 20 SSO requests in 60 seconds from this organization"
        }
      ],
      "result": "show \"Too many authentication attempts. Please wait a moment.\""
    },
    "sso_not_configured": {
      "priority": 2,
      "error": "SSO_NOT_CONFIGURED",
      "given": [
        {
          "any": [
            {
              "field": "sso_config",
              "source": "db",
              "operator": "not_exists",
              "description": "No SSO configuration for this organization"
            },
            {
              "field": "enabled",
              "source": "db",
              "operator": "eq",
              "value": false,
              "description": "SSO is disabled for this organization"
            }
          ]
        }
      ],
      "result": "show \"SSO is not configured for your organization. Please contact your administrator.\""
    },
    "invalid_assertion": {
      "priority": 3,
      "error": "SSO_INVALID_ASSERTION",
      "given": [
        {
          "any": [
            {
              "field": "assertion_signature",
              "source": "computed",
              "operator": "neq",
              "value": "valid",
              "description": "Assertion signature verification failed"
            },
            {
              "field": "assertion_audience",
              "source": "computed",
              "operator": "neq",
              "value": "sp_entity_id",
              "description": "Audience does not match SP entity ID"
            },
            {
              "field": "assertion_not_on_or_after",
              "source": "computed",
              "operator": "lt",
              "value": "now",
              "description": "Assertion has expired"
            }
          ]
        }
      ],
      "then": [
        {
          "action": "emit_event",
          "event": "sso.failed",
          "payload": [
            "organization_id",
            "idp_entity_id",
            "timestamp",
            "reason"
          ]
        }
      ],
      "result": "show \"Authentication failed. Please try again or contact your administrator.\""
    },
    "replay_attack_detected": {
      "priority": 4,
      "error": "SSO_REPLAY_DETECTED",
      "given": [
        {
          "field": "assertion_id",
          "source": "computed",
          "operator": "exists",
          "description": "Assertion ID already seen"
        }
      ],
      "then": [
        {
          "action": "emit_event",
          "event": "sso.replay_detected",
          "payload": [
            "organization_id",
            "assertion_id",
            "timestamp",
            "ip_address"
          ]
        }
      ],
      "result": "show \"Authentication failed. Please try again.\""
    },
    "domain_not_allowed": {
      "priority": 5,
      "error": "SSO_DOMAIN_NOT_ALLOWED",
      "given": [
        {
          "field": "domain_whitelist",
          "source": "db",
          "operator": "exists",
          "description": "Organization has domain restrictions"
        },
        {
          "field": "user_email_domain",
          "source": "computed",
          "operator": "not_in",
          "value": "domain_whitelist",
          "description": "User email domain not in allowed list"
        }
      ],
      "then": [
        {
          "action": "emit_event",
          "event": "sso.failed",
          "payload": [
            "organization_id",
            "email_domain",
            "timestamp",
            "reason"
          ]
        }
      ],
      "result": "show \"Your email domain is not authorized for this organization.\""
    },
    "jit_provision_new_user": {
      "priority": 6,
      "transaction": true,
      "given": [
        {
          "field": "assertion_valid",
          "source": "computed",
          "operator": "eq",
          "value": true,
          "description": "SAML assertion or OIDC token is valid"
        },
        {
          "field": "local_user",
          "source": "db",
          "operator": "not_exists",
          "description": "No local user matches the IdP identity"
        },
        {
          "field": "jit_provisioning_enabled",
          "source": "db",
          "operator": "eq",
          "value": true
        }
      ],
      "then": [
        {
          "action": "create_record",
          "type": "user",
          "target": "user",
          "description": "Create local user from IdP attributes via JIT provisioning"
        },
        {
          "action": "set_field",
          "target": "role",
          "value": "default_role",
          "description": "Assign default organization role"
        },
        {
          "action": "create_record",
          "type": "session",
          "target": "session",
          "description": "Create authenticated session"
        },
        {
          "action": "emit_event",
          "event": "sso.provisioned",
          "payload": [
            "user_id",
            "organization_id",
            "idp_entity_id",
            "timestamp"
          ]
        },
        {
          "action": "emit_event",
          "event": "sso.authenticated",
          "payload": [
            "user_id",
            "organization_id",
            "protocol",
            "timestamp"
          ]
        }
      ],
      "result": "new user provisioned and authenticated — redirect to application"
    },
    "existing_user_login": {
      "priority": 10,
      "transaction": true,
      "given": [
        {
          "field": "assertion_valid",
          "source": "computed",
          "operator": "eq",
          "value": true,
          "description": "SAML assertion or OIDC token is valid"
        },
        {
          "field": "local_user",
          "source": "db",
          "operator": "exists",
          "description": "Local user matches the IdP identity"
        },
        {
          "field": "status",
          "source": "db",
          "operator": "neq",
          "value": "disabled"
        }
      ],
      "then": [
        {
          "action": "set_field",
          "target": "user_attributes",
          "value": "idp_attributes",
          "description": "Sync user attributes from IdP (name, email, groups)",
          "when": "sync_attributes_on_login == true"
        },
        {
          "action": "create_record",
          "type": "session",
          "target": "session",
          "description": "Create authenticated session bridged to IdP session"
        },
        {
          "action": "emit_event",
          "event": "sso.authenticated",
          "payload": [
            "user_id",
            "organization_id",
            "protocol",
            "timestamp"
          ]
        }
      ],
      "result": "redirect to application"
    }
  },
  "errors": [
    {
      "code": "SSO_RATE_LIMITED",
      "status": 429,
      "message": "Too many authentication attempts. Please wait a moment.",
      "retry": true
    },
    {
      "code": "SSO_NOT_CONFIGURED",
      "status": 404,
      "message": "SSO is not configured for your organization",
      "retry": false
    },
    {
      "code": "SSO_INVALID_ASSERTION",
      "status": 401,
      "message": "Authentication failed. Please try again or contact your administrator.",
      "retry": true
    },
    {
      "code": "SSO_REPLAY_DETECTED",
      "status": 403,
      "message": "Authentication failed. Please try again.",
      "retry": true
    },
    {
      "code": "SSO_DOMAIN_NOT_ALLOWED",
      "status": 403,
      "message": "Your email domain is not authorized for this organization.",
      "retry": false
    },
    {
      "code": "SSO_CERTIFICATE_EXPIRED",
      "status": 500,
      "message": "SSO configuration error. Please contact your administrator.",
      "retry": false
    },
    {
      "code": "SSO_PROVISIONING_DISABLED",
      "status": 403,
      "message": "Automatic account provisioning is not enabled. Contact your administrator.",
      "retry": false
    },
    {
      "code": "SSO_ACCOUNT_DISABLED",
      "status": 403,
      "message": "This account has been disabled. Please contact your administrator.",
      "retry": false
    }
  ],
  "events": [
    {
      "name": "sso.authenticated",
      "description": "User authenticated via SSO",
      "payload": [
        "user_id",
        "organization_id",
        "protocol",
        "timestamp"
      ]
    },
    {
      "name": "sso.provisioned",
      "description": "New user provisioned via JIT from IdP",
      "payload": [
        "user_id",
        "organization_id",
        "idp_entity_id",
        "timestamp"
      ]
    },
    {
      "name": "sso.failed",
      "description": "SSO authentication attempt failed",
      "payload": [
        "organization_id",
        "idp_entity_id",
        "timestamp",
        "reason"
      ]
    },
    {
      "name": "sso.replay_detected",
      "description": "SAML assertion replay attack detected",
      "payload": [
        "organization_id",
        "assertion_id",
        "timestamp",
        "ip_address"
      ]
    },
    {
      "name": "sso.certificate_expiring",
      "description": "IdP signing certificate nearing expiry",
      "payload": [
        "organization_id",
        "certificate_expiry",
        "days_remaining"
      ]
    }
  ],
  "related": [
    {
      "feature": "login",
      "type": "recommended",
      "reason": "SSO is an alternative to password-based login for enterprise users"
    },
    {
      "feature": "oauth-social-login",
      "type": "optional",
      "reason": "Organizations may use OAuth for non-enterprise social login alongside SSO"
    },
    {
      "feature": "session-management",
      "type": "recommended",
      "reason": "SSO sessions need tracking, bridging, and revocation"
    },
    {
      "feature": "multi-factor-auth",
      "type": "optional",
      "reason": "MFA may be enforced at the IdP or additionally at the SP"
    },
    {
      "feature": "logout",
      "type": "required",
      "reason": "Single logout (SLO) must terminate both SP and IdP sessions"
    }
  ],
  "agi": {
    "goals": [
      {
        "id": "reliable_single_sign_on",
        "description": "Enterprise SSO via SAML 2.0 and OIDC with JIT provisioning",
        "success_metrics": [
          {
            "metric": "unauthorized_access_rate",
            "target": "0%",
            "measurement": "Authorization attempts that should have failed but succeeded"
          },
          {
            "metric": "response_time_p95",
            "target": "< 500ms",
            "measurement": "95th percentile response time"
          }
        ],
        "constraints": [
          {
            "type": "security",
            "description": "Follow OWASP security recommendations",
            "negotiable": false
          },
          {
            "type": "security",
            "description": "Sensitive fields must be encrypted at rest and never logged in plaintext",
            "negotiable": false
          }
        ]
      }
    ],
    "autonomy": {
      "level": "supervised",
      "human_checkpoints": [
        "before modifying sensitive data fields"
      ],
      "escalation_triggers": [
        "error_rate > 5",
        "consecutive_failures > 3"
      ]
    },
    "safety": {
      "action_permissions": [
        {
          "action": "rate_limited",
          "permission": "autonomous"
        },
        {
          "action": "sso_not_configured",
          "permission": "autonomous"
        },
        {
          "action": "invalid_assertion",
          "permission": "autonomous"
        },
        {
          "action": "replay_attack_detected",
          "permission": "autonomous"
        },
        {
          "action": "domain_not_allowed",
          "permission": "autonomous"
        },
        {
          "action": "jit_provision_new_user",
          "permission": "autonomous"
        },
        {
          "action": "existing_user_login",
          "permission": "autonomous"
        }
      ]
    },
    "tradeoffs": [
      {
        "prefer": "security",
        "over": "performance",
        "reason": "authentication must prioritize preventing unauthorized access"
      }
    ],
    "verification": {
      "invariants": [
        "sensitive fields are never logged in plaintext",
        "all data access is authenticated and authorized",
        "error messages never expose internal system details"
      ]
    },
    "coordination": {
      "protocol": "request_response",
      "consumes": [
        {
          "capability": "logout",
          "from": "logout",
          "fallback": "fail"
        }
      ]
    }
  },
  "ui_hints": {
    "layout": "single_column_centered",
    "max_width": "480px",
    "show_logo": true,
    "login_discovery": {
      "email_domain_detection": true,
      "prompt": "Enter your work email to continue"
    },
    "admin_configuration": {
      "show_metadata_upload": true,
      "show_manual_config": true,
      "show_test_connection": true,
      "show_certificate_status": true
    },
    "actions": {
      "primary": {
        "label": "Continue with SSO",
        "type": "submit",
        "full_width": true
      }
    },
    "links": [
      {
        "label": "Sign in with password instead",
        "target": "login",
        "position": "below_form"
      }
    ],
    "accessibility": {
      "autofocus": "email",
      "aria_live_region": true
    },
    "loading": {
      "disable_button": true,
      "show_spinner": true,
      "redirect_message": "Redirecting to your identity provider..."
    }
  }
}