Summary
Support SSO/SAML identity providers as an authentication option alongside GitHub OAuth, for enterprise self-hosted deployments.
Motivation
Enterprise organizations often require all internal tools to authenticate through their corporate IdP (Okta, Azure AD, etc.). Without SSO support, self-hosted CLAHub can't meet enterprise security requirements.
Implementation notes
- Auth.js supports SAML and OIDC providers
- Add a generic OIDC provider configuration via environment variables
- Map IdP user attributes to CLAHub user records
- Contributor signing can remain GitHub OAuth (they need GitHub identity for PR matching)
- Owner/admin login can use SSO
- Consider: SCIM provisioning for user lifecycle management
Phase
Phase 7: Enterprise (v3.0 roadmap)
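
One way to build the generic OIDC provider and the attribute mapping from the implementation notes, as an added example that is not CLAHub's own code. The `OIDC_*` variable names, the `groups` claim and the `isAdmin` field are assumptions; the returned object follows the shape Auth.js accepts for a custom OIDC provider.

```javascript
// Added example. Env var names, the "groups" claim and the record fields are assumptions.
const REQUIRED_SSO_VARS = ["OIDC_ISSUER", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET"];

// Map ID-token claims to a user record. The key is issuer + sub, which is stable
// and IdP-scoped; email is stored but never used as the identity key.
function mapClaimsToUser(claims, issuer, adminGroup) {
  if (!claims.sub || !claims.email) {
    throw new Error("ID token is missing sub or email");
  }
  // Fail closed: an unverified email must not create or link an owner account.
  if (claims.email_verified !== true) {
    throw new Error("IdP did not assert a verified email");
  }
  const groups = Array.isArray(claims.groups) ? claims.groups : [];
  return {
    id: `${issuer}|${claims.sub}`,
    email: String(claims.email).toLowerCase(),
    name: claims.name ?? claims.preferred_username ?? null,
    // Admin only when a group is configured and the IdP lists it for this user.
    isAdmin: Boolean(adminGroup) && groups.includes(adminGroup),
  };
}

// Build the provider from environment variables, refusing to start half-configured.
function buildOidcProvider(env) {
  const missing = REQUIRED_SSO_VARS.filter((key) => !env[key]);
  if (missing.length > 0) {
    throw new Error(`Missing SSO settings: ${missing.join(", ")}`);
  }
  if (new URL(env.OIDC_ISSUER).protocol !== "https:") {
    throw new Error("OIDC_ISSUER must be an https URL");
  }
  return {
    id: "sso",
    name: env.OIDC_DISPLAY_NAME || "Corporate SSO",
    type: "oidc",
    issuer: env.OIDC_ISSUER, // passed through unchanged so issuer matching stays exact
    clientId: env.OIDC_CLIENT_ID,
    clientSecret: env.OIDC_CLIENT_SECRET,
    profile: (claims) => mapClaimsToUser(claims, env.OIDC_ISSUER, env.OIDC_ADMIN_GROUP),
  };
}

// In the app this would be called as buildOidcProvider(process.env) and the result
// added to the Auth.js providers array next to the existing GitHub provider.
```
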