Problem
We run a self-hosted Breeze deployment (v0.88.0, Docker Compose, on-prem)
Current SSO (/api/v1/sso/*) is fully org-scoped: every provider requires an org_id, defaultRoleId must resolve to an org-scoped role, and /sso/check/:orgId needs an orgId just to know whether to show a login button. This works for end-customers logging into their own org, but there's no way for our own internal team (20 technicians) to SSO into the Partner-level dashboard with orgAccess: all — which is what we actually need day to day.
We noticed partners.ssoConfig (jsonb) is documented as a field but has no endpoint, no login flow, and isn't referenced anywhere in the SSO reference doc — looks like a placeholder rather than something wired up end-to-end.
Related: because SSO buttons only resolve per-org, the top-level login page has no way to show partner branding or a partner SSO entry point before the user's org is known. It also hardcodes generic marketing copy ("10,000+ endpoints" etc.), which reads oddly on a single-partner self-hosted instance.
Proposed Solution
A partner-scoped SSO provider + login entry point (e.g. /sso/partner-login/:partnerId) that accepts partner-scoped roles (Partner Admin/Technician/etc.) as the default role instead of requiring an org-scoped role.
Same safety model as org SSO: testing > active status, break-glass password login preserved unless explicitly enforced.
A basic partner_branding config (logo, accent color, headline override, optional /login/:partnerSlug) so the login page can reflect the partner and surface the partner SSO button.
Alternatives Considered
No response
Component
Web Dashboard
Scope
Medium (new feature within existing module)
Problem
We run a self-hosted Breeze deployment (v0.88.0, Docker Compose, on-prem)
Current SSO (/api/v1/sso/*) is fully org-scoped: every provider requires an org_id, defaultRoleId must resolve to an org-scoped role, and /sso/check/:orgId needs an orgId just to know whether to show a login button. This works for end-customers logging into their own org, but there's no way for our own internal team (20 technicians) to SSO into the Partner-level dashboard with orgAccess: all — which is what we actually need day to day.
We noticed partners.ssoConfig (jsonb) is documented as a field but has no endpoint, no login flow, and isn't referenced anywhere in the SSO reference doc — looks like a placeholder rather than something wired up end-to-end.
Related: because SSO buttons only resolve per-org, the top-level login page has no way to show partner branding or a partner SSO entry point before the user's org is known. It also hardcodes generic marketing copy ("10,000+ endpoints" etc.), which reads oddly on a single-partner self-hosted instance.
Proposed Solution
A partner-scoped SSO provider + login entry point (e.g. /sso/partner-login/:partnerId) that accepts partner-scoped roles (Partner Admin/Technician/etc.) as the default role instead of requiring an org-scoped role.
Same safety model as org SSO: testing > active status, break-glass password login preserved unless explicitly enforced.
A basic partner_branding config (logo, accent color, headline override, optional /login/:partnerSlug) so the login page can reflect the partner and surface the partner SSO button.
Alternatives Considered
No response
Component
Web Dashboard
Scope
Medium (new feature within existing module)