Skip to content

Partner-level SSO + login page branding for self-hosted MSP deployments #2183

Description

@win-wxx

Problem

We run a self-hosted Breeze deployment (v0.88.0, Docker Compose, on-prem)

Current SSO (/api/v1/sso/*) is fully org-scoped: every provider requires an org_id, defaultRoleId must resolve to an org-scoped role, and /sso/check/:orgId needs an orgId just to know whether to show a login button. This works for end-customers logging into their own org, but there's no way for our own internal team (20 technicians) to SSO into the Partner-level dashboard with orgAccess: all — which is what we actually need day to day.

We noticed partners.ssoConfig (jsonb) is documented as a field but has no endpoint, no login flow, and isn't referenced anywhere in the SSO reference doc — looks like a placeholder rather than something wired up end-to-end.

Related: because SSO buttons only resolve per-org, the top-level login page has no way to show partner branding or a partner SSO entry point before the user's org is known. It also hardcodes generic marketing copy ("10,000+ endpoints" etc.), which reads oddly on a single-partner self-hosted instance.

Proposed Solution

A partner-scoped SSO provider + login entry point (e.g. /sso/partner-login/:partnerId) that accepts partner-scoped roles (Partner Admin/Technician/etc.) as the default role instead of requiring an org-scoped role.

Same safety model as org SSO: testing > active status, break-glass password login preserved unless explicitly enforced.

A basic partner_branding config (logo, accent color, headline override, optional /login/:partnerSlug) so the login page can reflect the partner and surface the partner SSO button.

Alternatives Considered

No response

Component

Web Dashboard

Scope

Medium (new feature within existing module)

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions