amyjko / adminima

An app for streamlining repeating solo and administrative activities.
https://adminima.app
MIT License

Single sign on #12

Open amyjko opened 5 months ago

amyjko commented 5 months ago

What are you trying to do that you can't?

Many organizations use Microsoft 365, Google, or other identity providers, but can't use them for logging in. University of Washington, the first adopter, is one of them, where we could use the UW NetID provider, or Google, or Microsoft.

What is your idea?

Add Microsoft 365, Google, and other SSO support.

Design

Supabase supports SAML 2.0. The documentation is thorough and relatively straightforward. UW also supports SAML 2.0, and has an elaborate consultation process for adding support.

amyjko commented 3 months ago

Submitted an SSO consultation with UW IT.

amyjko commented 2 weeks ago

A reply from UW IT:

Any UW Entra (member) user can register an application. ‘Member’ is a special term that generally denotes whether a user is considered part of the organization or not. ‘Guest users’ by default are not members (but that can be changed on a case-by-case basis). All UW NetIDs would be considered a ‘member’.

In this step, you’re choosing which identities are eligible to use your application.

Who can use this application or access this API?

a) Accounts in this organizational directory only (UW only - Single tenant)
b) Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
c) Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
d) Personal Microsoft accounts only

where:

a) only UW Entra accounts
b) UW Entra or other organization's Entra accounts
c) b) + personal Microsoft accounts
d) only personal Microsoft accounts

Entra ‘guest users’ are not part of personal Microsoft accounts. In other words, if you pick a), you'd get UW Entra accounts which would include:

- UW NetIDs with an active UW Microsoft account
- UW Microsoft only accounts (e.g. r_ accounts and some others)
- UW Entra guest users, whose home IdP can generally be anything that talks SAML or OIDC, including all social IdP providers

Only option d) wouldn't get what you want. Option b) is closest to the use case you’re describing, c) would also work.

Let us know if you have any other questions.

In Supabase’s doc you would start the process to register an application in UW Entra here:

https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false
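The reply above points out that even the narrowest tenant option (a) still admits UW Entra guest users whose home IdP may be a social provider, so the account-type choice at app registration does not by itself limit sign-in to UW NetIDs. The following is an added example, not code from the adminima project, Supabase, or UW IT, of the application-side check a relying party would run once the SSO sign-in completes. The `identity` object shape (`email`, `upn`, `issuer`) is an assumption standing in for attributes mapped out of the SAML assertion; the tenant id and domain values are constructed placeholders.

```javascript
// Added example: post-SSO eligibility check for a relying party.
// The identity fields below are an assumption about what the SAML
// attribute mapping yields, not a guaranteed Supabase user shape.

// Policy values are constructed placeholders. Entra SAML assertions carry
// an issuer of the form https://sts.windows.net/<tenant-id>/ ; the tenant id
// here is NOT a real tenant.
const POLICY = {
  allowedIssuers: new Set([
    "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
  ]),
  allowedEmailDomains: new Set(["uw.edu"]),
  // Entra guest (B2B) accounts carry "#EXT#" in their user principal name.
  rejectGuests: true,
};

// Extracts the lower-cased domain part of an e-mail address, or null if the
// value is missing or malformed.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at < 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Decides whether an SSO-authenticated identity may use the application.
// Returns { ok, reason } so the caller can log the reason on a denial.
function evaluateSsoIdentity(identity, policy = POLICY) {
  // 1. The assertion must come from a tenant we registered with.
  if (!policy.allowedIssuers.has(identity.issuer)) {
    return { ok: false, reason: "untrusted issuer" };
  }
  // 2. Tenant membership still includes guests; reject them explicitly.
  if (
    policy.rejectGuests &&
    typeof identity.upn === "string" &&
    identity.upn.includes("#EXT#")
  ) {
    return { ok: false, reason: "guest account" };
  }
  // 3. Finally require an institutional e-mail domain.
  const domain = emailDomain(identity.email);
  if (!domain || !policy.allowedEmailDomains.has(domain)) {
    return { ok: false, reason: "email domain not allowed" };
  }
  return { ok: true, reason: "allowed" };
}

// Constructed sample identities (placeholder tenant ids and domains).
const TRUSTED = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/";
const SAMPLE_IDENTITIES = [
  { email: "husky@uw.edu", upn: "husky@uw.edu", issuer: TRUSTED },
  {
    email: "friend@gmail.com",
    upn: "friend_gmail.com#EXT#@example.onmicrosoft.com",
    issuer: TRUSTED,
  },
  {
    email: "husky@uw.edu",
    upn: "husky@uw.edu",
    issuer: "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
  },
];

// Stand-alone run: print the decision for each constructed identity.
for (const identity of SAMPLE_IDENTITIES) {
  const verdict = evaluateSsoIdentity(identity);
  console.log(`${identity.email} -> ${verdict.ok ? "allow" : "deny"} (${verdict.reason})`);
}
```

The order of the checks matters: issuer first, because a forged or mis-registered IdP makes every later attribute untrustworthy; guest status second, because the e-mail claim of a guest can look institutional depending on how the assertion is mapped; domain last. Whatever Supabase's attribute mapping delivers, these three signals are what the application itself has to own.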