-
-
Notifications
You must be signed in to change notification settings - Fork 2
plugin auth enterprise
github-actions[bot] edited this page Jun 26, 2026
·
1 revision
MFA enforcement (TOTP + recovery codes) and SSO via SAML 2.0 + OIDC for Google Workspace, Okta, and Microsoft Entra ID. Pro max-tier plugin.
Requires: ɳSelf+ license.
nself license set nself_plus_...
nself license set nself_plus_xxxxx...
nself plugin install auth-enterpriseAdds enterprise authentication controls to your nSelf deployment. MFA (TOTP + recovery codes) is always active for all users at no cost — it cannot be paywalled per the Security-Always-Free doctrine. SSO (SAML 2.0 + OIDC) requires NSELF_SSO=true.
- TOTP MFA — RFC 6238, 30-second window, 1-step drift tolerance. Backup via single-use recovery codes (bcrypt-hashed).
-
MFA policy — per-tenant enforcement:
optional,required, orrole-gated. - SAML 2.0 SSO — SP-initiated flow with Okta, Google Workspace, Microsoft Entra ID, and any SAML 2.0 IdP.
- OIDC SSO — Authorization code flow for Google Workspace and OIDC-compliant providers.
| Env Var | Default | Description |
|---|---|---|
NSELF_SSO |
false |
Enable SSO endpoints (true to activate) |
AUTH_ENTERPRISE_TOTP_ISSUER |
nSelf |
Name shown in authenticator apps |
AUTH_ENTERPRISE_SSO_SP_ENTITY_ID |
— | SAML SP entity ID URI (required for SAML) |
AUTH_ENTERPRISE_SSO_ACS_URL |
— | SAML Assertion Consumer Service URL |
AUTH_ENTERPRISE_SSO_OIDC_CALLBACK_URL |
— | OIDC redirect URI |
| Port | Purpose |
|---|---|
| 3826 | Auth Enterprise REST API |
| Table | Purpose |
|---|---|
np_mfa_enrollments |
TOTP and WebAuthn enrollment records |
np_mfa_recovery_codes |
Single-use bcrypt-hashed recovery codes |
np_mfa_policies |
Per-tenant MFA enforcement policy |
np_sso_providers |
SAML/OIDC IdP configuration |
np_sso_sessions |
Active SSO sessions |
np_sso_state_cache |
OIDC/SAML state nonce cache |
- Create OAuth2 credentials in Google Cloud Console.
- Add your
AUTH_ENTERPRISE_SSO_OIDC_CALLBACK_URLas an authorized redirect URI. - Register the provider:
POST /auth/sso/providerswith"type": "oidc","issuer_url": "https://accounts.google.com".
- Create a SAML app in Okta. Set the ACS URL and SP entity ID to match your env vars.
- Download the IdP metadata XML from Okta.
- Register:
POST /auth/sso/providerswith"type": "saml"and the metadata XML.
- Register an enterprise application in Entra ID.
- For SAML: set the identifier (entity ID) and reply URL (ACS URL) in the SAML settings.
- For OIDC: copy the client ID + secret and set the redirect URI.
GET /health — Liveness check
GET /auth/mfa/status — MFA enrollment status
POST /auth/mfa/totp/setup — Begin TOTP enrollment
POST /auth/mfa/totp/verify — Confirm enrollment with live code
POST /auth/mfa/totp/challenge — Verify TOTP code during login
POST /auth/mfa/recovery — Consume a recovery code
GET /auth/mfa/recovery/codes — List masked recovery codes
POST /auth/mfa/recovery/regenerate — Replace all recovery codes
GET /auth/mfa/policy — Get tenant MFA policy
PUT /auth/mfa/policy — Set tenant MFA policy (mfa:admin)
GET /auth/sso/providers — List SSO providers (SSO-gated)
POST /auth/sso/providers — Create SSO provider (SSO-gated)
DELETE /auth/sso/providers/{id} — Remove SSO provider
GET /auth/sso/providers/{id}/saml/metadata — SP SAML metadata XML
GET /auth/sso/oidc/{id}/begin — Start OIDC authorization flow
GET /auth/sso/oidc/callback — OIDC authorization code callback
POST /auth/sso/saml/{id}/acs — SAML ACS endpoint
- MFA is always free and cannot be disabled per the Security-Always-Free doctrine.
- TOTP secrets are stored as plaintext base32; enable pgcrypto for at-rest encryption in production.
- Recovery codes are bcrypt-hashed (cost 10) and never stored in plaintext.
- SSO client secrets should be encrypted by the application before persistence in
np_sso_providers.
ɳSelf CLI v1.0.9. MIT licensed. Docs CC BY 4.0.
GitHub · Issues · Discussions · nself.org · docs.nself.org
Getting Started
Commands
- Commands, Overview
- Lifecycle: cmd-init · cmd-build · cmd-start · cmd-stop · cmd-restart · cmd-dev
- Monitoring: cmd-status · cmd-logs · cmd-health · cmd-urls · cmd-doctor · cmd-monitor · cmd-alerts · cmd-sentry · cmd-watchdog · cmd-dogfood
- Data: cmd-db · cmd-backup · cmd-dr · cmd-queue · cmd-webhooks
- Config: cmd-config · cmd-service · cmd-env · cmd-promote
- Networking: cmd-ssl · cmd-trust · cmd-dns-setup
- Security: cmd-security · cmd-secrets · cmd-waf
- Tenancy: cmd-tenant · cmd-billing
- Plugins: cmd-plugin · cmd-license
- AI: cmd-ai · cmd-claw · cmd-model
- Templates: cmd-template
- Utilities: cmd-exec · cmd-clean · cmd-reset · cmd-update · cmd-upgrade · cmd-version · cmd-admin · cmd-migrate · cmd-migrate-firebase · cmd-migrate-supabase · cmd-completion
Features
- Features, Overview
- Feature-Auth
- Feature-Storage
- Feature-Search
- Feature-Functions
- Feature-Email
- Feature-Monitoring
- Feature-Plugins
- Feature-ɳClaw, AI Assistant
- Feature-ɳChat, Messaging
- Feature-ɳTV, Media Player
- Feature-ɳFamily, Family Social
- Feature-ɳCloud, Managed Hosting
- Feature-Memory-Rooms, Knowledge Organization
- Feature-Agent-Dashboard, Agent Metrics
- Feature-Image-Generation, AI Image Generation
Configuration
- Configuration, Overview
- Config-Env-Vars
- Config-Postgres
- Config-Hasura
- Config-Auth
- Config-Nginx
- Config-Optional-Services
- Config-Custom-Services
- Config-System
Plugins (87 + 10 monitoring)
Free (25)
- plugin-backup
- plugin-content-acquisition
- plugin-content-progress
- plugin-cron
- plugin-donorbox
- plugin-feature-flags
- plugin-github
- plugin-github-runner
- plugin-invitations
- plugin-jobs
- plugin-link-preview
- plugin-mdns
- plugin-mlflow
- plugin-monitoring
- plugin-notifications
- plugin-notify
- plugin-paypal
- plugin-search
- plugin-shopify
- plugin-stripe
- plugin-subtitle-manager
- plugin-tokens
- plugin-torrent-manager
- plugin-vpn
- plugin-webhooks
Pro (62)
- plugin-access-controls
- plugin-activity-feed
- plugin-admin-api
- nself-ai-gateway
- nself-ai-cc
- nself-ai-mcp
- plugin-analytics
- plugin-auth
- plugin-backup-pro
- plugin-bots
- plugin-browser
- plugin-calendar
- plugin-cdn
- plugin-chat
- plugin-claw
- plugin-claw-budget
- plugin-claw-news
- plugin-claw-web
- plugin-cloudflare
- plugin-cms
- plugin-compliance
- plugin-cron-pro
- plugin-ddns
- plugin-devices
- plugin-documents
- plugin-donorbox-pro
- plugin-entitlements
- plugin-epg
- plugin-file-processing
- plugin-game-metadata
- plugin-geocoding
- plugin-geolocation
- plugin-google
- plugin-home
- plugin-idme
- plugin-knowledge-base
- plugin-linkedin
- plugin-livekit
- plugin-media-processing
- plugin-meetings
- plugin-moderation
- plugin-mux
- plugin-notify-pro
- plugin-object-storage
- plugin-observability
- plugin-paypal-pro
- plugin-photos
- plugin-podcast
- plugin-post
- plugin-realtime
- plugin-recording
- plugin-retro-gaming
- plugin-rom-discovery
- plugin-shopify-pro
- plugin-social
- plugin-sports
- plugin-stream-gateway
- plugin-streaming
- plugin-stripe-pro
- plugin-support
- plugin-tmdb
- plugin-voice
- plugin-web3
- plugin-workflows
Planned (26)
plugin-auditplugin-blogplugin-checkoutplugin-commerceplugin-drmplugin-exportplugin-flowplugin-importplugin-ldapplugin-mailgunplugin-mediaplugin-oauth-providersplugin-pagesplugin-postmarkplugin-rate-limitplugin-reportsplugin-samlplugin-schedulerplugin-sendgridplugin-ssoplugin-subscriptionplugin-thumbplugin-transcoderplugin-twilioplugin-wafplugin-watermark
Guides
- Guide-Production-Deployment
- Guide-SSL-Setup
- Guide-Multi-Tenancy
- Guide-Security-Hardening
- Guide-Monitoring-Setup
- Guide-Backup-Restore
- Guide-Custom-Services
- Guide-Migration-from-v1
Architecture
Reference
- API-Reference
- reference-error-codes, Error Codes
Licensing
Security
Brand
Operations
- operations/release-cascade, Release Cascade
- operations/self-healing, Self-Healing Schema
- operations/redis-tuning, Redis Pool Tuning
- operations/meilisearch-warmup, MeiliSearch Warm-Up
- operations/jwt-rotation, JWT Key Rotation
- operations/windows-wsl2-setup, Windows / WSL2 Setup
- operations/gemini-oauth-reauth, Gemini OAuth Reauth
Contributing
Admin
- USER-ACTION-QUEUE, Pending Admin Actions