Skip to content

[TW-5801] feat(dashboard): add SAML Enterprise SSO login via --provider saml#117

Merged
AaronDDM merged 2 commits into
mainfrom
ad-TW-5801-saml-sso-login
Jul 7, 2026
Merged

[TW-5801] feat(dashboard): add SAML Enterprise SSO login via --provider saml#117
AaronDDM merged 2 commits into
mainfrom
ad-TW-5801-saml-sso-login

Conversation

@AaronDDM

@AaronDDM AaronDDM commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds SAML Enterprise SSO to CLI dashboard auth. nylas dashboard sso login --provider saml --email you@company.com starts a device-style flow against dashboard-account: the server does home-realm discovery from the email domain, the browser confirms the one-time code and completes the SP-initiated SAML login, and the CLI's poll returns DPoP-bound tokens. The existing poll loop, MFA handling, and org sync are unchanged.

Changes

  • saml_SSO login type constant; saml accepted by --provider (login only)
  • --email flag for home-realm discovery; interactive prompt when omitted
  • SSOStart gains an email param (ports, adapter, app service, mock); sent only when non-empty
  • sso register --provider saml returns guidance instead — SAML accounts are JIT-provisioned on first login

Testing

  • go test ./... passes; new adapter test asserts the SAML start request carries email and omits privacyPolicyAccepted
  • gofmt/go vet clean

Related

  • TW-5801 (epic TW-5704)
  • Server-side counterpart: nylas/dashboard-v3#2026

🤖 Generated with Claude Code

…er saml

- Add saml_SSO login type and map 'saml' provider in sso login
- Add --email flag for home-realm discovery; prompt interactively when omitted
- Thread email through SSOStart (ports, adapter, app service, mock)
- Reject 'sso register --provider saml' with guidance (accounts are JIT-provisioned
  on first SAML login)
- Server flow: dashboard-account mints a device-style flow; browser confirms the
  one-time code and completes SP-initiated SAML; poll returns DPoP-bound tokens

Server-side counterpart: nylas/dashboard-v3#2026

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3df93f1170

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread internal/cli/dashboard/sso.go Outdated
@AaronDDM AaronDDM self-assigned this Jul 7, 2026
…the placeholder

InputPrompt returns the placeholder in non-TTY runs and on empty submit, so
'you@company.com' became the HRD email. Use an empty placeholder so those
paths fall through to the required-email error.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@AaronDDM AaronDDM requested a review from qasim-nylas July 7, 2026 19:27

@qasim-nylas qasim-nylas left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@AaronDDM AaronDDM merged commit 5cafa57 into main Jul 7, 2026
7 checks passed
@AaronDDM AaronDDM deleted the ad-TW-5801-saml-sso-login branch July 7, 2026 19:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants