
Single sign on #12

Open
amyjko opened this issue Jun 22, 2024 · 2 comments
Assignees
Labels
enhancement Proposal for new or changed functionality

Comments

@amyjko
Owner

amyjko commented Jun 22, 2024

What are you trying to do that you can't?

Many organizations use Microsoft 365, Google, or other identity providers, but can't use them for logging in. University of Washington, the first adopter, is one of them, where we could use the UW NetID provider, or Google, or Microsoft.

What is your idea?

Add Microsoft 365, Google, and other SSO support.

Design

Supabase supports SAML 2.0. The documentation is thorough and relatively straightforward. UW also supports SAML 2.0, and has an elaborate consultation process for adding support.

@amyjko amyjko added enhancement Proposal for new or changed functionality triage This needs to be evaluated or needs more information. labels Jun 22, 2024
@amyjko amyjko self-assigned this Jun 22, 2024
@amyjko amyjko removed the triage This needs to be evaluated or needs more information. label Jun 22, 2024
@amyjko amyjko changed the title Microsoft 365 login Single sign on Aug 30, 2024
@amyjko
Owner Author

amyjko commented Aug 30, 2024

Submitted an SSO consultation with UW IT.

@amyjko
Owner Author

amyjko commented Nov 9, 2024

A reply from UW IT:

Any UW Entra (member) user can register an application. ‘Member’ is a special term that generally denotes whether a user is considered part of the organization or not. ‘Guest users’ by default are not members (but that can be changed on a case-by-case basis). All UW NetIDs would be considered a ‘member’.

In this step, you’re choosing which identities are eligible to use your application.

Who can use this application or access this API?

Accounts in this organizational directory only (UW only - Single tenant)
Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
Personal Microsoft accounts only

where:

a) only UW Entra accounts
b) UW Entra or other organization's Entra accounts
c) b) + personal Microsoft accounts
d) only personal Microsoft accounts

Entra ‘guest users’ are not part of personal Microsoft accounts. In other words, if you pick a), you'd get UW Entra accounts which would include:

UW NetIDs with an active UW Microsoft account
UW Microsoft only accounts (e.g. r_ accounts and some others)
UW Entra guest users, whose home IdP can generally be anything that talks SAML or OIDC, including all social IdP providers

Only option d) wouldn't get what you want. Option b) is closest to the use case you’re describing, c) would also work.

Let us know if you have any other questions.

In Supabase’s doc you would start the process to register an application in UW Entra here:

https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false
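The a)-d) choices in the reply above correspond to the signInAudience setting of an Entra app registration; with the multitenant choices b) and c) the identity provider authenticates users from any tenant, so the application itself has to decide which tenants it accepts. The following is an added example, not code from this project or from UW IT: the tenant and client IDs are constructed placeholders, and it assumes the application consumes the claims of an Entra OIDC v2.0 ID token whose signature has already been verified.

```python
"""Added example (not the project's or UW IT's code): map the four
Entra 'supported account types' choices to the app-manifest field and
enforce a tenant allow-list on an Entra-issued OIDC ID token."""
import re

# signInAudience values for choices a)-d) in the UW IT reply.
SIGN_IN_AUDIENCE = {
    "a": "AzureADMyOrg",                        # single tenant (UW only)
    "b": "AzureADMultipleOrgs",                 # any Entra tenant
    "c": "AzureADandPersonalMicrosoftAccount",  # b) + personal accounts
    "d": "PersonalMicrosoftAccount",            # personal accounts only
}

# Constructed placeholder GUIDs; the real UW tenant ID and app client ID
# come from the registration, not from this example.
UW_TENANT_ID = "00000000-0000-0000-0000-0000000000aa"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# v2.0 issuer format: https://login.microsoftonline.com/{tid}/v2.0
ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$")


def tenant_allowed(claims, allowed_tenants=frozenset({UW_TENANT_ID}),
                   client_id=CLIENT_ID):
    """Return True only if already signature-verified ID-token claims
    come from an allowed tenant and were issued for this application.

    With b) or c) the IdP authenticates users from any tenant, so the
    tenant decision has to be made here, in the application.
    """
    m = ISSUER_RE.match(claims.get("iss", ""))
    if not m:
        return False  # issuer is not an Entra v2.0 issuer
    if claims.get("tid") != m.group(1):
        return False  # tid claim must agree with the issuer's tenant
    if claims.get("aud") != client_id:
        return False  # token was minted for a different application
    return claims["tid"] in allowed_tenants


def example_claims(tid=UW_TENANT_ID, aud=CLIENT_ID):
    """Constructed claims of a decoded ID token for tenant `tid`."""
    return {"iss": f"https://login.microsoftonline.com/{tid}/v2.0",
            "tid": tid, "aud": aud, "oid": "constructed-user-oid"}
```

Option a) makes Entra itself refuse other tenants; for b) and c) this allow-list is the only thing standing between "can authenticate" and "can use the application".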
