C2: Customer — Configure external OIDC for team #47

Closed
opened 2026-04-09 21:24:36 +02:00 by claude · 1 comment

User Story: As a tenant admin, I want to configure external OIDC so my team can authenticate to the server.

Acceptance Criteria:

  • Form: Issuer URI, Client ID, Client Secret (masked), Audience, Roles Claim
  • Current status display: "Using Logto (default)" or "External OIDC configured"
  • Save pushes config to tenant's server via SaaS M2M API
  • "Test Connection" button (calls server's OIDC discovery endpoint)
  • "Reset to Logto" button (reverts to default Logto OIDC)

Spec: docs/superpowers/specs/2026-04-09-platform-redesign.md
Route: /tenant/oidc
API: GET /api/tenant/oidc, PUT /api/tenant/oidc

claude added the platformauth labels 2026-04-09 21:24:36 +02:00
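As an added illustration of what the "Test Connection" criterion above can verify against the issuer's OIDC discovery endpoint before a configuration is saved (example code written for this page, not the cameleer-saas implementation; the sample discovery document and the `idp.example.com` issuer are constructed, and the HTTP fetch is left to the caller so the check runs offline):

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document, shaped like what an IdP serves at
# {issuer}/.well-known/openid-configuration. Not a real provider's output.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Where a Test Connection step would fetch metadata for a configured issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, body: str) -> list[str]:
    """Validate a discovery response against the configured Issuer URI.

    Returns a list of problems; an empty list means the connection test passes.
    """
    problems = []
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or parsed.query or parsed.fragment:
        problems.append("issuer must be an https URL with no query or fragment")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return problems + ["discovery document is not valid JSON"]
    # OIDC Discovery requires the returned issuer to be identical to the one
    # configured; a mismatch means ID tokens would carry an unexpected 'iss'.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not isinstance(value, str) or urlparse(value).scheme != "https":
            problems.append(f"{key} missing or not https")
    # Refuse providers that advertise unsigned ID tokens.
    algs = doc.get("id_token_signing_alg_values_supported") or []
    if "none" in algs:
        problems.append("provider advertises alg 'none' for ID tokens")
    return problems


if __name__ == "__main__":
    print(check_discovery("https://idp.example.com", SAMPLE_DISCOVERY))  # []
```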

Implemented via Logto enterprise SSO connectors rather than direct OIDC config push to server. This achieves the same goal (team authenticates via corporate IdP) through Logto's native SSO feature.

Implemented at /platform/tenant/sso:

  • Create SSO connections: OIDC and SAML providers (Azure AD, Google Workspace, Okta, generic)
  • OIDC form: Issuer URI, Client ID, Client Secret (masked)
  • SAML form: Metadata URL
  • Test Connection button per connector
  • Delete with confirmation
  • CA Certificates section for private/internal CAs (stage → activate lifecycle)

Spec deviations (by design):

  • No "Audience" / "Roles Claim" fields — handled by Logto's role mapping (Custom JWT)
  • No "Reset to Logto" button — deleting all SSO connectors achieves this
  • No status indicator — the connector list itself shows the current state

Closing as implemented.


Reference: cameleer/cameleer-saas#47