app/stories/organization-owner/ORG-006-sso-config.md
2025-11-30 15:01:28 +00:00

Configure SSO for Organization

ID: ORG-006 Priority: High Status: Planned

User Story

As an organization owner, I want to configure Single Sign-On with my company's identity provider so that employees can use their corporate credentials.

Acceptance Criteria

  • Support SAML 2.0 SSO configuration
  • Support OIDC/OAuth SSO configuration
  • Test connection before enabling
  • Auto-provision users on first SSO login (JIT provisioning)
  • Map SSO attributes to user profile fields
  • Option to require SSO for all org members
  • Bypass SSO for emergency admin access
  • Support multiple SSO providers per organization

Technical Notes

  • Implement SAML assertion consumer service
  • Store SSO configuration securely (encrypted secrets)
  • Certificate management for SAML
  • Consider using passport-saml and passport-openidconnect
  • Metadata endpoint for easy IdP configuration
  • New feature - enterprise SSO capability