Merge pull request #5903 from FlowFuse/direct-sso-login

hardillb · web-flow · commit cf47841b6734 · 2025-08-15T17:45:08.000+01:00
Allow Direct SSO login
diff --git a/docs/admin/sso/saml.md b/docs/admin/sso/saml.md
@@ -181,6 +181,12 @@ that will be used to identify whether a user is an admin or not.
 on the platform. It is *strongly* recommended to have an admin user on the system that is not
 managed via SSO to ensure continued access in case of any issues with the SSO provider.
 
+## Direct SSO Login
+
+For Self Hosted users there is an option in the Admin Settings to enable buttons on the login page for each active SAML SSO provider.
+
+These buttons will redirect to the SSO provider rather than requiring users to enter and email address in the username field to select the correct provider.
+
 ## Providers
 
 The following is a non-exhaustive list of the providers that are known to work
diff --git a/forge/ee/routes/sso/auth.js b/forge/ee/routes/sso/auth.js
@@ -68,6 +68,20 @@ module.exports = fp(async function (app, opts) {
                     done(new Error(`No matching SAML provider for email ${request.query.u}`))
                     return
                 }
+            } else if (request.query.p) {
+                const providerId = request.query.p
+                const opts = await app.sso.getProviderOptions(providerId)
+                if (opts) {
+                    request.query.RelayState = JSON.stringify({
+                        provider: providerId,
+                        redirectTo: decodeURIComponent(request.query.r || '/')
+                    })
+                    done(null, opts)
+                    return
+                } else {
+                    done(new Error(`SAML provider for id ${request.query.p} not found`))
+                    return
+                }
             }
             done(new Error('Missing u query parameter'))
         }
diff --git a/forge/routes/api/settings.js b/forge/routes/api/settings.js
@@ -94,6 +94,9 @@ module.exports = async function (app) {
                 response['platform:sso:google'] = true
                 response['platform:sso:google:clientId'] = app.settings.get('platform:sso:google:clientId')
             }
+            if (app.config.features.enabled('sso')) {
+                response['platform:sso:direct'] = app.settings.get('platform:sso:direct')
+            }
             reply.send(response)
         } else {
             // This is for an unauthenticated request. Return settings related
@@ -139,6 +142,16 @@ module.exports = async function (app) {
                 publicSettings['platform:sso:google'] = true
                 publicSettings['platform:sso:google:clientId'] = app.settings.get('platform:sso:google:clientId')
             }
+            if (app.config.features.enabled('sso') && app.settings.get('platform:sso:direct')) {
+                const providers = await app.db.models.SAMLProvider.getAll({}, { active: true, type: 'saml' })
+                const SSOList = providers.providers.map((prov) => {
+                    return {
+                        name: prov.name,
+                        id: prov.hashid
+                    }
+                })
+                publicSettings['platform:sso:direct:list'] = SSOList
+            }
 
             reply.send(publicSettings)
         }
diff --git a/forge/settings/defaults.js b/forge/settings/defaults.js
@@ -68,5 +68,7 @@ module.exports = {
     'team:broker:topics': null,
 
     'platform:sso:google': false, // Is Google SSO enabled?
-    'platform:sso:google:clientId': null // Client ID for Google SSO
+    'platform:sso:google:clientId': null, // Client ID for Google SSO
+
+    'platform:sso:direct': false
 }
diff --git a/frontend/src/pages/Login.vue b/frontend/src/pages/Login.vue
@@ -50,6 +50,16 @@
                         </GoogleLogin>
                         <span class="ff-error-inline" data-el="errors-googleSSO">{{ errors.googleSSO }}</span>
                     </template>
+                    <template v-if="directSSOEnabled">
+                        <hr class="mb-4">
+                        <ul>
+                            <li v-for="{name, id} in settings['platform:sso:direct:list']" :key="id">
+                                <ff-button kind="secondary" :data-action="`direct-sso-${id}`" @click="directSSO(id)">
+                                    <span>SIGN IN WITH {{ name.toUpperCase() }}</span>
+                                </ff-button>
+                            </li>
+                        </ul>
+                    </template>
                 </div>
             </template>
             <template v-else>
@@ -118,6 +128,11 @@ export default {
         },
         googleSSOEnabled () {
             return this.settings['platform:sso:google'] && this.settings['platform:sso:google:clientId']
+        },
+        directSSOEnabled () {
+            return !!this.settings['platform:sso:direct:list'] &&
+                Array.isArray(this.settings['platform:sso:direct:list']) &&
+                this.settings['platform:sso:direct:list'].length >= 1
         }
     },
     watch: {
@@ -229,6 +244,9 @@ export default {
                 // Handle error response - not sure what this will look like yet
                 console.error(result)
             }
+        },
+        async directSSO (id) {
+            window.location = `/ee/sso/login?p=${id}${this.$route.query.r ? `&r=${this.$route.query.r}` : ''}`
         }
     }
 }
diff --git a/frontend/src/pages/admin/Settings/General.vue b/frontend/src/pages/admin/Settings/General.vue
@@ -189,6 +189,16 @@
             </FormRow>
         </template>
 
+        <template v-if="ssoEnabled">
+            <FormHeading>Direct SSO Login</FormHeading>
+            <FormRow v-model="input['platform:sso:direct']" type="checkbox" data-el="direct-sso">
+                Show buttons on Login page to jump directly to a SAML SSO provider
+                <template #description>
+                    Allows bypassing email matching for SAML SSO logins. Read more about how to setup SAML SSO <a class="forge-link" href="https://flowfuse.com/docs/admin/sso/saml/" target="_blank">here</a>
+                </template>
+            </FormRow>
+        </template>
+
         <div class="pt-8">
             <ff-button :disabled="!saveEnabled" data-action="save-settings" @click="saveChanges">Save settings</ff-button>
         </div>
@@ -227,7 +237,8 @@ const validSettings = [
     'branding:account:signUpLeftBanner',
     'platform:stats:token',
     'platform:sso:google',
-    'platform:sso:google:clientId'
+    'platform:sso:google:clientId',
+    'platform:sso:direct'
 ]
 
 export default {

Original file line number	Diff line number	Diff line change
`@@ -68,5 +68,7 @@ module.exports = {`
`68`	`68`	`'team:broker:topics': null,`
`69`	`69`
`70`	`70`	`'platform:sso:google': false, // Is Google SSO enabled?`
`71`		`- 'platform:sso:google:clientId': null // Client ID for Google SSO`
	`71`	`+ 'platform:sso:google:clientId': null, // Client ID for Google SSO`
	`72`	`+`
	`73`	`+ 'platform:sso:direct': false`
`72`	`74`	`}`