feat(sso): remove SSO surface from open source — Pro only as of 2.58

Strips dojo/sso/ wholesale (the consolidated SSO package merged from origin/dev) and
unwires every call site:

- dojo/settings/settings.dist.py: drops the SSO_ENV_SCHEMA env merge, the
  apply_sso_settings(env, globals()) call, the DD_SOCIAL_AUTH_SHOW_LOGIN_FORM /
  DD_SOCIAL_LOGIN_AUTO_REDIRECT defaults and their derived SHOW_LOGIN_FORM /
  SOCIAL_LOGIN_AUTO_REDIRECT settings, and the saml2 logger entry. The
  _DOJO_EXTRA_TEMPLATE_DIRS hook stays — it's still load-bearing for the
  notifications and github sub-package template trees.
- dojo/urls.py: drops the dojo.sso.urls inclusion (which mounted social_django.urls
  and the conditional ^saml2/ route).
- dojo/user/views.py: removes the get_sso_auto_redirect chain in login_view and
  the SHOW_LOGIN_FORM short-circuit in logout_view.
- dojo/context_processors.py: removes SHOW_LOGIN_FORM from the global template
  context.
- dojo/templates/dojo/login.html (Tailwind) and dojo/templates_classic/dojo/login.html
  (Classic): strip the inline SSO button blocks and the SHOW_LOGIN_FORM gating,
  leaving the local username/password form, password-toggle, and forgot-password /
  forgot-username links.
- requirements.txt: drops social-auth-app-django, social-auth-core, and djangosaml2;
  these now ship in DefectDojo Pro's own dependency manifest.
- unittests/test_remote_user.py and unittests/test_social_auth_failure_handling.py:
  removed; the equivalent coverage was ported into Pro's unit_tests/sso/ tree against
  pro.sso.remote_user and pro.sso.middleware.

The only authentication surfaces that remain on open source are the local Django
auth login form and the password-reset flow. Pro carries forward — and now owns —
the entire SSO surface (SAML, OIDC, Google, Okta, Azure AD, GitLab, Auth0, Keycloak,
GitHub Enterprise, remote-user) under pro/sso/, configured via the existing tuner.

Upgrade notes in docs/content/releases/os_upgrading/2.58.md describe the cutover at
a high level for OS upgraders; the Pro changelog at docs/content/releases/pro/
changelog.md v2.58.0 calls out that Pro's SSO surface is unchanged and now lives
in pro/sso/ alongside the dependency move.

Author: devGregA

docs/content/releases/os_upgrading/2.58.md

@@ -2,7 +2,7 @@
 title: 'Upgrading to DefectDojo Version 2.58.x'
 toc_hide: true
 weight: -20260504
-description: Authorized Users panel replaces Members/Groups under legacy authorization; Notification .tpl templates relocated under dojo/notifications/
+description: Authorized Users panel replaces Members/Groups under legacy authorization; SSO providers move to DefectDojo Pro; Notification .tpl templates relocated under dojo/notifications/
 ---
 
 ## Authorized Users panel replaces Members/Groups under legacy authorization
@@ -30,6 +30,15 @@ Both endpoints are gated so only `is_staff` / `is_superuser` users can add or re
 
 DefectDojo Pro deployments retain full RBAC. The Pro UX is unchanged — same Members/Groups management surface as before.
 
+## SSO providers are available in DefectDojo Pro only
+
+Single sign-on (SAML, OIDC, Google, Okta, Azure AD, GitLab, Auth0, Keycloak, GitHub Enterprise, and remote-user header authentication) has been consolidated into DefectDojo Pro. Open source DefectDojo now exposes only local username/password login and the password-reset flow.
+
+### Required actions
+
+- **No customizations or local-only login:** No action required.
+- **Currently logging in via SSO on open source:** Existing user accounts and group memberships are preserved on upgrade, but SSO sign-in will no longer work after 2.58. To keep an SSO-driven login experience, switch to [DefectDojo Pro](https://defectdojo.com), which carries forward and extends the SSO surface (provider configuration moves to a UI-managed tuner).
+
 ## Notification `.tpl` templates relocated
 
 The notification domain has been consolidated under a new `dojo/notifications/` package, and the 62 channel `.tpl` templates that drive alert, mail, MS Teams, Slack, and webhook notifications have moved on disk. The Django template lookup name (e.g. `notifications/mail/scan_added.tpl`) is unchanged, so most customizations keep working without any edits — but operators who override `.tpl` files by mounting them into the source tree need to update their paths.

docs/content/releases/pro/changelog.md

@@ -15,6 +15,7 @@ For Open Source release notes, please see the [Releases page on GitHub](https://
 ### May 4, 2026: v2.58.0
 
 * **(Authorization)** Pro deployments are **not impacted** by the OS legacy authorization rewrite. Pro retains full RBAC: the Members / Groups panels on Product and Product Type detail, the Groups panel + Global Role fieldset on the user view / profile / add user pages, the Group Members panel on the user view, the Groups link in the left-nav, and the System Settings default-group fields all continue to render unchanged, driven by Pro RBAC via template overrides at `pro/templates/dojo/`. The eight RBAC v2 API endpoints (`/api/v2/dojo_groups/`, `/api/v2/dojo_group_members/`, `/api/v2/global_roles/`, `/api/v2/product_groups/`, `/api/v2/product_members/`, `/api/v2/product_type_groups/`, `/api/v2/product_type_members/`, `/api/v2/roles/`) are re-registered by Pro's `add_*_urls` hooks. Pro's runtime authorization shadowing in `pro/apps.py:DojoProConfig.ready()` continues to govern object, global, and configuration permissions, so the OS-side `is_staff` bypass for configuration permissions does not affect Pro semantics.
+* **(SSO)** SSO providers (SAML, OIDC, Google, Okta, Azure AD, GitLab, Auth0, Keycloak, GitHub Enterprise, and remote-user header auth) are **Pro-only** as of 2.58. The implementation that previously shipped in open source (`dojo/sso/`) was consolidated into Pro at `pro/sso/`, and the social-auth and djangosaml2 dependencies moved to Pro's package. Pro deployments continue to expose the full SSO surface — login buttons, the tuner-driven runtime configuration, and the `remove_sso` management command — unchanged. Open source customers using SSO need to migrate to Pro to retain SSO sign-in.
 
 ## Apr 2026: v2.57
 

dojo/context_processors.py

@@ -13,7 +13,6 @@
 def globalize_vars(request):
     # return the value you want as a dictionnary. you may add multiple values in there.
     context = {
-        "SHOW_LOGIN_FORM": settings.SHOW_LOGIN_FORM,
         "FORGOT_PASSWORD": settings.FORGOT_PASSWORD,
         "FORGOT_USERNAME": settings.FORGOT_USERNAME,
         "CLASSIC_AUTH_ENABLED": settings.CLASSIC_AUTH_ENABLED,

dojo/settings/settings.dist.py

@@ -30,16 +30,8 @@
 
 root = environ.Path(__file__) - 3  # Three folders back
 
-# SSO env schema is merged in if dojo.sso is available
-_sso_env_schema = {}
-try:
-    from dojo.sso.settings import SSO_ENV_SCHEMA
-    _sso_env_schema = SSO_ENV_SCHEMA
-except ImportError:
-    pass
-
 # reference: https://pypi.org/project/django-environ/
-env = environ.FileAwareEnv(**{**dict(
+env = environ.FileAwareEnv(
     # Set casting and default values
     DD_SITE_URL=(str, "http://localhost:8080"),
     DD_DEBUG=(bool, False),
@@ -140,8 +132,6 @@
     DD_FORGOT_PASSWORD=(bool, True),  # do we show link "I forgot my password" on login screen
     DD_PASSWORD_RESET_TIMEOUT=(int, 259200),  # 3 days, in seconds (the deafult)
     DD_FORGOT_USERNAME=(bool, True),  # do we show link "I forgot my username" on login screen
-    DD_SOCIAL_AUTH_SHOW_LOGIN_FORM=(bool, True),  # do we show user/pass input
-    DD_SOCIAL_LOGIN_AUTO_REDIRECT=(bool, False),  # auto-redirect if there is only one social login method
     # Some security policies require allowing users to have only one active session
     DD_SINGLE_USER_SESSION=(bool, False),
     # if somebody is using own documentation how to use DefectDojo in his own company
@@ -246,7 +236,6 @@
     # possible to create new and it will not be possible to use exising.
     DD_API_TOKENS_ENABLED=(bool, True),
     # Enable endpoint which allow user to get API token when user+pass is provided
-    # It is useful to disable when non-local authentication (like SAML, Azure, ...) is in place
     DD_API_TOKEN_AUTH_ENDPOINT_ENABLED=(bool, True),
     # You can set extra Jira headers by suppling a dictionary in header: value format (pass as env var like "headr_name=value,another_header=anohter_value")
     DD_ADDITIONAL_HEADERS=(dict, {}),
@@ -273,7 +262,7 @@
     DD_ENABLE_V3_ORGANIZATION_ASSET_RELABEL=(bool, False),
     # Notification env-vars (SLA notify, alert refresh/counter/cap, system-level trump). Defined in dojo.notifications.settings.
     **NOTIFICATIONS_ENV_DEFAULTS,
-), **_sso_env_schema})
+)
 
 
 def generate_url(scheme, double_slashes, user, password, host, port, path, params):
@@ -479,9 +468,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 REQUIRE_PASSWORD_ON_USER = env("DD_REQUIRE_PASSWORD_ON_USER")
 FORGOT_USERNAME = env("DD_FORGOT_USERNAME")
 PASSWORD_RESET_TIMEOUT = env("DD_PASSWORD_RESET_TIMEOUT")
-# Showing login form (form is not needed for external auth: OKTA, Google Auth, etc.)
-SHOW_LOGIN_FORM = env("DD_SOCIAL_AUTH_SHOW_LOGIN_FORM")
-SOCIAL_LOGIN_AUTO_REDIRECT = env("DD_SOCIAL_LOGIN_AUTO_REDIRECT")
 
 DOCUMENTATION_URL = env("DD_DOCUMENTATION_URL")
 
@@ -708,10 +694,10 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 # UIPreferenceLoader; see dojo/template_loaders.py.
 _DOJO_TAILWIND_TEMPLATES_DIR = root("dojo/templates")
 _DOJO_CLASSIC_TEMPLATES_DIR = root("dojo/templates_classic")
-# Sub-package template dirs (dojo/notifications, dojo/github, dojo/sso, ...)
-# share a single list that the FilesystemLoader below reads by reference, so
-# late-binding appenders like dojo/sso/settings.py:apply_sso_settings can add
-# their template dir at startup and have it picked up at render time.
+# Sub-package template dirs (dojo/notifications, dojo/github, ...) share a
+# single list that the FilesystemLoader below reads by reference, so any
+# late-binding settings can append a template dir at startup and have it
+# picked up at render time.
 _DOJO_EXTRA_TEMPLATE_DIRS = [
     root("dojo/notifications/templates"),
     root("dojo/github/templates"),
@@ -725,7 +711,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
         "DIRS": _DOJO_EXTRA_TEMPLATE_DIRS,
         # APP_DIRS is False because dojo's templates are loaded explicitly via
         # UIPreferenceLoader; the FilesystemLoader entry below picks up
-        # template dirs from the dojo/notifications, dojo/github, and dojo/sso
+        # template dirs from the dojo/notifications and dojo/github
         # consolidations; other apps' templates are loaded via the
         # app_directories.Loader entry.
         "APP_DIRS": False,
@@ -839,15 +825,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 
 vars().update(EMAIL_CONFIG)
 
-# ------------------------------------------------------------------------------
-# SSO (loaded from dojo.sso if available)
-# ------------------------------------------------------------------------------
-try:
-    from dojo.sso.settings import apply_sso_settings
-    apply_sso_settings(env, globals())
-except ImportError:
-    pass
-
 # ------------------------------------------------------------------------------
 # SINGLE_USER_SESSION
 # ------------------------------------------------------------------------------
@@ -1521,11 +1498,6 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
             "level": str(LOG_LEVEL),
             "propagate": False,
         },
-        "saml2": {
-            "handlers": [rf"{LOGGING_HANDLER}"],
-            "level": str(LOG_LEVEL),
-            "propagate": False,
-        },
         "MARKDOWN": {
             # The markdown library is too verbose in it's logging, reducing the verbosity in our logs.
             "handlers": [rf"{LOGGING_HANDLER}"],