# SSO (Enterprise)

Version: 1.1.1
Status: Planned (no current implementation)
Last Updated: January 23, 2026


## Planned Scope

  • Enterprise SSO for website and rc-backend using OIDC/OAuth2.
  • Targets: Microsoft Entra ID, Google Workspace (priority), SAML 2.0 (future).
  • Audience: Enterprise plan customers; requires enterprise contract.

## Proposed Flow (Future)

  1. User selects SSO provider from dashboard.
  2. Browser completes OIDC auth → returns ID token to backend.
  3. Backend issues BranchPy access + refresh + license tokens bound to website_user_id.
  4. Device/CLI uses device approval flow to link tokens to local auth.json (no direct SSO inside extension).

## Integration Considerations

  • SSO does not alter license token schema; it changes identity proofing.
  • License issuance still uses plan/feature mapping; SSO only affects authentication and session management.
  • Governance events should include auth.sso_login with provider metadata.
  • Enforce domain allowlist per enterprise tenant.
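An added sketch, not BranchPy or rc-backend code, of the per-tenant domain allowlist check and the resulting auth.sso_login governance event for the Google Workspace case, run on the ID token claims the backend receives in step 2 before it issues tokens in step 3. It assumes signature, iss, aud, exp and nonce validation already happened upstream. `TenantPolicy`, `authorize_sso_login`, `SsoRejected` and the event field names are hypothetical; `email`, `email_verified`, `sub` and Google's `hd` are the provider's claim names.

```python
from dataclasses import dataclass

class SsoRejected(Exception):
    """Verified ID token claims failed the tenant's domain policy."""

@dataclass(frozen=True)
class TenantPolicy:  # hypothetical per-tenant record, not a BranchPy type
    tenant_id: str
    allowed_domains: frozenset  # lowercase domains, e.g. {"example.com"}

def email_domain(email):
    # Require exactly one "@" with non-empty parts; compare lowercased.
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise SsoRejected("malformed email claim")
    return domain.lower()

def authorize_sso_login(claims, policy):
    """claims: ID token claims AFTER signature, iss, aud, exp and nonce checks."""
    if not claims.get("sub"):
        raise SsoRejected("missing sub claim")
    # Must be boolean True; a string such as "true" is not accepted.
    if claims.get("email_verified") is not True:
        raise SsoRejected("email not verified by provider")
    domain = email_domain(str(claims.get("email") or ""))
    # Exact match only. A suffix test would admit "notexample.com"
    # and "example.com.attacker.test".
    if domain not in policy.allowed_domains:
        raise SsoRejected("email domain not allowlisted for tenant")
    # Google sets "hd" for Workspace accounts; consumer accounts lack it.
    hd = str(claims.get("hd") or "").lower()
    if hd not in policy.allowed_domains:
        raise SsoRejected("hosted domain missing or not allowlisted")
    # Governance event with provider metadata (field names are assumed).
    return {
        "event": "auth.sso_login",
        "tenant_id": policy.tenant_id,
        "provider": "google",
        "subject": claims["sub"],
        "email_domain": domain,
        "hosted_domain": hd,
    }

# Constructed sample claims, not captured from a real provider.
SAMPLE = {"sub": "1234567890", "email": "Alice@Example.com",
          "email_verified": True, "hd": "example.com"}
POLICY = TenantPolicy("tenant-demo", frozenset({"example.com"}))

if __name__ == "__main__":
    print(authorize_sso_login(SAMPLE, POLICY))
```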

## Current Status

  • No SSO endpoints live in v1.1.1.
  • Enterprise feature key sso exists for gating; keep hidden/locked in clients until implemented.

## References

  • Enterprise feature keys in ENTITLEMENTS_MAPPING_v2.md
  • Token specs in TOKEN_SPEC.md