feat(sso): SAML/OIDC single sign-on

[0ski]

SAML/OIDC Single Sign-On

Vendor-neutral SSO feature for Trigger.dev, built as a plugin contract + host wiring. With no SSO plugin installed, everything degrades to a no-op fallback — OSS / self-hosted deployments are completely unaffected.

Plugin contract + fail-open fallback

• Contract in @trigger.dev/plugins (packages/plugins/src/sso.ts) — the vendor-neutral interface.
• Lazy loader + OSS fallback in the new internal-packages/sso package. It dynamically imports the cloud plugin on first use; if absent, it swaps in a no-op SsoFallback. Every method returns a neverthrow Result, and the fallback is fail-open (decideRouteForEmail → no_sso, mutations → feature_disabled).
• Gated behind SSO_ENABLED (default off) so the feature ships dark until its backing plugin is available.

Login & sign-in flows

• A "Sign in with SSO" entry on the login page, plus a dedicated /login/sso flow and /auth/sso + /auth/sso/callback routes (SP- and IdP-initiated).
• Auto-discovery: magic-link, GitHub, Google, and Vercel onboarding all check whether the email's domain requires SSO and reroute into the SSO flow before establishing a session.
• IP + email rate limiting on the SSO entry point, reusing the magic-link limiter infrastructure.

Org settings → SSO page

Delivers plan-tier upsell, connection status, verified-domain list, enforcement toggle, JIT provisioning config, default-role selection, and an admin-portal link dialog.

Session lifecycle & enforcement

• AuthUser carries an optional signed sso marker, so SSO-established sessions are self-describing.
• Those sessions are periodically re-validated against the IdP — single-flight (Redis SET NX), hard-timeout, fail-open, logging out only on an explicit invalid result. Cadence via SSO_SESSION_REVALIDATION_INTERVAL_SECONDS.
• JIT org provisioning via a new ensureOrgMember helper (idempotent, seat-check-exempt, RBAC-role-aware).

Data model

A new UserSsoIdentity-style relation (Prisma schema + migration) linking host users to IdP identities, enabling the fast existing-user-by-IdP login path.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 0d5f19d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR introduces end-to-end SSO support across the monorepo. A new @trigger.dev/sso internal package provides a lazy plugin loader with a full OSS fallback controller. The webapp gains SSO environment variables, a database AuthenticationMethod.SSO enum value, a ssoController singleton, and new user/org-member server models for SSO-based JIT provisioning. Authentication services are extended with a SsoStrategy, auto-discovery helpers, and Redis-backed rate limiting. New Remix routes handle the SSO login page, authorization action, and callback with MFA carry-through. Existing GitHub, Google, and magic-link auth flows add domain-policy enforcement gates. Server-side SSO session revalidation runs on every authenticated request via a Redis-throttled check, with client-side window.fetch interception and EventSource probing for expired sessions. A new organization SSO settings route and updated navigation expose configuration to Enterprise org admins. An accounts webhook route and background worker process inbound IdP events.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch oskar/feat-sso

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@trigger.dev/build

npm i https://pkg.pr.new/@trigger.dev/build@44a124f

trigger.dev

npm i https://pkg.pr.new/trigger.dev@44a124f

@trigger.dev/core

npm i https://pkg.pr.new/@trigger.dev/core@44a124f

@trigger.dev/python

npm i https://pkg.pr.new/@trigger.dev/python@44a124f

@trigger.dev/react-hooks

npm i https://pkg.pr.new/@trigger.dev/react-hooks@44a124f

@trigger.dev/redis-worker

npm i https://pkg.pr.new/@trigger.dev/redis-worker@44a124f

@trigger.dev/rsc

npm i https://pkg.pr.new/@trigger.dev/rsc@44a124f

@trigger.dev/schema-to-json

npm i https://pkg.pr.new/@trigger.dev/schema-to-json@44a124f

@trigger.dev/sdk

npm i https://pkg.pr.new/@trigger.dev/sdk@44a124f

commit: 44a124f

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 1 additional finding in Devin Review.