SAML SSO (dashboard users)
Per-org SAML SSO for dashboard login. Password auth stays available for users outside configured SSO domains. Signers and API keys are unchanged.
Environment variables
| Variable | Required | Description |
|---|---|---|
| SSO_ENABLED | Production | Set to true to expose the SSO login APIs and callback provisioning. |
| NEXT_PUBLIC_SSO_ENABLED | Production | Client-side mirror of SSO_ENABLED; controls the SSO button on the login page. |
| SSO_PROVISIONING_ENABLED | Production IdP sync | Set to true when the Supabase Auth SAML admin API is available (Supabase Pro/Enterprise or self-hosted SAML). Registers IdP metadata with Supabase when the admin saves the settings. |
| NEXT_PUBLIC_SUPABASE_URL | Yes | Supabase project URL. SP metadata is served at {url}/sso/saml/metadata. |
| SUPABASE_SERVICE_ROLE_KEY | Yes | Server-only secret used for IdP registration and server-side SSO initiation. It bypasses row-level security, so it must never be exposed to the client (no NEXT_PUBLIC_ prefix). |
| NEXT_PUBLIC_BASE_URL | Recommended | Canonical app URL used for the SAML redirect (e.g. https://atlaswork.ai). Falls back to the request origin if unset. |
Admin setup
- Team → Settings → SAML single sign-on
- Paste IdP metadata URL (HTTPS)
- Add email domain(s)
- Choose JIT (auto member) or invite-only
- Configure your IdP with Atlas SP metadata from Supabase
Data model
organizations.sso_config JSONB:
- enabled
- metadata_url
- entity_id
- supabase_provider_id
- domains[] (exclusive with domain auto-join: a domain listed here cannot also be an auto-join domain)
- jit_enabled (default true)
Routes
- GET/PATCH /api/org/sso - admin settings
- GET /api/auth/sso/lookup?email= - login domain routing
- POST /api/auth/sso - start SAML redirect
- POST /api/auth/sso/complete - post-callback org membership
- /auth/callback - client session handoff
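The checks behind the data model and the routes above, as an added TypeScript example that is not the project's own code: validation of an admin's sso_config on save (HTTPS metadata URL, normalised and de-duplicated domains, no overlap with auto-join domains, jit_enabled defaulting to true), the exact-domain routing the lookup endpoint needs so that a look-alike domain never reaches another org's IdP, and the membership decision the complete route must make after the callback. The Org shape, the auto_join_domains field name and the sample data are assumptions constructed for this example.

```typescript
// Added example, not the project's code. Org shape, auto_join_domains and the
// sample data below are assumptions; sso_config fields follow the data model.

type SsoConfig = {
  enabled: boolean;
  metadata_url: string;
  entity_id: string;
  supabase_provider_id: string;
  domains: string[];
  jit_enabled: boolean;
};

type Org = {
  id: string;
  sso_config: SsoConfig | null;
  auto_join_domains: string[]; // assumed name for the non-SSO auto-join list
};

// Lowercase, trim, drop a leading "@", and accept only a bare hostname.
function normalizeDomain(raw: string): string {
  const d = raw.trim().toLowerCase().replace(/^@/, "");
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(d)) {
    throw new Error(`invalid domain: ${raw}`);
  }
  return d;
}

// What PATCH /api/org/sso should enforce before saving / registering the IdP.
function validateSsoConfig(input: Partial<SsoConfig>, autoJoinDomains: string[]): SsoConfig {
  const url = new URL(input.metadata_url ?? ""); // throws on anything that is not a URL
  if (url.protocol !== "https:") {
    // The SP fetches this document to learn the IdP's signing cert; plain http invites substitution.
    throw new Error("metadata_url must be https");
  }
  const domains = Array.from(new Set((input.domains ?? []).map(normalizeDomain)));
  if (domains.length === 0) throw new Error("at least one domain required");
  const autoJoin = new Set(autoJoinDomains.map(normalizeDomain));
  for (const d of domains) {
    if (autoJoin.has(d)) throw new Error(`domain ${d} is already used for auto-join`);
  }
  return {
    enabled: input.enabled ?? false,
    metadata_url: url.toString(),
    entity_id: input.entity_id ?? "",
    supabase_provider_id: input.supabase_provider_id ?? "",
    domains,
    jit_enabled: input.jit_enabled ?? true, // default true, as in the data model
  };
}

// Domain of an email address, or null if it has none. Matching is exact:
// "evil-acme.example" and "acme.example.evil" never match "acme.example".
function emailDomain(email: string): string | null {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  try {
    return normalizeDomain(email.slice(at + 1));
  } catch {
    return null;
  }
}

type Route = { kind: "password" } | { kind: "sso"; orgId: string; providerId: string };

// GET /api/auth/sso/lookup?email= : users outside any enabled SSO domain keep password auth.
function lookupSsoRoute(email: string, orgs: Org[]): Route {
  const domain = emailDomain(email);
  if (!domain) return { kind: "password" };
  for (const org of orgs) {
    const cfg = org.sso_config;
    if (cfg?.enabled && cfg.domains.includes(domain)) {
      return { kind: "sso", orgId: org.id, providerId: cfg.supabase_provider_id };
    }
  }
  return { kind: "password" };
}

// POST /api/auth/sso/complete : only the email the IdP asserted (assumed to be
// what the session carries) counts, it must sit in the org's SSO domains, and
// invite-only orgs additionally need a pending invite.
function membershipDecision(org: Org, assertedEmail: string, hasPendingInvite: boolean): "join" | "deny" {
  const cfg = org.sso_config;
  const domain = emailDomain(assertedEmail);
  if (!cfg?.enabled || !domain || !cfg.domains.includes(domain)) return "deny";
  if (cfg.jit_enabled) return "join";
  return hasPendingInvite ? "join" : "deny";
}

// Constructed sample data for a stand-alone run.
const sampleOrgs: Org[] = [
  {
    id: "org_acme",
    auto_join_domains: [],
    sso_config: validateSsoConfig(
      {
        enabled: true,
        metadata_url: "https://idp.example.com/saml/metadata",
        entity_id: "https://idp.example.com/saml",
        supabase_provider_id: "prov-1",
        domains: ["Acme.example", "@acme.example"], // normalised and de-duplicated
      },
      [],
    ),
  },
];

console.log(lookupSsoRoute("alice@ACME.example", sampleOrgs)); // sso, org_acme
console.log(lookupSsoRoute("bob@evil-acme.example", sampleOrgs)); // password
```

The lookup endpoint is reachable before authentication, so it should return only what the login page needs (whether to redirect and to which provider), not the full sso_config; the complete route must never take the org id or email from the request body alone, since the membership decision has to be based on the identity the IdP actually asserted.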
OAuth MCP routes under /api/oauth/* are untouched.