feat(schemas): add SAML SSO IdP initated auth config table (#6659)

feat(schemas): add idp initiated sso auth configs table

add idp initiated sso auth configs table

packages/schemas/alterations/next-1728357690-add-sso-connector-idp-initated-auth-configs-table.ts

@@ -0,0 +1,40 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table sso_connector_idp_initiated_auth_configs (
+        tenant_id varchar(21) not null 
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the SSO connector. */
+        connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        /** The default Logto application id. */
+        default_application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** OIDC sign-in redirect URI. */
+        redirect_uri text,
+        /** Additional OIDC auth parameters. */
+        auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        primary key (tenant_id, connector_id),
+        /** Insure the application type is Traditional. */
+        constraint application_type
+          check (check_application_type(default_application_id, 'Traditional'))
+      );
+    `);
+    await applyTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+    await pool.query(sql`
+      drop table sso_connector_idp_initiated_auth_configs;
+    `);
+  },
+};
+
+export default alteration;

packages/schemas/src/foundations/jsonb-types/sso-connector.ts

@@ -10,4 +10,13 @@ export const ssoBrandingGuard = z.object({
   darkLogo: z.string().optional(),
 });
 
+export const idpInitiatedAuthParamsGuard = z
+  .object({
+    resources: z.array(z.string()).optional(),
+    scopes: z.array(z.string()).optional(),
+  })
+  .catchall(z.string());
+
+export type IdpInitiatedAuthParams = z.infer<typeof idpInitiatedAuthParamsGuard>;
+
 export type SsoBranding = z.infer<typeof ssoBrandingGuard>;

packages/schemas/tables/sso_connector_idp_initiated_auth_configs.sql

@@ -0,0 +1,20 @@
+/** init_order = 2 */
+create table sso_connector_idp_initiated_auth_configs (
+  tenant_id varchar(21) not null 
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the SSO connector. */
+  connector_id varchar(128) not null
+    references sso_connectors (id) on update cascade on delete cascade,
+  /** The default Logto application id. */
+  default_application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** OIDC sign-in redirect URI. */
+  redirect_uri text,
+  /** Additional OIDC auth parameters. */
+  auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+  created_at timestamptz not null default(now()),
+  primary key (tenant_id, connector_id),
+  /** Insure the application type is Traditional. */
+  constraint application_type
+    check (check_application_type(default_application_id, 'Traditional'))
+);