package sso

import (
	"time"

	"github.com/google/uuid"
)

// ============================================================================
// Constants / Enums
// ============================================================================

// ProviderType represents the SSO authentication protocol.
type ProviderType string

const (
	// ProviderTypeOIDC represents OpenID Connect authentication.
	ProviderTypeOIDC ProviderType = "oidc"
	// ProviderTypeSAML represents SAML 2.0 authentication.
	ProviderTypeSAML ProviderType = "saml"
)

// ============================================================================
// Main Entities
// ============================================================================

// SSOConfig represents a per-tenant SSO provider configuration supporting
// OIDC and SAML authentication protocols.
//
// The struct carries both `json` and `db` tags, so the same value is what the
// persistence layer scans into and what API handlers encode. Fields that are
// secrets or that drive authorization decisions are called out inline.
type SSOConfig struct {
	ID           uuid.UUID    `json:"id" db:"id"`
	TenantID     uuid.UUID    `json:"tenant_id" db:"tenant_id"`
	ProviderType ProviderType `json:"provider_type" db:"provider_type"`
	Name         string       `json:"name" db:"name"`
	Enabled      bool         `json:"enabled" db:"enabled"`

	// OIDC settings
	OIDCIssuerURL string `json:"oidc_issuer_url,omitempty" db:"oidc_issuer_url"`
	OIDCClientID  string `json:"oidc_client_id,omitempty" db:"oidc_client_id"`
	// OIDCClientSecret is a credential. It has a `json` tag, so any handler
	// that encodes an SSOConfig (including SSOConfigListResponse) returns the
	// secret to the API caller. NOTE(review): confirm that is intended;
	// otherwise tag it `json:"-"` and return a redacted view. The `db` tag
	// means it is also written as-is by the repository — encryption at rest,
	// if any, must happen elsewhere (not visible here).
	OIDCClientSecret string   `json:"oidc_client_secret,omitempty" db:"oidc_client_secret"`
	OIDCRedirectURI  string   `json:"oidc_redirect_uri,omitempty" db:"oidc_redirect_uri"`
	OIDCScopes       []string `json:"oidc_scopes,omitempty" db:"oidc_scopes"`

	// SAML settings (for future use)
	SAMLEntityID    string `json:"saml_entity_id,omitempty" db:"saml_entity_id"`
	SAMLSSOURL      string `json:"saml_sso_url,omitempty" db:"saml_sso_url"`
	SAMLCertificate string `json:"saml_certificate,omitempty" db:"saml_certificate"`
	SAMLACS_URL     string `json:"saml_acs_url,omitempty" db:"saml_acs_url"`

	// Role mapping: maps SSO group/role names to internal role IDs.
	// These two fields decide which internal roles an IdP-asserted group
	// resolves to, so they are authorization data, not display data.
	RoleMapping   map[string]string `json:"role_mapping" db:"role_mapping"`
	DefaultRoleID *uuid.UUID        `json:"default_role_id,omitempty" db:"default_role_id"`
	// AutoProvision presumably gates JIT creation of SSOUser records on first
	// login — verify against the service layer, which is not in this file.
	AutoProvision bool `json:"auto_provision" db:"auto_provision"`

	// Audit
	CreatedAt time.Time `json:"created_at" db:"created_at"`
	UpdatedAt time.Time `json:"updated_at" db:"updated_at"`
}

// SSOUser represents a JIT-provisioned user authenticated via an SSO provider.
type SSOUser struct {
	ID          uuid.UUID `json:"id" db:"id"`
	TenantID    uuid.UUID `json:"tenant_id" db:"tenant_id"`
	SSOConfigID uuid.UUID `json:"sso_config_id" db:"sso_config_id"`
	// ExternalID is the identifier supplied by the identity provider; the
	// (SSOConfigID, ExternalID) pair is what ties a login to this record.
	ExternalID  string `json:"external_id" db:"external_id"`
	Email       string `json:"email" db:"email"`
	DisplayName string `json:"display_name" db:"display_name"`
	// Groups holds the group names asserted by the IdP; they are the input to
	// SSOConfig.RoleMapping.
	Groups    []string   `json:"groups" db:"groups"`
	LastLogin *time.Time `json:"last_login,omitempty" db:"last_login"`
	IsActive  bool       `json:"is_active" db:"is_active"`

	// Audit
	CreatedAt time.Time `json:"created_at" db:"created_at"`
	UpdatedAt time.Time `json:"updated_at" db:"updated_at"`
}

// ============================================================================
// API Request Types
// ============================================================================

// CreateSSOConfigRequest is the API request for creating an SSO configuration.
//
// Only ProviderType and Name carry `binding:"required"`; every OIDC field is
// optional at the binder. NOTE(review): a request with ProviderTypeOIDC and an
// empty OIDCIssuerURL/OIDCClientID therefore passes binding — confirm the
// service layer validates provider-specific fields before persisting.
type CreateSSOConfigRequest struct {
	ProviderType     ProviderType      `json:"provider_type" binding:"required"`
	Name             string            `json:"name" binding:"required"`
	Enabled          bool              `json:"enabled"`
	OIDCIssuerURL    string            `json:"oidc_issuer_url"`
	OIDCClientID     string            `json:"oidc_client_id"`
	OIDCClientSecret string            `json:"oidc_client_secret"`
	OIDCRedirectURI  string            `json:"oidc_redirect_uri"`
	OIDCScopes       []string          `json:"oidc_scopes"`
	RoleMapping      map[string]string `json:"role_mapping"`
	DefaultRoleID    *uuid.UUID        `json:"default_role_id"`
	AutoProvision    bool              `json:"auto_provision"`
}

// UpdateSSOConfigRequest is the API request for partially updating an SSO
// configuration. Pointer fields allow distinguishing between "not provided"
// (nil) and "set to zero value".
//
// ProviderType is intentionally absent: the protocol of an existing config
// cannot be changed through this request. OIDCScopes and RoleMapping are
// plain slice/map values, so "not provided" is a nil value and an explicit
// empty JSON `[]`/`{}` decodes to a non-nil empty value. DefaultRoleID being
// a pointer means nil reads as "not provided"; there is no way to clear it
// via this request — NOTE(review): confirm that is the intended semantics.
type UpdateSSOConfigRequest struct {
	Name             *string           `json:"name"`
	Enabled          *bool             `json:"enabled"`
	OIDCIssuerURL    *string           `json:"oidc_issuer_url"`
	OIDCClientID     *string           `json:"oidc_client_id"`
	OIDCClientSecret *string           `json:"oidc_client_secret"`
	OIDCRedirectURI  *string           `json:"oidc_redirect_uri"`
	OIDCScopes       []string          `json:"oidc_scopes"`
	RoleMapping      map[string]string `json:"role_mapping"`
	DefaultRoleID    *uuid.UUID        `json:"default_role_id"`
	AutoProvision    *bool             `json:"auto_provision"`
}

// ============================================================================
// JWT / Session Types
// ============================================================================

// SSOClaims holds the claims embedded in JWT tokens issued after successful
// SSO authentication. These are used for downstream authorization decisions.
//
// A JWT payload is normally signed but not encrypted, so every field here is
// readable by whoever holds the token; keep it to identifiers and role names.
// Roles is the authorization-bearing field — consumers must trust it only
// after signature verification, which happens outside this file.
type SSOClaims struct {
	UserID      uuid.UUID `json:"user_id"`
	TenantID    uuid.UUID `json:"tenant_id"`
	Email       string    `json:"email"`
	DisplayName string    `json:"display_name"`
	Roles       []string  `json:"roles"`
	SSOConfigID uuid.UUID `json:"sso_config_id"`
}

// ============================================================================
// List / Filter Types
// ============================================================================

// SSOConfigFilters defines filters for listing SSO configurations.
//
// Zero values mean "no filter" (empty ProviderType, nil Enabled, empty
// Search). Limit and Offset are unbounded at the type level; NOTE(review):
// the query layer should clamp Limit and reject negative values. Search is
// free text supplied by the caller and must reach the database as a bound
// parameter.
type SSOConfigFilters struct {
	ProviderType ProviderType
	Enabled      *bool
	Search       string
	Limit        int
	Offset       int
}

// SSOUserFilters defines filters for listing SSO users.
//
// Same conventions as SSOConfigFilters: nil pointers and empty strings mean
// "no filter"; Limit/Offset are not bounded here.
type SSOUserFilters struct {
	SSOConfigID *uuid.UUID
	Email       string
	IsActive    *bool
	Limit       int
	Offset      int
}

// SSOConfigListResponse is the API response for listing SSO configurations.
//
// Configs are full SSOConfig values, so whatever SSOConfig serializes
// (including OIDCClientSecret, given its `json` tag) is returned to the
// caller unless the handler redacts it first.
type SSOConfigListResponse struct {
	Configs []SSOConfig `json:"configs"`
	// Total is the count of matching rows before Limit/Offset are applied
	// (presumably — the repository populating it is not in this file).
	Total int `json:"total"`
}

// SSOUserListResponse is the API response for listing SSO users.
type SSOUserListResponse struct {
	Users []SSOUser `json:"users"`
	// Total is the count of matching rows before Limit/Offset are applied
	// (presumably — the repository populating it is not in this file).
	Total int `json:"total"`
}