alldigital/PSA
2
0
Fork 0
Code Issues Pull Requests Actions 15 Packages Projects Releases Wiki Activity
PSA/docs/integrations/msp-sso-domain-claims.md
Hermes 284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Details
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Details
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
Details
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
Details
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Details
Integration Tests / Check for relevant changes (push) Waiting to run
Details
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Details
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Details
Mobile checks / Mobile unit tests (push) Waiting to run
Details
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Details
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Details
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Details
Temporal Readiness / fast-readiness (push) Waiting to run
Details
Temporal Readiness / docker-parity (push) Waiting to run
Details
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Details
Unit Tests / Skipped-test budget (push) Waiting to run
Details
Unit Tests / Nx affected unit tests (push) Waiting to run
Details
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Details
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Details
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
Details
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Details
Initial import of AlgaPSA codebase from PSA server 
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz

Source: /opt/alga-psa on psa.joliet.tech
2026-06-22 16:12:17 -05:00

51 lines
2.6 KiB
Markdown
Raw Blame History

# MSP SSO Domain Claims and Routing
This guide describes how MSP SSO domain-based routing works for Enterprise Edition (EE) and Community Edition (CE), including ownership verification and fallback behavior.
## EE Domain Takeover Lifecycle (Request, Verify, Revoke)
In EE, a tenant can only take over SSO routing for a domain after ownership verification succeeds.
1. Open `Settings -> Integrations -> Providers`.
2. In the MSP SSO domain claims section, request a claim for your domain (for example `acme.com`).
3. Copy the DNS TXT challenge value shown by the UI.
4. Publish the TXT record at your DNS provider using the host/key shown in the UI.
5. Wait for DNS propagation, then run Verify from the same claim row.
6. After verification succeeds, claim status becomes `verified` and tenant-scoped Google/Microsoft provider eligibility is used for that domain.
7. If you need to remove takeover eligibility, use Revoke. The claim transitions to `revoked` and routing falls back to app-level provider readiness.
Operational notes:
- Pending, rejected, revoked, or ambiguous claims do not activate tenant takeover in EE.
- Resolver re-checks eligibility at resolve-time, so stale pre-auth discovery context cannot force unauthorized tenant takeover.
## CE Advisory Domain Registration
In CE, domain registration is advisory and does not require ownership proof.
1. Open `Settings -> Integrations -> Providers`.
2. Add or remove domains in the MSP SSO advisory domain list.
3. Save changes.
Behavior notes:
- Advisory registrations can enable tenant-scoped provider routing when tenant credentials exist.
- Ownership verification is intentionally non-blocking in CE for this phase.
- Removing an advisory registration makes the domain ineligible for tenant routing and discovery falls back to app-level providers.
## App-Level Fallback (Nine Minds Standard Providers)
When a domain is unmanaged/unregistered, ambiguous, or ineligible for tenant takeover, discovery resolves against app-level fallback provider availability.
Fallback prerequisites:
- `GOOGLE_OAUTH_CLIENT_ID`
- `GOOGLE_OAUTH_CLIENT_SECRET`
- `MICROSOFT_OAUTH_CLIENT_ID`
- `MICROSOFT_OAUTH_CLIENT_SECRET`
If fallback credentials are configured, eligible app providers are returned by discovery and can be used by resolver/start flow. If not configured, provider buttons remain disabled.
## Security and UX Contracts
- Discovery and resolve responses preserve anti-enumeration semantics and do not expose user existence.
- Discovery and resolution cookies are signed, short-lived, and do not contain OAuth client secrets.
- MSP credentials sign-in and client portal auth flows remain unchanged by domain claim lifecycle behavior.
Reference in New Issue View Git Blame Copy Permalink