Add External Identity Provider (IdP) Federation Support

[poyrazK]

Summary

• Add external IdP federation supporting both OIDC and SAML 2.0 protocols
• Implement Just-In-Time (JIT) user provisioning on first SSO login
• Add JWT service for optional token-based sessions alongside API keys
• Add hybrid IdP scope: global (platform admin) and per-tenant identity providers
• Add role mapping from IdP groups to TheCloud RBAC roles

Changes

• Domain: New IdentityProvider and FederatedIdentity models with OIDC/SAML configuration
• Ports: IdentityProviderRepository, FederatedIdentityRepository, IdentityProviderService interfaces
• Service: IdentityProviderService with OIDC callback handling, JIT provisioning, and group-to-role mapping
• JWT: New JWTService for token generation/validation supporting SSO sessions
• Handler: IdentityProviderHandler with SSO endpoints and admin CRUD operations
• Middleware: JWTAuth middleware supporting both Authorization: Bearer and X-API-Key authentication
• Database: Migration for identity_providers and federated_identities tables
• Routing: New /auth/sso/oidc/*, /auth/sso/saml/*, and /admin/identity-providers routes

API Endpoints

Method	Endpoint	Description
GET	/auth/sso/oidc/:idp_id	Initiate OIDC login
GET	/auth/sso/oidc/:idp_id/callback	OIDC callback handler
GET	/auth/sso/saml/:idp_id	Initiate SAML login
POST	/auth/sso/saml/:idp_id/acs	SAML Assertion Consumer Service
POST	/admin/identity-providers	Create IdP
GET	/admin/identity-providers	List IdPs
GET/PUT/DELETE	/admin/identity-providers/:id	Manage IdP

Notes

• SAML parsing requires crewjam/saml dependency for full SAML SP support
• JWT uses golang-jwt/jwt/v4 already in go.mod

[coderabbitai]

Warning

Rate limit exceeded

@poyrazK has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 31 minutes and 19 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c1674d94-20b3-4442-876f-d9ae1aea0df6

📥 Commits

Reviewing files that changed from the base of the PR and between c2fe0ee and f0caaae.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (12)

• go.mod
• internal/api/setup/dependencies.go
• internal/api/setup/router.go
• internal/core/domain/identity_provider.go
• internal/core/ports/identity_provider.go
• internal/core/services/identity_provider.go
• internal/core/services/jwt_service.go
• internal/handlers/identity_provider_handler.go
• internal/repositories/postgres/federated_identity_repo.go
• internal/repositories/postgres/identity_provider_repo.go
• internal/repositories/postgres/migrations/110_identity_providers.up.sql
• pkg/httputil/auth.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch release/iam-federation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.