v0.9: SAML SSO, User Export

@FlxMgdnz FlxMgdnz released this 19 Oct 09:42
· 337 commits to main since this release
4144c2c

This release includes two exciting features that further expand the scope of Hanko:

SAML Enterprise SSO

  • We've added support for external SAML identity providers (IdPs). That means the Hanko login can now be configured to redirect users whose email addresses belong to certain domains to connected SAML IdPs. This is useful for Hanko deployments targeting B2B scenarios where customers request the ability for their employees to sign in with their company-managed single sign-on (SSO) service such as Okta, OneLogin, Keycloak, and others.
  • The SAML feature is implemented per domain, i.e. each SAML connection is associated with an email domain. Given a valid SAML connection for, e.g., example.com, each user that enters an @example.com email address into the username field of the hanko-auth element will be redirected to the respective SAML IdP. If the user can be authenticated by the IdP, they will get directed back to Hanko and a regular Hanko JWT will be issued.
  • In the current implementation, all hanko-profile actions are still possible for SAML-provisioned users. That means that a SAML user can still create a passkey directly with the service running Hanko and will be able to use this passkey to authenticate without being redirected to the IdP. We are aware that this may not be the desired behavior and we're open to hearing your thoughts moving forward.
  • See the updated backend docs to learn about all new SAML config options.
  • Thanks @shentschel for your work on this!
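
The per-domain routing and the passkey caveat described above, as an added example that is not Hanko's code: it maps an email domain to a SAML connection and flags logins from a SAML domain that did not go through the IdP. The connection name, the `"saml"`/`"passkey"` method labels, the exact-match rule and all function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: email domain -> SAML connection name (hypothetical).
var samlConnections = map[string]string{"example.com": "okta-example"}

// EmailDomain returns the lowercased domain, splitting on the last '@'.
func EmailDomain(email string) (string, error) {
	i := strings.LastIndex(email, "@")
	if i <= 0 || i == len(email)-1 {
		return "", errors.New("not an email address")
	}
	return strings.ToLower(strings.TrimSuffix(email[i+1:], ".")), nil
}

// RouteLogin reports which SAML connection (if any) handles this address.
// Assumption: matching is exact, so sub.example.com is not routed.
func RouteLogin(email string) (conn string, viaSAML bool) {
	d, err := EmailDomain(strings.TrimSpace(email))
	if err != nil {
		return "", false
	}
	conn, viaSAML = samlConnections[d]
	return conn, viaSAML
}

// BypassedIdP flags a completed login whose address belongs to a SAML domain
// but whose method was not "saml", e.g. a passkey created via hanko-profile.
func BypassedIdP(email, method string) bool {
	_, viaSAML := RouteLogin(email)
	return viaSAML && method != "saml"
}

func main() {
	// Constructed login events: address and authentication method.
	events := [][2]string{
		{"alice@example.com", "saml"},
		{"Bob@Example.COM", "passkey"},
		{"carol@other.org", "passkey"},
	}
	for _, e := range events {
		fmt.Printf("%-20s %-8s bypass=%v\n", e[0], e[1], BypassedIdP(e[0], e[1]))
	}
}
```

Run over authentication logs, a check like `BypassedIdP` shows how often SAML-domain users sign in without the IdP, which matters when the IdP is where MFA and offboarding are enforced.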

Important

We've introduced the /ee folder in the Hanko backend that has a different proprietary license for the code that handles SAML SSO connections. Self-hosting a Hanko production deployment that uses /ee code requires a commercial agreement with us. If the SAML feature is not used / configured, the code won't be executed and there's no risk of a license violation.

User Export

  • In the same spirit as our existing user import feature, there's now a user export subcommand made available by the Hanko backend.
  • The exported data is in the same format / schema that's used for user import (i.e. exported Hanko data is importable to another Hanko without any modifications).
  • Thanks @IgnisDa for your contribution!

What's Changed

New Contributors

Full Changelog: https://github.com/teamhanko/hanko/compare/@teamhanko/[email protected]/v0.9.0