dashboard: add ui for configuring sso (#41986)

--- > [!NOTE] > Adds a new SSO settings page with enable/disable and domain management, gated by a feature flag, plus minor design-system tweaks. > > - **Dashboard** > - **SSO Settings UI**: New `TeamSSO` component (`components/teamSettings/TeamSSO.tsx`) with enable/disable and domain configuration, including validation against verified email domains. > - **API Hooks**: Add `useGetSSO`, `useEnableSSO`, `useUpdateSSODomain`, `useDisableSSO` in `api/teams.ts` with corresponding mutate keys. > - **Navigation & Page**: Add `settings/sso` route (`pages/t/[team]/settings/sso.tsx`) and sidebar link in `TeamSettingsLayout` when enabled. > - **Feature Flag**: Introduce `singleSignOn` flag via `useLaunchDarkly` for conditional SSO UI. > - **Design System** > - **TextInput**: `error` prop accepts `React.ReactNode` (was `string`). > - **Checkbox**: Improve disabled styles (`disabled:bg-background-primary`, `disabled:cursor-not-allowed`). > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 490ec4984b042a68f54b40f16b6a61cbe85466fa. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> GitOrigin-RevId: 2ff63ad4e58d410f59037882c13a9c8200378f75

Author: atrakh

npm-packages/@convex-dev/design-system/src/Checkbox.tsx

@@ -31,7 +31,7 @@ export function Checkbox({
  tabIndex={0}
  type="checkbox"
  className={classNames(
- "size-3.5 form-checkbox enabled:cursor-pointer rounded-sm disabled:opacity-50 enabled:hover:text-content-link enabled:hover:outline enabled:hover:outline-content-primary",
+ "size-3.5 form-checkbox enabled:cursor-pointer rounded-sm disabled:opacity-50 disabled:bg-background-primary disabled:cursor-not-allowed enabled:hover:text-content-link enabled:hover:outline enabled:hover:outline-content-primary",
  "focus:outline-0 focus:ring-0",
  "bg-background-secondary ring-offset-background-secondary checked:bg-util-accent text-util-accent",
  className,

npm-packages/@convex-dev/design-system/src/TextInput.tsx

@@ -19,7 +19,7 @@ type InputProps = {
  iconTooltip?: string;
  /** The action on `Icon`. */
  action?: () => void;
- error?: string;
+ error?: React.ReactNode;
  description?: React.ReactNode;
  id: string;
  type?: "text" | "search" | "email" | "time" | "password" | "number";

npm-packages/dashboard/src/api/teams.ts

@@ -131,3 +131,55 @@ export function useUnpauseTeam(teamId: number) {
  successToast: "Your team has been restored.",
  });
 }
+
+export function useGetSSO(teamId: number | undefined) {
+ const { data: ssoOrganization } = useBBQuery({
+ path: "/teams/{team_id}/get_sso",
+ pathParams: {
+ team_id: teamId?.toString() || "",
+ },
+ });
+ return ssoOrganization;
+}
+
+export function useEnableSSO(teamId: number) {
+ return useBBMutation({
+ path: `/teams/{team_id}/enable_sso`,
+ pathParams: {
+ team_id: teamId.toString(),
+ },
+ mutateKey: "/teams/{team_id}/get_sso",
+ mutatePathParams: {
+ team_id: teamId.toString(),
+ },
+ successToast: "SSO has been enabled for your team.",
+ });
+}
+
+export function useUpdateSSODomain(teamId: number) {
+ return useBBMutation({
+ path: `/teams/{team_id}/update_sso_domain`,
+ pathParams: {
+ team_id: teamId.toString(),
+ },
+ mutateKey: "/teams/{team_id}/get_sso",
+ mutatePathParams: {
+ team_id: teamId.toString(),
+ },
+ successToast: "SSO domain has been updated.",
+ });
+}
+
+export function useDisableSSO(teamId: number) {
+ return useBBMutation({
+ path: `/teams/{team_id}/disable_sso`,
+ pathParams: {
+ team_id: teamId.toString(),
+ },
+ mutateKey: "/teams/{team_id}/get_sso",
+ mutatePathParams: {
+ team_id: teamId.toString(),
+ },
+ successToast: "SSO has been disabled for your team.",
+ });
+}

npm-packages/dashboard/src/components/teamSettings/TeamSSO.tsx

@@ -0,0 +1,224 @@
+import { Team } from "generatedApi";
+import { Sheet } from "@ui/Sheet";
+import { Callout } from "@ui/Callout";
+import { Checkbox } from "@ui/Checkbox";
+import { Spinner } from "@ui/Spinner";
+import { TextInput } from "@ui/TextInput";
+import { Button } from "@ui/Button";
+import { useIsCurrentMemberTeamAdmin } from "api/roles";
+import {
+ useTeamEntitlements,
+ useGetSSO,
+ useEnableSSO,
+ useUpdateSSODomain,
+ useDisableSSO,
+} from "api/teams";
+import { useState, useMemo } from "react";
+import { Tooltip } from "@ui/Tooltip";
+import { useProfileEmails } from "api/profile";
+
+export function TeamSSO({ team }: { team: Team }) {
+ const hasAdminPermissions = useIsCurrentMemberTeamAdmin();
+ const entitlements = useTeamEntitlements(team.id);
+ const ssoOrganization = useGetSSO(team.id);
+ const enableSSO = useEnableSSO(team.id);
+ const updateSSODomain = useUpdateSSODomain(team.id);
+ const disableSSO = useDisableSSO(team.id);
+ const profileEmails = useProfileEmails();
+
+ const [isSubmitting, setIsSubmitting] = useState(false);
+ const [showDomainForm, setShowDomainForm] = useState(false);
+ const [domain, setDomain] = useState("");
+ const [domainError, setDomainError] = useState<React.ReactNode>(null);
+
+ const ssoEnabled = entitlements?.ssoEnabled ?? false;
+ const isSSOConfigured = !!ssoOrganization;
+ const currentDomain = ssoOrganization?.domains?.[0]?.domain;
+
+ // Extract verified domains from team member emails
+ const verifiedDomains = useMemo(() => {
+ if (!profileEmails) return new Set<string>();
+ const domains = new Set<string>();
+ profileEmails.forEach(({ email, isVerified }) => {
+ const emailDomain = email.split("@")[1];
+ if (emailDomain && isVerified) {
+ domains.add(emailDomain.toLowerCase());
+ }
+ });
+ return domains;
+ }, [profileEmails]);
+
+ const handleDomainFormSubmit = async (e: React.FormEvent) => {
+ e.preventDefault();
+ const trimmedDomain = domain.trim().toLowerCase();
+
+ if (!trimmedDomain) {
+ setDomainError("Domain is required");
+ return;
+ }
+
+ // Validate that domain matches a verified email domain
+ if (!verifiedDomains.has(trimmedDomain)) {
+ setDomainError(
+ <div>
+ The domain "{trimmedDomain}" does not match any verified email
+ addresses on your account.{" "}
+ <a
+ href="/profile"
+ target="_blank"
+ rel="noopener noreferrer"
+ className="text-content-link underline"
+ >
+ Add a verified email
+ </a>{" "}
+ with this domain before setting up SSO.
+ </div>,
+ );
+ return;
+ }
+
+ setDomainError(null);
+ setIsSubmitting(true);
+ try {
+ if (isSSOConfigured) {
+ await updateSSODomain({ domain: trimmedDomain });
+ } else {
+ await enableSSO({ domain: trimmedDomain });
+ }
+ setShowDomainForm(false);
+ setDomain("");
+ } finally {
+ setIsSubmitting(false);
+ }
+ };
+
+ return (
+ <>
+ <h2>Single Sign-On (SSO)</h2>
+
+ {!ssoEnabled && (
+ <Callout variant="upsell">
+ SSO is not available on your plan. Upgrade your plan to use SSO.
+ </Callout>
+ )}
+
+ <Sheet>
+ <h3 className="mb-2">Configuration</h3>
+ <p className="mb-4 text-xs text-content-secondary">
+ Configure Single Sign-On (SSO) for your team to enable secure
+ authentication through your identity provider.
+ </p>
+
+ <Tooltip
+ tip={
+ !hasAdminPermissions
+ ? "You do not have permission to change SSO settings."
+ : !ssoEnabled
+ ? "SSO is not available on your plan."
+ : undefined
+ }
+ >
+ <label className="flex items-center gap-2 text-sm">
+ <Checkbox
+ checked={isSSOConfigured || showDomainForm}
+ disabled={isSubmitting || !hasAdminPermissions || !ssoEnabled}
+ onChange={async () => {
+ if (isSSOConfigured) {
+ setIsSubmitting(true);
+ try {
+ await disableSSO();
+ setShowDomainForm(false);
+ setDomain("");
+ } finally {
+ setIsSubmitting(false);
+ }
+ } else if (showDomainForm) {
+ setShowDomainForm(false);
+ setDomain("");
+ } else {
+ setShowDomainForm(true);
+ setDomain("");
+ }
+ }}
+ />
+ Enable SSO
+ {isSubmitting && (
+ <div>
+ <Spinner />
+ </div>
+ )}
+ </label>
+ </Tooltip>
+
+ {(showDomainForm || isSSOConfigured) && (
+ <div className="mt-6 space-y-4">
+ {isSSOConfigured && !showDomainForm && (
+ <div className="flex flex-col gap-2">
+ {currentDomain && (
+ <span>
+ Current domain:{" "}
+ <span className="font-semibold">{currentDomain}</span>
+ </span>
+ )}
+ <Button
+ variant="neutral"
+ className="w-fit"
+ size="sm"
+ onClick={() => {
+ setShowDomainForm(true);
+ setDomain(currentDomain || "");
+ }}
+ disabled={isSubmitting || !hasAdminPermissions}
+ >
+ {currentDomain ? "Change SSO Domain" : "Set SSO Domain"}
+ </Button>
+ </div>
+ )}
+
+ {showDomainForm && (
+ <form
+ className="max-w-[30rem] space-y-4"
+ onSubmit={handleDomainFormSubmit}
+ >
+ <TextInput
+ autoFocus
+ id="sso-domain"
+ label="Domain"
+ value={domain}
+ onChange={(e) => {
+ setDomain(e.target.value);
+ setDomainError(null);
+ }}
+ placeholder={currentDomain || "example.com"}
+ disabled={isSubmitting}
+ description="Enter the domain your team's members will use to login with SSO."
+ error={domainError}
+ />
+ <div className="flex gap-2">
+ <Button
+ variant="neutral"
+ onClick={() => {
+ setShowDomainForm(false);
+ setDomain("");
+ setDomainError(null);
+ }}
+ disabled={isSubmitting}
+ >
+ Cancel
+ </Button>
+ <Button
+ type="submit"
+ variant="primary"
+ disabled={!domain.trim() || isSubmitting}
+ >
+ Save
+ </Button>
+ </div>
+ </form>
+ )}
+ </div>
+ )}
+ </Sheet>
+ </>
+ );
+}

npm-packages/dashboard/src/generatedApi.ts

@@ -2229,8 +2229,13 @@ export interface components {
  };
  /** @enum {string} */
  Role: "admin" | "developer";
+ SSOOrganizationDomain: {
+ domain: string;
+ id: string;
+ };
  SSOOrganizationResponse: {
  createdAt: string;
+ domains: components["schemas"]["SSOOrganizationDomain"][];
  id: string;
  name: string;
  updatedAt: string;
@@ -2538,6 +2543,7 @@ export type RenameAccessTokenArgs = components['schemas']['RenameAccessTokenArgs
 export type RequestDestination = components['schemas']['RequestDestination'];
 export type RestoreFromCloudBackupArgs = components['schemas']['RestoreFromCloudBackupArgs'];
 export type Role = components['schemas']['Role'];
+export type SsoOrganizationDomain = components['schemas']['SSOOrganizationDomain'];
 export type SsoOrganizationResponse = components['schemas']['SSOOrganizationResponse'];
 export type SerializedAccessToken = components['schemas']['SerializedAccessToken'];
 export type SetSpendingLimitArgs = components['schemas']['SetSpendingLimitArgs'];

npm-packages/dashboard/src/hooks/useLaunchDarkly.tsx

@@ -4,9 +4,11 @@ import kebabCase from "lodash/kebabCase";
 const flagDefaults: {
  commandPalette: boolean;
  commandPaletteDeleteProjects: boolean;
+ singleSignOn: boolean;
 } = {
  commandPalette: false,
  commandPaletteDeleteProjects: false,
+ singleSignOn: false,
 };
 
 function kebabCaseKeys(object: typeof flagDefaults) {

npm-packages/dashboard/src/layouts/TeamSettingsLayout.tsx

@@ -7,6 +7,7 @@ import Head from "next/head";
 import React from "react";
 import { Team } from "generatedApi";
 import { SidebarLink } from "@common/elements/Sidebar";
+import { useLaunchDarkly } from "hooks/useLaunchDarkly";
 
 export function TeamSettingsLayout({
  page: selectedPage,
@@ -21,15 +22,17 @@ export function TeamSettingsLayout({
  | "audit-log"
  | "referrals"
  | "access-tokens"
- | "applications";
+ | "applications"
+ | "sso";
  Component: React.FunctionComponent<{ team: Team }>;
  title: string;
 }) {
  const selectedTeam = useCurrentTeam();
 
- const auditLogsEnabled = useTeamEntitlements(
- selectedTeam?.id,
- )?.auditLogsEnabled;
+ const entitlements = useTeamEntitlements(selectedTeam?.id);
+ const auditLogsEnabled = entitlements?.auditLogsEnabled;
+
+ const { singleSignOn } = useLaunchDarkly();
 
  const pages = [
  "general",
@@ -88,6 +91,14 @@ export function TeamSettingsLayout({
  >
  Audit Log
  </SidebarLink>
+ {singleSignOn && (
+ <SidebarLink
+ isActive={selectedPage === "sso"}
+ href={`/t/${selectedTeam?.slug}/settings/sso`}
+ >
+ Single Sign-On
+ </SidebarLink>
+ )}
  </aside>
  <div className="scrollbar w-full overflow-y-auto">
  <div className="flex max-w-[65rem] flex-col gap-6 p-6">

npm-packages/dashboard/src/pages/t/[team]/settings/sso.tsx

@@ -0,0 +1,11 @@
+import { TeamSSO } from "components/teamSettings/TeamSSO";
+import { TeamSettingsLayout } from "layouts/TeamSettingsLayout";
+import { withAuthenticatedPage } from "lib/withAuthenticatedPage";
+
+export { getServerSideProps } from "lib/ssr";
+
+function SSOPage() {
+ return <TeamSettingsLayout page="sso" Component={TeamSSO} title="SSO" />;
+}
+
+export default withAuthenticatedPage(SSOPage);