PostHog
Improve SAML support
Is your feature request related to a problem?
Getting up and running with SAML can be tedious. You have to open organisation settings, and verify a domain through a DNS record. This is the easy part.
You have to open our SSO docs (SAML part), open organisation settings, and open your SAML provider's config screen. Then copy/paste keys/values between all three places. E.g. the docs ask you to copy "your instance URL + /complete/saml" to a box.
Having set up Azure AD and JumpCloud, it seems that many settings are slightly differently named between services, and our docs don't cover the difference well.
We also had an issue, where we only supported posthog-initiated SAML, but not IdP-initiated SAML (e.g. you click "log me in" in jumpcloud/okta, and expect to be logged in). This PR exposes the right RelayState variable that makes it possible to configure IdP-initiated SAML, and also exposes one of the variables you had to copy from the docs.
Describe the solution you'd like
There is so much more we could do to provide a slick experience here. For example:
- inline docs in the app, telling me what to do to set up SAML
- adding us to a lot of different identity provider directories for easier integrations. We're in Okta... but JumpCloud, Azure AD are the two other ones that people tried to integrate us with recently.
- solve the small frustrations you experience when going through it yourself
Describe alternatives you've considered
Guide users as they experience issues.
Additional context
Thank you for your feature request – we love each and every one!
One even bigger problem: when setting up SAML incorrectly, this is all that you get when trying to log in:
If you're lucky enough to have access to Sentry, you might be lucky enough to learn what you configured wrong:
That's not slick.