Hide non-SSO login when SSO variable enabled
Problem
Currently, the login interface displays both traditional username/password fields and the SSO login button. For organisations that want to enforce SSO-only authentication, having the username/password fields visible can be confusing for users and may encourage bypassing the preferred SSO workflow.
Proposed solution
Add a configuration variable that allows administrators to disable the traditional login fields and only display the SSO login button. When enabled, this option would:
- Hide the username and password input fields
- Display only the SSO login button with customizable text (default: "Login with SSO")
Minor tweak of tweak from 'Login with Openid_connect' to 'Login with {{ProviderName}}'
Thanks for opening this issue @bsmithuk! This is really valuable feedback.
The minor tweak you mentioned—showing the provider name inside the button—already works!
From your recent message on the Matrix channel I noticed you are using openid_connect as the provider_name. If you change it to authentik, you’ll see the expected text on the button. The only extra step after that would be to update the callback URL in your identity provider.
In your environment variable:
OIDC_CONFIG_DICT={
"version":1,
"oidc_providers":{
"authentik":{
- "provider_name":"openid_connect",
+ "provider_name":"authentik",
"server_url":"https://auth.domain.com/application/o/mathesar",
"client_id":"YOUR_CLIENT_ID",
"secret":"YOUR_CLIENT_SECRET"
}
}
}
In your Identity Provider configuration:
- https://[YOUR MATHESAR DOMAIN]/auth/oidc/openid_connect/login/callback/
+ https://[YOUR MATHESAR DOMAIN]/auth/oidc/authentik/login/callback/
Edit: Using sso instead of authentik above should also work and make the button say "Log in with Sso". Using the name of the IdP for provider name, however, helps us to show an icon of the relevant IdP within the button. We don't seem to have an icon for authentik as of now but we might add it in our next releases :).
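Because renaming provider_name also changes the callback path, the redirect URI registered at the IdP has to change with it. The following is an added example, not part of the thread or of Mathesar's code, that derives the callback URL from OIDC_CONFIG_DICT and compares it with what the IdP currently lists. The function names, the mathesar.example.com base URL and the registered-URI list are assumptions; the callback path pattern is the one quoted in the comment above.

```python
import json

# Callback path as quoted in the comment above; provider_name is the variable part.
CALLBACK_PATH = "/auth/oidc/{provider_name}/login/callback/"


def expected_callbacks(config_json, base_url):
    """Map each oidc_providers key to the redirect URI its provider_name implies."""
    providers = json.loads(config_json)["oidc_providers"]
    base = base_url.rstrip("/")
    return {
        key: base + CALLBACK_PATH.format(provider_name=p["provider_name"])
        for key, p in providers.items()
    }


def audit_redirect_uris(config_json, base_url, registered):
    """Return (missing, stale) redirect URIs.

    missing: URIs the config implies but the IdP does not list, so the IdP
             will reject the login redirect.
    stale:   URIs still listed at the IdP that no configured provider uses.
    """
    expected = set(expected_callbacks(config_json, base_url).values())
    listed = set(registered)
    return sorted(expected - listed), sorted(listed - expected)


# Constructed sample: the config after the rename, IdP still holding the old URI.
BASE_URL = "https://mathesar.example.com"  # hypothetical Mathesar domain
SAMPLE_CONFIG = json.dumps({
    "version": 1,
    "oidc_providers": {
        "authentik": {
            "provider_name": "authentik",
            "server_url": "https://auth.domain.com/application/o/mathesar",
            "client_id": "YOUR_CLIENT_ID",
            "secret": "YOUR_CLIENT_SECRET",
        }
    },
})
REGISTERED_AT_IDP = [BASE_URL + "/auth/oidc/openid_connect/login/callback/"]

if __name__ == "__main__":
    missing, stale = audit_redirect_uris(SAMPLE_CONFIG, BASE_URL, REGISTERED_AT_IDP)
    print("register at IdP:", missing)
    print("remove from IdP:", stale)
```

Removing the stale entry matters as much as adding the new one: the IdP should accept only redirect URIs that a configured provider actually uses.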
Fab thanks for the response - will tweak it now! Assume the other query of hiding the standard login isn't an option?
> Assume the other query of hiding the standard login isn't an option?
That's correct, not yet.