feat: add FGA mappings support to SSO tenant settings #1539

Merged: dorsha merged 1 commit into main from dorsha/sso-fga-mappings on May 16, 2026

@dorsha dorsha commented May 16, 2026

Summary

  • Adds FGAGroupMapping and FGAGroupMappingRelation types to the public API
  • Wires fgaMappings (plus configFGATenantIDResourcePrefix / configFGATenantIDResourceSuffix for SAML variants) into configure_oidc_settings, configure_saml_settings, and configure_saml_settings_by_metadata, matching the management.proto contract and the Go SDK shape
  • Brings the Python SDK to parity with the backend / Go SDK so consumers can configure FGA-based group→relation mappings for SSO tenants

Closes descope/etc#15652

Test plan

  • python -m pytest tests/management/test_sso_settings.py -v — 16 passed (4 new FGA-specific tests)
  • python -m pytest tests/ — 470 passed
  • Manual smoke against staging once merged

🤖 Generated with Claude Code

Adds FGAGroupMapping and FGAGroupMappingRelation types and wires
fgaMappings (plus configFGATenantIDResourcePrefix/Suffix for SAML
variants) into the OIDC/SAML/SAML-by-metadata configure requests,
matching the management.proto contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 16, 2026 05:21

shuni-bot-dev Bot commented May 16, 2026

🐕 Review complete — View session on Shuni Portal 🐾

@dorsha dorsha enabled auto-merge (squash) May 16, 2026 05:22

Copilot AI left a comment

Pull request overview

Adds first-class support in the Python SDK for configuring FGA group→relation mappings in SSO tenant settings (OIDC + SAML), aligning the SDK request payload shape with the backend / Go SDK.

Changes:

  • Introduces public FGAGroupMapping and FGAGroupMappingRelation types.
  • Wires fgaMappings into OIDC/SAML SSO settings request bodies, plus SAML-specific configFGATenantIDResourcePrefix/Suffix.
  • Expands SSO settings tests to cover FGA serialization and request payloads.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| descope/management/sso_settings.py | Adds FGA mapping types + serialization and includes them in SSO configure request bodies. |
| descope/__init__.py | Exposes the new FGA mapping types in the public package exports. |
| tests/management/test_sso_settings.py | Adds/updates tests validating FGA mapping serialization and request JSON payloads. |

Comments suppressed due to low confidence (2)

descope/management/sso_settings.py:154

  • SSOSAMLSettings.__init__ adds new optional parameters before the existing migration override parameters (sp_acs_url, sp_entity_id). This changes the positional-argument order and can break existing callers that instantiate SSOSAMLSettings positionally (their old sp_acs_url value would be interpreted as fga_mappings, etc.). To preserve backward compatibility, append the new parameters after the existing ones (or otherwise keep the original positional ordering).
    def __init__(
        self,
        idp_url: str,
        idp_entity_id: str,
        idp_cert: str,
        attribute_mapping: Optional[AttributeMapping] = None,
        role_mappings: Optional[List[RoleMapping]] = None,
        default_sso_roles: Optional[List[str]] = None,
        idp_additional_certs: Optional[List[str]] = None,
        groups_priority: Optional[List[str]] = None,  # list of group names in priority order (first = highest priority)
        fga_mappings: Optional[Dict[str, FGAGroupMapping]] = None,  # map of IDP group name -> FGA relations
        config_fga_tenant_id_resource_prefix: Optional[str] = None,
        config_fga_tenant_id_resource_suffix: Optional[str] = None,
        # NOTICE - the following fields should be overridden only in case of SSO migration, otherwise, do not modify these fields
        sp_acs_url: Optional[str] = None,
        sp_entity_id: Optional[str] = None,
    ):

descope/management/sso_settings.py:188

  • SSOSAMLSettingsByMetadata.__init__ inserts new optional parameters before the migration override parameters (sp_acs_url, sp_entity_id), which changes positional-argument ordering and can break existing code that uses positional construction. Consider moving fga_mappings / config_fga_tenant_id_resource_prefix / config_fga_tenant_id_resource_suffix after the existing parameters to keep positional compatibility.
    def __init__(
        self,
        idp_metadata_url: str,
        attribute_mapping: Optional[AttributeMapping] = None,
        role_mappings: Optional[List[RoleMapping]] = None,
        default_sso_roles: Optional[List[str]] = None,
        groups_priority: Optional[List[str]] = None,  # list of group names in priority order (first = highest priority)
        fga_mappings: Optional[Dict[str, FGAGroupMapping]] = None,  # map of IDP group name -> FGA relations
        config_fga_tenant_id_resource_prefix: Optional[str] = None,
        config_fga_tenant_id_resource_suffix: Optional[str] = None,
        # NOTICE - the following fields should be overridden only in case of SSO migration, otherwise, do not modify these fields
        sp_acs_url: Optional[str] = None,
        sp_entity_id: Optional[str] = None,
    ):
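
An added example (not part of the review comment above and not code from the SDK) of the positional-rebinding problem it describes: trimmed, hypothetical stand-ins for the constructor show a legacy positional call silently shifting its `sp_acs_url` value into `fga_mappings`, next to a signature check a test suite can run to catch that. The class names, the reduced parameter list and the sample values are assumptions.

```python
import inspect

# Constructed legacy call: every argument passed positionally, written against V1.
LEGACY_ARGS = ("https://idp.example/metadata", ["admins"],
               "https://sp.example/acs", "sp-entity-id")


class SettingsV1:
    """Trimmed stand-in for the signature before the change."""
    def __init__(self, idp_metadata_url, groups_priority=None,
                 sp_acs_url=None, sp_entity_id=None):
        self.sp_acs_url, self.sp_entity_id = sp_acs_url, sp_entity_id


class SettingsInserted:
    """New optional parameter inserted ahead of the existing ones."""
    def __init__(self, idp_metadata_url, groups_priority=None, fga_mappings=None,
                 sp_acs_url=None, sp_entity_id=None):
        self.fga_mappings = fga_mappings
        self.sp_acs_url, self.sp_entity_id = sp_acs_url, sp_entity_id


class SettingsKeywordOnly:
    """Same new parameter, added after the existing ones as keyword-only."""
    def __init__(self, idp_metadata_url, groups_priority=None,
                 sp_acs_url=None, sp_entity_id=None, *, fga_mappings=None):
        self.fga_mappings = fga_mappings
        self.sp_acs_url, self.sp_entity_id = sp_acs_url, sp_entity_id


def positional_names(cls):
    """Parameter names that can be bound by position, in order, without self."""
    kinds = (inspect.Parameter.POSITIONAL_ONLY,
             inspect.Parameter.POSITIONAL_OR_KEYWORD)
    params = list(inspect.signature(cls.__init__).parameters.values())[1:]
    return [p.name for p in params if p.kind in kinds]


def keeps_positional_order(old_cls, new_cls):
    """True when the old positional parameter list is a prefix of the new one."""
    old = positional_names(old_cls)
    return positional_names(new_cls)[:len(old)] == old


def rebound_fields(cls):
    """Fields whose value differs from SettingsV1 for the same legacy call."""
    want, got = vars(SettingsV1(*LEGACY_ARGS)), vars(cls(*LEGACY_ARGS))
    return sorted(k for k in want if got[k] != want[k])
```
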

@shuni-bot-dev shuni-bot-dev Bot left a comment

🐕 Shuni's Review

Adds FGAGroupMapping/FGAGroupMappingRelation types and wires fgaMappings (plus FGA tenant prefix/suffix for SAML) into the OIDC and SAML configure flows, with matching test updates.

No issues found — good bones! Wire format follows the existing camelCase pattern, edge cases (None map, empty/None relations, omitted mapping value) are handled in _fga_mappings_to_dict, and all three compose bodies + tests are kept in sync. Woof!

@dorsha dorsha requested a review from aviadl May 16, 2026 05:23
@github-actions

Coverage report

The coverage rate went from 98.29% to 98.31% ⬆️

100% of new lines are covered.

Diff Coverage details

descope/management/sso_settings.py

100% of new lines are covered (100% of the complete file).

@dorsha dorsha requested a review from LioriE May 16, 2026 07:00
@dorsha dorsha merged commit 95bade5 into main May 16, 2026
34 checks passed
@dorsha dorsha deleted the dorsha/sso-fga-mappings branch May 16, 2026 22:52