Configuring Entra ID SAML SSO with Self-Hosted Supabase

This guide walks through configuring Microsoft Entra ID (formerly Azure AD) as a SAML identity provider for your self-hosted Supabase instance to enable SSO authentication with sfp pro CLI/codev

Prerequisites

Before starting the configuration, ensure you have:

• Self-Hosted Supabase Requirements:

  • Running Supabase instance (Docker or Kubernetes)

  • Access to modify environment variables and configuration files

  • SSL certificates configured (SAML requires HTTPS)

  • Ability to restart services

• Entra ID Requirements:

  • Admin access to your Microsoft Entra ID tenant

  • At least one verified domain in your Entra ID tenant

  • Ability to create Enterprise Applications

• sfp Requirements:

  • sfp CLI installed

  • Access to your sfp server instance

  • sfp server URL (e.g., https://your-sfp-server.com)

Step 1: Enable SAML in Self-Hosted Supabase

Generate Private Key

SAML requires a private key for signing. Generate one:

bash

Configure Environment Variables

Add to your .env file (in the same directory as docker-compose.yml):

bash

Update Docker Compose Configuration

In your docker-compose.yml, pass the SAML environment variables to the auth container:

yaml

Configure Kong API Gateway

Edit /docker/volumes/api/kong.yml to expose SAML endpoints:

yaml

Configure Reverse Proxy (if applicable)

If using Nginx as a reverse proxy, add:

nginx

Restart Services

bash

Verify SAML is Enabled

bash

You should see "saml_enabled": true in the response.

Step 2: Note Your Supabase Configuration

Gather your self-hosted instance information:

bash

Step 3: Configure Entra ID Enterprise Application

Create the Application

1. Sign in to Azure Portal

2. Navigate to Microsoft Entra ID → Enterprise applications

3. Click New application → Create your own application

4. Select Integrate any other application you don't find in the gallery (Non-gallery)

5. Name it (e.g., "sfp SSO Self-Hosted")

6. Click Create

Configure SAML Settings

1. In your application, go to Single sign-on

2. Select SAML as the method

3. Click Edit in Basic SAML Configuration

4. Configure these URLs (use your actual instance URL):

1. Click Save

Configure Attributes and Claims

1. In Attributes & Claims, click Edit

2. Ensure these claims are configured:

Download Federation Metadata

1. In SAML Certificates section

2. Download Federation Metadata XML

3. Note the SAML Metadata URL if available

Assign Users

1. Go to Users and groups

2. Click Add user/group

3. Select users who need sfp access

4. Click Assign

Step 4: Add SAML Provider to Self-Hosted Supabase

Since self-hosted Supabase doesn't have CLI support for SSO management, use the Admin API:

Add the Identity Provider

bash

Or using metadata XML content:

bash

Configure Attribute Mappings

Get the provider ID from the previous response, then update mappings:

bash

Verify Provider Configuration

bash

Step 5: Configure sfp CLI

Configure sfp to use your self-hosted Supabase instance:

bash

Example:

bash

Step 6: Test SAML Authentication

Test SSO URL Generation

First, verify the SSO URL can be generated:

bash

You should receive a JSON response with a URL to the Entra ID login page.

Test with sfp CLI

bash

Example:

bash

Troubleshooting

Common Issues

"saml_enabled": false in settings

• Check environment variables are set correctly

• Verify docker-compose.yml passes SAML variables to auth container

• Restart all containers: docker-compose down && docker-compose up -d

Kong routes not working

• Verify kong.yml has been updated with SSO routes

• Check Kong logs: docker logs supabase-kong

• Ensure paths are correctly configured

SSL/HTTPS issues

• SAML requires HTTPS - ensure SSL is properly configured

• Check reverse proxy configuration if using one

• Verify API_EXTERNAL_URL and GOTRUE_EXTERNAL_URL use https://

"No SSO provider assigned for this domain"

• Check provider was added successfully

• Verify domain matches exactly

• List providers to confirm configuration

Metadata URL not accessible

• For on-premise Entra ID behind VPN, use metadata XML instead

• Ensure your Supabase instance can reach Microsoft's URLs

Debug Commands

bash

Security Considerations

SSL/TLS Configuration

Ensure proper SSL configuration for SAML:

nginx

Network Security

1. Firewall Rules: Allow HTTPS traffic from Entra ID services

2. Internal Communication: Secure communication between containers

3. Secret Management: Store sensitive keys securely

Monitoring

1. Set up log aggregation for auth services

2. Monitor failed authentication attempts

3. Track certificate expiration dates

4. Regular security audits

Managing Multiple Environments

For different environments with self-hosted instances:

bash

Or use environment variables:

bash

Next Steps

After successful configuration:

1. Document the setup for your operations team

2. Create runbooks for common issues

3. Set up monitoring and alerting

4. Plan for certificate rotation

5. Consider implementing SCIM for user provisioning

6. Document disaster recovery procedures