Stack Dyno
Security

Dec 12, 2024

Set up single sign-on (SSO)

Centralize authentication for Stack Dyno apps using your existing identity provider.


You can keep the marketing site public while gating the reseller and user dashboards behind SSO.

Supported providers

  • Google Workspace (OIDC)
  • Okta (SAML or OIDC)
  • Azure AD (OIDC)
  • Any provider emitting JWTs with email and groups claims

High-level flow

sequenceDiagram
  participant User
  participant IdP
  participant StackDyno
  User->>StackDyno: Access /frontend-user
  StackDyno->>IdP: Redirect with client_id + scopes
  IdP-->>User: Prompt + MFA
  User-->>StackDyno: Auth code
  StackDyno->>IdP: Exchange for tokens
  IdP-->>StackDyno: id_token + access_token
  StackDyno->>User: Signed session cookie

Implementation checklist

  1. Configure the OIDC app in your IdP (redirect URI https://app.stackdyno.dev/api/auth/callback).
  2. Save CLIENT_ID, CLIENT_SECRET, and ISSUER_URL in the backend .env.
  3. Update frontend-user/src/App.tsx to require an authenticated session before rendering.
  4. Add a docs section with troubleshooting steps (clock skew, group claims, etc.).

Testing tips

  • Use separate Okta groups for “internal” vs “customer” and map them to roles in the reseller app.
  • Exercise sign-out flows on both desktop and mobile.
  • Keep a break-glass user (email + password) for emergency access.
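The checks behind the checklist's troubleshooting items (clock skew, group claims) and the group-to-role mapping from the first testing tip, shown as an added TypeScript example that is not Stack Dyno's own code. It assumes an OIDC library has already verified the id_token signature; `checkClaims`, the group names, the role map and the sample values are hypothetical.

```typescript
// Added example: claim checks to run after an OIDC library has verified the
// id_token signature. Group names and the role map are assumptions.
type Role = "internal" | "customer";
interface IdTokenClaims {
  iss?: string; aud?: string | string[]; email?: string; groups?: string[];
  exp?: number; iat?: number; // seconds since epoch
}
interface SsoConfig {
  issuerUrl: string;      // ISSUER_URL from the backend .env
  clientId: string;       // CLIENT_ID from the backend .env
  leewaySeconds: number;  // tolerated clock skew between IdP and backend
  groupRoles: { [group: string]: Role }; // hypothetical IdP group -> role map
}
interface Decision { ok: boolean; reason: string; email?: string; role?: Role }

const deny = (reason: string): Decision => ({ ok: false, reason });

function checkClaims(c: IdTokenClaims, cfg: SsoConfig, nowSec: number): Decision {
  if (c.iss !== cfg.issuerUrl) return deny("issuer mismatch");
  const aud: (string | undefined)[] = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (aud.indexOf(cfg.clientId) === -1) return deny("audience mismatch");
  if (typeof c.exp !== "number") return deny("missing exp");
  if (nowSec > c.exp + cfg.leewaySeconds) return deny("token expired");
  if (typeof c.iat === "number" && c.iat > nowSec + cfg.leewaySeconds)
    return deny("iat in the future: check clock skew");
  if (typeof c.email !== "string" || c.email === "") return deny("missing email claim");
  if (!Array.isArray(c.groups)) return deny("missing groups claim");
  const roles: Role[] = [];
  for (const g of c.groups) {
    // Own-property lookup so a group named "constructor" cannot match the prototype.
    if (!Object.prototype.hasOwnProperty.call(cfg.groupRoles, g)) continue;
    const r = cfg.groupRoles[g];
    if (r !== undefined && roles.indexOf(r) === -1) roles.push(r);
  }
  // Fail closed: no mapped group, or groups mapping to both roles, gets no session.
  if (roles.length === 0) return deny("no mapped group");
  if (roles.length > 1) return deny("ambiguous roles");
  return { ok: true, reason: "ok", email: c.email, role: roles[0] };
}

// Constructed sample values, not taken from any real tenant.
const sampleConfig: SsoConfig = {
  issuerUrl: "https://idp.example.com", clientId: "client-id-placeholder",
  leewaySeconds: 60,
  groupRoles: { "sd-internal": "internal", "sd-customer": "customer" },
};
const sampleClaims: IdTokenClaims = {
  iss: "https://idp.example.com", aud: "client-id-placeholder",
  iat: 1700000000, exp: 1700003600,
  email: "alice@example.com", groups: ["sd-internal", "constructor"],
};
```

Logging the returned `reason` on the backend gives the troubleshooting section concrete strings to document.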

With SSO locked in, customers trust Stack Dyno with their real production data.

