Users who exist in Microsoft Entra ID or LDAP but have no local account were blocked at the email-first login step because the system required a local user record before showing SSO options. This adds a domain-based fallback: when the email is unknown locally, the system checks tenant SSO configurations for matching allowed_domains and presents SSO-only login options, enabling the existing JIT provisioning to trigger on callback. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
17 lines
576 B
PHP
17 lines
576 B
PHP
<?php
|
|
|
|
namespace MintyPHP\Repository\Tenant;
|
|
|
|
/** Contract for storing and retrieving Microsoft Entra ID SSO configuration per tenant. */
|
|
interface TenantMicrosoftAuthRepositoryInterface
|
|
{
|
|
public function findByTenantId(int $tenantId): ?array;
|
|
|
|
public function listByTenantIds(array $tenantIds): array;
|
|
|
|
public function upsertByTenantId(int $tenantId, array $data): bool;
|
|
|
|
/** @return list<array{tenant_id: int, allowed_domains: string}> Enabled configs with explicit domain match */
|
|
public function findEnabledWithExplicitDomain(string $domain): array;
|
|
}
|