Let's use WorkOS for this. Seems pretty simple to integrate. Pricing also looks good.

Endpoints

Redirect

Use the normal create token endpoint. Add an SSO_REQUIRED error code when the current account or user requires SSO.

POST /v1/tokens
401 Unauthorized
Location: <authorization_url>
{
  "errors": [
    {
      "title": "Unauthorized",
      "detail": "single sign on is required",
      "code": "SSO_REQUIRED"
    }
  ],
  "links": {
    "redirect": "<authorization_url>"
  }
}

The client i.e. Portal MUST manually redirect to the WorkOS authorization URL.

Docs: https://workos.com/docs/reference/sso/get-authorization-url

Callback

The callback is contains a code query param that can be exchanged for a user profile. After retrieving the user, we MAY need to create the user, and then we MUST generate a token for the authenticated user.

We can optionally use the state query param to store additional state, such as account or redirect URL.

After the user has been authenticated, we redirect to Portal.

GET /v1/workos?code=<code>&state=<account>
301 Temporary Redirect
Location: https://portal.keygen.sh/<account>

I'm thinking we should generate an SSO-specific token that can only be used via Portal e.g. using a strict/secure cookie. But using cookies creates other problems, such as accounts using a self-hosted Portal not being able to use SSO. (We COULD keep the Referrer in the state parameter of the authorization URL, but that introduces an open redirect attack vector...) If this becomes a problem, we can manually set a sso_redirect_url column for accounts using SSO.

Docs: https://workos.com/docs/reference/sso/get-authorization-url/redirect-uri