Roadmap placeholder. Phase A (token replication) merged in #451. Phase A.1 (RBAC table replication) tracked separately.
Scope
Replace / augment Arc Enterprise's bearer-token-only auth with single-sign-on integrations:
- SSO — generic OIDC-compliant identity providers (Okta, Auth0, Google Workspace, etc.).
- OIDC — direct OAuth 2.0 + OpenID Connect flow with PKCE.
- LDAP — for on-prem deployments with existing directory services (Active Directory, OpenLDAP).
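The OIDC item above names the two pieces a relying party has to get right: the PKCE code_challenge that binds the authorization code to the client that started the flow, and the ID token claim checks (iss, aud/azp, exp, iat, nonce) that must run after the signature has been verified against the IdP's JWKS. The following is an added example written for this note, not Arc Enterprise code; the function names, the issuer URL, the client ID and the claims dictionary are assumptions, and the claims are constructed inline as if already extracted from a signature-verified JWT. Signature verification itself is left out because it needs the live JWKS endpoint.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional


def make_pkce_pair(verifier: Optional[str] = None):
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636.

    The verifier stays on the client; only the challenge goes in the
    authorization request. The token request later sends the verifier so
    the IdP can recompute the challenge and reject a stolen code.
    """
    if verifier is None:
        # 32 random bytes -> 43 URL-safe characters, inside the 43..128 range RFC 7636 requires.
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def validate_id_token_claims(claims, *, issuer, client_id, nonce, now=None, leeway=60):
    """Return a list of claim problems (empty list means the claims are acceptable).

    Assumes `claims` is the payload of an ID token whose signature has already
    been verified against the issuer's JWKS. `now` is injectable for testing.
    """
    now = time.time() if now is None else now
    problems = []

    # iss must be exactly the issuer we discovered, not merely a prefix match.
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")

    # aud may be a string or a list; our client_id must be in it, and with
    # several audiences the azp claim must also name us.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append("aud does not include client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not client_id")

    # Expiry and issued-at, with a small clock-skew allowance.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        problems.append("token expired or exp missing")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        problems.append("iat missing or in the future")

    # The nonce ties this ID token to the session that started the flow
    # (replay protection); it must be present and equal to what we sent.
    if not nonce or claims.get("nonce") != nonce:
        problems.append("nonce mismatch")

    if not claims.get("sub"):
        problems.append("sub missing")
    return problems


# Constructed sample payload (assumed values, not from any real IdP).
EXAMPLE_ISSUER = "https://idp.example.com"
EXAMPLE_CLIENT_ID = "arc-enterprise"
EXAMPLE_NONCE = "n-0S6_WzA2Mj"
EXAMPLE_CLAIMS = {
    "iss": EXAMPLE_ISSUER,
    "aud": EXAMPLE_CLIENT_ID,
    "sub": "user-1234",
    "iat": 1_700_000_000,
    "exp": 1_700_000_600,
    "nonce": EXAMPLE_NONCE,
    "groups": ["arc-admins"],
}

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("code_verifier :", verifier)
    print("code_challenge:", challenge)
    print("claim problems:", validate_id_token_claims(
        EXAMPLE_CLAIMS, issuer=EXAMPLE_ISSUER, client_id=EXAMPLE_CLIENT_ID,
        nonce=EXAMPLE_NONCE, now=1_700_000_300))
```

The `groups` claim in the constructed payload is the input the RBAC-mapping question below would consume; this example stops at claim validation and does not assume any mapping design.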
Open design questions
- Token lifecycle: do we still issue Arc API tokens after SSO login (long-lived bearer for SDKs), or always re-authenticate against the IdP per session?
- RBAC mapping: how do IdP groups map to Arc RBAC roles? Auto-provision on first login, or operator-driven mapping table?
- Cluster replication: SSO config (issuer URL, client ID, JWKS endpoint) replicated via Raft like Phase A.1 RBAC, or per-node config like arc.toml?
- Failover: what happens to in-flight sessions when the IdP is unreachable?
Out of scope (covered elsewhere)
- Token state replication — already shipped in Phase A.
- RBAC table replication — tracked in Phase A.1 issue.
Dependencies
- Phase A.1 must land first (RBAC tables need to replicate before SSO group-to-role mapping is useful in a cluster).
No target release yet. Will be sized when a customer engagement surfaces concrete IdP requirements.
Related: Phase A memory note.