MFA enforcement and single sign-on for teams that need more than a username and password. Ships TOTP (Google Authenticator, Authy) and WebAuthn (hardware keys, passkeys) out of the box. SSO connects to Okta, Google Workspace, and Microsoft Entra ID via SAML 2.0 or OIDC — controlled by a single feature flag.
Per the Security-Always-Free doctrine, TOTP + WebAuthn MFA is available without a license. SSO (SAML / OIDC) requires ɳSelf+ and NSELF_SSO=true.
```bash
nself plugin install auth-enterprise
nself build
nself start
```

```bash
# Set the feature flag and provider details in your .env
NSELF_SSO=true
AUTH_ENTERPRISE_SSO_SP_ENTITY_ID=https://yoursite.com/sso
AUTH_ENTERPRISE_SSO_ACS_URL=https://api.yoursite.com/auth/sso/saml/callback
AUTH_ENTERPRISE_TOTP_ISSUER=MyCompany
# Then rebuild
nself build && nself start
```

| Variable | Required | Description |
|---|---|---|
| NSELF_SSO | No (default: false) | Set to true to enable SAML 2.0 + OIDC SSO endpoints |
| AUTH_ENTERPRISE_TOTP_ISSUER | No (default: nSelf) | Issuer name shown in authenticator apps |
| AUTH_ENTERPRISE_SSO_SP_ENTITY_ID | Required when SSO=true + SAML | SAML SP entity ID URI |
| AUTH_ENTERPRISE_SSO_ACS_URL | Required when SSO=true + SAML | SAML Assertion Consumer Service URL |
| AUTH_ENTERPRISE_SSO_OIDC_CALLBACK_URL | Required when SSO=true + OIDC | OIDC redirect URI registered with your IdP |
| Endpoint | Method | Description |
|---|---|---|
| /auth/mfa/status | GET | MFA enrollment status for the authenticated user |
| /auth/mfa/totp/setup | POST | Begin TOTP enrollment — returns QR code and secret |
| /auth/mfa/totp/verify | POST | Confirm TOTP enrollment with a live 6-digit code |
| /auth/mfa/totp/challenge | POST | Verify TOTP code during login step-up |
| /auth/mfa/recovery | POST | Consume a single-use recovery code |
| /auth/mfa/recovery/codes | GET | List masked recovery codes |
| /auth/mfa/policy | GET / PUT | Read or update tenant MFA enforcement policy |
| /auth/sso/providers | GET / POST | List or create SSO providers (SSO-gated) |
| /auth/sso/providers/:id/saml/metadata | GET | Download SP SAML metadata XML to give to your IdP |
| /auth/sso/oidc/:id/begin | GET | Start OIDC authorization code flow |
| /auth/sso/saml/:id/acs | POST | SAML Assertion Consumer Service — receives IdP response |
| Table | Purpose |
|---|---|
| np_mfa_enrollments | TOTP and WebAuthn enrollments per user |
| np_mfa_recovery_codes | bcrypt-hashed single-use recovery codes |
| np_mfa_policies | Per-tenant MFA enforcement rules |
| np_sso_providers | SAML and OIDC provider configurations |
| np_sso_sessions | Active SSO sessions with expiry |
| np_sso_state_cache | Temporary OIDC state and nonce values |
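The np_sso_state_cache table exists because the OIDC authorization code flow started by /auth/sso/oidc/:id/begin has to bind the browser's callback to the login it began: the `state` value stops a forged or replayed callback, and the `nonce` ties the returned ID token to that same request. The following is an added Python example, not the plugin's code, using an in-memory dict as a stand-in for the table. It goes one step beyond what the page lists by also minting a PKCE code verifier and challenge, which is the standard companion to state and nonce in this flow. Class and function names, the 300 s TTL and the scope string are assumptions; ID-token signature, issuer, audience and expiry checks are assumed to be done by a JOSE library and are not shown.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode


@dataclass
class PendingLogin:
    """One row of the state cache: written by /begin, deleted when the callback consumes it."""
    provider_id: str
    nonce: str
    code_verifier: str
    expires_at: float


class OidcStateCache:
    """In-memory stand-in for np_sso_state_cache (hypothetical). Each `state` is random,
    bound to one provider, valid for `ttl_seconds`, and deleted on first use, so a replayed
    or forged callback cannot complete someone else's login."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._entries: Dict[str, PendingLogin] = {}

    def begin(self, provider_id: str, authorize_url: str, client_id: str,
              redirect_uri: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Start the authorization code flow: mint state, nonce and a PKCE verifier,
        store them, and return (state, URL to redirect the browser to)."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(64)
        challenge = base64.urlsafe_b64encode(
            hashlib.sha256(verifier.encode("ascii")).digest()).rstrip(b"=").decode("ascii")
        self._entries[state] = PendingLogin(provider_id, nonce, verifier, now + self.ttl)
        params = {
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": redirect_uri,   # must match AUTH_ENTERPRISE_SSO_OIDC_CALLBACK_URL
            "scope": "openid email profile",
            "state": state,
            "nonce": nonce,
            "code_challenge": challenge,
            "code_challenge_method": "S256",
        }
        return state, f"{authorize_url}?{urlencode(params)}"

    def consume(self, state: str, provider_id: str,
                now: Optional[float] = None) -> Optional[PendingLogin]:
        """Called by the callback handler. Returns the pending login exactly once, or None
        if the state is unknown, already used, expired, or belongs to another provider."""
        now = time.time() if now is None else now
        entry = self._entries.pop(state, None)   # pop: single use, even when the check fails
        if entry is None or entry.provider_id != provider_id or now > entry.expires_at:
            return None
        return entry

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Housekeeping for abandoned logins; returns how many rows were dropped."""
        now = time.time() if now is None else now
        stale = [s for s, e in self._entries.items() if now > e.expires_at]
        for s in stale:
            del self._entries[s]
        return len(stale)


def nonce_matches(id_token_claims: dict, expected_nonce: str) -> bool:
    """After the ID token's signature, issuer, audience and expiry have been verified
    (assumed done elsewhere), its `nonce` claim must equal the one stored at /begin."""
    claim = id_token_claims.get("nonce")
    return isinstance(claim, str) and hmac.compare_digest(claim, expected_nonce)


if __name__ == "__main__":
    cache = OidcStateCache()
    state, url = cache.begin("prov-1", "https://idp.example/authorize", "client-abc",
                             "https://api.yoursite.com/auth/sso/oidc/callback")
    print("redirect browser to:", url)
    pending = cache.consume(state, "prov-1")       # first callback succeeds
    print("second use:", cache.consume(state, "prov-1"))   # None: state already spent
    print("nonce ok:", nonce_matches({"nonce": pending.nonce}, pending.nonce))
```

The stored `code_verifier` is sent to the token endpoint when the code is exchanged; the nonce check runs on the decoded ID token only after its signature has been verified, otherwise the comparison proves nothing.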
Okta: Create a SAML 2.0 app in the Okta Admin Console. Set the Single Sign-On URL to your ACS URL and the Audience URI to your SP entity ID. Download the Okta metadata XML and create an SSO provider via the API with type: "saml" and the metadata XML in the metadata field.
Google Workspace: Use OIDC. In the Google Cloud Console create an OAuth 2.0 client ID (Web application), add your OIDC callback URL as an authorized redirect URI, and create an SSO provider with type: "oidc".
Microsoft Entra ID: Register an enterprise application with SAML SSO. Use the Identifier and Reply URL fields for your entity ID and ACS URL.
Provider configuration in np_sso_providers should be application-level encrypted before it is written to storage.

Pro Plugin — ɳSelf+ | MFA free | SSO gated | v1.1.1 | Ships: v1.1.0