IBM
diff --git a/‎.env.example‎
Lines changed: 22 additions & 0 deletions b/‎.env.example‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎.secrets.baseline‎
Lines changed: 22 additions & 38 deletions b/‎.secrets.baseline‎
Lines changed: 22 additions & 38 deletions
diff --git a/‎MANIFEST.in‎
Lines changed: 1 addition & 0 deletions b/‎MANIFEST.in‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎charts/mcp-stack/values.schema.json‎
Lines changed: 3 additions & 0 deletions b/‎charts/mcp-stack/values.schema.json‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎charts/mcp-stack/values.yaml‎
Lines changed: 1 addition & 0 deletions b/‎charts/mcp-stack/values.yaml‎
Lines changed: 1 addition & 0 deletions
@@ -1116,6 +1116,18 @@ OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
 # SSO_ENTRA_CLIENT_SECRET=your-entra-client-secret-value
 # SSO_ENTRA_TENANT_ID=your-entra-tenant-id
 
+# ADFS Configuration
+# SSO_ADFS_ENABLED=false
+# SSO_ADFS_DISPLAY_NAME=your-value
+# SSO_ADFS_CLIENT_ID=your-adfs-client-id
+# SSO_ADFS_CLIENT_SECRET=your-adfs-client-secret  # pragma: allowlist secret
+# SSO_ADFS_AUTHORIZATION_URL=https://adfs.ds.example.net/adfs/oauth2/authorize
+# SSO_ADFS_TOKEN_URL=https://adfs.ds.example.net/adfs/oauth2/token
+# SSO_ADFS_ISSUER=https://adfs.ds.example.net/adfs
+# SSO_ADFS_SCOPE=openid profile email
+# Fallback: Default email domain for ADFS when UPN is plain username (e.g., converts 'user123' to 'user123@company.com')
+# SSO_ADFS_DEFAULT_EMAIL_DOMAIN=company.com
+
 # ─────────────────────────────────────────────────────────────────────────────
 # EntraID Role Mapping Configuration
 # ─────────────────────────────────────────────────────────────────────────────
@@ -1177,6 +1189,16 @@ OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
 # Keep local admin authentication when SSO is enabled
 # SSO_PRESERVE_ADMIN_AUTH=true
 
+# Bootstrap Behavior: Auto-disable providers not in environment config
+# When true: Providers configured in database but missing from SSO_*_ENABLED
+#            environment variables will be automatically disabled during bootstrap.
+#            This enforces environment config as the single source of truth.
+# When false: Manually configured providers in database are preserved (default).
+# IMPORTANT: Enabling this may be a breaking change for existing deployments
+#            with manually configured SSO providers.
+# Default: false (backward compatible)
+# SSO_AUTO_DISABLE_UNCONFIGURED_PROVIDERS=false
+
 # SSO Issuers Configuration
 # Optional JSON array of issuer URLs for SSO providers
 # Example: ["https://idp1.example.com", "https://idp2.example.com"]
 
@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-01T19:01:30Z",
+  "generated_at": "2026-04-02T01:14:31Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -172,7 +172,7 @@
         "hashed_secret": "910fbf00f58e9bcb095ea26a75cc1d9a3355e671",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1165,
+        "line_number": 1177,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -788,63 +788,63 @@
         "hashed_secret": "25ab86bed149ca6ca9c1c0d5db7c9a91388ddeab",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 955,
+        "line_number": 956,
         "type": "Basic Auth Credentials",
         "verified_result": null
       },
       {
         "hashed_secret": "d08f88df745fa7950b104e4a707a31cfce7b5841",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1055,
+        "line_number": 1056,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "7288edd0fc3ffcbe93a0cf06e3568e28521687bc",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1058,
+        "line_number": 1059,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "8674c9b302d20800e4ab3808f139704d8641a6e3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1224,
+        "line_number": 1225,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "cff0d14e4337fa8bdb68dfa906f04b0df6fad72f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1263,
+        "line_number": 1264,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f865b53623b121fd34ee5426c792e5c33af8c227",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1311,
+        "line_number": 1312,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "acde39840735314af1300688b6c2324ea89770a3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1406,
+        "line_number": 1407,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1754,
+        "line_number": 1755,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -2884,22 +2884,6 @@
       }
     ],
     "docs/docs/manage/sso-github-tutorial.md": [
-      {
-        "hashed_secret": "15a1549fd810c90cbb12e8e007eb6c7b18627261",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 74,
-        "type": "Secret Keyword",
-        "verified_result": null
-      },
-      {
-        "hashed_secret": "e175c6f5f2a92e8623bd9a4820edb4e8c1b0fd10",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 74,
-        "type": "GitHub Token",
-        "verified_result": null
-      },
       {
         "hashed_secret": "d7d24cbbbbaaacb8e213f754cd8f783eb747b56c",
         "is_secret": false,
@@ -9174,7 +9158,7 @@
         "hashed_secret": "ff37a98a9963d347e9749a5c1b3936a4a245a6ff",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2075,
+        "line_number": 2098,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -9506,7 +9490,7 @@
         "hashed_secret": "920a25ef686c4f7ca6ad23dd109d3ad653161832",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 747,
+        "line_number": 780,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -9834,39 +9818,39 @@
         "hashed_secret": "920a25ef686c4f7ca6ad23dd109d3ad653161832",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 42,
+        "line_number": 43,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "b44bf05d644c15c4d84f78771de011e3cce924c0",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 59,
+        "line_number": 60,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "999a3419d9959d3c39b11dcc67d79c7888b4b765",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 71,
+        "line_number": 72,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "bacac952b5cb942687d38a9eda6531d570f88b22",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 84,
+        "line_number": 85,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "cd1ecfcd67c8b85800a483d77e550d36727e8925",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 98,
+        "line_number": 99,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -23650,23 +23634,23 @@
         "hashed_secret": "920a25ef686c4f7ca6ad23dd109d3ad653161832",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 167,
+        "line_number": 175,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "3340ad734a33028b9498d58dc8b49e9c02157b19",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 188,
+        "line_number": 196,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "ec09a041656818107eb855453ffbf7327d3bbc9d",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 325,
+        "line_number": 333,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -24772,15 +24756,15 @@
         "hashed_secret": "fe1bae27cb7c1fb823f496f286e78f1d2ae87734",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 330,
+        "line_number": 370,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "945db841c03e42eef2f3d0a4ff310e2f3b3e59ec",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 414,
+        "line_number": 454,
         "type": "Secret Keyword",
         "verified_result": null
       }
 
@@ -148,6 +148,7 @@ prune .pytest_cache
 prune .ruff_cache
 prune .mypy_cache
 prune htmlcov
+global-exclude **/.mypy_cache/*
 
 # Virtual environments (including nested in plugins)
 prune venv
 
@@ -2146,6 +2146,9 @@
             "SSO_OKTA_ENABLED": {
               "type": "string"
             },
+            "SSO_ADFS_ENABLED": {
+              "type": "string"
+            },
             "SSRF_BLOCKED_HOSTS": {
               "type": "string"
             },
 
@@ -906,6 +906,7 @@ mcpContextForge:
     SSO_KEYCLOAK_ENABLED: "false"
     SSO_ENTRA_ENABLED: "false"
     SSO_GENERIC_ENABLED: "false"
+    SSO_ADFS_ENABLED: "false"
     # See .env.example for full SSO_*_CLIENT_ID, SSO_*_CLIENT_SECRET, etc.
 
     # ─ Default Role Configuration ─