I have an app where we take care of authentication, meaning we store the usernames and their passwords. Now I want to add an SSO option to the app. Obviously, for a normal user, the password field on the User model is required. What is the best practice regarding users coming from SSO login? (They must be saved in my DB anyway, but they do not have a password.)
**The app is written in RoR with devise and devise-saml-authenticatable (with Azure AD as my IdP), but my question has no relation to it.
They don't have a password that you have access to... that's the point of single sign-on, the identity provider handles all of that. You tagged SAML, so I'll speak to that, but this is broadly true for other SSO systems.
You are the Service Provider (SP). They get redirected from the Service Provider (your app) to the Identity Provider (IdP), log in, and are returned to your application with a SAML Assertion. Because there is a trust relationship established between the SP and IdP, you inherently trust the assertion from the IdP (so long as the certificates, etc.), so the user doesn't need to provide you with a username. Their "credential" is the SAML assertion.
Since the password isn't needed, it doesn't need to be set. If your DB schema requires that field be non-null, alter your schema, or load it with random data when you provision their access.
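One way to model this in the asker's Rails/devise setting, as an added example that is not from either poster: a plain-Ruby stand-in for the `User` model (no Rails, so it runs stand-alone) that mirrors overriding devise's `password_required?` so the validation is skipped for SSO accounts, and that provisions the user from a constructed SAML attribute hash with a random, never-used value for a NOT NULL password column. The `sso_provider`/`sso_uid` columns and `from_saml` are assumed names.

```ruby
require 'securerandom'

# Stand-in for app/models/user.rb: a local account needs a password,
# an account provisioned from a SAML assertion does not.
class User
  attr_accessor :email, :password, :sso_provider, :sso_uid

  def initialize(email:, password: nil, sso_provider: nil, sso_uid: nil)
    @email, @password = email, password
    @sso_provider, @sso_uid = sso_provider, sso_uid   # assumed columns
  end

  def sso?
    !sso_provider.nil?
  end

  # Same idea as overriding Devise::Models::Validatable#password_required?
  def password_required?
    !sso?
  end

  def errors
    errs = []
    errs << 'email is required' if email.to_s.empty?
    errs << 'password is required' if password_required? && password.to_s.empty?
    errs << 'sso_uid is required for SSO accounts' if sso? && sso_uid.to_s.empty?
    errs
  end

  def valid?
    errors.empty?
  end

  # Provision from attributes taken out of a (constructed) SAML assertion.
  # The IdP's NameID identifies the account; the random value only satisfies
  # a NOT NULL column and is never shown to anyone.
  def self.from_saml(attrs, provider: 'azure_ad')
    user = new(email: attrs.fetch('email'), sso_provider: provider,
               sso_uid: attrs.fetch('name_id'))
    user.password = SecureRandom.urlsafe_base64(32)
    user
  end

  # The local password form must still refuse SSO accounts, so the stored
  # random value can never be used as a credential.
  def password_login_allowed?
    !sso?
  end
end
```

If you keep the column NOT NULL, make sure the random value goes through devise's normal hashing (`encrypted_password`) rather than being stored in clear.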