Skip to content

Fix default IdP validation rejecting server-wide identity providers#3384

Open
jaisinha77777 wants to merge 1 commit into
fosrl:devfrom
jaisinha77777:fix/default-idp-org-check
Open

Fix default IdP validation rejecting server-wide identity providers#3384
jaisinha77777 wants to merge 1 commit into
fosrl:devfrom
jaisinha77777:fix/default-idp-org-check

Conversation

@jaisinha77777

Copy link
Copy Markdown
Contributor
By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Fixes #3290

What

Setting a default identity provider (Platform SSO) on a resource's Authentication tab fails with Identity provider not found in this organization on Community Edition / self-host since 1.19. As noted in the issue thread, hitting Save Settings on any Auth tab that has a default IdP set reproduces it.

Why

setResourcePolicyAccessControl validates skipToIdpId with an inner join on idpOrg, so it only accepts IdPs that have an org link row. But server-wide IdPs created through the server admin panel (createOidcIdp) never get an idpOrg row - only org-scoped IdPs do (SaaS build or identity_provider_mode: org). The check shipped with the resource policies rework in 1.19, which is why this appeared after upgrading from 1.18.

The resource login page itself has the correct rule: it offers org-scoped IdPs when build === "saas" || identityProviderMode === "org", and otherwise offers every server-wide IdP from /idp. So any server-wide IdP is genuinely usable as a skip-to IdP on self-host - the save-time validation was just stricter than the runtime behavior.

How

  • Added canOrgUseIdp(idpId, orgId) in server/lib/idp/canOrgUseIdp.ts: left-joins the org link and only requires it when IdPs are org-scoped (SaaS build or IDENTITY_PROVIDER_MODE === "org", matching how other OSS routes read the mode). Otherwise any existing IdP passes.
  • Used it in setResourcePolicyAccessControl (OSS) and createResourcePolicy (private), which had the same inner-join check duplicated.

Behavior is unchanged for SaaS / org-scoped mode: the org link is still required there.

Testing

  • tsc --noEmit passes on both the oss and enterprise configurations.
  • Traced both affected routes plus the login page IdP resolution to confirm the validation now matches what the auth flow accepts at runtime.

Setting a default identity provider on a resource policy failed with
"Identity provider not found in this organization" because the
validation required an idpOrg link row. Server-wide IdPs created via
the server admin panel never get one; only org-scoped IdPs do (SaaS or
identity_provider_mode: org).

Validate against the same rule the resource login page uses: require
the org link only when IdPs are org-scoped, otherwise accept any
existing server-wide IdP.

Fixes fosrl#3290
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant