Skip to content

chore: allow user invitation when SSO enforce is enabled#6958

Merged
scott-ray-wilson merged 4 commits into
mainfrom
thiago-as/ENG-5115
Jun 22, 2026
Merged

chore: allow user invitation when SSO enforce is enabled#6958
scott-ray-wilson merged 4 commits into
mainfrom
thiago-as/ENG-5115

Conversation

@Thiago-AS

@Thiago-AS Thiago-AS commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Context

  • Allow user invitation even on SSO enforcement.
  • Pre creates the membership, so when a user sign up using SSO it keeps the user's pre defined role.
  • Change invitation link to redirect to SSO sign in.
  • The SSO flows still untouched.

Screenshots

Steps to verify the change

  • Register a verified domain
  • Register a SSO provider - local SAML using SSOJet SAML
  • Turn enforce SSO ON
  • Invite user
  • Sign in user

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

@linear

linear Bot commented Jun 20, 2026

Copy link
Copy Markdown

ENG-5115

@infisical-review-police

Copy link
Copy Markdown

💬 Discussion in Slack: #pr-review-infisical-6958-thiago-as-eng-5115

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

@Thiago-AS Thiago-AS changed the title Thiago as/eng 5115 chore: allow user invitation when SSO enforce is enabled Jun 20, 2026
@greptile-apps

greptile-apps Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR allows org admins to invite users even when SSO is enforced. The guard validates that invited email domains belong to verified org domains (and OIDC allowed domains), pre-creates memberships, and redirects the invitation email to the SSO login URL instead of the standard signup flow.

  • New invite guard in org-membership-user-factory.ts validates verified email domains and OIDC allowed domains before permitting invitations in SSO-enforced orgs.
  • Email refactor across org-service.ts, super-admin-service.ts, and the email template moves token/to/organization_id out of template props and into the pre-built callback_url query string.
  • Frontend unblock removes the early-return that prevented the invite modal from opening when authEnforced was true.

Confidence Score: 3/5

The new invite path is gated correctly, but two existing email-sending paths — manual resend and the daily reminder — are now broken for the new SSO-invited membership state.

The initial invitation flow is well-guarded and will send users to the correct SSO login URL. However, resendOrgMemberInvitation and the nightly notifyInvitedUsers loop both send a token-based /signupinvite link unconditionally. Since this PR is the first to create Invited-status memberships in SSO-enforced orgs, both code paths will now silently misdirect those users every time they are triggered.

backend/src/services/org/org-service.ts — both the manual-resend handler and the daily reminder loop need SSO-aware branching equivalent to what onCreateMembershipComplete does.

Important Files Changed

Filename Overview
backend/src/services/membership-user/org/org-membership-user-factory.ts Core SSO invite logic added: domain validation guard, OIDC allowed-domain check, SSO redirect URL helper, and SSO email path in onCreateMembershipComplete. Contains a duplicate OIDC DB query across guard and URL helper.
backend/src/services/org/org-service.ts Refactors token/email/orgId from template props to URL query params. resendOrgMemberInvitation and daily-reminder notifyInvitedUsers now have unhandled SSO-enforced orgs — both send a standard signup-token email instead of the SSO login URL for members in SSO-enforced orgs.
backend/src/services/smtp/emails/OrganizationInvitationTemplate.tsx Simplifies template by moving token/email/orgId into the pre-built callback_url. The button now renders the full URL directly.
backend/src/services/super-admin/super-admin-service.ts Mirrors the URL-param refactor for super-admin invite and reinvite paths — no logic changes.
backend/src/services/membership-user/membership-user-service.ts Wires the three new DAL dependencies (emailDomainDAL, oidcConfigDAL, samlConfigDAL) into the org factory.
backend/src/server/routes/index.ts Passes the new DALs through dependency injection to the membership user service.
frontend/src/pages/organization/AccessManagementPage/components/OrgMembersTab/components/OrgMembersSection/OrgMembersSection.tsx Removes the frontend guard that blocked the invite modal for SSO-enforced orgs, allowing admins to open the modal and invite users.

Comments Outside Diff (2)

  1. backend/src/services/org/org-service.ts, line 918-987 (link)

    P1 resendOrgMemberInvitation sends wrong link for SSO-enforced orgs

    Before this PR, SSO-enforced orgs could never have members in Invited status, so this path was unreachable for them. Now that the new invite flow pre-creates memberships with Invited status in SSO-enforced orgs, an admin who resends the invitation via this endpoint will email a standard /signupinvite?token=... link rather than the SSO login URL. The invited user clicks "Accept Invite," lands on the signup page, and is stuck because SSO enforcement blocks the credential-based signup flow.

    The fix mirrors onCreateMembershipComplete: check org?.authEnforced, skip token creation, and send the SSO redirect URL instead.

  2. backend/src/services/org/org-service.ts, line 1280-1338 (link)

    P1 Daily reminder emails send wrong link for SSO-enforced org members

    notifyInvitedUsers sends periodic reminder emails to all pending members using the standard /signupinvite?token=... URL. Now that users in SSO-enforced orgs can legitimately be in Invited status, these reminders will direct them to the credential signup flow, which will fail under SSO enforcement. The function should skip (or redirect) these users to the SSO login URL, the same way the initial invite does in onCreateMembershipComplete.

Reviews (1): Last reviewed commit: "send individual emails" | Re-trigger Greptile

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a55628b77d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread backend/src/services/org/org-service.ts Outdated
@Thiago-AS Thiago-AS self-assigned this Jun 20, 2026

@scott-ray-wilson scott-ray-wilson left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, tested with SAML and OIDC

@scott-ray-wilson scott-ray-wilson merged commit 6567e83 into main Jun 22, 2026
15 of 18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants