diff --git a/apps/docs/content/docs/en/enterprise/sso.mdx b/apps/docs/content/docs/en/enterprise/sso.mdx index bfccc204122..ee3d53be3ec 100644 --- a/apps/docs/content/docs/en/enterprise/sso.mdx +++ b/apps/docs/content/docs/en/enterprise/sso.mdx @@ -250,6 +250,10 @@ SSO provisioning creates internal organization members. External workspace membe question: "Can I still use email/password login after enabling SSO?", answer: "Yes. Enabling SSO does not disable password-based login. Users can still sign in with their email and password if they have one. Forced SSO (requiring all users on the domain to use SSO) is not yet supported." }, + { + question: "A user already has an account with the same email — what happens when they sign in with SSO?", + answer: "Sim links the SSO identity to the existing account automatically, as long as your identity provider reports the email as verified (email_verified) or the provider is trusted. Most OIDC providers (Okta, Google Workspace, Auth0) assert email_verified, so linking just works. If sign-in fails with 'account not linked' — common with SAML providers that omit the claim — add the provider's ID to SSO_TRUSTED_PROVIDER_IDS on self-hosted and restart." + }, { question: "Who can configure SSO on Sim Cloud?", answer: "Organization owners and admins can configure SSO. You must be on the Enterprise plan." @@ -280,8 +284,25 @@ NEXT_PUBLIC_SSO_ENABLED=true # Required if you want users auto-added to your organization on first SSO sign-in ORGANIZATIONS_ENABLED=true NEXT_PUBLIC_ORGANIZATIONS_ENABLED=true + +# Optional: comma-separated SSO provider IDs to trust for automatic account linking +# (links an SSO sign-in to an existing account with the same email). Needed when your +# IdP does not assert email_verified — typically SAML providers, or OIDC providers that +# omit the claim. Set it to the Provider ID you registered, then restart. +# (If you also keep SSO_PROVIDER_ID in the app's environment, that provider is trusted +# without listing it here.) +SSO_TRUSTED_PROVIDER_IDS=custom-oidc,partner-saml ``` + + When someone signs in with SSO and an account with the same email already exists + (for example, they previously signed up with email/password), Sim links the SSO + identity to that account automatically as long as your IdP reports the email as + verified, or the provider is trusted. If you hit an `account not linked` error, + either confirm your IdP sends `email_verified`, or add the provider's ID to + `SSO_TRUSTED_PROVIDER_IDS` and restart. + + You can register providers through the **Settings UI** (same as cloud) or by running the registration script directly against your database. ### Script-based registration diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts index 76465b45bec..cd27bbd5e2d 100644 --- a/apps/sim/lib/auth/auth.ts +++ b/apps/sim/lib/auth/auth.ts @@ -71,6 +71,7 @@ import { isRegistrationDisabled, isSignupEmailValidationEnabled, isSignupMxValidationEnabled, + isSsoEnabled, } from '@/lib/core/config/feature-flags' import { PlatformEvents } from '@/lib/core/telemetry' import { getBaseUrl, isLocalhostUrl, parseOriginList } from '@/lib/core/utils/urls' @@ -164,6 +165,20 @@ const additionalTrustedOrigins = parseOriginList(env.TRUSTED_ORIGINS, (value) => logger.warn('Ignoring invalid entry in TRUSTED_ORIGINS', { value }) ) +/** + * SSO provider IDs to trust for automatic account linking when an SSO sign-in + * matches an existing account's email. Includes `SSO_PROVIDER_ID` when it is set + * in the app environment, plus any IDs from `SSO_TRUSTED_PROVIDER_IDS`. Empty when + * SSO is disabled, so `trustedProviders` is unchanged for non-SSO deployments. + * Resolved once at startup; `trustEmailVerified` on the SSO plugin handles IdPs + * that assert `email_verified` live, so this is only needed for IdPs that omit it. + */ +const additionalTrustedSsoProviders = isSsoEnabled + ? [env.SSO_PROVIDER_ID, ...(env.SSO_TRUSTED_PROVIDER_IDS?.split(',') ?? [])] + .map((id) => id?.trim()) + .filter((id): id is string => Boolean(id)) + : [] + if (env.NODE_ENV === 'production') { const baseUrl = getBaseUrl() if (isLocalhostUrl(baseUrl)) { @@ -685,6 +700,7 @@ export const auth = betterAuth({ 'calcom', 'docusign', ...SSO_TRUSTED_PROVIDERS, + ...additionalTrustedSsoProviders, ], }, }, @@ -2916,6 +2932,12 @@ export const auth = betterAuth({ ...(env.SSO_ENABLED ? [ sso({ + /** + * Honor the IdP's verified-email claim. Without this the SSO plugin + * forces `emailVerified: false`, blocking automatic linking of an SSO + * login to an existing same-email account (Better Auth "account not linked"). + */ + trustEmailVerified: true, organizationProvisioning: { disabled: false, defaultRole: 'member', diff --git a/apps/sim/lib/core/config/env.ts b/apps/sim/lib/core/config/env.ts index e47ca481d02..0a863112f10 100644 --- a/apps/sim/lib/core/config/env.ts +++ b/apps/sim/lib/core/config/env.ts @@ -406,6 +406,7 @@ export const env = createEnv({ SSO_DOMAIN: z.string().optional(), // [REQUIRED] SSO email domain SSO_USER_EMAIL: z.string().optional(), // [REQUIRED] User email for SSO registration SSO_ORGANIZATION_ID: z.string().optional(), // Organization ID for SSO registration (optional) + SSO_TRUSTED_PROVIDER_IDS: z.string().optional(), // Comma-separated SSO provider IDs to trust for automatic account linking when an existing account shares the same email. Use for IdPs that do not assert email_verified. Merged into Better Auth accountLinking.trustedProviders. // SSO Mapping Configuration (optional - sensible defaults provided) SSO_MAPPING_ID: z.string().optional(), // Custom ID claim mapping (default: sub for OIDC, nameidentifier for SAML) diff --git a/helm/sim/values.schema.json b/helm/sim/values.schema.json index 724f58161e5..b950e5bdd86 100644 --- a/helm/sim/values.schema.json +++ b/helm/sim/values.schema.json @@ -157,6 +157,10 @@ "type": "string", "description": "Comma-separated additional public origins to trust for auth (e.g. 'https://app.example.com,https://www.example.com'). Merged into Better Auth trustedOrigins." }, + "SSO_TRUSTED_PROVIDER_IDS": { + "type": "string", + "description": "Comma-separated SSO provider IDs to trust for automatic account linking when an SSO sign-in matches an existing account's email. Only needed for IdPs that do not assert email_verified. Merged into Better Auth accountLinking.trustedProviders." + }, "NODE_ENV": { "type": "string", "enum": ["development", "test", "production"], diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml index 5fad7baa674..562a82d5798 100644 --- a/helm/sim/values.yaml +++ b/helm/sim/values.yaml @@ -216,6 +216,10 @@ app: # Set to "true" AFTER running the SSO registration script SSO_ENABLED: "" # Enable SSO authentication ("true" to enable) NEXT_PUBLIC_SSO_ENABLED: "" # Show SSO login button in UI ("true" to enable) + # SSO_TRUSTED_PROVIDER_IDS: comma-separated SSO provider IDs to trust for automatic account linking when a + # user signs in via SSO and an account with the same email already exists. Only needed for IdPs that do NOT + # assert email_verified (trustEmailVerified already handles those that do). Resolved at startup — restart after editing. + SSO_TRUSTED_PROVIDER_IDS: "" # Enterprise Feature Overrides (self-hosted) CREDENTIAL_SETS_ENABLED: "" # Enable credential sets (email polling) on self-hosted ("true" to enable)