From b07ee18ad544a73666a136c8d671f5d00e167820 Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Wed, 3 Jun 2026 10:27:57 -0700 Subject: [PATCH 1/3] fix(auth): link SSO sign-in to existing same-email accounts SSO sign-ins failed with "account not linked" (then a cascading "Invalid callbackURL") when an account with the same email already existed. Better Auth's `@better-auth/sso` plugin hardcodes the provisioned user's `emailVerified: options?.trustEmailVerified ? : false`, so with the option unset every SSO login arrived unverified and tripped the account linking gate `(!isTrustedProvider && !userInfo.emailVerified)` whenever the provider was not in `accountLinking.trustedProviders`. - Set `trustEmailVerified: true` on the SSO plugin so the IdP's verified-email claim is honored (Okta, Entra ID, Google Workspace, Auth0 all assert it). - Trust the operator's configured provider for linking: merge `SSO_PROVIDER_ID` (when present in the app env) plus a new `SSO_TRUSTED_PROVIDER_IDS` list into `trustedProviders`. Empty/unset => no-op, so existing deployments are unchanged. - Invite callback URL: return a clean `/invite/` (token already persists in sessionStorage) so an appended `?error=` cannot produce a malformed URL. - Document `SSO_TRUSTED_PROVIDER_IDS` in SSO docs, Helm values, and schema. Co-Authored-By: Claude Opus 4.8 --- apps/docs/content/docs/en/enterprise/sso.mdx | 21 ++++++++++++++++++++ apps/sim/app/invite/[id]/invite.tsx | 12 ++++++----- apps/sim/lib/auth/auth.ts | 21 ++++++++++++++++++++ apps/sim/lib/core/config/env.ts | 1 + helm/sim/values.schema.json | 4 ++++ helm/sim/values.yaml | 4 ++++ 6 files changed, 58 insertions(+), 5 deletions(-) diff --git a/apps/docs/content/docs/en/enterprise/sso.mdx b/apps/docs/content/docs/en/enterprise/sso.mdx index bfccc204122..ee3d53be3ec 100644 --- a/apps/docs/content/docs/en/enterprise/sso.mdx +++ b/apps/docs/content/docs/en/enterprise/sso.mdx @@ -250,6 +250,10 @@ SSO provisioning creates internal organization members. External workspace membe question: "Can I still use email/password login after enabling SSO?", answer: "Yes. Enabling SSO does not disable password-based login. Users can still sign in with their email and password if they have one. Forced SSO (requiring all users on the domain to use SSO) is not yet supported." }, + { + question: "A user already has an account with the same email — what happens when they sign in with SSO?", + answer: "Sim links the SSO identity to the existing account automatically, as long as your identity provider reports the email as verified (email_verified) or the provider is trusted. Most OIDC providers (Okta, Google Workspace, Auth0) assert email_verified, so linking just works. If sign-in fails with 'account not linked' — common with SAML providers that omit the claim — add the provider's ID to SSO_TRUSTED_PROVIDER_IDS on self-hosted and restart." + }, { question: "Who can configure SSO on Sim Cloud?", answer: "Organization owners and admins can configure SSO. You must be on the Enterprise plan." @@ -280,8 +284,25 @@ NEXT_PUBLIC_SSO_ENABLED=true # Required if you want users auto-added to your organization on first SSO sign-in ORGANIZATIONS_ENABLED=true NEXT_PUBLIC_ORGANIZATIONS_ENABLED=true + +# Optional: comma-separated SSO provider IDs to trust for automatic account linking +# (links an SSO sign-in to an existing account with the same email). Needed when your +# IdP does not assert email_verified — typically SAML providers, or OIDC providers that +# omit the claim. Set it to the Provider ID you registered, then restart. +# (If you also keep SSO_PROVIDER_ID in the app's environment, that provider is trusted +# without listing it here.) +SSO_TRUSTED_PROVIDER_IDS=custom-oidc,partner-saml ``` + + When someone signs in with SSO and an account with the same email already exists + (for example, they previously signed up with email/password), Sim links the SSO + identity to that account automatically as long as your IdP reports the email as + verified, or the provider is trusted. If you hit an `account not linked` error, + either confirm your IdP sends `email_verified`, or add the provider's ID to + `SSO_TRUSTED_PROVIDER_IDS` and restart. + + You can register providers through the **Settings UI** (same as cloud) or by running the registration script directly against your database. ### Script-based registration diff --git a/apps/sim/app/invite/[id]/invite.tsx b/apps/sim/app/invite/[id]/invite.tsx index 2cb517709ea..0d06151304e 100644 --- a/apps/sim/app/invite/[id]/invite.tsx +++ b/apps/sim/app/invite/[id]/invite.tsx @@ -255,11 +255,13 @@ export default function Invite() { } } - const getCallbackUrl = () => { - const effectiveToken = - token || sessionStorage.getItem(inviteTokenStorageKey) || searchParams.get('token') - return `/invite/${inviteId}${effectiveToken ? `?token=${effectiveToken}` : ''}` - } + /** + * Post-authentication return URL. Omits the token query string: Better Auth + * appends `?error=` onto callbackURL unescaped, producing a malformed + * URL that fails its callbackURL validation. The token is persisted to + * sessionStorage on mount and rehydrated on return, so it need not ride in the URL. + */ + const getCallbackUrl = () => `/invite/${inviteId}` if (!session?.user && !isPending) { const callbackUrl = encodeURIComponent(getCallbackUrl()) diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts index 76465b45bec..ab45bd76cf0 100644 --- a/apps/sim/lib/auth/auth.ts +++ b/apps/sim/lib/auth/auth.ts @@ -164,6 +164,20 @@ const additionalTrustedOrigins = parseOriginList(env.TRUSTED_ORIGINS, (value) => logger.warn('Ignoring invalid entry in TRUSTED_ORIGINS', { value }) ) +/** + * SSO provider IDs to trust for automatic account linking when an SSO sign-in + * matches an existing account's email. Includes `SSO_PROVIDER_ID` when it is set + * in the app environment, plus any IDs from `SSO_TRUSTED_PROVIDER_IDS`. Resolved + * once at startup; `trustEmailVerified` on the SSO plugin handles IdPs that assert + * `email_verified` live, so this is only needed for IdPs that omit that claim. + */ +const additionalTrustedSsoProviders = [ + env.SSO_PROVIDER_ID, + ...(env.SSO_TRUSTED_PROVIDER_IDS?.split(',') ?? []), +] + .map((id) => id?.trim()) + .filter((id): id is string => Boolean(id)) + if (env.NODE_ENV === 'production') { const baseUrl = getBaseUrl() if (isLocalhostUrl(baseUrl)) { @@ -685,6 +699,7 @@ export const auth = betterAuth({ 'calcom', 'docusign', ...SSO_TRUSTED_PROVIDERS, + ...additionalTrustedSsoProviders, ], }, }, @@ -2916,6 +2931,12 @@ export const auth = betterAuth({ ...(env.SSO_ENABLED ? [ sso({ + /** + * Honor the IdP's verified-email claim. Without this the SSO plugin + * forces `emailVerified: false`, blocking automatic linking of an SSO + * login to an existing same-email account (Better Auth "account not linked"). + */ + trustEmailVerified: true, organizationProvisioning: { disabled: false, defaultRole: 'member', diff --git a/apps/sim/lib/core/config/env.ts b/apps/sim/lib/core/config/env.ts index 223eb519524..ee6ade33813 100644 --- a/apps/sim/lib/core/config/env.ts +++ b/apps/sim/lib/core/config/env.ts @@ -404,6 +404,7 @@ export const env = createEnv({ SSO_DOMAIN: z.string().optional(), // [REQUIRED] SSO email domain SSO_USER_EMAIL: z.string().optional(), // [REQUIRED] User email for SSO registration SSO_ORGANIZATION_ID: z.string().optional(), // Organization ID for SSO registration (optional) + SSO_TRUSTED_PROVIDER_IDS: z.string().optional(), // Comma-separated SSO provider IDs to trust for automatic account linking when an existing account shares the same email. Use for IdPs that do not assert email_verified. Merged into Better Auth accountLinking.trustedProviders. // SSO Mapping Configuration (optional - sensible defaults provided) SSO_MAPPING_ID: z.string().optional(), // Custom ID claim mapping (default: sub for OIDC, nameidentifier for SAML) diff --git a/helm/sim/values.schema.json b/helm/sim/values.schema.json index 724f58161e5..b950e5bdd86 100644 --- a/helm/sim/values.schema.json +++ b/helm/sim/values.schema.json @@ -157,6 +157,10 @@ "type": "string", "description": "Comma-separated additional public origins to trust for auth (e.g. 'https://app.example.com,https://www.example.com'). Merged into Better Auth trustedOrigins." }, + "SSO_TRUSTED_PROVIDER_IDS": { + "type": "string", + "description": "Comma-separated SSO provider IDs to trust for automatic account linking when an SSO sign-in matches an existing account's email. Only needed for IdPs that do not assert email_verified. Merged into Better Auth accountLinking.trustedProviders." + }, "NODE_ENV": { "type": "string", "enum": ["development", "test", "production"], diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml index 6b48a957bd3..11f31297b10 100644 --- a/helm/sim/values.yaml +++ b/helm/sim/values.yaml @@ -216,6 +216,10 @@ app: # Set to "true" AFTER running the SSO registration script SSO_ENABLED: "" # Enable SSO authentication ("true" to enable) NEXT_PUBLIC_SSO_ENABLED: "" # Show SSO login button in UI ("true" to enable) + # SSO_TRUSTED_PROVIDER_IDS: comma-separated SSO provider IDs to trust for automatic account linking when a + # user signs in via SSO and an account with the same email already exists. Only needed for IdPs that do NOT + # assert email_verified (trustEmailVerified already handles those that do). Resolved at startup — restart after editing. + SSO_TRUSTED_PROVIDER_IDS: "" # Enterprise Feature Overrides (self-hosted) CREDENTIAL_SETS_ENABLED: "" # Enable credential sets (email polling) on self-hosted ("true" to enable) From 45d5d64b7f097221a4438fef0518a2b84c619cfe Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Wed, 3 Jun 2026 10:36:40 -0700 Subject: [PATCH 2/3] =?UTF-8?q?fix(auth):=20address=20review=20=E2=80=94?= =?UTF-8?q?=20guard=20trusted=20SSO=20providers,=20revert=20invite=20callb?= =?UTF-8?q?ack?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Only compute additionalTrustedSsoProviders when SSO_ENABLED, so trustedProviders is exactly unchanged for non-SSO deployments. - Revert the invite getCallbackUrl change: keep the token in the callback URL (with sessionStorage/searchParams fallback) so the token survives when sessionStorage is unavailable. The account-linking fix removes the "account not linked" error that caused the malformed callback URL, so the callback cleanup is unnecessary. Co-Authored-By: Claude Opus 4.8 --- apps/sim/app/invite/[id]/invite.tsx | 12 +++++------- apps/sim/lib/auth/auth.ts | 18 +++++++++--------- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/apps/sim/app/invite/[id]/invite.tsx b/apps/sim/app/invite/[id]/invite.tsx index 0d06151304e..2cb517709ea 100644 --- a/apps/sim/app/invite/[id]/invite.tsx +++ b/apps/sim/app/invite/[id]/invite.tsx @@ -255,13 +255,11 @@ export default function Invite() { } } - /** - * Post-authentication return URL. Omits the token query string: Better Auth - * appends `?error=` onto callbackURL unescaped, producing a malformed - * URL that fails its callbackURL validation. The token is persisted to - * sessionStorage on mount and rehydrated on return, so it need not ride in the URL. - */ - const getCallbackUrl = () => `/invite/${inviteId}` + const getCallbackUrl = () => { + const effectiveToken = + token || sessionStorage.getItem(inviteTokenStorageKey) || searchParams.get('token') + return `/invite/${inviteId}${effectiveToken ? `?token=${effectiveToken}` : ''}` + } if (!session?.user && !isPending) { const callbackUrl = encodeURIComponent(getCallbackUrl()) diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts index ab45bd76cf0..b4c95394940 100644 --- a/apps/sim/lib/auth/auth.ts +++ b/apps/sim/lib/auth/auth.ts @@ -167,16 +167,16 @@ const additionalTrustedOrigins = parseOriginList(env.TRUSTED_ORIGINS, (value) => /** * SSO provider IDs to trust for automatic account linking when an SSO sign-in * matches an existing account's email. Includes `SSO_PROVIDER_ID` when it is set - * in the app environment, plus any IDs from `SSO_TRUSTED_PROVIDER_IDS`. Resolved - * once at startup; `trustEmailVerified` on the SSO plugin handles IdPs that assert - * `email_verified` live, so this is only needed for IdPs that omit that claim. + * in the app environment, plus any IDs from `SSO_TRUSTED_PROVIDER_IDS`. Empty when + * SSO is disabled, so `trustedProviders` is unchanged for non-SSO deployments. + * Resolved once at startup; `trustEmailVerified` on the SSO plugin handles IdPs + * that assert `email_verified` live, so this is only needed for IdPs that omit it. */ -const additionalTrustedSsoProviders = [ - env.SSO_PROVIDER_ID, - ...(env.SSO_TRUSTED_PROVIDER_IDS?.split(',') ?? []), -] - .map((id) => id?.trim()) - .filter((id): id is string => Boolean(id)) +const additionalTrustedSsoProviders = env.SSO_ENABLED + ? [env.SSO_PROVIDER_ID, ...(env.SSO_TRUSTED_PROVIDER_IDS?.split(',') ?? [])] + .map((id) => id?.trim()) + .filter((id): id is string => Boolean(id)) + : [] if (env.NODE_ENV === 'production') { const baseUrl = getBaseUrl() From 481c66d3c46ba1eea17ce89b49693aabb5defd36 Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Wed, 3 Jun 2026 10:58:37 -0700 Subject: [PATCH 3/3] fix(auth): guard trusted SSO providers with isSsoEnabled (isTruthy) env.SSO_ENABLED can be the string "false" (t3-env returns strings for booleans), which is truthy in JS. Use the canonical isSsoEnabled flag (isTruthy(env.SSO_ENABLED)) so SSO_ENABLED="false"/"0" correctly yields an empty trusted-provider list, matching how SSO is gated elsewhere. Co-Authored-By: Claude Opus 4.8 --- apps/sim/lib/auth/auth.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts index b4c95394940..cd27bbd5e2d 100644 --- a/apps/sim/lib/auth/auth.ts +++ b/apps/sim/lib/auth/auth.ts @@ -71,6 +71,7 @@ import { isRegistrationDisabled, isSignupEmailValidationEnabled, isSignupMxValidationEnabled, + isSsoEnabled, } from '@/lib/core/config/feature-flags' import { PlatformEvents } from '@/lib/core/telemetry' import { getBaseUrl, isLocalhostUrl, parseOriginList } from '@/lib/core/utils/urls' @@ -172,7 +173,7 @@ const additionalTrustedOrigins = parseOriginList(env.TRUSTED_ORIGINS, (value) => * Resolved once at startup; `trustEmailVerified` on the SSO plugin handles IdPs * that assert `email_verified` live, so this is only needed for IdPs that omit it. */ -const additionalTrustedSsoProviders = env.SSO_ENABLED +const additionalTrustedSsoProviders = isSsoEnabled ? [env.SSO_PROVIDER_ID, ...(env.SSO_TRUSTED_PROVIDER_IDS?.split(',') ?? [])] .map((id) => id?.trim()) .filter((id): id is string => Boolean(id))