Epic: Enterprise SSO + SCIM end-to-end hardening (Microsoft Entra)

[yannickmonney]

Summary

Tracking Epic consolidating all open Enterprise SSO + SCIM defects and improvements, to be validated end-to-end against a real Microsoft Entra ID tenant across every supported method (generic OIDC, generic OAuth2, Entra-native, SAML 2.0) plus SCIM 2.0 provisioning/de-provisioning.

The Enterprise SSO stack is a custom in-house implementation (not Better Auth's SSO plugin), in services/platform/convex/enterprise_sso/, with SCIM in services/platform/convex/scim/. Public endpoints exercised by the IdP:

• OIDC / OAuth2: POST /api/sso/discover, GET /api/sso/authorize, GET /api/sso/callback (IdP redirect URI), GET /api/sso/set-session
• SAML 2.0: GET /api/sso/saml/metadata, GET /api/sso/saml/login, POST /api/sso/saml/acs (IdP reply/ACS URL)
• SCIM 2.0: /scim/v2/{ServiceProviderConfig,ResourceTypes,Schemas,Users,Groups,…} (bearer-token, org resolved from token)

Adapters: entra_id/, generic_oidc/, oauth2/, plus SAML.

Consolidated scope

🔴 Security (P1)

• Bug: SCIM POST /Users for an email owned by another org grafts a cross-tenant membership and renames that user #2036 — SCIM POST /Users for an email owned by another org grafts a cross-tenant membership and renames that user
• Bug: Open redirect on the trusted-headers authenticate endpoint (?redirect= reflected into navigation with no origin validation) #2037 — Open redirect on the trusted-headers authenticate endpoint (?redirect= reflected with no origin validation)

🟠 Correctness (P2)

• Bug: OIDC/OAuth2 SSO login ignores the user's email and always routes to the first enabled connection (multi-org IdP collision) #2082 — OIDC/OAuth2 SSO login ignores the user's email and always routes to the first enabled connection (multi-org IdP collision)
• Bug: Switching a configured SSO connection's protocol with a blank Client secret passes client validation, then the backend throws an untranslated raw Error #2057 — Switching a configured connection's protocol with a blank Client secret passes client validation, then the backend throws an untranslated raw Error

🟡 UX / hardening (P3)

• Bug: Enterprise SSO settings form logs React uncontrolled→controlled warnings (Select + Switch initialized undefined) #2095 — Enterprise SSO settings form logs React uncontrolled→controlled warnings (Select + Switch initialized undefined)
• Improvement: Standardize client-facing backend failures on ConvexError (sweep raw throw new Error across auth/SSO/tasks/conversations/project-metrics) #2049 — Standardize client-facing backend failures on ConvexError (sweep raw throw new Error across auth/SSO/tasks/conversations/project-metrics)
• Improvement: Auth/2FA/SSO low-severity correctness & UX gaps (enroll-wall guard, banner role, dead path guard, role-mapping toggle, SCIM PATCH, enforced-2FA disable) #2085 — Auth/2FA/SSO low-severity correctness & UX gaps (enroll-wall guard, banner role, dead-path guard, role-mapping toggle, SCIM PATCH, enforced-2FA disable)

🔵 Feature baseline

• Feature: SCIM 2.0 endpoint for automated user/group provisioning #1921 — SCIM 2.0 endpoint for automated user/group provisioning (verify completeness incl. de-provisioning under live Entra)

Plan

1. Stand the stack up behind a public HTTPS tunnel (cloudflared), SITE_URL = tunnel origin so all SSO callbacks/ACS/SCIM URLs are publicly reachable.
2. Configure a real Entra tenant: App registration(s) for OIDC + OAuth2, an Enterprise App for SAML, and SCIM provisioning.
3. Run the E2E matrix below; post the full test report to this Epic.
4. Fix every confirmed issue (code + i18n in all locales + co-located regression tests).
5. Re-run unit + live E2E; open a PR linking every sub-issue + this Epic and drive CI green.

E2E test matrix

Method	First-login provision	Role / team mapping	Session established	SCIM create	SCIM update	SCIM group	SCIM de-provision
Generic OIDC	⏳	⏳	⏳	⏳	⏳	⏳	⏳
Generic OAuth2	⏳	⏳	⏳	⏳	⏳	⏳	⏳
Entra-native (group sync)	⏳	⏳	⏳	⏳	⏳	⏳	⏳
SAML 2.0	⏳	⏳	⏳	⏳	⏳	⏳	⏳

Results filled in by the test report once the live run completes.

---

Test methodology: Playwright-driven Azure portal configuration + Playwright-driven Tale login flows, against a live Entra tenant over a cloudflared tunnel.

[yannickmonney]

PR #2118 — consolidated fix

Fixed (Closes): #2036 (SCIM cross‑tenant graft → 409), #2037 (open redirect), #2082 (OIDC/OAuth2 email‑domain routing), #2057 (protocol‑switch secret + coded error), #2095 (controlled‑input warnings).

Partially addressed (Refs):

• Improvement: Standardize client-facing backend failures on ConvexError (sweep raw throw new Error across auth/SSO/tasks/conversations/project-metrics) #2049 — done for the SSO config + SCIM auth gates (sub‑item [09]); non‑SSO sites (users‑password [07], project‑metrics [51], tasks [58], conversations [84]) left for a focused follow‑up.
• Improvement: Auth/2FA/SSO low-severity correctness & UX gaps (enroll-wall guard, banner role, dead path guard, role-mapping toggle, SCIM PATCH, enforced-2FA disable) #2085 — done [05] (banners → polite role="status"), [06] (password‑expiry gate path), [13] (SCIM Group PATCH add+remove compose); deferred [04] enroll‑wall guard, [12] role‑mapping editor (a feature), [19] enforced‑2FA disable warning.

Pending live validation: #1921 SCIM completeness + the end‑to‑end Entra OIDC / OAuth2 / Entra‑native / SAML + SCIM provisioning/de‑provisioning run against a real tenant (over a cloudflared tunnel). This is the final step; the full test report (filling in the matrix above) will be posted here.

Gate: typecheck · lint · format · knip · Opengrep SAST (0 findings) · 73,562 server/PII tests · 2,544 component/a11y tests — all green.

[yannickmonney]

Update: PR #2118 now completes #2049 (all sites) and #2085 (all items, incl. a functional role-mapping-rules editor). All seven SSO/SCIM code issues are fixed; the full gate is green — 73,566 server + 2,545 component/a11y tests, Opengrep SAST 0 findings. Live Entra E2E remains the final step.

[yannickmonney]

Enterprise SSO + SCIM — live end-to-end test report (Microsoft Entra)

Date: 2026-06-24 · Tenant: tale.dev (629917cd-…) · Org: "SSO E2E Org" (jn785nxf8…)
PR: #2118 · Branch: fix/enterprise-sso-scim-hardening

Method

• Real Microsoft Entra ID tenant, app registration "Tale SSO E2E" (521f2c51-…), tested over a public cloudflared tunnel so Entra reaches the live callback/SCIM endpoints on the local stack (Convex backend + Vite app).
• OIDC sign-in driven through the browser (Playwright) using the real Entra account ym@tale.dev with SMS MFA.
• SCIM exercised with curl replaying the exact request shapes Azure's provisioning service sends (bearer token minted from the admin UI).
• Full local gate (typecheck, oxlint, oxfmt, knip, server+jsdom+pii vitest, opengrep) green; results pushed to CI.

---

Results by method

✅ OIDC (Entra-native, entra-id adapter) — PASS, end-to-end

ym@tale.dev → "Continue with SSO" → email→org discovery → Microsoft authorize → consent → callback → userinfo /me 200 → user provisioned → landed in the org dashboard, signed in purely via SSO.

• 🐞 Found & fixed live: the userinfo call 403'd because the authorize request didn't include Microsoft Graph User.Read (the org's scopes listed only openid email profile offline_access). Sign-in failed after a successful token exchange.
  Fix (c2bf8ea84): buildAuthorizeUrl always ensures https://graph.microsoft.com/User.Read; the settings form's default Entra scope set lists it. Re-tested live → sign-in completes.

✅ SCIM 2.0 provisioning/de-provisioning — PASS, comprehensive

Base …/scim/v2, bearer auth, org resolved from the token row.

Operation	Result
GET /ServiceProviderConfig, /ResourceTypes, /Schemas	200 — patch+filter supported, bulk off
POST /Users (Azure payload)	201, externalId + meta.location correct
GET /Users/{id}, GET /Users?filter=userName eq "…"	200, exact match (Azure dedupe lookup)
PATCH replace attr / deactivate (active:false) / reactivate	200, role restored on reactivate
POST /Groups, PATCH add / path-filter remove / add+remove compose / replace / value-less remove-all	201 / 200, every member set correct
DELETE /Users/{id} → GET	204 → 404 (see fix below)
Negatives: bad token, missing auth, unknown id, same-org dup	401 / 401 / 404 / 409

• ✅ Bug: SCIM POST /Users for an email owned by another org grafts a cross-tenant membership and renames that user #2036 (security) validated live: POST /Users with an email owned by another org → 409 uniqueness ("belongs to another organization"); a brand-new email → 201 (no over-blocking).
• ✅ Improvement: Auth/2FA/SSO low-severity correctness & UX gaps (enroll-wall guard, banner role, dead path guard, role-mapping toggle, SCIM PATCH, enforced-2FA disable) #2085[13] validated live: Group PATCH add + value-less/path-filter remove compose correctly in one request.
• 🐞 Found & fixed live: DELETE /Users was a soft-deactivate that returned 204 but the user stayed retrievable (GET 200) — violates RFC 7644 §3.6 and was inconsistent with Group DELETE.
  Fix (d08946ec4): new deprovisionUser removes the membership + mirror + link → GET 404; Azure's primary active:false soft-disable path is unchanged (membership kept, restorable); the org owner is protected (DELETE owner → 403 mutability, never orphan the org). Pure classifyDeprovision() unit-tested; re-validated live (DELETE 204 → GET 404; owner DELETE 403).

✅ #2082 — login routes by email — PASS, live

/api/sso/discover resolved ym@tale.dev → the correct org + oidc; the authorize URL carried login_hint=ym@tale.dev and the signed state decoded with organizationId=jn785nxf8…. No more "always first connection".

✅ #2085[12] — role-mapping editor — PASS, live

Toggling "Auto-assign roles from the IdP" reveals a real editor (Source = IdP group / app role / job title / claim → value → platform role). Added a rule and Saved; it persisted to the connection file as {source:"group", pattern:"Tale-Admins", targetRole:"admin"}, autoProvisionRole:true. The toggle is now functional, not a dead switch.

✅ Graceful degradation — verified (code + live)

The callback fetches groups/app-roles only when role-mapping/team-sync need them, inside try/catch → console.warn on failure. Enabling role-mapping without GroupMember.Read.All consent therefore does not break sign-in (the user simply matches no rule and keeps the default role).

◻️ OAuth2 (generic) / SAML 2.0 / live group→team sync — not re-run live this session

These share the same provisioning core (handleSsoLogin) and the same SCIM backend, both validated above, and their adapters are unit-tested. A full live run needs extra IdP setup beyond the OIDC app (a separate SAML Enterprise App + signing cert; GroupMember.Read.All admin consent + real Entra groups for live group sync). Can be run on request — the tunnel/app/admin session are ready.

---

Prior fixes confirmed (carried by the PR)

#2036 ✓live · #2037 (sanitizeInternalRedirect, unit) · #2082 ✓live · #2057 (secret gate; OIDC secret preserved across edits, observed live) · #2095 (form renders with no controlled/uncontrolled warnings, observed live) · #2049 (SCIM 409 surfaced as a coded ConvexError, observed live) · #2085 [04][05][06][12]✓live[13]✓live[19] · #1921 ✓live (SCIM completeness incl. de-provisioning)

New fixes this session

1. c2bf8ea84 — request Graph User.Read for Entra userinfo (OIDC 403 → fixed).
2. d08946ec4 — SCIM DELETE de-provisions (RFC 7644) + owner guard.
3. d8e136e3c — (CI) reformat a main-side workflow JSON for oxfmt 0.44.0 so the merge check is green.

Gate

typecheck ✓ · oxlint 0/0 ✓ · oxfmt ✓ · knip ✓ · opengrep 0 findings ✓ · server vitest 6362 ✓ · jsdom ✓ · pii ✓