fix(backend): correct SAML user complete check & always verify email on provision #5358

Merged: scott-ray-wilson merged 1 commit into main from fix-saml-is-email-verified on Feb 3, 2026

@scott-ray-wilson
Contributor

Context

This PR fixes two SAML and SCIM bugs:

  • When logging in via SAML we now only check whether the user alias email is verified
  • When a user is provisioned via SCIM, we now verify their email even if the user already exists

Screenshots

N/A

Steps to verify the change

  • Verify you can log in via SAML even if you were invited via email without verifying and then provisioned via SCIM
  • Verify email is verified on provision

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

…verified and verify email on provision even if user already exists
@maidul98
Collaborator

maidul98 commented Feb 3, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

@greptile-apps
Contributor

greptile-apps bot commented Feb 3, 2026

Greptile Overview

Greptile Summary

Fixed SAML login check to only verify the alias email (not the user's primary email) and ensured SCIM provisioning verifies email for existing users when trustScimEmails is enabled.

  • Changed SAML isUserCompleted check to only require userAlias.isEmailVerified instead of both user.isEmailVerified and userAlias.isEmailVerified
  • Added email verification for existing users during SCIM provisioning when trustScimEmails is configured

Confidence Score: 4/5

  • Safe to merge with minimal risk - changes align with stated goals and fix the SAML/SCIM integration issues
  • The changes are focused and address specific bugs in SAML and SCIM flows. The SAML change correctly focuses on alias email verification for SSO users, and the SCIM change ensures email verification consistency. No security vulnerabilities introduced.
  • No files require special attention

Important Files Changed

| Filename | Overview |
|---|---|
| backend/src/ee/services/saml-config/saml-config-service.ts | Removed user.isEmailVerified from the isUserCompleted check, now only verifies userAlias.isEmailVerified |
| backend/src/ee/services/scim/scim-service.ts | Added logic to verify email for existing users when trustScimEmails is enabled during SCIM provisioning |

scott-ray-wilson merged commit fe4b826 into main on Feb 3, 2026
10 of 11 checks passed
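
The two checks discussed in this thread, modeled as an added TypeScript example that is not the project's code and not part of the PR. Only `isEmailVerified`, `isUserCompleted` and `trustScimEmails` are names from the thread; the types, function names, the `aliasVerified` input and the sample address are assumptions made for illustration.

```typescript
// Constructed model of the two checks; everything except the three names
// taken from the PR thread is hypothetical.
interface EmailState { email: string; isEmailVerified: boolean }

// SAML login check before the fix: primary email AND alias email verified.
function isUserCompletedBefore(user: EmailState, userAlias: EmailState): boolean {
  return user.isEmailVerified && userAlias.isEmailVerified;
}

// After the fix: only the alias email decides.
function isUserCompletedAfter(_user: EmailState, userAlias: EmailState): boolean {
  return userAlias.isEmailVerified;
}

// SCIM provisioning of a user that already exists. Before the fix the
// existing record was left untouched; after it, the email is marked
// verified, but only when the org has opted in to trusting SCIM emails.
function scimProvisionExisting(user: EmailState, trustScimEmails: boolean, fixed: boolean): EmailState {
  if (fixed && trustScimEmails) return { ...user, isEmailVerified: true };
  return user;
}

interface Scenario { trustScimEmails: boolean; aliasVerified: boolean; fixed: boolean }

// Scenario from "Steps to verify the change": invited by email, never
// verified, then provisioned via SCIM, then logs in via SAML.
function runScenario(s: Scenario) {
  const invited: EmailState = { email: "dev@example.test", isEmailVerified: false };
  const user = scimProvisionExisting(invited, s.trustScimEmails, s.fixed);
  const userAlias: EmailState = { email: invited.email, isEmailVerified: s.aliasVerified };
  const check = s.fixed ? isUserCompletedAfter : isUserCompletedBefore;
  return { userVerified: user.isEmailVerified, loginCompleted: check(user, userAlias) };
}

// Pre-fix: the unverified invite blocks SAML login despite a verified alias.
console.log(runScenario({ trustScimEmails: true, aliasVerified: true, fixed: false }));
// Post-fix: login completes and the SCIM provision marks the email verified.
console.log(runScenario({ trustScimEmails: true, aliasVerified: true, fixed: true }));
```

In this model an unverified alias still fails the login check after the fix, and an org with `trustScimEmails` disabled never has the primary email marked verified by provisioning.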