Flagsmith / flagsmith

Open Source Feature Flagging and Remote Config Service. Host on-prem or use our hosted version at https://flagsmith.com/
BSD 3-Clause "New" or "Revised" License

Invites don't work for SAML / LDAP #1526

Open matthewelwell opened 1 year ago

matthewelwell commented 1 year ago

The current invite flow (for both links and emails) is:

  1. User receives invite
  2. Click the link to accept invite
  3. Authenticate with Flagsmith (which for SAML / LDAP will add the user to the organisation)
  4. UI triggers invite accept workflow by hitting relevant endpoint

Step 4 will break for SAML / LDAP since the user is already part of the organisation they are trying to join via invite.

As far as I can tell, we have a few options to resolve this:

  1. Remove the invites functionality when users are using SAML / LDAP
  2. Instead of blindly trying to create the user's organisation membership, we could update the existing membership if it exists (since LDAP / SAML users are created with the 'User' role)
  3. Handle the error gracefully so that users are aware of what's happening since I believe that, at the moment, the invite flow breaks

matthewelwell commented 1 year ago

It's worth pointing out that LDAP actually only creates the user organisation membership if the default organisation id environment variable is set, so we should allow invites if this is not set.
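
An added example, not Flagsmith's code and not part of the thread: a minimal in-memory model of option 2 from the first comment, together with the LDAP default-organisation case from the second. The function names, the `ADMIN` role and the rule that an invite never lowers an existing role are assumptions made for illustration.

```python
from enum import IntEnum


class Role(IntEnum):
    USER = 1   # the role the issue says LDAP / SAML users are created with
    ADMIN = 2  # assumed higher role, for illustration only


class AlreadyMember(Exception):
    """Raised by the blind-create path when the membership already exists."""


# `members` below is a dict mapping (email, organisation_id) -> Role,
# a hypothetical stand-in for the organisation membership table.

def sso_login(members, email, default_org_id=None):
    """Model step 3: an SSO login adds the user with the 'User' role.

    As the second comment notes for LDAP, no membership is created when
    the default organisation id is unset (default_org_id=None).
    """
    if default_org_id is not None:
        members.setdefault((email, default_org_id), Role.USER)


def accept_invite_blind(members, email, org_id, role):
    """Step 4 as described: blindly create the membership."""
    if (email, org_id) in members:
        raise AlreadyMember(f"{email} is already in organisation {org_id}")
    members[(email, org_id)] = role


def accept_invite(members, email, org_id, role):
    """Option 2: create or update. Returns 'created', 'upgraded' or 'unchanged'."""
    current = members.get((email, org_id))
    if current is None:
        members[(email, org_id)] = role
        return "created"
    if role > current:
        members[(email, org_id)] = role
        return "upgraded"
    # Assumption: accepting an invite never lowers a role the user already holds.
    return "unchanged"
```

The three return values also give the UI something concrete to report, which is what option 3 asks for.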

sentry-io[bot] commented 1 year ago

Sentry issue: FLAGSMITH-API-2E0