Skip to content

feat(den): add org-scoped SCIM and SSO admin flows#1556

Draft
src-opn wants to merge 3 commits intodevfrom
scim-support
Draft

feat(den): add org-scoped SCIM and SSO admin flows#1556
src-opn wants to merge 3 commits intodevfrom
scim-support

Conversation

@src-opn
Copy link
Copy Markdown
Collaborator

@src-opn src-opn commented Apr 24, 2026

Summary

  • add org-scoped SCIM management and SSO management to Den, including dashboard pages, server routes, generated setup URLs, and Better Auth plugin wiring
  • add shared external identity groundwork so SCIM lifecycle changes and SSO sign-ins can converge on one org-scoped identity record
  • add require-SSO org policy, domain verification management, and live fixes for the org SSO entry route and SCIM-safe deprovisioning behavior

Testing

  • pnpm --filter @openwork-ee/den-api build
  • pnpm --filter @openwork-ee/den-web build
  • pnpm dev:web-local
  • GET http://localhost:8788/health
  • browser verification in Chrome DevTools MCP against http://localhost:3005
  • live SCIM checks:
    • create user via POST /api/auth/scim/v2/Users returned 201
    • delete user via DELETE /api/auth/scim/v2/Users/:id returned 204
    • invalid delete via DELETE /api/auth/scim/v2/Users/9876543210123456 returned 404
  • MySQL verification in the local dev container confirmed external_identity creation and deactivation while preserving the global user row

Notes

  • draft PR because SSO domain verification was exercised only against a non-owned test domain, so the live failure path is verified but not a successful DNS-backed verification yet
  • screenshots captured locally during verification:
    • tmp/scim-support-sso-dashboard.png
    • tmp/scim-support-sso-configured.png

src-opn added 3 commits April 24, 2026 12:38
@src-opn
feat(den): add org-scoped SCIM support
236b066 
Wire Better Auth SCIM into Den, add org-admin management routes and UI entrypoints, add the SCIM provider schema, and document the compatibility-layer follow-up plan based on tester findings.
@src-opn
feat(den): add org-scoped SSO support
4277a8f 
Wire Better Auth SSO into Den with org-scoped provider management, admin UI, generated setup URLs, and a dedicated org sign-in route. Add the SSO schema and external identity groundwork so SCIM and SSO can converge on shared enterprise identity state.
@src-opn
fix(den): enforce org SSO and sync SCIM identities
b082209 
Sync SCIM user lifecycle into external_identity, add org-level require-SSO resolution and domain verification management, and fix the org SSO entry flow to use the correct web URL and organization slug. These changes were live-tested against the local den web-local stack.
@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented Apr 24, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
openwork-app Ready Ready Preview, Comment Apr 24, 2026 9:53pm
openwork-den Ready Ready Preview, Comment Apr 24, 2026 9:53pm
openwork-den-worker-proxy Ready Ready Preview, Comment Apr 24, 2026 9:53pm
openwork-landing Ready Ready Preview, Comment, Open in v0 Apr 24, 2026 9:53pm
openwork-share Ready Ready Preview, Comment Apr 24, 2026 9:53pm

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 24, 2026

The following comment was made by an LLM, it may be inaccurate:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@src-opn