Skip to content

fix(webapp): gate SSO UI on plugin presence, not managed-cloud #4006

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
0ski wants to merge 1 commit into
base: main
Choose a base branch
from
+6 −22
Open

fix(webapp): gate SSO UI on plugin presence, not managed-cloud #4006

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 4 additions & 9 deletions apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.sso/route.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,6 @@ import { Paragraph } from "~/components/primitives/Paragraph";
import { Select, SelectItem } from "~/components/primitives/Select";
import { Switch } from "~/components/primitives/Switch";
import { $replica } from "~/db.server";
import { featuresForRequest } from "~/features.server";
import { useOrganization } from "~/hooks/useOrganizations";
import { rbac } from "~/services/rbac.server";
import { ssoController } from "~/services/sso.server";
Expand Down Expand Up @@ -79,12 +78,8 @@ export const loader = dashboardLoader(
authorization: { action: "manage", resource: { type: "sso" } },
},
async ({ context, request }) => {
const { isManagedCloud } = featuresForRequest(request);
// Gate on managed cloud AND the SSO plugin actually being loaded
// (SSO_ENABLED off → OSS fallback → isUsingPlugin false). Without
// this the page renders for every managed-cloud org even when SSO
// is disabled for the deployment.
if (!isManagedCloud || !(await ssoController.isUsingPlugin())) {
// True only when SSO_ENABLED is on and a real SSO plugin is loaded.
if (!(await ssoController.isUsingPlugin())) {
throw new Response("Not Found", { status: 404 });
Comment on lines +81 to 83

@devin-ai-integration devin-ai-integration Bot Jun 20, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Incomplete removal of isManagedCloud gate: sidebar SSO entry still hidden on self-hosted

The PR removes the isManagedCloud check from the SSO settings loader/action and the login page, consolidating gating to ssoController.isUsingPlugin(). However, the sidebar navigation at apps/webapp/app/components/navigation/OrganizationSettingsSideMenu.tsx:150 still checks isManagedCloud && isSsoUsingPlugin before rendering the SSO menu item. On a self-hosted deployment with SSO_ENABLED=true and the plugin installed, the SSO settings page loads fine via direct URL, the login page shows the SSO auth option, and mutations work — but the sidebar won't show the SSO link because isManagedCloud is false. This makes the feature undiscoverable through normal navigation.

Sidebar still gated on isManagedCloud

In OrganizationSettingsSideMenu.tsx:150:

{isManagedCloud && isSsoUsingPlugin && (
  <SideMenuItem name="SSO" ... />
)}

This should be updated to just isSsoUsingPlugin to match the loader/action changes.

Prompt for agents 
The SSO settings loader and action removed the isManagedCloud gate, but the sidebar navigation in apps/webapp/app/components/navigation/OrganizationSettingsSideMenu.tsx at line 150 still checks isManagedCloud && isSsoUsingPlugin. To complete this transformation consistently, the sidebar condition should be updated to just isSsoUsingPlugin, so that on self-hosted deployments with SSO_ENABLED=true, the SSO sidebar link is visible and the feature is discoverable through normal navigation.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

}

Expand Down Expand Up @@ -175,8 +170,8 @@ export const action = dashboardAction(
throw new Response("Not Found", { status: 404 });
}

const { isManagedCloud } = featuresForRequest(request);
if (!isManagedCloud) {
// Mirror the loader gate.
if (!(await ssoController.isUsingPlugin())) {
throw new Response("Not Found", { status: 404 });
}
await requireSsoEntitlement(orgId);
Expand Down
15 changes: 2 additions & 13 deletions apps/webapp/app/routes/login._index/route.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,14 +13,12 @@ import { FormError } from "~/components/primitives/FormError";
import { Header1 } from "~/components/primitives/Headers";
import { Paragraph } from "~/components/primitives/Paragraph";
import { TextLink } from "~/components/primitives/TextLink";
import { featuresForRequest } from "~/features.server";
import { isGithubAuthSupported, isGoogleAuthSupported } from "~/services/auth.server";
import { getLastAuthMethod } from "~/services/lastAuthMethod.server";
import { commitSession, setRedirectTo } from "~/services/redirectTo.server";
import { getUserId } from "~/services/session.server";
import { getUserSession } from "~/services/sessionStorage.server";
import { ssoController } from "~/services/sso.server";
import { flags as getGlobalFlags } from "~/v3/featureFlags.server";
import { requestUrl } from "~/utils/requestUrl.server";
import { SSO_SESSION_EXPIRED_REASON } from "~/utils/ssoSession";
import { cn } from "~/utils/cn";
Expand Down Expand Up @@ -86,17 +84,8 @@ export async function loader({ request }: LoaderFunctionArgs) {
? "Your SSO session expired. Please sign in again."
: null;

const { isManagedCloud } = featuresForRequest(request);
// /login is unauthenticated and high-traffic; don't pay the plugin
// resolution + flag fetch on self-hosted where the result is unused.
let showSsoAuth = false;
if (isManagedCloud) {
const [pluginActive, globalFlags] = await Promise.all([
ssoController.isUsingPlugin(),
getGlobalFlags(),
]);
showSsoAuth = pluginActive && (globalFlags as Record<string, unknown>).hasSso === true;
}
// True only when SSO_ENABLED is on and a real SSO plugin is loaded.
const showSsoAuth = await ssoController.isUsingPlugin();
Comment on lines +87 to +88

@devin-ai-integration devin-ai-integration Bot Jun 20, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚩 Removal of hasSso feature flag eliminates runtime kill switch for SSO login button

The old login loader required three conditions for showing SSO auth: isManagedCloud, ssoController.isUsingPlugin(), and globalFlags.hasSso === true. The new code only checks ssoController.isUsingPlugin(). The hasSso flag (defined at apps/webapp/app/v3/featureFlags.ts:29) was a DB-backed boolean that could be toggled at runtime without redeploying — effectively a kill switch for the SSO login button. With this PR, the only way to disable SSO auth is via the SSO_ENABLED env var (which requires a restart/redeploy). If the team relied on hasSso as a quick runtime toggle (e.g., during incidents or phased rollout), that capability is now gone. The flag definition still exists in the catalog but is no longer consumed anywhere in the codebase.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.


if (redirectTo) {
const session = await setRedirectTo(request, redirectTo);
Expand Down