fix(auth): link SSO sign-in to existing same-email accounts (#4866)

* fix(auth): link SSO sign-in to existing same-email accounts

SSO sign-ins failed with "account not linked" (then a cascading "Invalid
callbackURL") when an account with the same email already existed. Better
Auth's `@better-auth/sso` plugin hardcodes the provisioned user's
`emailVerified: options?.trustEmailVerified ? <claim> : false`, so with the
option unset every SSO login arrived unverified and tripped the account
linking gate `(!isTrustedProvider && !userInfo.emailVerified)` whenever the
provider was not in `accountLinking.trustedProviders`.

- Set `trustEmailVerified: true` on the SSO plugin so the IdP's verified-email
  claim is honored (Okta, Entra ID, Google Workspace, Auth0 all assert it).
- Trust the operator's configured provider for linking: merge
  `SSO_PROVIDER_ID` (when present in the app env) plus a new
  `SSO_TRUSTED_PROVIDER_IDS` list into `trustedProviders`. Empty/unset =>
  no-op, so existing deployments are unchanged.
- Invite callback URL: return a clean `/invite/<id>` (token already persists
  in sessionStorage) so an appended `?error=` cannot produce a malformed URL.
- Document `SSO_TRUSTED_PROVIDER_IDS` in SSO docs, Helm values, and schema.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(auth): address review — guard trusted SSO providers, revert invite callback

- Only compute additionalTrustedSsoProviders when SSO_ENABLED, so
  trustedProviders is exactly unchanged for non-SSO deployments.
- Revert the invite getCallbackUrl change: keep the token in the callback URL
  (with sessionStorage/searchParams fallback) so the token survives when
  sessionStorage is unavailable. The account-linking fix removes the
  "account not linked" error that caused the malformed callback URL, so the
  callback cleanup is unnecessary.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(auth): guard trusted SSO providers with isSsoEnabled (isTruthy)

env.SSO_ENABLED can be the string "false" (t3-env returns strings for
booleans), which is truthy in JS. Use the canonical isSsoEnabled flag
(isTruthy(env.SSO_ENABLED)) so SSO_ENABLED="false"/"0" correctly yields an
empty trusted-provider list, matching how SSO is gated elsewhere.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

Author: waleedlatif1

apps/docs/content/docs/en/enterprise/sso.mdx

@@ -250,6 +250,10 @@ SSO provisioning creates internal organization members. External workspace membe
     question: "Can I still use email/password login after enabling SSO?",
     answer: "Yes. Enabling SSO does not disable password-based login. Users can still sign in with their email and password if they have one. Forced SSO (requiring all users on the domain to use SSO) is not yet supported."
   },
+  {
+    question: "A user already has an account with the same email — what happens when they sign in with SSO?",
+    answer: "Sim links the SSO identity to the existing account automatically, as long as your identity provider reports the email as verified (email_verified) or the provider is trusted. Most OIDC providers (Okta, Google Workspace, Auth0) assert email_verified, so linking just works. If sign-in fails with 'account not linked' — common with SAML providers that omit the claim — add the provider's ID to SSO_TRUSTED_PROVIDER_IDS on self-hosted and restart."
+  },
   {
     question: "Who can configure SSO on Sim Cloud?",
     answer: "Organization owners and admins can configure SSO. You must be on the Enterprise plan."
@@ -280,8 +284,25 @@ NEXT_PUBLIC_SSO_ENABLED=true
 # Required if you want users auto-added to your organization on first SSO sign-in
 ORGANIZATIONS_ENABLED=true
 NEXT_PUBLIC_ORGANIZATIONS_ENABLED=true
+
+# Optional: comma-separated SSO provider IDs to trust for automatic account linking
+# (links an SSO sign-in to an existing account with the same email). Needed when your
+# IdP does not assert email_verified — typically SAML providers, or OIDC providers that
+# omit the claim. Set it to the Provider ID you registered, then restart.
+# (If you also keep SSO_PROVIDER_ID in the app's environment, that provider is trusted
+# without listing it here.)
+SSO_TRUSTED_PROVIDER_IDS=custom-oidc,partner-saml
 ```
 
+<Callout type="info">
+  When someone signs in with SSO and an account with the same email already exists
+  (for example, they previously signed up with email/password), Sim links the SSO
+  identity to that account automatically as long as your IdP reports the email as
+  verified, or the provider is trusted. If you hit an `account not linked` error,
+  either confirm your IdP sends `email_verified`, or add the provider's ID to
+  `SSO_TRUSTED_PROVIDER_IDS` and restart.
+</Callout>
+
 You can register providers through the **Settings UI** (same as cloud) or by running the registration script directly against your database.
 
 ### Script-based registration

apps/sim/lib/auth/auth.ts

@@ -71,6 +71,7 @@ import {
   isRegistrationDisabled,
   isSignupEmailValidationEnabled,
   isSignupMxValidationEnabled,
+  isSsoEnabled,
 } from '@/lib/core/config/feature-flags'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { getBaseUrl, isLocalhostUrl, parseOriginList } from '@/lib/core/utils/urls'
@@ -164,6 +165,20 @@ const additionalTrustedOrigins = parseOriginList(env.TRUSTED_ORIGINS, (value) =>
   logger.warn('Ignoring invalid entry in TRUSTED_ORIGINS', { value })
 )
 
+/**
+ * SSO provider IDs to trust for automatic account linking when an SSO sign-in
+ * matches an existing account's email. Includes `SSO_PROVIDER_ID` when it is set
+ * in the app environment, plus any IDs from `SSO_TRUSTED_PROVIDER_IDS`. Empty when
+ * SSO is disabled, so `trustedProviders` is unchanged for non-SSO deployments.
+ * Resolved once at startup; `trustEmailVerified` on the SSO plugin handles IdPs
+ * that assert `email_verified` live, so this is only needed for IdPs that omit it.
+ */
+const additionalTrustedSsoProviders = isSsoEnabled
+  ? [env.SSO_PROVIDER_ID, ...(env.SSO_TRUSTED_PROVIDER_IDS?.split(',') ?? [])]
+      .map((id) => id?.trim())
+      .filter((id): id is string => Boolean(id))
+  : []
+
 if (env.NODE_ENV === 'production') {
   const baseUrl = getBaseUrl()
   if (isLocalhostUrl(baseUrl)) {
@@ -685,6 +700,7 @@ export const auth = betterAuth({
         'calcom',
         'docusign',
         ...SSO_TRUSTED_PROVIDERS,
+        ...additionalTrustedSsoProviders,
       ],
     },
   },
@@ -2916,6 +2932,12 @@ export const auth = betterAuth({
     ...(env.SSO_ENABLED
       ? [
           sso({
+            /**
+             * Honor the IdP's verified-email claim. Without this the SSO plugin
+             * forces `emailVerified: false`, blocking automatic linking of an SSO
+             * login to an existing same-email account (Better Auth "account not linked").
+             */
+            trustEmailVerified: true,
             organizationProvisioning: {
               disabled: false,
               defaultRole: 'member',

apps/sim/lib/core/config/env.ts

@@ -406,6 +406,7 @@ export const env = createEnv({
     SSO_DOMAIN:                            z.string().optional(),                  // [REQUIRED] SSO email domain
     SSO_USER_EMAIL:                        z.string().optional(),                  // [REQUIRED] User email for SSO registration
     SSO_ORGANIZATION_ID:                   z.string().optional(),                  // Organization ID for SSO registration (optional)
+    SSO_TRUSTED_PROVIDER_IDS:              z.string().optional(),                  // Comma-separated SSO provider IDs to trust for automatic account linking when an existing account shares the same email. Use for IdPs that do not assert email_verified. Merged into Better Auth accountLinking.trustedProviders.
 
     // SSO Mapping Configuration (optional - sensible defaults provided)
     SSO_MAPPING_ID:                        z.string().optional(),                  // Custom ID claim mapping (default: sub for OIDC, nameidentifier for SAML)

helm/sim/values.schema.json

@@ -157,6 +157,10 @@
               "type": "string",
               "description": "Comma-separated additional public origins to trust for auth (e.g. 'https://app.example.com,https://www.example.com'). Merged into Better Auth trustedOrigins."
             },
+            "SSO_TRUSTED_PROVIDER_IDS": {
+              "type": "string",
+              "description": "Comma-separated SSO provider IDs to trust for automatic account linking when an SSO sign-in matches an existing account's email. Only needed for IdPs that do not assert email_verified. Merged into Better Auth accountLinking.trustedProviders."
+            },
             "NODE_ENV": {
               "type": "string",
               "enum": ["development", "test", "production"],

helm/sim/values.yaml

@@ -216,6 +216,10 @@ app:
     # Set to "true" AFTER running the SSO registration script
     SSO_ENABLED: ""                                       # Enable SSO authentication ("true" to enable)
     NEXT_PUBLIC_SSO_ENABLED: ""                           # Show SSO login button in UI ("true" to enable)
+    # SSO_TRUSTED_PROVIDER_IDS: comma-separated SSO provider IDs to trust for automatic account linking when a
+    # user signs in via SSO and an account with the same email already exists. Only needed for IdPs that do NOT
+    # assert email_verified (trustEmailVerified already handles those that do). Resolved at startup — restart after editing.
+    SSO_TRUSTED_PROVIDER_IDS: ""
 
     # Enterprise Feature Overrides (self-hosted)
     CREDENTIAL_SETS_ENABLED: ""                           # Enable credential sets (email polling) on self-hosted ("true" to enable)