fix: clarify IdP validation messages across policy flows

fix: allow default IdP validation in global mode policies
Initial plan
2026-06-17 04:47:11 +00:00 · 2026-06-16 23:46:51 +00:00 · 2026-06-16 23:43:36 +00:00 · 2026-06-16 23:39:01 +00:00
3 changed files with 66 additions and 16 deletions
--- a/server/lib/blueprints/resourcePolicies.ts
+++ b/server/lib/blueprints/resourcePolicies.ts
@@ -74,20 +74,33 @@ export async function updateResourcePolicies(
            const [provider] = await trx
                .select()
                .from(idp)
-                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
-                .where(
-                    and(
-                        eq(idp.idpId, policyData["auto-login-idp"]),
-                        eq(idpOrg.orgId, orgId)
-                    )
-                )
+                .where(eq(idp.idpId, policyData["auto-login-idp"]))
                .limit(1);

            if (!provider) {
                throw new Error(
-                    `Identity provider not found for policy '${policyNiceId}' in this organization`
+                    `Identity provider not found for policy '${policyNiceId}'`
                );
            }
+
+            if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+                const [providerOrg] = await trx
+                    .select()
+                    .from(idpOrg)
+                    .where(
+                        and(
+                            eq(idpOrg.idpId, policyData["auto-login-idp"]),
+                            eq(idpOrg.orgId, orgId)
+                        )
+                    )
+                    .limit(1);
+
+                if (!providerOrg) {
+                    throw new Error(
+                        `Identity provider not found for policy '${policyNiceId}' in this organization`
+                    );
+                }
+            }
        }

        // Look up the admin role
--- a/server/private/routers/policy/createResourcePolicy.ts
+++ b/server/private/routers/policy/createResourcePolicy.ts
@@ -207,18 +207,39 @@ export async function createResourcePolicy(
            const [provider] = await db
                .select()
                .from(idp)
-                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
-                .where(and(eq(idp.idpId, skipToIdpId), eq(idpOrg.orgId, orgId)))
+                .where(eq(idp.idpId, skipToIdpId))
                .limit(1);

            if (!provider) {
                return next(
                    createHttpError(
                        HttpCode.INTERNAL_SERVER_ERROR,
-                        "Identity provider not found in this organization"
+                        "Identity provider not found"
                    )
                );
            }
+
+            if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+                const [providerOrg] = await db
+                    .select()
+                    .from(idpOrg)
+                    .where(
+                        and(
+                            eq(idpOrg.idpId, skipToIdpId),
+                            eq(idpOrg.orgId, orgId)
+                        )
+                    )
+                    .limit(1);
+
+                if (!providerOrg) {
+                    return next(
+                        createHttpError(
+                            HttpCode.INTERNAL_SERVER_ERROR,
+                            "Identity provider not found in this organization"
+                        )
+                    );
+                }
+            }
        }

        const adminRole = await db
--- a/server/routers/policy/setResourcePolicyAccessControl.ts
+++ b/server/routers/policy/setResourcePolicyAccessControl.ts
@@ -107,20 +107,36 @@ export async function setResourcePolicyAccessControl(
            const [provider] = await db
                .select()
                .from(idp)
-                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
-                .where(
-                    and(eq(idp.idpId, idpId), eq(idpOrg.orgId, policy.orgId))
-                )
+                .where(eq(idp.idpId, idpId))
                .limit(1);

            if (!provider) {
                return next(
                    createHttpError(
                        HttpCode.INTERNAL_SERVER_ERROR,
-                        "Identity provider not found in this organization"
+                        "Identity provider not found"
                    )
                );
            }
+
+            if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+                const [providerOrg] = await db
+                    .select()
+                    .from(idpOrg)
+                    .where(
+                        and(eq(idpOrg.idpId, idpId), eq(idpOrg.orgId, policy.orgId))
+                    )
+                    .limit(1);
+
+                if (!providerOrg) {
+                    return next(
+                        createHttpError(
+                            HttpCode.INTERNAL_SERVER_ERROR,
+                            "Identity provider not found in this organization"
+                        )
+                    );
+                }
+            }
        }

        // Check if any of the roleIds are admin roles
Author	SHA1	Message	Date
copilot-swe-agent[bot]	3b68139873	fix: clarify IdP validation messages across policy flows	2026-06-16 23:46:51 +00:00
copilot-swe-agent[bot]	ad1c8113ea	fix: allow default IdP validation in global mode policies	2026-06-16 23:43:36 +00:00
copilot-swe-agent[bot]	fec0fea766	Initial plan	2026-06-16 23:39:01 +00:00