feat(webapp): Directory Sync (SCIM) for Identity & Access #4148

Open: 0ski wants to merge 1 commit into main from oskar/feat-directory-sync

@0ski 0ski commented Jul 3, 2026

Collaborator

Extend the SSO plugin contract for directory sync and apply membership effects
from the accounts webhook worker: provision users in mapped groups (role from
group mapping, else the org default role), deprovision on removal, and keep a
sticky-removal tombstone so JIT never silently re-adds a removed user. JIT and
Directory Sync coexist; roles default to Developer (the JIT default-role picker
has no 'None'). Changing a group's role in the dashboard re-applies it to that
group's current members immediately. The Directory Sync settings section
(group→role mapping, external-domain + manual-membership policy, deferred Save)
appears once a domain is verified — independent of SSO — gated by the hasSso
flag. The settings page polls the whole page while entitled with override-aware
drafts so in-progress edits are never clobbered.

changeset-bot Bot commented Jul 3, 2026

🦋 Changeset detected

Latest commit: eae6a92

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 28 packages
| Name | Type |
| --- | --- |
| @trigger.dev/plugins | Patch |
| @trigger.dev/rbac | Patch |
| @trigger.dev/sso | Patch |
| @trigger.dev/build | Patch |
| @trigger.dev/core | Patch |
| @trigger.dev/python | Patch |
| @trigger.dev/react-hooks | Patch |
| @trigger.dev/redis-worker | Patch |
| @trigger.dev/rsc | Patch |
| @trigger.dev/schema-to-json | Patch |
| @trigger.dev/sdk | Patch |
| @trigger.dev/database | Patch |
| @trigger.dev/otlp-importer | Patch |
| trigger.dev | Patch |
| @internal/dashboard-agent | Patch |
| @internal/cache | Patch |
| @internal/clickhouse | Patch |
| @internal/llm-model-catalog | Patch |
| @internal/redis | Patch |
| @internal/replication | Patch |
| @internal/run-engine | Patch |
| @internal/run-store | Patch |
| @internal/schedule-engine | Patch |
| @internal/testcontainers | Patch |
| @internal/tracing | Patch |
| @internal/tsql | Patch |
| @internal/zod-worker | Patch |
| @internal/sdk-compat-tests | Patch |

coderabbitai Bot commented Jul 3, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

This PR adds WorkOS Directory Sync (SCIM) support to the SSO plugin contract and webapp. New directory sync types and controller methods are added, fallback and lazy controller implementations are extended, and webhook processing now returns host membership effects. The webapp applies those effects, blocks manual membership changes when directory-managed membership is enforced, and adds Directory Sync configuration controls to the SSO settings page.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The description summarizes the change but misses the required template sections, including Closes #, checklist, testing, changelog, and screenshots. | Rewrite the PR description to match the template and add the missing issue reference, checklist items, testing steps, changelog, and screenshots sections. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The title is concise and accurately captures the main change: adding Directory Sync support for Identity & Access. |
@0ski 0ski force-pushed the oskar/feat-directory-sync branch from 4a57f15 to 3cba6af Compare July 3, 2026 16:06
@0ski 0ski marked this pull request as ready for review July 3, 2026 16:06
pkg-pr-new Bot commented Jul 3, 2026

@trigger.dev/build

npm i https://pkg.pr.new/@trigger.dev/build@eae6a92

trigger.dev

npm i https://pkg.pr.new/trigger.dev@eae6a92

@trigger.dev/core

npm i https://pkg.pr.new/@trigger.dev/core@eae6a92

@trigger.dev/python

npm i https://pkg.pr.new/@trigger.dev/python@eae6a92

@trigger.dev/react-hooks

npm i https://pkg.pr.new/@trigger.dev/react-hooks@eae6a92

@trigger.dev/redis-worker

npm i https://pkg.pr.new/@trigger.dev/redis-worker@eae6a92

@trigger.dev/rsc

npm i https://pkg.pr.new/@trigger.dev/rsc@eae6a92

@trigger.dev/schema-to-json

npm i https://pkg.pr.new/@trigger.dev/schema-to-json@eae6a92

@trigger.dev/sdk

npm i https://pkg.pr.new/@trigger.dev/sdk@eae6a92

commit: eae6a92

devin-ai-integration[bot]

This comment was marked as resolved.

coderabbitai[bot]

This comment was marked as resolved.

@0ski 0ski force-pushed the oskar/feat-directory-sync branch from 3cba6af to 0043359 Compare July 3, 2026 16:24
devin-ai-integration[bot]

This comment was marked as resolved.

coderabbitai[bot]

This comment was marked as resolved.

@0ski 0ski force-pushed the oskar/feat-directory-sync branch from 0043359 to c485cab Compare July 3, 2026 16:31
devin-ai-integration[bot]

This comment was marked as resolved.

@0ski 0ski force-pushed the oskar/feat-directory-sync branch 3 times, most recently from 3571991 to 99c84ab Compare July 3, 2026 16:52
coderabbitai[bot]

This comment was marked as resolved.

@0ski 0ski force-pushed the oskar/feat-directory-sync branch from 99c84ab to 395c60b Compare July 3, 2026 17:29
@0ski 0ski changed the title from "feat(webapp): WorkOS Directory Sync (SCIM) for Identity & Access" to "feat(webapp): Directory Sync (SCIM) for Identity & Access" Jul 3, 2026
@0ski 0ski force-pushed the oskar/feat-directory-sync branch from 395c60b to eae6a92 Compare July 3, 2026 17:56
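
The provisioning rules in the PR description (role from the group mapping, else the org default; deprovision on removal; a sticky tombstone that JIT respects), sketched as an added example that is not code from this PR. All type and function names are hypothetical, and two behaviours the description does not specify are assumed: a user is deprovisioned only after leaving their last directory group, and an explicit directory re-add lifts the tombstone.

```typescript
// Added illustration: every name and shape here is hypothetical,
// not the trigger.dev SSO plugin contract.
type Role = string;
type DirectoryEvent = { kind: "added" | "removed"; userId: string; groupId: string };

interface OrgState {
  defaultRole: Role;                  // org default role ("Developer" in the PR text)
  groupRoles: Map<string, Role>;      // group -> role mapping from the settings page
  members: Map<string, Role>;         // userId -> current role
  groupsOf: Map<string, Set<string>>; // userId -> directory groups the user is in
  tombstones: Set<string>;            // users deprovisioned by directory sync
}

function newOrg(defaultRole: Role, groupRoles: [string, Role][]): OrgState {
  return { defaultRole, groupRoles: new Map(groupRoles), members: new Map(),
           groupsOf: new Map(), tombstones: new Set() };
}

// Apply one directory membership event to the org.
function applyDirectoryEvent(org: OrgState, ev: DirectoryEvent): void {
  const groups = org.groupsOf.get(ev.userId) ?? new Set<string>();
  org.groupsOf.set(ev.userId, groups);
  if (ev.kind === "added") {
    groups.add(ev.groupId);
    // Assumption: an explicit re-add from the directory lifts the tombstone.
    org.tombstones.delete(ev.userId);
    // Role from the group mapping, else the org default (last event wins here).
    org.members.set(ev.userId, org.groupRoles.get(ev.groupId) ?? org.defaultRole);
    return;
  }
  groups.delete(ev.groupId);
  if (groups.size === 0) {
    // Assumption: deprovision only once the user is in no directory group.
    org.members.delete(ev.userId);
    org.tombstones.add(ev.userId);
  }
}

// JIT provisioning at SSO login: returns the role, or null when refused.
function jitProvision(org: OrgState, userId: string): Role | null {
  const existing = org.members.get(userId);
  if (existing !== undefined) return existing;
  if (org.tombstones.has(userId)) return null; // removed by the directory: stay out
  org.members.set(userId, org.defaultRole);
  return org.defaultRole;
}
```

The case worth testing in any real implementation is the last one: a user removed through the directory who still holds a valid SSO session and logs in again must not regain membership through the JIT path.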