fix: support single-tenant saml record (#9486)

Signed-off-by: Matt Krick <[email protected]>

packages/server/graphql/private/mutations/loginSAML.ts

@@ -16,6 +16,7 @@ import getSignOnURL from '../../public/mutations/helpers/SAMLHelpers/getSignOnUR
 import {SSORelayState} from '../../queries/SAMLIdP'
 import {MutationResolvers} from '../resolverTypes'
 import standardError from '../../../utils/standardError'
+import {isSingleTenantSSO} from '../../../utils/getSAMLURLFromEmail'
 
 const serviceProvider = samlify.ServiceProvider({})
 samlify.setSchemaValidator(samlXMLValidator)
@@ -104,8 +105,10 @@ const loginSAML: MutationResolvers['loginSAML'] = async (
   }
   const ssoDomain = getSSODomainFromEmail(email)
   if (!ssoDomain || !domains.includes(ssoDomain)) {
-    // don't blindly trust the IdP
-    return {error: {message: `${email} does not belong to ${domains.join(', ')}`}}
+    if (!isSingleTenantSSO) {
+      // don't blindly trust the IdP unless there is only 1
+      return {error: {message: `${email} does not belong to ${domains.join(', ')}`}}
+    }
   }
 
   if (newMetadata) {

packages/server/utils/getSAMLURLFromEmail.ts

@@ -4,7 +4,7 @@ import {URL} from 'url'
 import {DataLoaderWorker} from '../graphql/graphql'
 import getKysely from '../postgres/getKysely'
 
-const isSingleTenantSSO =
+export const isSingleTenantSSO =
   process.env.AUTH_INTERNAL_DISABLED === 'true' &&
   process.env.AUTH_GOOGLE_DISABLED === 'true' &&
   process.env.AUTH_MICROSOFT_DISABLED === 'true' &&