chore: move organizatinon sync to runtime configuration (#15431)

Moves the configuration from environment to database backed, to allow configuring organization sync at runtime.
2025-07-09 11:45:56 +00:00 · 2024-11-08 08:44:14 -06:00
parent 7b33ab0dcf
commit 782214bcd8
28 changed files with 883 additions and 280 deletions
--- a/enterprise/coderd/coderd.go
+++ b/enterprise/coderd/coderd.go
@ -287,6 +287,16 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 			r.Delete("/organizations/{organization}/members/roles/{roleName}", api.deleteOrgRole)
 		})

+		r.Group(func(r chi.Router) {
+			r.Use(
+				apiKeyMiddleware,
+			)
+			r.Route("/settings/idpsync/organization", func(r chi.Router) {
+				r.Get("/", api.organizationIDPSyncSettings)
+				r.Patch("/", api.patchOrganizationIDPSyncSettings)
+			})
+		})
+
 		r.Group(func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
--- a/enterprise/coderd/enidpsync/groups.go
+++ b/enterprise/coderd/enidpsync/groups.go
@ -10,7 +10,7 @@ import (
 	"github.com/coder/coder/v2/codersdk"
 )

-func (e EnterpriseIDPSync) GroupSyncEnabled() bool {
+func (e EnterpriseIDPSync) GroupSyncEntitled() bool {
 	return e.entitlements.Enabled(codersdk.FeatureTemplateRBAC)
 }

@ -20,7 +20,7 @@ func (e EnterpriseIDPSync) GroupSyncEnabled() bool {
 // GroupAllowList is implemented here to prevent login by unauthorized users.
 // TODO: GroupAllowList overlaps with the default organization group sync settings.
 func (e EnterpriseIDPSync) ParseGroupClaims(ctx context.Context, mergedClaims jwt.MapClaims) (idpsync.GroupParams, *idpsync.HTTPError) {
-	if !e.GroupSyncEnabled() {
+	if !e.GroupSyncEntitled() {
 		return e.AGPLIDPSync.ParseGroupClaims(ctx, mergedClaims)
 	}

@ -64,7 +64,7 @@ func (e EnterpriseIDPSync) ParseGroupClaims(ctx context.Context, mergedClaims jw
 	}

 	return idpsync.GroupParams{
-		SyncEnabled:  true,
+		SyncEntitled: true,
 		MergedClaims: mergedClaims,
 	}, nil
 }
--- a/enterprise/coderd/enidpsync/groups_test.go
+++ b/enterprise/coderd/enidpsync/groups_test.go
@ -39,7 +39,7 @@ func TestEnterpriseParseGroupClaims(t *testing.T) {
 		params, err := s.ParseGroupClaims(ctx, jwt.MapClaims{})
 		require.Nil(t, err)

-		require.False(t, params.SyncEnabled)
+		require.False(t, params.SyncEntitled)
 	})

 	t.Run("NotInAllowList", func(t *testing.T) {
@ -90,7 +90,7 @@ func TestEnterpriseParseGroupClaims(t *testing.T) {
 		}
 		params, err := s.ParseGroupClaims(ctx, claims)
 		require.Nil(t, err)
-		require.True(t, params.SyncEnabled)
+		require.True(t, params.SyncEntitled)
 		require.Equal(t, claims, params.MergedClaims)
 	})
 }
--- a/enterprise/coderd/enidpsync/organizations.go
+++ b/enterprise/coderd/enidpsync/organizations.go
@ -2,72 +2,39 @@ package enidpsync

 import (
 	"context"
-	"net/http"

 	"github.com/golang-jwt/jwt/v4"
-	"github.com/google/uuid"

-	"cdr.dev/slog"
-	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/idpsync"
-	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/codersdk"
 )

-func (e EnterpriseIDPSync) OrganizationSyncEnabled() bool {
-	return e.entitlements.Enabled(codersdk.FeatureMultipleOrganizations) && e.OrganizationField != ""
+func (e EnterpriseIDPSync) OrganizationSyncEntitled() bool {
+	return e.entitlements.Enabled(codersdk.FeatureMultipleOrganizations)
+}
+
+func (e EnterpriseIDPSync) OrganizationSyncEnabled(ctx context.Context, db database.Store) bool {
+	if !e.OrganizationSyncEntitled() {
+		return false
+	}
+
+	settings, err := e.OrganizationSyncSettings(ctx, db)
+	if err == nil && settings.Field != "" {
+		return true
+	}
+	return false
 }

 func (e EnterpriseIDPSync) ParseOrganizationClaims(ctx context.Context, mergedClaims jwt.MapClaims) (idpsync.OrganizationParams, *idpsync.HTTPError) {
-	if !e.OrganizationSyncEnabled() {
+	if !e.OrganizationSyncEntitled() {
 		// Default to agpl if multi-org is not enabled
 		return e.AGPLIDPSync.ParseOrganizationClaims(ctx, mergedClaims)
 	}

-	// nolint:gocritic // all syncing is done as a system user
-	ctx = dbauthz.AsSystemRestricted(ctx)
-	userOrganizations := make([]uuid.UUID, 0)
-
-	// Pull extra organizations from the claims.
-	if e.OrganizationField != "" {
-		organizationRaw, ok := mergedClaims[e.OrganizationField]
-		if ok {
-			parsedOrganizations, err := idpsync.ParseStringSliceClaim(organizationRaw)
-			if err != nil {
-				return idpsync.OrganizationParams{}, &idpsync.HTTPError{
-					Code:                 http.StatusBadRequest,
-					Msg:                  "Failed to sync organizations from the OIDC claims",
-					Detail:               err.Error(),
-					RenderStaticPage:     false,
-					RenderDetailMarkdown: false,
-				}
-			}
-
-			// Keep track of which claims are not mapped for debugging purposes.
-			var ignored []string
-			for _, parsedOrg := range parsedOrganizations {
-				if mappedOrganization, ok := e.OrganizationMapping[parsedOrg]; ok {
-					// parsedOrg is in the mapping, so add the mapped organizations to the
-					// user's organizations.
-					userOrganizations = append(userOrganizations, mappedOrganization...)
-				} else {
-					ignored = append(ignored, parsedOrg)
-				}
-			}
-
-			e.Logger.Debug(ctx, "parsed organizations from claim",
-				slog.F("len", len(parsedOrganizations)),
-				slog.F("ignored", ignored),
-				slog.F("organizations", parsedOrganizations),
-			)
-		}
-	}
-
 	return idpsync.OrganizationParams{
-		// If the field is not set, then sync is not enabled.
-		SyncEnabled:    e.OrganizationField != "",
-		IncludeDefault: e.OrganizationAssignDefault,
-		// Do not return duplicates
-		Organizations: slice.Unique(userOrganizations),
+		// Return true if entitled
+		SyncEntitled: true,
+		MergedClaims: mergedClaims,
 	}, nil
 }
--- a/enterprise/coderd/enidpsync/organizations_test.go
+++ b/enterprise/coderd/enidpsync/organizations_test.go
@ -34,17 +34,19 @@ type Expectations struct {
 	Name   string
 	Claims jwt.MapClaims
 	// Parse
-	ParseError     func(t *testing.T, httpErr *idpsync.HTTPError)
-	ExpectedParams idpsync.OrganizationParams
+	ParseError      func(t *testing.T, httpErr *idpsync.HTTPError)
+	ExpectedParams  idpsync.OrganizationParams
+	ExpectedEnabled bool
 	// Mutate allows mutating the user before syncing
 	Mutate func(t *testing.T, db database.Store, user database.User)
 	Sync   ExpectedUser
 }

 type OrganizationSyncTestCase struct {
-	Settings     idpsync.DeploymentSyncSettings
-	Entitlements *entitlements.Set
-	Exps         []Expectations
+	Settings        idpsync.DeploymentSyncSettings
+	RuntimeSettings *idpsync.OrganizationSyncSettings
+	Entitlements    *entitlements.Set
+	Exps            []Expectations
 }

 func TestOrganizationSync(t *testing.T) {
@ -100,10 +102,9 @@ func TestOrganizationSync(t *testing.T) {
 							Name:   "NoOrganizations",
 							Claims: jwt.MapClaims{},
 							ExpectedParams: idpsync.OrganizationParams{
-								SyncEnabled:    false,
-								IncludeDefault: true,
-								Organizations:  []uuid.UUID{},
+								SyncEntitled: true,
 							},
+							ExpectedEnabled: false,
 							Sync: ExpectedUser{
 								Organizations: []uuid.UUID{},
 							},
@ -112,10 +113,9 @@ func TestOrganizationSync(t *testing.T) {
 							Name:   "AlreadyInOrgs",
 							Claims: jwt.MapClaims{},
 							ExpectedParams: idpsync.OrganizationParams{
-								SyncEnabled:    false,
-								IncludeDefault: true,
-								Organizations:  []uuid.UUID{},
+								SyncEntitled: true,
 							},
+							ExpectedEnabled: false,
 							Mutate: func(t *testing.T, db database.Store, user database.User) {
 								dbgen.OrganizationMember(t, db, database.OrganizationMember{
 									UserID:         user.ID,
@ -157,10 +157,9 @@ func TestOrganizationSync(t *testing.T) {
 							Name:   "NoOrganizations",
 							Claims: jwt.MapClaims{},
 							ExpectedParams: idpsync.OrganizationParams{
-								SyncEnabled:    true,
-								IncludeDefault: true,
-								Organizations:  []uuid.UUID{},
+								SyncEntitled: true,
 							},
+							ExpectedEnabled: true,
 							Sync: ExpectedUser{
 								Organizations: []uuid.UUID{def.ID},
 							},
@ -171,10 +170,9 @@ func TestOrganizationSync(t *testing.T) {
 								"organizations": []string{"second", "extra"},
 							},
 							ExpectedParams: idpsync.OrganizationParams{
-								SyncEnabled:    true,
-								IncludeDefault: true,
-								Organizations:  []uuid.UUID{two.ID},
+								SyncEntitled: true,
 							},
+							ExpectedEnabled: true,
 							Mutate: func(t *testing.T, db database.Store, user database.User) {
 								dbgen.OrganizationMember(t, db, database.OrganizationMember{
 									UserID:         user.ID,
@ -196,12 +194,9 @@ func TestOrganizationSync(t *testing.T) {
 								"organizations": []string{"second", "extra", "first", "third", "second", "second"},
 							},
 							ExpectedParams: idpsync.OrganizationParams{
-								SyncEnabled:    true,
-								IncludeDefault: true,
-								Organizations: []uuid.UUID{
-									two.ID, one.ID, three.ID,
-								},
+								SyncEntitled: true,
 							},
+							ExpectedEnabled: true,
 							Mutate: func(t *testing.T, db database.Store, user database.User) {
 								dbgen.OrganizationMember(t, db, database.OrganizationMember{
 									UserID:         user.ID,
@ -220,6 +215,72 @@ func TestOrganizationSync(t *testing.T) {
 				}
 			},
 		},
+		{
+			Name: "DynamicSettings",
+			Case: func(t *testing.T, db database.Store) OrganizationSyncTestCase {
+				def, _ := db.GetDefaultOrganization(context.Background())
+				one := dbgen.Organization(t, db, database.Organization{})
+				two := dbgen.Organization(t, db, database.Organization{})
+				three := dbgen.Organization(t, db, database.Organization{})
+				return OrganizationSyncTestCase{
+					Entitlements: entitled,
+					Settings: idpsync.DeploymentSyncSettings{
+						OrganizationField: "organizations",
+						OrganizationMapping: map[string][]uuid.UUID{
+							"first":  {one.ID},
+							"second": {two.ID},
+							"third":  {three.ID},
+						},
+						OrganizationAssignDefault: true,
+					},
+					// Override
+					RuntimeSettings: &idpsync.OrganizationSyncSettings{
+						Field: "dynamic",
+						Mapping: map[string][]uuid.UUID{
+							"third": {three.ID},
+						},
+						AssignDefault: false,
+					},
+					Exps: []Expectations{
+						{
+							Name:   "NoOrganizations",
+							Claims: jwt.MapClaims{},
+							ExpectedParams: idpsync.OrganizationParams{
+								SyncEntitled: true,
+							},
+							ExpectedEnabled: true,
+							Sync: ExpectedUser{
+								Organizations: []uuid.UUID{},
+							},
+						},
+						{
+							Name: "AlreadyInOrgs",
+							Claims: jwt.MapClaims{
+								"organizations": []string{"second", "extra"},
+								"dynamic":       []string{"third"},
+							},
+							ExpectedParams: idpsync.OrganizationParams{
+								SyncEntitled: true,
+							},
+							ExpectedEnabled: true,
+							Mutate: func(t *testing.T, db database.Store, user database.User) {
+								dbgen.OrganizationMember(t, db, database.OrganizationMember{
+									UserID:         user.ID,
+									OrganizationID: def.ID,
+								})
+								dbgen.OrganizationMember(t, db, database.OrganizationMember{
+									UserID:         user.ID,
+									OrganizationID: one.ID,
+								})
+							},
+							Sync: ExpectedUser{
+								Organizations: []uuid.UUID{three.ID},
+							},
+						},
+					},
+				}
+			},
+		},
 	}

 	for _, tc := range testCases {
@ -238,6 +299,11 @@ func TestOrganizationSync(t *testing.T) {

 			// Create a new sync object
 			sync := enidpsync.NewSync(logger, runtimeconfig.NewManager(), caseData.Entitlements, caseData.Settings)
+			if caseData.RuntimeSettings != nil {
+				err := sync.UpdateOrganizationSettings(ctx, rdb, *caseData.RuntimeSettings)
+				require.NoError(t, err)
+			}
+
 			for _, exp := range caseData.Exps {
 				t.Run(exp.Name, func(t *testing.T) {
 					params, httpErr := sync.ParseOrganizationClaims(ctx, exp.Claims)
@ -247,12 +313,8 @@ func TestOrganizationSync(t *testing.T) {
 					}
 					require.Nil(t, httpErr, "no parse error")

-					require.Equal(t, exp.ExpectedParams.SyncEnabled, params.SyncEnabled, "match enabled")
-					require.Equal(t, exp.ExpectedParams.IncludeDefault, params.IncludeDefault, "match include default")
-					if exp.ExpectedParams.Organizations == nil {
-						exp.ExpectedParams.Organizations = []uuid.UUID{}
-					}
-					require.ElementsMatch(t, exp.ExpectedParams.Organizations, params.Organizations, "match organizations")
+					require.Equal(t, exp.ExpectedParams.SyncEntitled, params.SyncEntitled, "match enabled")
+					require.Equal(t, exp.ExpectedEnabled, sync.OrganizationSyncEnabled(context.Background(), rdb))

 					user := dbgen.User(t, db, database.User{})
 					if exp.Mutate != nil {
--- a/enterprise/coderd/idpsync.go
+++ b/enterprise/coderd/idpsync.go
@ -44,8 +44,10 @@ func (api *API) groupIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
 // @ID update-group-idp-sync-settings-by-organization
 // @Security CoderSessionToken
 // @Produce json
+// @Accept json
 // @Tags Enterprise
 // @Param organization path string true "Organization ID" format(uuid)
+// @Param request body codersdk.GroupSyncSettings true "New settings"
 // @Success 200 {object} codersdk.GroupSyncSettings
 // @Router /organizations/{organization}/settings/idpsync/groups [patch]
 func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
@ -57,7 +59,7 @@ func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Reques
 		return
 	}

-	var req idpsync.GroupSyncSettings
+	var req codersdk.GroupSyncSettings
 	if !httpapi.Read(ctx, rw, r, &req) {
 		return
 	}
@ -78,7 +80,13 @@ func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Reques

 	//nolint:gocritic // Requires system context to update runtime config
 	sysCtx := dbauthz.AsSystemRestricted(ctx)
-	err := api.IDPSync.UpdateGroupSettings(sysCtx, org.ID, api.Database, req)
+	err := api.IDPSync.UpdateGroupSettings(sysCtx, org.ID, api.Database, idpsync.GroupSyncSettings{
+		Field:             req.Field,
+		Mapping:           req.Mapping,
+		RegexFilter:       req.RegexFilter,
+		AutoCreateMissing: req.AutoCreateMissing,
+		LegacyNameMapping: req.LegacyNameMapping,
+	})
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
 		return
@ -90,7 +98,13 @@ func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Reques
 		return
 	}

-	httpapi.Write(ctx, rw, http.StatusOK, settings)
+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.GroupSyncSettings{
+		Field:             settings.Field,
+		Mapping:           settings.Mapping,
+		RegexFilter:       settings.RegexFilter,
+		AutoCreateMissing: settings.AutoCreateMissing,
+		LegacyNameMapping: settings.LegacyNameMapping,
+	})
 }

 // @Summary Get role IdP Sync settings by organization
@ -125,8 +139,10 @@ func (api *API) roleIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
 // @ID update-role-idp-sync-settings-by-organization
 // @Security CoderSessionToken
 // @Produce json
+// @Accept json
 // @Tags Enterprise
 // @Param organization path string true "Organization ID" format(uuid)
+// @Param request body codersdk.RoleSyncSettings true "New settings"
 // @Success 200 {object} codersdk.RoleSyncSettings
 // @Router /organizations/{organization}/settings/idpsync/roles [patch]
 func (api *API) patchRoleIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
@ -138,14 +154,17 @@ func (api *API) patchRoleIDPSyncSettings(rw http.ResponseWriter, r *http.Request
 		return
 	}

-	var req idpsync.RoleSyncSettings
+	var req codersdk.RoleSyncSettings
 	if !httpapi.Read(ctx, rw, r, &req) {
 		return
 	}

 	//nolint:gocritic // Requires system context to update runtime config
 	sysCtx := dbauthz.AsSystemRestricted(ctx)
-	err := api.IDPSync.UpdateRoleSettings(sysCtx, org.ID, api.Database, req)
+	err := api.IDPSync.UpdateRoleSettings(sysCtx, org.ID, api.Database, idpsync.RoleSyncSettings{
+		Field:   req.Field,
+		Mapping: req.Mapping,
+	})
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
 		return
@ -157,5 +176,82 @@ func (api *API) patchRoleIDPSyncSettings(rw http.ResponseWriter, r *http.Request
 		return
 	}

+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.RoleSyncSettings{
+		Field:   settings.Field,
+		Mapping: settings.Mapping,
+	})
+}
+
+// @Summary Get organization IdP Sync settings
+// @ID get-organization-idp-sync-settings
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Success 200 {object} codersdk.OrganizationSyncSettings
+// @Router /settings/idpsync/organization [get]
+func (api *API) organizationIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceIdpsyncSettings) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	//nolint:gocritic // Requires system context to read runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	settings, err := api.IDPSync.OrganizationSyncSettings(sysCtx, api.Database)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
 	httpapi.Write(ctx, rw, http.StatusOK, settings)
 }
+
+// @Summary Update organization IdP Sync settings
+// @ID update-organization-idp-sync-settings
+// @Security CoderSessionToken
+// @Produce json
+// @Accept json
+// @Tags Enterprise
+// @Success 200 {object} codersdk.OrganizationSyncSettings
+// @Param request body codersdk.OrganizationSyncSettings true "New settings"
+// @Router /settings/idpsync/organization [patch]
+func (api *API) patchOrganizationIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceIdpsyncSettings) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	var req codersdk.OrganizationSyncSettings
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	//nolint:gocritic // Requires system context to update runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	err := api.IDPSync.UpdateOrganizationSettings(sysCtx, api.Database, idpsync.OrganizationSyncSettings{
+		Field: req.Field,
+		// We do not check if the mappings point to actual organizations.
+		Mapping:       req.Mapping,
+		AssignDefault: req.AssignDefault,
+	})
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	settings, err := api.IDPSync.OrganizationSyncSettings(sysCtx, api.Database)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.OrganizationSyncSettings{
+		Field:         settings.Field,
+		Mapping:       settings.Mapping,
+		AssignDefault: settings.AssignDefault,
+	})
+}
--- a/enterprise/coderd/scim.go
+++ b/enterprise/coderd/scim.go
@ -281,7 +281,13 @@ func (api *API) scimPostUser(rw http.ResponseWriter, r *http.Request) {
 	// the default org, regardless if sync is enabled or not.
 	// This is to preserve single org deployment behavior.
 	organizations := []uuid.UUID{}
-	if api.IDPSync.AssignDefaultOrganization() {
+	//nolint:gocritic // SCIM operations are a system user
+	orgSync, err := api.IDPSync.OrganizationSyncSettings(dbauthz.AsSystemRestricted(ctx), api.Database)
+	if err != nil {
+		_ = handlerutil.WriteError(rw, xerrors.Errorf("failed to get organization sync settings: %w", err))
+		return
+	}
+	if orgSync.AssignDefault {
 		//nolint:gocritic // SCIM operations are a system user
 		defaultOrganization, err := api.Database.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))
 		if err != nil {
--- a/enterprise/coderd/userauth_test.go
+++ b/enterprise/coderd/userauth_test.go
@ -102,70 +102,89 @@ func TestUserOIDC(t *testing.T) {
 		t.Run("MultiOrgWithDefault", func(t *testing.T) {
 			t.Parallel()

-			// Chicken and egg problem. Config is at startup, but orgs are
-			// created at runtime. We should add a runtime configuration of
-			// this.
-			second := uuid.New()
-			third := uuid.New()
-
 			// Given: 4 organizations: default, second, third, and fourth
 			runner := setupOIDCTest(t, oidcTestConfig{
 				Config: func(cfg *coderd.OIDCConfig) {
 					cfg.AllowSignups = true
 				},
 				DeploymentValues: func(dv *codersdk.DeploymentValues) {
-					dv.OIDC.OrganizationAssignDefault = true
+					// Will be overwritten by dynamic value
+					dv.OIDC.OrganizationAssignDefault = false
 					dv.OIDC.OrganizationField = "organization"
 					dv.OIDC.OrganizationMapping = serpent.Struct[map[string][]uuid.UUID]{
-						Value: map[string][]uuid.UUID{
-							"second": {second},
-							"third":  {third},
-						},
+						Value: map[string][]uuid.UUID{},
 					}
 				},
 			})
-			dbgen.Organization(t, runner.API.Database, database.Organization{
-				ID: second,
-			})
-			dbgen.Organization(t, runner.API.Database, database.Organization{
-				ID: third,
-			})
-			fourth := dbgen.Organization(t, runner.API.Database, database.Organization{})

 			ctx := testutil.Context(t, testutil.WaitMedium)
+			orgOne, err := runner.AdminClient.CreateOrganization(ctx, codersdk.CreateOrganizationRequest{
+				Name:        "one",
+				DisplayName: "One",
+				Description: "",
+				Icon:        "",
+			})
+			require.NoError(t, err)
+
+			orgTwo, err := runner.AdminClient.CreateOrganization(ctx, codersdk.CreateOrganizationRequest{
+				Name:        "two",
+				DisplayName: "two",
+				Description: "",
+				Icon:        "",
+			})
+			require.NoError(t, err)
+
+			orgThree, err := runner.AdminClient.CreateOrganization(ctx, codersdk.CreateOrganizationRequest{
+				Name:        "three",
+				DisplayName: "three",
+			})
+			require.NoError(t, err)
+
+			expectedSettings := codersdk.OrganizationSyncSettings{
+				Field: "organization",
+				Mapping: map[string][]uuid.UUID{
+					"first":  {orgOne.ID},
+					"second": {orgTwo.ID},
+				},
+				AssignDefault: true,
+			}
+			settings, err := runner.AdminClient.PatchOrganizationIDPSyncSettings(ctx, expectedSettings)
+			require.NoError(t, err)
+			require.Equal(t, expectedSettings.Field, settings.Field)
+
 			claims := jwt.MapClaims{
 				"email":        "alice@coder.com",
-				"organization": []string{"second", "third"},
+				"organization": []string{"first", "second"},
 			}

 			// Then: a new user logs in with claims "second" and "third", they
 			// should belong to [default, second, third].
 			userClient, resp := runner.Login(t, claims)
 			require.Equal(t, http.StatusOK, resp.StatusCode)
-			runner.AssertOrganizations(t, "alice", true, []uuid.UUID{second, third})
+			runner.AssertOrganizations(t, "alice", true, []uuid.UUID{orgOne.ID, orgTwo.ID})
 			user, err := userClient.User(ctx, codersdk.Me)
 			require.NoError(t, err)

 			// When: they are manually added to the fourth organization, a new sync
 			// should remove them.
-			_, err = runner.AdminClient.PostOrganizationMember(ctx, fourth.ID, "alice")
+			_, err = runner.AdminClient.PostOrganizationMember(ctx, orgThree.ID, "alice")
 			require.ErrorContains(t, err, "Organization sync is enabled")

-			runner.AssertOrganizations(t, "alice", true, []uuid.UUID{second, third})
+			runner.AssertOrganizations(t, "alice", true, []uuid.UUID{orgOne.ID, orgTwo.ID})
 			// Go around the block to add the user to see if they are removed.
 			dbgen.OrganizationMember(t, runner.API.Database, database.OrganizationMember{
 				UserID:         user.ID,
-				OrganizationID: fourth.ID,
+				OrganizationID: orgThree.ID,
 			})
-			runner.AssertOrganizations(t, "alice", true, []uuid.UUID{second, third, fourth.ID})
+			runner.AssertOrganizations(t, "alice", true, []uuid.UUID{orgOne.ID, orgTwo.ID, orgThree.ID})

 			// Then: Log in again will resync the orgs to their updated
 			// claims.
 			runner.Login(t, jwt.MapClaims{
 				"email":        "alice@coder.com",
-				"organization": []string{"third"},
+				"organization": []string{"second"},
 			})
-			runner.AssertOrganizations(t, "alice", true, []uuid.UUID{third})
+			runner.AssertOrganizations(t, "alice", true, []uuid.UUID{orgTwo.ID})
 		})

 		t.Run("MultiOrgWithoutDefault", func(t *testing.T) {