Merge pull request #2010 from Infisical/misc/add-documentation-for-bitbucket-cli-integration

doc: added bitbucket integration with cli
rename bit bucket options
2025-04-02 14:38:48 +00:00 · 2024-06-25 16:33:07 -04:00 · 2024-06-25 16:31:56 -04:00 · 2024-06-25 15:55:04 -04:00 · 2024-06-25 15:47:55 -04:00 · 2024-06-26 01:21:14 +08:00
63 changed files with 1559 additions and 240 deletions
--- a/backend/src/db/migrations/20240624172027_default-saml-ldap-org.ts
+++ b/backend/src/db/migrations/20240624172027_default-saml-ldap-org.ts
@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+const DEFAULT_AUTH_ORG_ID_FIELD = "defaultAuthOrgId";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasDefaultOrgColumn = await knex.schema.hasColumn(TableName.SuperAdmin, DEFAULT_AUTH_ORG_ID_FIELD);
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (!hasDefaultOrgColumn) {
+      t.uuid(DEFAULT_AUTH_ORG_ID_FIELD).nullable();
+      t.foreign(DEFAULT_AUTH_ORG_ID_FIELD).references("id").inTable(TableName.Organization).onDelete("SET NULL");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasDefaultOrgColumn = await knex.schema.hasColumn(TableName.SuperAdmin, DEFAULT_AUTH_ORG_ID_FIELD);
+
+  await knex.schema.alterTable(TableName.SuperAdmin, (t) => {
+    if (hasDefaultOrgColumn) {
+      t.dropForeign([DEFAULT_AUTH_ORG_ID_FIELD]);
+      t.dropColumn(DEFAULT_AUTH_ORG_ID_FIELD);
+    }
+  });
+}
--- a/backend/src/db/migrations/20240624221840_certificate-alt-names.ts
+++ b/backend/src/db/migrations/20240624221840_certificate-alt-names.ts
--- a/backend/src/db/schemas/super-admin.ts
+++ b/backend/src/db/schemas/super-admin.ts
@ -17,7 +17,8 @@ export const SuperAdminSchema = z.object({
  instanceId: z.string().uuid().default("00000000-0000-0000-0000-000000000000"),
  trustSamlEmails: z.boolean().default(false).nullable().optional(),
  trustLdapEmails: z.boolean().default(false).nullable().optional(),
-  trustOidcEmails: z.boolean().default(false).nullable().optional()
+  trustOidcEmails: z.boolean().default(false).nullable().optional(),
+  defaultAuthOrgId: z.string().uuid().nullable().optional()
 });

 export type TSuperAdmin = z.infer<typeof SuperAdminSchema>;
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@ -65,25 +65,31 @@ export enum EventType {
  ADD_IDENTITY_UNIVERSAL_AUTH = "add-identity-universal-auth",
  UPDATE_IDENTITY_UNIVERSAL_AUTH = "update-identity-universal-auth",
  GET_IDENTITY_UNIVERSAL_AUTH = "get-identity-universal-auth",
+  REVOKE_IDENTITY_UNIVERSAL_AUTH = "revoke-identity-universal-auth",
  LOGIN_IDENTITY_KUBERNETES_AUTH = "login-identity-kubernetes-auth",
  ADD_IDENTITY_KUBERNETES_AUTH = "add-identity-kubernetes-auth",
  UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
  GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
+  REVOKE_IDENTITY_KUBERNETES_AUTH = "revoke-identity-kubernetes-auth",
  CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
  REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
+  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID = "get-identity-universal-auth-client-secret-by-id",
  LOGIN_IDENTITY_GCP_AUTH = "login-identity-gcp-auth",
  ADD_IDENTITY_GCP_AUTH = "add-identity-gcp-auth",
  UPDATE_IDENTITY_GCP_AUTH = "update-identity-gcp-auth",
+  REVOKE_IDENTITY_GCP_AUTH = "revoke-identity-gcp-auth",
  GET_IDENTITY_GCP_AUTH = "get-identity-gcp-auth",
  LOGIN_IDENTITY_AWS_AUTH = "login-identity-aws-auth",
  ADD_IDENTITY_AWS_AUTH = "add-identity-aws-auth",
  UPDATE_IDENTITY_AWS_AUTH = "update-identity-aws-auth",
+  REVOKE_IDENTITY_AWS_AUTH = "revoke-identity-aws-auth",
  GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
  LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
  ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
  UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
  GET_IDENTITY_AZURE_AUTH = "get-identity-azure-auth",
+  REVOKE_IDENTITY_AZURE_AUTH = "revoke-identity-azure-auth",
  CREATE_ENVIRONMENT = "create-environment",
  UPDATE_ENVIRONMENT = "update-environment",
  DELETE_ENVIRONMENT = "delete-environment",
@ -434,6 +440,13 @@ interface GetIdentityUniversalAuthEvent {
  };
 }

+interface DeleteIdentityUniversalAuthEvent {
+  type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityKubernetesAuthEvent {
  type: EventType.LOGIN_IDENTITY_KUBERNETES_AUTH;
  metadata: {
@ -457,6 +470,13 @@ interface AddIdentityKubernetesAuthEvent {
  };
 }

+interface DeleteIdentityKubernetesAuthEvent {
+  type: EventType.REVOKE_IDENTITY_KUBERNETES_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityKubernetesAuthEvent {
  type: EventType.UPDATE_IDENTITY_KUBENETES_AUTH;
  metadata: {
@ -493,6 +513,14 @@ interface GetIdentityUniversalAuthClientSecretsEvent {
  };
 }

+interface GetIdentityUniversalAuthClientSecretByIdEvent {
+  type: EventType.GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID;
+  metadata: {
+    identityId: string;
+    clientSecretId: string;
+  };
+}
+
 interface RevokeIdentityUniversalAuthClientSecretEvent {
  type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET;
  metadata: {
@ -525,6 +553,13 @@ interface AddIdentityGcpAuthEvent {
  };
 }

+interface DeleteIdentityGcpAuthEvent {
+  type: EventType.REVOKE_IDENTITY_GCP_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityGcpAuthEvent {
  type: EventType.UPDATE_IDENTITY_GCP_AUTH;
  metadata: {
@ -570,6 +605,13 @@ interface AddIdentityAwsAuthEvent {
  };
 }

+interface DeleteIdentityAwsAuthEvent {
+  type: EventType.REVOKE_IDENTITY_AWS_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityAwsAuthEvent {
  type: EventType.UPDATE_IDENTITY_AWS_AUTH;
  metadata: {
@ -613,6 +655,13 @@ interface AddIdentityAzureAuthEvent {
  };
 }

+interface DeleteIdentityAzureAuthEvent {
+  type: EventType.REVOKE_IDENTITY_AZURE_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface UpdateIdentityAzureAuthEvent {
  type: EventType.UPDATE_IDENTITY_AZURE_AUTH;
  metadata: {
@ -1003,24 +1052,30 @@ export type Event =
  | LoginIdentityUniversalAuthEvent
  | AddIdentityUniversalAuthEvent
  | UpdateIdentityUniversalAuthEvent
+  | DeleteIdentityUniversalAuthEvent
  | GetIdentityUniversalAuthEvent
  | LoginIdentityKubernetesAuthEvent
+  | DeleteIdentityKubernetesAuthEvent
  | AddIdentityKubernetesAuthEvent
  | UpdateIdentityKubernetesAuthEvent
  | GetIdentityKubernetesAuthEvent
  | CreateIdentityUniversalAuthClientSecretEvent
  | GetIdentityUniversalAuthClientSecretsEvent
+  | GetIdentityUniversalAuthClientSecretByIdEvent
  | RevokeIdentityUniversalAuthClientSecretEvent
  | LoginIdentityGcpAuthEvent
  | AddIdentityGcpAuthEvent
+  | DeleteIdentityGcpAuthEvent
  | UpdateIdentityGcpAuthEvent
  | GetIdentityGcpAuthEvent
  | LoginIdentityAwsAuthEvent
  | AddIdentityAwsAuthEvent
  | UpdateIdentityAwsAuthEvent
  | GetIdentityAwsAuthEvent
+  | DeleteIdentityAwsAuthEvent
  | LoginIdentityAzureAuthEvent
  | AddIdentityAzureAuthEvent
+  | DeleteIdentityAzureAuthEvent
  | UpdateIdentityAzureAuthEvent
  | GetIdentityAzureAuthEvent
  | CreateEnvironmentEvent
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@ -23,6 +23,8 @@ import {
 } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
+import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
@ -30,6 +32,7 @@ import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membe
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
 import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
+import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
 import { getServerCfg } from "@app/services/super-admin/super-admin-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { normalizeUsername } from "@app/services/user/user-fns";
@ -84,6 +87,8 @@ type TLdapConfigServiceFactoryDep = {
  userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
+  tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser">;
+  smtpService: Pick<TSmtpService, "sendMail">;
 };

 export type TLdapConfigServiceFactory = ReturnType<typeof ldapConfigServiceFactory>;
@ -103,7 +108,9 @@ export const ldapConfigServiceFactory = ({
  userDAL,
  userAliasDAL,
  permissionService,
-  licenseService
+  licenseService,
+  tokenService,
+  smtpService
 }: TLdapConfigServiceFactoryDep) => {
  const createLdapCfg = async ({
    actor,
@ -494,7 +501,7 @@ export const ldapConfigServiceFactory = ({
        if (!orgMembership) {
          await orgMembershipDAL.create(
            {
-              userId: userAlias.userId,
+              userId: newUser.id,
              inviteEmail: email,
              orgId,
              role: OrgMembershipRole.Member,
@ -627,6 +634,22 @@ export const ldapConfigServiceFactory = ({
      }
    );

+    if (user.email && !user.isEmailVerified) {
+      const token = await tokenService.createTokenForUser({
+        type: TokenType.TOKEN_EMAIL_VERIFICATION,
+        userId: user.id
+      });
+
+      await smtpService.sendMail({
+        template: SmtpTemplates.EmailVerification,
+        subjectLine: "Infisical confirmation code",
+        recipients: [user.email],
+        substitutions: {
+          code: token
+        }
+      });
+    }
+
    return { isUserCompleted, providerAuthToken };
  };

--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@ -42,6 +42,13 @@ export const IDENTITIES = {
  },
  DELETE: {
    identityId: "The ID of the identity to delete."
+  },
+  GET_BY_ID: {
+    identityId: "The ID of the identity to get details.",
+    orgId: "The ID of the org of the identity"
+  },
+  LIST: {
+    orgId: "The ID of the organization to list identities."
  }
 } as const;

@ -65,6 +72,9 @@ export const UNIVERSAL_AUTH = {
  RETRIEVE: {
    identityId: "The ID of the identity to retrieve."
  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  },
  UPDATE: {
    identityId: "The ID of the identity to update.",
    clientSecretTrustedIps: "The new list of IPs or CIDR ranges that the Client Secret can be used from.",
@ -83,6 +93,10 @@ export const UNIVERSAL_AUTH = {
  LIST_CLIENT_SECRETS: {
    identityId: "The ID of the identity to list client secrets for."
  },
+  GET_CLIENT_SECRET: {
+    identityId: "The ID of the identity to get the client secret from.",
+    clientSecretId: "The ID of the client secret to get details."
+  },
  REVOKE_CLIENT_SECRET: {
    identityId: "The ID of the identity to revoke the client secret from.",
    clientSecretId: "The ID of the client secret to revoke."
@ -104,6 +118,27 @@ export const AWS_AUTH = {
    iamRequestBody:
      "The base64-encoded body of the signed request. Most likely, the base64-encoding of Action=GetCallerIdentity&Version=2011-06-15.",
    iamRequestHeaders: "The base64-encoded headers of the sts:GetCallerIdentity signed request."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const AZURE_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const GCP_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
+  }
+} as const;
+
+export const KUBERNETES_AUTH = {
+  REVOKE: {
+    identityId: "The ID of the identity to revoke."
  }
 } as const;

@ -347,6 +382,7 @@ export const RAW_SECRETS = {
    tagIds: "The ID of the tags to be attached to the created secret."
  },
  GET: {
+    expand: "Whether or not to expand secret references",
    secretName: "The name of the secret to get.",
    workspaceId: "The ID of the project to get the secret from.",
    workspaceSlug: "The slug of the project to get the secret from.",
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@ -395,7 +395,9 @@ export const registerRoutes = async (
    userDAL,
    userAliasDAL,
    permissionService,
-    licenseService
+    licenseService,
+    tokenService,
+    smtpService
  });

  const telemetryService = telemetryServiceFactory({
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@ -22,6 +22,7 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          config: SuperAdminSchema.omit({ createdAt: true, updatedAt: true }).extend({
            isMigrationModeOn: z.boolean(),
+            defaultAuthOrgSlug: z.string().nullable(),
            isSecretScanningDisabled: z.boolean()
          })
        })
@ -52,11 +53,14 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
        allowedSignUpDomain: z.string().optional().nullable(),
        trustSamlEmails: z.boolean().optional(),
        trustLdapEmails: z.boolean().optional(),
-        trustOidcEmails: z.boolean().optional()
+        trustOidcEmails: z.boolean().optional(),
+        defaultAuthOrgId: z.string().optional().nullable()
      }),
      response: {
        200: z.object({
-          config: SuperAdminSchema
+          config: SuperAdminSchema.extend({
+            defaultAuthOrgSlug: z.string().nullable()
+          })
        })
      }
    },
--- a/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-aws-iam-auth-router.ts
@ -266,4 +266,51 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
      return { identityAwsAuth };
    }
  });
+
+  server.route({
+    method: "DELETE",
+    url: "/aws-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete AWS Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(AWS_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityAwsAuth: IdentityAwsAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAwsAuth = await server.services.identityAwsAuth.revokeIdentityAwsAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAwsAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_AWS_AUTH,
+          metadata: {
+            identityId: identityAwsAuth.identityId
+          }
+        }
+      });
+
+      return { identityAwsAuth };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/identity-azure-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-azure-auth-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentityAzureAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { AZURE_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -259,4 +260,51 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
      return { identityAzureAuth };
    }
  });
+
+  server.route({
+    method: "DELETE",
+    url: "/azure-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Azure Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(AZURE_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityAzureAuth: IdentityAzureAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityAzureAuth = await server.services.identityAzureAuth.revokeIdentityAzureAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityAzureAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_AZURE_AUTH,
+          metadata: {
+            identityId: identityAzureAuth.identityId
+          }
+        }
+      });
+
+      return { identityAzureAuth };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/identity-gcp-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-gcp-auth-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentityGcpAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { GCP_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -265,4 +266,51 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
      return { identityGcpAuth };
    }
  });
+
+  server.route({
+    method: "DELETE",
+    url: "/gcp-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete GCP Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(GCP_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityGcpAuth: IdentityGcpAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityGcpAuth = await server.services.identityGcpAuth.revokeIdentityGcpAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityGcpAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_GCP_AUTH,
+          metadata: {
+            identityId: identityGcpAuth.identityId
+          }
+        }
+      });
+
+      return { identityGcpAuth };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
@ -2,6 +2,7 @@ import { z } from "zod";

 import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { KUBERNETES_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -280,4 +281,54 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
      return { identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.parse(identityKubernetesAuth) };
    }
  });
+
+  server.route({
+    method: "DELETE",
+    url: "/kubernetes-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Kubernetes Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(KUBERNETES_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityKubernetesAuth: IdentityKubernetesAuthResponseSchema.omit({
+            caCert: true,
+            tokenReviewerJwt: true
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityKubernetesAuth = await server.services.identityKubernetesAuth.revokeIdentityKubernetesAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityKubernetesAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_KUBERNETES_AUTH,
+          metadata: {
+            identityId: identityKubernetesAuth.identityId
+          }
+        }
+      });
+
+      return { identityKubernetesAuth };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@ -1,9 +1,9 @@
 import { z } from "zod";

-import { IdentitiesSchema, OrgMembershipRole } from "@app/db/schemas";
+import { IdentitiesSchema, IdentityOrgMembershipsSchema, OrgMembershipRole, OrgRolesSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { IDENTITIES } from "@app/lib/api-docs";
-import { creationLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@ -170,4 +170,94 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
      return { identity };
    }
  });
+
+  server.route({
+    method: "GET",
+    url: "/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Get an identity by id",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(IDENTITIES.GET_BY_ID.identityId)
+      }),
+      response: {
+        200: z.object({
+          identity: IdentityOrgMembershipsSchema.extend({
+            customRole: OrgRolesSchema.pick({
+              id: true,
+              name: true,
+              slug: true,
+              permissions: true,
+              description: true
+            }).optional(),
+            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identity = await server.services.identity.getIdentityById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.identityId
+      });
+
+      return { identity };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "List identities",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        orgId: z.string().describe(IDENTITIES.LIST.orgId)
+      }),
+      response: {
+        200: z.object({
+          identities: IdentityOrgMembershipsSchema.extend({
+            customRole: OrgRolesSchema.pick({
+              id: true,
+              name: true,
+              slug: true,
+              permissions: true,
+              description: true
+            }).optional(),
+            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+          }).array()
+        })
+      }
+    },
+    handler: async (req) => {
+      const identities = await server.services.identity.listOrgIdentities({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        orgId: req.query.orgId
+      });
+
+      return { identities };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/identity-universal-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-universal-auth-router.ts
@ -134,7 +134,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.attachUa({
+      const identityUniversalAuth = await server.services.identityUa.attachUniversalAuth({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
@ -219,7 +219,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.updateUa({
+      const identityUniversalAuth = await server.services.identityUa.updateUniversalAuth({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorOrgId: req.permission.orgId,
@ -272,7 +272,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const identityUniversalAuth = await server.services.identityUa.getIdentityUa({
+      const identityUniversalAuth = await server.services.identityUa.getIdentityUniversalAuth({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
@ -295,6 +295,53 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "DELETE",
+    url: "/universal-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete Universal Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(UNIVERSAL_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityUniversalAuth: IdentityUniversalAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityUniversalAuth = await server.services.identityUa.revokeIdentityUniversalAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityUniversalAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH,
+          metadata: {
+            identityId: identityUniversalAuth.identityId
+          }
+        }
+      });
+
+      return { identityUniversalAuth };
+    }
+  });
+
  server.route({
    method: "POST",
    url: "/universal-auth/identities/:identityId/client-secrets",
@ -325,14 +372,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const { clientSecret, clientSecretData, orgId } = await server.services.identityUa.createUaClientSecret({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        identityId: req.params.identityId,
-        ...req.body
-      });
+      const { clientSecret, clientSecretData, orgId } =
+        await server.services.identityUa.createUniversalAuthClientSecret({
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          identityId: req.params.identityId,
+          ...req.body
+        });

      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
@ -374,13 +422,15 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const { clientSecrets: clientSecretData, orgId } = await server.services.identityUa.getUaClientSecrets({
-        actor: req.permission.type,
-        actorId: req.permission.id,
-        actorAuthMethod: req.permission.authMethod,
-        actorOrgId: req.permission.orgId,
-        identityId: req.params.identityId
-      });
+      const { clientSecrets: clientSecretData, orgId } = await server.services.identityUa.getUniversalAuthClientSecrets(
+        {
+          actor: req.permission.type,
+          actorId: req.permission.id,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          identityId: req.params.identityId
+        }
+      );

      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
@ -396,6 +446,56 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "GET",
+    url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Get Universal Auth Client Secret for identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(UNIVERSAL_AUTH.GET_CLIENT_SECRET.identityId),
+        clientSecretId: z.string().describe(UNIVERSAL_AUTH.GET_CLIENT_SECRET.clientSecretId)
+      }),
+      response: {
+        200: z.object({
+          clientSecretData: sanitizedClientSecretSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const clientSecretData = await server.services.identityUa.getUniversalAuthClientSecretById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId,
+        clientSecretId: req.params.clientSecretId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: clientSecretData.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET,
+          metadata: {
+            identityId: clientSecretData.identityId,
+            clientSecretId: clientSecretData.id
+          }
+        }
+      });
+
+      return { clientSecretData };
+    }
+  });
+
  server.route({
    method: "POST",
    url: "/universal-auth/identities/:identityId/client-secrets/:clientSecretId/revoke",
@ -421,7 +521,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      }
    },
    handler: async (req) => {
-      const clientSecretData = await server.services.identityUa.revokeUaClientSecret({
+      const clientSecretData = await server.services.identityUa.revokeUniversalAuthClientSecret({
        actor: req.permission.type,
        actorId: req.permission.id,
        actorAuthMethod: req.permission.authMethod,
--- a/backend/src/server/routes/v1/index.ts
+++ b/backend/src/server/routes/v1/index.ts
@ -9,7 +9,7 @@ import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
 import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityRouter } from "./identity-router";
-import { registerIdentityUaRouter } from "./identity-ua";
+import { registerIdentityUaRouter } from "./identity-universal-auth-router";
 import { registerIntegrationAuthRouter } from "./integration-auth-router";
 import { registerIntegrationRouter } from "./integration-router";
 import { registerInviteOrgRouter } from "./invite-org-router";
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@ -300,6 +300,11 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        secretPath: z.string().trim().default("/").transform(removeTrailingSlash).describe(RAW_SECRETS.GET.secretPath),
        version: z.coerce.number().optional().describe(RAW_SECRETS.GET.version),
        type: z.nativeEnum(SecretType).default(SecretType.Shared).describe(RAW_SECRETS.GET.type),
+        expandSecretReferences: z
+          .enum(["true", "false"])
+          .default("false")
+          .transform((value) => value === "true")
+          .describe(RAW_SECRETS.GET.expand),
        include_imports: z
          .enum(["true", "false"])
          .default("false")
@ -344,6 +349,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        actor: req.permission.type,
        actorAuthMethod: req.permission.authMethod,
        actorOrgId: req.permission.orgId,
+        expandSecretReferences: req.query.expandSecretReferences,
        environment,
        projectId: workspaceId,
        projectSlug: workspaceSlug,
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@ -354,9 +354,12 @@ export const authLoginServiceFactory = ({
    // Check if the user actually has access to the specified organization.
    const userOrgs = await orgDAL.findAllOrgsByUserId(user.id);
    const hasOrganizationMembership = userOrgs.some((org) => org.id === organizationId);
+    const selectedOrg = await orgDAL.findById(organizationId);

    if (!hasOrganizationMembership) {
-      throw new UnauthorizedError({ message: "User does not have access to the organization" });
+      throw new UnauthorizedError({
+        message: `User does not have access to the organization named ${selectedOrg?.name}`
+      });
    }

    await tokenDAL.incrementTokenSessionVersion(user.id, decodedToken.tokenVersionId);
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@ -7,11 +7,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";

-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@ -24,12 +25,13 @@ import {
  TGetAwsAuthDTO,
  TGetCallerIdentityResponse,
  TLoginAwsAuthDTO,
+  TRevokeAwsAuthDTO,
  TUpdateAwsAuthDTO
 } from "./identity-aws-auth-types";

 type TIdentityAwsAuthServiceFactoryDep = {
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
-  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
  identityDAL: Pick<TIdentityDALFactory, "updateById">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@ -301,10 +303,54 @@ export const identityAwsAuthServiceFactory = ({
    return { ...awsIdentityAuth, orgId: identityMembershipOrg.orgId };
  };

+  const revokeIdentityAwsAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeAwsAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AWS_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have aws auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke aws auth of identity with more privileged role"
+      });
+
+    const revokedIdentityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
+      const deletedAwsAuth = await identityAwsAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedAwsAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityAwsAuth;
+  };
+
  return {
    login,
    attachAwsAuth,
    updateAwsAuth,
-    getAwsAuth
+    getAwsAuth,
+    revokeIdentityAwsAuth
  };
 };
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-types.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-types.ts
@ -52,3 +52,7 @@ export type TGetCallerIdentityResponse = {
    ResponseMetadata: { RequestId: string };
  };
 };
+
+export type TRevokeAwsAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
@ -5,11 +5,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";

-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@ -20,11 +21,15 @@ import {
  TAttachAzureAuthDTO,
  TGetAzureAuthDTO,
  TLoginAzureAuthDTO,
+  TRevokeAzureAuthDTO,
  TUpdateAzureAuthDTO
 } from "./identity-azure-auth-types";

 type TIdentityAzureAuthServiceFactoryDep = {
-  identityAzureAuthDAL: Pick<TIdentityAzureAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityAzureAuthDAL: Pick<
+    TIdentityAzureAuthDALFactory,
+    "findOne" | "transaction" | "create" | "updateById" | "delete"
+  >;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
  identityDAL: Pick<TIdentityDALFactory, "updateById">;
@ -277,10 +282,54 @@ export const identityAzureAuthServiceFactory = ({
    return { ...identityAzureAuth, orgId: identityMembershipOrg.orgId };
  };

+  const revokeIdentityAzureAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeAzureAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.AZURE_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have azure auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke azure auth of identity with more privileged role"
+      });
+
+    const revokedIdentityAzureAuth = await identityAzureAuthDAL.transaction(async (tx) => {
+      const deletedAzureAuth = await identityAzureAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedAzureAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityAzureAuth;
+  };
+
  return {
    login,
    attachAzureAuth,
    updateAzureAuth,
-    getAzureAuth
+    getAzureAuth,
+    revokeIdentityAzureAuth
  };
 };
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-types.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-types.ts
@ -118,3 +118,7 @@ export type TDecodedAzureAuthJwt = {
    [key: string]: string;
  };
 };
+
+export type TRevokeAzureAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
@ -5,11 +5,12 @@ import { IdentityAuthMethod } from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";

-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@ -21,11 +22,12 @@ import {
  TGcpIdentityDetails,
  TGetGcpAuthDTO,
  TLoginGcpAuthDTO,
+  TRevokeGcpAuthDTO,
  TUpdateGcpAuthDTO
 } from "./identity-gcp-auth-types";

 type TIdentityGcpAuthServiceFactoryDep = {
-  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById">;
+  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
  identityDAL: Pick<TIdentityDALFactory, "updateById">;
@ -315,10 +317,54 @@ export const identityGcpAuthServiceFactory = ({
    return { ...identityGcpAuth, orgId: identityMembershipOrg.orgId };
  };

+  const revokeIdentityGcpAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeGcpAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.GCP_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have gcp auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke gcp auth of identity with more privileged role"
+      });
+
+    const revokedIdentityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
+      const deletedGcpAuth = await identityGcpAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedGcpAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityGcpAuth;
+  };
+
  return {
    login,
    attachGcpAuth,
    updateGcpAuth,
-    getGcpAuth
+    getGcpAuth,
+    revokeIdentityGcpAuth
  };
 };
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-types.ts
@ -76,3 +76,7 @@ export type TDecodedGcpIamAuthJwt = {
    [key: string]: string;
  };
 };
+
+export type TRevokeGcpAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@ -7,6 +7,7 @@ import { IdentityAuthMethod, SecretKeyEncoding, TIdentityKubernetesAuthsUpdate }
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
 import { getConfig } from "@app/lib/config/env";
 import {
  decryptSymmetric,
@ -16,11 +17,11 @@ import {
  infisicalSymmetricDecrypt,
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";

-import { AuthTokenType } from "../auth/auth-type";
+import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "../identity/identity-dal";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
 import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
@ -32,13 +33,14 @@ import {
  TCreateTokenReviewResponse,
  TGetKubernetesAuthDTO,
  TLoginKubernetesAuthDTO,
+  TRevokeKubernetesAuthDTO,
  TUpdateKubernetesAuthDTO
 } from "./identity-kubernetes-auth-types";

 type TIdentityKubernetesAuthServiceFactoryDep = {
  identityKubernetesAuthDAL: Pick<
    TIdentityKubernetesAuthDALFactory,
-    "create" | "findOne" | "transaction" | "updateById"
+    "create" | "findOne" | "transaction" | "updateById" | "delete"
  >;
  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById">;
@ -533,10 +535,54 @@ export const identityKubernetesAuthServiceFactory = ({
    return { ...identityKubernetesAuth, caCert, tokenReviewerJwt, orgId: identityMembershipOrg.orgId };
  };

+  const revokeIdentityKubernetesAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeKubernetesAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.KUBERNETES_AUTH)
+      throw new BadRequestError({
+        message: "The identity does not have kubenetes auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke kubenetes auth of identity with more privileged role"
+      });
+
+    const revokedIdentityKubernetesAuth = await identityKubernetesAuthDAL.transaction(async (tx) => {
+      const deletedKubernetesAuth = await identityKubernetesAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedKubernetesAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityKubernetesAuth;
+  };
+
  return {
    login,
    attachKubernetesAuth,
    updateKubernetesAuth,
-    getKubernetesAuth
+    getKubernetesAuth,
+    revokeIdentityKubernetesAuth
  };
 };
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts
@ -59,3 +59,7 @@ export type TCreateTokenReviewResponse = {
  };
  status: TCreateTokenReviewSuccessResponse | TCreateTokenReviewErrorResponse;
 };
+
+export type TRevokeKubernetesAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/identity-ua/identity-ua-service.ts
+++ b/backend/src/services/identity-ua/identity-ua-service.ts
@ -25,7 +25,9 @@ import {
  TCreateUaClientSecretDTO,
  TGetUaClientSecretsDTO,
  TGetUaDTO,
+  TGetUniversalAuthClientSecretByIdDTO,
  TRevokeUaClientSecretDTO,
+  TRevokeUaDTO,
  TUpdateUaDTO
 } from "./identity-ua-types";

@ -136,7 +138,7 @@ export const identityUaServiceFactory = ({
    return { accessToken, identityUa, validClientSecretInfo, identityAccessToken, identityMembershipOrg };
  };

-  const attachUa = async ({
+  const attachUniversalAuth = async ({
    accessTokenMaxTTL,
    identityId,
    accessTokenNumUsesLimit,
@ -227,7 +229,7 @@ export const identityUaServiceFactory = ({
    return { ...identityUa, orgId: identityMembershipOrg.orgId };
  };

-  const updateUa = async ({
+  const updateUniversalAuth = async ({
    accessTokenMaxTTL,
    identityId,
    accessTokenNumUsesLimit,
@ -312,7 +314,7 @@ export const identityUaServiceFactory = ({
    return { ...updatedUaAuth, orgId: identityMembershipOrg.orgId };
  };

-  const getIdentityUa = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetUaDTO) => {
+  const getIdentityUniversalAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetUaDTO) => {
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
@ -333,7 +335,50 @@ export const identityUaServiceFactory = ({
    return { ...uaIdentityAuth, orgId: identityMembershipOrg.orgId };
  };

-  const createUaClientSecret = async ({
+  const revokeIdentityUniversalAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeUaDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+      throw new BadRequestError({
+        message: "The identity does not have universal auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke universal auth of identity with more privileged role"
+      });
+
+    const revokedIdentityUniversalAuth = await identityUaDAL.transaction(async (tx) => {
+      const deletedUniversalAuth = await identityUaDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedUniversalAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityUniversalAuth;
+  };
+
+  const createUniversalAuthClientSecret = async ({
    actor,
    actorId,
    actorOrgId,
@ -396,7 +441,7 @@ export const identityUaServiceFactory = ({
    };
  };

-  const getUaClientSecrets = async ({
+  const getUniversalAuthClientSecrets = async ({
    actor,
    actorId,
    actorOrgId,
@ -442,7 +487,47 @@ export const identityUaServiceFactory = ({
    return { clientSecrets, orgId: identityMembershipOrg.orgId };
  };

-  const revokeUaClientSecret = async ({
+  const getUniversalAuthClientSecretById = async ({
+    identityId,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod,
+    clientSecretId
+  }: TGetUniversalAuthClientSecretByIdDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new BadRequestError({ message: "Failed to find identity" });
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.Univeral)
+      throw new BadRequestError({
+        message: "The identity does not have universal auth"
+      });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge)
+      throw new ForbiddenRequestError({
+        message: "Failed to read identity client secret of project with more privileged role"
+      });
+
+    const clientSecret = await identityUaClientSecretDAL.findById(clientSecretId);
+    return { ...clientSecret, identityId, orgId: identityMembershipOrg.orgId };
+  };
+
+  const revokeUniversalAuthClientSecret = async ({
    identityId,
    actorId,
    actor,
@ -475,7 +560,7 @@ export const identityUaServiceFactory = ({
    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
    if (!hasPriviledge)
      throw new ForbiddenRequestError({
-        message: "Failed to add identity to project with more privileged role"
+        message: "Failed to revoke identity client secret with more privileged role"
      });

    const clientSecret = await identityUaClientSecretDAL.updateById(clientSecretId, {
@ -486,11 +571,13 @@ export const identityUaServiceFactory = ({

  return {
    login,
-    attachUa,
-    updateUa,
-    getIdentityUa,
-    createUaClientSecret,
-    getUaClientSecrets,
-    revokeUaClientSecret
+    attachUniversalAuth,
+    updateUniversalAuth,
+    getIdentityUniversalAuth,
+    revokeIdentityUniversalAuth,
+    createUniversalAuthClientSecret,
+    getUniversalAuthClientSecrets,
+    revokeUniversalAuthClientSecret,
+    getUniversalAuthClientSecretById
  };
 };
--- a/backend/src/services/identity-ua/identity-ua-types.ts
+++ b/backend/src/services/identity-ua/identity-ua-types.ts
@ -22,6 +22,10 @@ export type TGetUaDTO = {
  identityId: string;
 } & Omit<TProjectPermission, "projectId">;

+export type TRevokeUaDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TCreateUaClientSecretDTO = {
  identityId: string;
  description: string;
@ -37,3 +41,8 @@ export type TRevokeUaClientSecretDTO = {
  identityId: string;
  clientSecretId: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TGetUniversalAuthClientSecretByIdDTO = {
+  identityId: string;
+  clientSecretId: string;
+} & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/identity/identity-org-dal.ts
+++ b/backend/src/services/identity/identity-org-dal.ts
@ -27,10 +27,10 @@ export const identityOrgDALFactory = (db: TDbClient) => {
    }
  };

-  const findByOrgId = async (orgId: string, tx?: Knex) => {
+  const find = async (filter: Partial<TIdentityOrgMemberships>, tx?: Knex) => {
    try {
      const docs = await (tx || db)(TableName.IdentityOrgMembership)
-        .where(`${TableName.IdentityOrgMembership}.orgId`, orgId)
+        .where(filter)
        .join(TableName.Identity, `${TableName.IdentityOrgMembership}.identityId`, `${TableName.Identity}.id`)
        .leftJoin(TableName.OrgRoles, `${TableName.IdentityOrgMembership}.roleId`, `${TableName.OrgRoles}.id`)
        .select(selectAllTableCols(TableName.IdentityOrgMembership))
@ -79,5 +79,5 @@ export const identityOrgDALFactory = (db: TDbClient) => {
    }
  };

-  return { ...identityOrgOrm, findOne, findByOrgId };
+  return { ...identityOrgOrm, find, findOne };
 };
--- a/backend/src/services/identity/identity-service.ts
+++ b/backend/src/services/identity/identity-service.ts
@ -1,6 +1,6 @@
 import { ForbiddenError } from "@casl/ability";

-import { OrgMembershipRole, TOrgRoles } from "@app/db/schemas";
+import { OrgMembershipRole, TableName, TOrgRoles } from "@app/db/schemas";
 import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { isAtLeastAsPrivileged } from "@app/lib/casl";
@ -10,7 +10,7 @@ import { TOrgPermission } from "@app/lib/types";
 import { ActorType } from "../auth/auth-type";
 import { TIdentityDALFactory } from "./identity-dal";
 import { TIdentityOrgDALFactory } from "./identity-org-dal";
-import { TCreateIdentityDTO, TDeleteIdentityDTO, TUpdateIdentityDTO } from "./identity-types";
+import { TCreateIdentityDTO, TDeleteIdentityDTO, TGetIdentityByIdDTO, TUpdateIdentityDTO } from "./identity-types";

 type TIdentityServiceFactoryDep = {
  identityDAL: TIdentityDALFactory;
@ -126,6 +126,24 @@ export const identityServiceFactory = ({
    return { ...identity, orgId: identityOrgMembership.orgId };
  };

+  const getIdentityById = async ({ id, actor, actorId, actorOrgId, actorAuthMethod }: TGetIdentityByIdDTO) => {
+    const doc = await identityOrgMembershipDAL.find({
+      [`${TableName.IdentityOrgMembership}.identityId` as "identityId"]: id
+    });
+    const identity = doc[0];
+    if (!identity) throw new BadRequestError({ message: `Failed to find identity with id ${id}` });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identity.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+    return identity;
+  };
+
  const deleteIdentity = async ({ actorId, actor, actorOrgId, actorAuthMethod, id }: TDeleteIdentityDTO) => {
    const identityOrgMembership = await identityOrgMembershipDAL.findOne({ identityId: id });
    if (!identityOrgMembership) throw new BadRequestError({ message: `Failed to find identity with id ${id}` });
@ -157,7 +175,9 @@ export const identityServiceFactory = ({
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);

-    const identityMemberships = await identityOrgMembershipDAL.findByOrgId(orgId);
+    const identityMemberships = await identityOrgMembershipDAL.find({
+      [`${TableName.IdentityOrgMembership}.orgId` as "orgId"]: orgId
+    });
    return identityMemberships;
  };

@ -165,6 +185,7 @@ export const identityServiceFactory = ({
    createIdentity,
    updateIdentity,
    deleteIdentity,
-    listOrgIdentities
+    listOrgIdentities,
+    getIdentityById
  };
 };
--- a/backend/src/services/identity/identity-types.ts
+++ b/backend/src/services/identity/identity-types.ts
@ -16,6 +16,10 @@ export type TDeleteIdentityDTO = {
  id: string;
 } & Omit<TOrgPermission, "orgId">;

+export type TGetIdentityByIdDTO = {
+  id: string;
+} & Omit<TOrgPermission, "orgId">;
+
 export interface TIdentityTrustedIp {
  ipAddress: string;
  type: IPType;
--- a/backend/src/services/secret-blind-index/secret-blind-index-dal.ts
+++ b/backend/src/services/secret-blind-index/secret-blind-index-dal.ts
@ -30,7 +30,6 @@ export const secretBlindIndexDALFactory = (db: TDbClient) => {
        .leftJoin(TableName.SecretFolder, `${TableName.SecretFolder}.id`, `${TableName.Secret}.folderId`)
        .leftJoin(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
        .where({ projectId })
-        .whereNull("secretBlindIndex")
        .select(selectAllTableCols(TableName.Secret))
        .select(
          db.ref("slug").withSchema(TableName.Environment).as("environment"),
@ -49,7 +48,6 @@ export const secretBlindIndexDALFactory = (db: TDbClient) => {
        .leftJoin(TableName.Environment, `${TableName.Environment}.id`, `${TableName.SecretFolder}.envId`)
        .where({ projectId })
        .whereIn(`${TableName.Secret}.id`, secretIds)
-        .whereNull("secretBlindIndex")
        .select(selectAllTableCols(TableName.Secret))
        .select(
          db.ref("slug").withSchema(TableName.Environment).as("environment"),
--- a/backend/src/services/secret/secret-service.ts
+++ b/backend/src/services/secret/secret-service.ts
@ -1078,6 +1078,7 @@ export const secretServiceFactory = ({
    actor,
    environment,
    projectId: workspaceId,
+    expandSecretReferences,
    projectSlug,
    actorId,
    actorOrgId,
@ -1091,7 +1092,7 @@ export const secretServiceFactory = ({
    const botKey = await projectBotService.getBotKey(projectId);
    if (!botKey) throw new BadRequestError({ message: "Project bot not found", name: "bot_not_found_error" });

-    const secret = await getSecretByName({
+    const encryptedSecret = await getSecretByName({
      actorId,
      projectId,
      actorAuthMethod,
@ -1105,7 +1106,46 @@ export const secretServiceFactory = ({
      version
    });

-    return decryptSecretRaw(secret, botKey);
+    const decryptedSecret = decryptSecretRaw(encryptedSecret, botKey);
+
+    if (expandSecretReferences) {
+      const expandSecrets = interpolateSecrets({
+        folderDAL,
+        projectId,
+        secretDAL,
+        secretEncKey: botKey
+      });
+
+      const expandSingleSecret = async (secret: {
+        secretKey: string;
+        secretValue: string;
+        secretComment?: string;
+        secretPath: string;
+        skipMultilineEncoding: boolean | null | undefined;
+      }) => {
+        const secretRecord: Record<
+          string,
+          { value: string; comment?: string; skipMultilineEncoding: boolean | null | undefined }
+        > = {
+          [secret.secretKey]: {
+            value: secret.secretValue,
+            comment: secret.secretComment,
+            skipMultilineEncoding: secret.skipMultilineEncoding
+          }
+        };
+
+        await expandSecrets(secretRecord);
+
+        // Update the secret with the expanded value
+        // eslint-disable-next-line no-param-reassign
+        secret.secretValue = secretRecord[secret.secretKey].value;
+      };
+
+      // Expand the secret
+      await expandSingleSecret(decryptedSecret);
+    }
+
+    return decryptedSecret;
  };

  const createSecretRaw = async ({
--- a/backend/src/services/secret/secret-types.ts
+++ b/backend/src/services/secret/secret-types.ts
@ -151,6 +151,7 @@ export type TGetASecretRawDTO = {
  secretName: string;
  path: string;
  environment: string;
+  expandSecretReferences?: boolean;
  type: "shared" | "personal";
  includeImports?: boolean;
  version?: number;
--- a/backend/src/services/super-admin/super-admin-dal.ts
+++ b/backend/src/services/super-admin/super-admin-dal.ts
@ -1,7 +1,57 @@
+import { Knex } from "knex";
+
 import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
+import { TableName, TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";

 export type TSuperAdminDALFactory = ReturnType<typeof superAdminDALFactory>;

-export const superAdminDALFactory = (db: TDbClient) => ormify(db, TableName.SuperAdmin, {});
+export const superAdminDALFactory = (db: TDbClient) => {
+  const superAdminOrm = ormify(db, TableName.SuperAdmin);
+
+  const findById = async (id: string, tx?: Knex) => {
+    const config = await (tx || db)(TableName.SuperAdmin)
+      .where(`${TableName.SuperAdmin}.id`, id)
+      .leftJoin(TableName.Organization, `${TableName.SuperAdmin}.defaultAuthOrgId`, `${TableName.Organization}.id`)
+      .select(
+        db.ref("*").withSchema(TableName.SuperAdmin) as unknown as keyof TSuperAdmin,
+        db.ref("slug").withSchema(TableName.Organization).as("defaultAuthOrgSlug")
+      )
+      .first();
+
+    if (!config) {
+      return null;
+    }
+
+    return {
+      ...config,
+      defaultAuthOrgSlug: config?.defaultAuthOrgSlug || null
+    } as TSuperAdmin & { defaultAuthOrgSlug: string | null };
+  };
+
+  const updateById = async (id: string, data: TSuperAdminUpdate, tx?: Knex) => {
+    const updatedConfig = await (superAdminOrm || tx).transaction(async (trx: Knex) => {
+      await superAdminOrm.updateById(id, data, trx);
+      const config = await findById(id, trx);
+
+      if (!config) {
+        throw new DatabaseError({
+          error: "Failed to find updated super admin config",
+          message: "Failed to update super admin config",
+          name: "UpdateById"
+        });
+      }
+
+      return config;
+    });
+
+    return updatedConfig;
+  };
+
+  return {
+    ...superAdminOrm,
+    findById,
+    updateById
+  };
+};
--- a/backend/src/services/super-admin/super-admin-service.ts
+++ b/backend/src/services/super-admin/super-admin-service.ts
@ -25,7 +25,7 @@ type TSuperAdminServiceFactoryDep = {
 export type TSuperAdminServiceFactory = ReturnType<typeof superAdminServiceFactory>;

 // eslint-disable-next-line
-export let getServerCfg: () => Promise<TSuperAdmin>;
+export let getServerCfg: () => Promise<TSuperAdmin & { defaultAuthOrgSlug: string | null }>;

 const ADMIN_CONFIG_KEY = "infisical-admin-cfg";
 const ADMIN_CONFIG_KEY_EXP = 60; // 60s
@ -42,16 +42,20 @@ export const superAdminServiceFactory = ({
    // TODO(akhilmhdh): bad  pattern time less change this later to me itself
    getServerCfg = async () => {
      const config = await keyStore.getItem(ADMIN_CONFIG_KEY);
+
      // missing in keystore means fetch from db
      if (!config) {
        const serverCfg = await serverCfgDAL.findById(ADMIN_CONFIG_DB_UUID);
-        if (serverCfg) {
-          await keyStore.setItemWithExpiry(ADMIN_CONFIG_KEY, ADMIN_CONFIG_KEY_EXP, JSON.stringify(serverCfg)); // insert it back to keystore
+
+        if (!serverCfg) {
+          throw new BadRequestError({ name: "Admin config", message: "Admin config not found" });
        }
+
+        await keyStore.setItemWithExpiry(ADMIN_CONFIG_KEY, ADMIN_CONFIG_KEY_EXP, JSON.stringify(serverCfg)); // insert it back to keystore
        return serverCfg;
      }

-      const keyStoreServerCfg = JSON.parse(config) as TSuperAdmin;
+      const keyStoreServerCfg = JSON.parse(config) as TSuperAdmin & { defaultAuthOrgSlug: string | null };
      return {
        ...keyStoreServerCfg,
        // this is to allow admin router to work
@ -65,14 +69,21 @@ export const superAdminServiceFactory = ({
    const serverCfg = await serverCfgDAL.findById(ADMIN_CONFIG_DB_UUID);
    if (serverCfg) return;

-    // @ts-expect-error id is kept as fixed for idempotence and to avoid race condition
-    const newCfg = await serverCfgDAL.create({ initialized: false, allowSignUp: true, id: ADMIN_CONFIG_DB_UUID });
+    const newCfg = await serverCfgDAL.create({
+      // @ts-expect-error id is kept as fixed for idempotence and to avoid race condition
+      id: ADMIN_CONFIG_DB_UUID,
+      initialized: false,
+      allowSignUp: true,
+      defaultAuthOrgId: null
+    });
    return newCfg;
  };

  const updateServerCfg = async (data: TSuperAdminUpdate) => {
    const updatedServerCfg = await serverCfgDAL.updateById(ADMIN_CONFIG_DB_UUID, data);
+
    await keyStore.setItemWithExpiry(ADMIN_CONFIG_KEY, ADMIN_CONFIG_KEY_EXP, JSON.stringify(updatedServerCfg));
+
    return updatedServerCfg;
  };

--- a/docs/api-reference/endpoints/identities/get-by-id.mdx
+++ b/docs/api-reference/endpoints/identities/get-by-id.mdx
@ -0,0 +1,5 @@
+---
+title: "Get By ID"
+openapi: "GET /api/v1/identities/{identityId}"
+---
+
--- a/docs/api-reference/endpoints/identities/list.mdx
+++ b/docs/api-reference/endpoints/identities/list.mdx
@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/identities"
+---
--- a/docs/api-reference/endpoints/universal-auth/get-client-secret-by-id.mdx
+++ b/docs/api-reference/endpoints/universal-auth/get-client-secret-by-id.mdx
@ -0,0 +1,4 @@
+---
+title: "Get Client Secret By ID"
+openapi: "GET /api/v1/auth/universal-auth/identities/{identityId}/client-secrets/{clientSecretId}"
+---
--- a/docs/api-reference/endpoints/universal-auth/revoke.mdx
+++ b/docs/api-reference/endpoints/universal-auth/revoke.mdx
@ -0,0 +1,4 @@
+---
+title: "Revoke"
+openapi: "DELETE /api/v1/auth/universal-auth/identities/{identityId}"
+---
--- a/docs/images/integrations/bitbucket/integrations-bitbucket-env.png
+++ b/docs/images/integrations/bitbucket/integrations-bitbucket-env.png
--- a/docs/integrations/cicd/bitbucket.mdx
+++ b/docs/integrations/cicd/bitbucket.mdx
@ -7,26 +7,62 @@ Prerequisites:

 - Set up and add envars to [Infisical Cloud](https://app.infisical.com)

-<Steps>
-  <Step title="Authorize Infisical for Bitbucket">
-    Navigate to your project's integrations tab in Infisical.
+<AccordionGroup>
+  <Accordion title="Push secrets to Bitbucket from Infisical">
+    <Steps>
+      <Step title="Authorize Infisical for Bitbucket">
+        Navigate to your project's integrations tab in Infisical.

-    ![integrations](../../images/integrations.png)
+        ![integrations](../../images/integrations.png)

-    Press on the Bitbucket tile and grant Infisical access to your Bitbucket account.
+        Press on the Bitbucket tile and grant Infisical access to your Bitbucket account.

-    ![integrations bitbucket authorization](../../images/integrations/bitbucket/integrations-bitbucket-auth.png)
+        ![integrations bitbucket authorization](../../images/integrations/bitbucket/integrations-bitbucket-auth.png)

-    <Info>
-      If this is your project's first cloud integration, then you'll have to grant
-      Infisical access to your project's environment variables. Although this step
-      breaks E2EE, it's necessary for Infisical to sync the environment variables to
-      the cloud platform.
-    </Info>
-  </Step>
-  <Step title="Start integration">
-    Select which Infisical environment secrets you want to sync to which Bitbucket repo and press start integration to start syncing secrets to the repo.
+      </Step>
+      <Step title="Start integration">
+        Select which Infisical environment secrets you want to sync to which Bitbucket repo and press start integration to start syncing secrets to the repo.

-    ![integrations bitbucket](../../images/integrations/bitbucket/integrations-bitbucket.png)
-  </Step>
-</Steps>
+        ![integrations bitbucket](../../images/integrations/bitbucket/integrations-bitbucket.png)
+      </Step>
+    </Steps>
+
+  </Accordion>
+  <Accordion title="Pull secrets in Bitbucket pipelines from Infisical">
+    <Steps>
+      <Step title="Configure Infisical Access">
+        Configure a [Machine Identity](https://infisical.com/docs/documentation/platform/identities/universal-auth) for your project and give it permissions to read secrets from your desired Infisical projects and environments.
+      </Step>
+      <Step title="Initialize Bitbucket variables">
+      Create Bitbucket variables (can be either workspace, repository, or deployment-level) to store Machine Identity Client ID and Client Secret.
+      
+      ![integrations bitbucket](../../images/integrations/bitbucket/integrations-bitbucket-env.png)
+      </Step>
+      <Step title="Integrate Infisical secrets into the pipeline">
+        Edit your Bitbucket pipeline YAML file to include the use of the Infisical CLI to fetch and inject secrets into any script or command within the pipeline.
+        
+        #### Example
+
+        ```yaml
+        image: atlassian/default-image:3
+
+        pipelines:
+          default:
+            - step:
+                name: Build application with secrets from Infisical
+                script:
+                  - apt update && apt install -y curl
+                  - curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | bash
+                  - apt-get update && apt-get install -y infisical
+                  - export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=$INFISICAL_CLIENT_ID --client-secret=$INFISICAL_CLIENT_SECRET --silent --plain)
+                  - infisical run --projectId=1d0443c1-cd43-4b3a-91a3-9d5f81254a89 --env=dev -- npm run build
+        ```
+
+      <Tip>
+        Set the values of `projectId` and `env` flags in the `infisical run` command to your intended source path. For more options, refer to the CLI command reference [here](https://infisical.com/docs/cli/commands/run).
+      </Tip>
+      </Step>
+    </Steps>
+
+  </Accordion>
+</AccordionGroup>
--- a/docs/mint.json
+++ b/docs/mint.json
@ -419,7 +419,9 @@
          "pages": [
            "api-reference/endpoints/identities/create",
            "api-reference/endpoints/identities/update",
-            "api-reference/endpoints/identities/delete"
+            "api-reference/endpoints/identities/delete",
+            "api-reference/endpoints/identities/get-by-id",
+            "api-reference/endpoints/identities/list"
          ]
        },
        {
@ -429,9 +431,11 @@
            "api-reference/endpoints/universal-auth/attach",
            "api-reference/endpoints/universal-auth/retrieve",
            "api-reference/endpoints/universal-auth/update",
+            "api-reference/endpoints/universal-auth/revoke",
            "api-reference/endpoints/universal-auth/create-client-secret",
            "api-reference/endpoints/universal-auth/list-client-secrets",
            "api-reference/endpoints/universal-auth/revoke-client-secret",
+            "api-reference/endpoints/universal-auth/get-client-secret-by-id",
            "api-reference/endpoints/universal-auth/renew-access-token",
            "api-reference/endpoints/universal-auth/revoke-access-token"
          ]
--- a/docs/sdks/overview.mdx
+++ b/docs/sdks/overview.mdx
@ -19,7 +19,7 @@ From local development to production, Infisical SDKs provide the easiest way for
    <Card href="/sdks/languages/java" title="Java" icon="java" color="#e41f23">
        Manage secrets for your Java application on demand
    </Card>
-    <Card href="/sdks/languages/go" title="Go icon="golang" color="#367B99">
+    <Card href="/sdks/languages/go" title="Go" icon="golang" color="#367B99">
        Manage secrets for your Go application on demand
    </Card>
    <Card href="/sdks/languages/csharp" title="C#" icon="bars" color="#368833">
--- a/frontend/src/components/v2/Select/Select.tsx
+++ b/frontend/src/components/v2/Select/Select.tsx
@ -36,61 +36,73 @@ export const Select = forwardRef<HTMLButtonElement, SelectProps>(
    ref
  ): JSX.Element => {
    return (
-      <SelectPrimitive.Root {...props} disabled={isDisabled}>
-        <SelectPrimitive.Trigger
-          ref={ref}
-          className={twMerge(
-            `inline-flex items-center justify-between rounded-md
-            bg-mineshaft-900 px-3 py-2 font-inter text-sm font-normal text-bunker-200 outline-none focus:bg-mineshaft-700/80 data-[placeholder]:text-mineshaft-200`,
-            className,
-            isDisabled && "cursor-not-allowed opacity-50"
-          )}
-        >
-          <SelectPrimitive.Value placeholder={placeholder}>
-            {props.icon ? <FontAwesomeIcon icon={props.icon} /> : placeholder}
-          </SelectPrimitive.Value>
+      <div className="flex items-center space-x-2">
+        <SelectPrimitive.Root
+          {...props}
+          onValueChange={(value) => {
+            if (!props.onValueChange) return;

-          <SelectPrimitive.Icon className="ml-3">
-            <FontAwesomeIcon
-              icon={faCaretDown}
-              size="sm"
-              className={twMerge(isDisabled && "opacity-30")}
-            />
-          </SelectPrimitive.Icon>
-        </SelectPrimitive.Trigger>
-        <SelectPrimitive.Portal>
-          <SelectPrimitive.Content
+            const newValue = value === "EMPTY-VALUE" ? "" : value;
+            props.onValueChange(newValue);
+          }}
+          disabled={isDisabled}
+        >
+          <SelectPrimitive.Trigger
+            ref={ref}
            className={twMerge(
-              "relative top-1 z-[100] overflow-hidden rounded-md border border-mineshaft-600 bg-mineshaft-900 font-inter text-bunker-100 shadow-md",
-              position === "popper" && "max-h-72",
-              dropdownContainerClassName
+              `inline-flex items-center justify-between rounded-md
+            bg-mineshaft-900 px-3 py-2 font-inter text-sm font-normal text-bunker-200 outline-none focus:bg-mineshaft-700/80 data-[placeholder]:text-mineshaft-200`,
+              className,
+              isDisabled && "cursor-not-allowed opacity-50"
            )}
-            position={position}
-            style={{ width: "var(--radix-select-trigger-width)" }}
          >
-            <SelectPrimitive.ScrollUpButton>
-              <div className="flex items-center justify-center">
-                <FontAwesomeIcon icon={faCaretUp} size="sm" />
-              </div>
-            </SelectPrimitive.ScrollUpButton>
-            <SelectPrimitive.Viewport className="p-1">
-              {isLoading ? (
-                <div className="flex items-center justify-center">
-                  <Spinner size="xs" />
-                  <span className="ml-2 text-xs text-gray-500">Loading...</span>
-                </div>
-              ) : (
-                children
+            <div className="flex items-center space-x-2">
+              {props.icon && <FontAwesomeIcon icon={props.icon} />}
+              <SelectPrimitive.Value placeholder={placeholder} />
+            </div>
+
+            <SelectPrimitive.Icon className="ml-3">
+              <FontAwesomeIcon
+                icon={faCaretDown}
+                size="sm"
+                className={twMerge(isDisabled && "opacity-30")}
+              />
+            </SelectPrimitive.Icon>
+          </SelectPrimitive.Trigger>
+          <SelectPrimitive.Portal>
+            <SelectPrimitive.Content
+              className={twMerge(
+                "relative top-1 z-[100] overflow-hidden rounded-md border border-mineshaft-600 bg-mineshaft-900 font-inter text-bunker-100 shadow-md",
+                position === "popper" && "max-h-72",
+                dropdownContainerClassName
              )}
-            </SelectPrimitive.Viewport>
-            <SelectPrimitive.ScrollDownButton>
-              <div className="flex items-center justify-center">
-                <FontAwesomeIcon icon={faCaretDown} size="sm" />
-              </div>
-            </SelectPrimitive.ScrollDownButton>
-          </SelectPrimitive.Content>
-        </SelectPrimitive.Portal>
-      </SelectPrimitive.Root>
+              position={position}
+              style={{ width: "var(--radix-select-trigger-width)" }}
+            >
+              <SelectPrimitive.ScrollUpButton>
+                <div className="flex items-center justify-center">
+                  <FontAwesomeIcon icon={faCaretUp} size="sm" />
+                </div>
+              </SelectPrimitive.ScrollUpButton>
+              <SelectPrimitive.Viewport className="p-1">
+                {isLoading ? (
+                  <div className="flex items-center justify-center">
+                    <Spinner size="xs" />
+                    <span className="ml-2 text-xs text-gray-500">Loading...</span>
+                  </div>
+                ) : (
+                  children
+                )}
+              </SelectPrimitive.Viewport>
+              <SelectPrimitive.ScrollDownButton>
+                <div className="flex items-center justify-center">
+                  <FontAwesomeIcon icon={faCaretDown} size="sm" />
+                </div>
+              </SelectPrimitive.ScrollDownButton>
+            </SelectPrimitive.Content>
+          </SelectPrimitive.Portal>
+        </SelectPrimitive.Root>
+      </div>
    );
  }
 );
@ -114,7 +126,7 @@ export const SelectItem = forwardRef<HTMLDivElement, SelectItemProps>(
          outline-none transition-all hover:bg-mineshaft-500 data-[highlighted]:bg-mineshaft-700/80`,
          isSelected && "bg-primary",
          isDisabled &&
-          "cursor-not-allowed text-gray-600 hover:bg-transparent hover:text-mineshaft-600",
+            "cursor-not-allowed text-gray-600 hover:bg-transparent hover:text-mineshaft-600",
          className
        )}
        ref={forwardedRef}
@ -129,3 +141,45 @@ export const SelectItem = forwardRef<HTMLDivElement, SelectItemProps>(
 );

 SelectItem.displayName = "SelectItem";
+
+export type SelectClearProps = Omit<SelectItemProps, "disabled" | "value"> & {
+  onClear: () => void;
+  selectValue: string;
+};
+
+export const SelectClear = forwardRef<HTMLDivElement, SelectClearProps>(
+  (
+    { children, className, isSelected, isDisabled, onClear, selectValue, ...props },
+    forwardedRef
+  ) => {
+    return (
+      <SelectPrimitive.Item
+        {...props}
+        value="EMPTY-VALUE"
+        onSelect={() => onClear()}
+        onClick={() => onClear()}
+        className={twMerge(
+          `relative mb-0.5 flex
+          cursor-pointer select-none items-center rounded-md py-2 pl-10 pr-4 text-sm
+          outline-none transition-all hover:bg-mineshaft-500 data-[highlighted]:bg-mineshaft-700/80`,
+          isSelected && "bg-primary",
+          isDisabled &&
+            "cursor-not-allowed text-gray-600 hover:bg-transparent hover:text-mineshaft-600",
+          className
+        )}
+        ref={forwardedRef}
+      >
+        <div
+          className={twMerge(
+            "absolute left-3.5 text-primary",
+            selectValue === "" ? "visible" : "hidden"
+          )}
+        >
+          <FontAwesomeIcon icon={faCheck} />
+        </div>
+        <SelectPrimitive.ItemText>{children}</SelectPrimitive.ItemText>
+      </SelectPrimitive.Item>
+    );
+  }
+);
+SelectClear.displayName = "SelectClear";
--- a/frontend/src/components/v2/Select/index.tsx
+++ b/frontend/src/components/v2/Select/index.tsx
@ -1,2 +1,2 @@
 export type { SelectItemProps, SelectProps } from "./Select";
-export { Select, SelectItem } from "./Select";
+export { Select, SelectClear, SelectItem } from "./Select";
--- a/frontend/src/hooks/api/admin/types.ts
+++ b/frontend/src/hooks/api/admin/types.ts
@ -7,6 +7,8 @@ export type TServerConfig = {
  trustLdapEmails: boolean;
  trustOidcEmails: boolean;
  isSecretScanningDisabled: boolean;
+  defaultAuthOrgSlug: string | null;
+  defaultAuthOrgId: string | null;
 };

 export type TCreateAdminUserDTO = {
--- a/frontend/src/hooks/api/serverDetails/types.ts
+++ b/frontend/src/hooks/api/serverDetails/types.ts
@ -4,5 +4,5 @@ export type ServerStatus = {
  emailConfigured: boolean;
  secretScanningConfigured: boolean;
  redisConfigured: boolean;
-  samlDefaultOrgSlug: boolean
+  samlDefaultOrgSlug: string;
 };
--- a/frontend/src/views/IntegrationsPage/components/IntegrationsSection/IntegrationsSection.tsx
+++ b/frontend/src/views/IntegrationsPage/components/IntegrationsSection/IntegrationsSection.tsx
@ -297,6 +297,7 @@ export const IntegrationsSection = ({
          (popUp?.deleteConfirmation?.data as TIntegration)?.app ||
          (popUp?.deleteConfirmation?.data as TIntegration)?.owner ||
          (popUp?.deleteConfirmation?.data as TIntegration)?.path ||
+          (popUp?.deleteConfirmation?.data as TIntegration)?.integration ||
          ""
        }
        onDeleteApproved={async () =>
--- a/frontend/src/views/Login/Login.tsx
+++ b/frontend/src/views/Login/Login.tsx
@ -1,16 +1,15 @@
 import { useEffect, useState } from "react";
-import { useRouter } from "next/router";

 import { isLoggedIn } from "@app/reactQuery";

 import { InitialStep, MFAStep, SSOStep } from "./components";
-import { navigateUserToSelectOrg } from "./Login.utils";
+import { useNavigateToSelectOrganization } from "./Login.utils";

 export const Login = () => {
-  const router = useRouter();
  const [step, setStep] = useState(0);
  const [email, setEmail] = useState("");
  const [password, setPassword] = useState("");
+  const { navigateToSelectOrganization } = useNavigateToSelectOrganization();

  const queryParams = new URLSearchParams(window.location.search);

@ -21,10 +20,10 @@ export const Login = () => {
        const callbackPort = queryParams?.get("callback_port");
        // case: a callback port is set, meaning it's a cli login request: redirect to select org with callback port
        if (callbackPort) {
-          navigateUserToSelectOrg(router, callbackPort);
+          navigateToSelectOrganization(callbackPort);
        } else {
          // case: no callback port, meaning it's a regular login request: redirect to select org
-          navigateUserToSelectOrg(router);
+          navigateToSelectOrganization();
        }
      } catch (error) {
        console.log("Error - Not logged in yet");
--- a/frontend/src/views/Login/Login.utils.tsx
+++ b/frontend/src/views/Login/Login.utils.tsx
@ -1,5 +1,7 @@
-import { NextRouter } from "next/router";
+import { NextRouter, useRouter } from "next/router";

+import { useServerConfig } from "@app/context";
+import { useSelectOrganization } from "@app/hooks/api";
 import { fetchOrganizations } from "@app/hooks/api/organization/queries";
 import { userKeys } from "@app/hooks/api/users/queries";
 import { queryClient } from "@app/reactQuery";
@ -27,14 +29,29 @@ export const navigateUserToOrg = async (router: NextRouter, organizationId?: str
  }
 };

-export const navigateUserToSelectOrg = (router: NextRouter, cliCallbackPort?: string) => {
-  queryClient.invalidateQueries(userKeys.getUser);
+export const useNavigateToSelectOrganization = () => {
+  const { config } = useServerConfig();
+  const selectOrganization = useSelectOrganization();
+  const router = useRouter();

-  let redirectTo = "/login/select-organization";
+  const navigate = async (cliCallbackPort?: string) => {
+    if (config.defaultAuthOrgId) {
+      await selectOrganization.mutateAsync({
+        organizationId: config.defaultAuthOrgId
+      });

-  if (cliCallbackPort) {
-    redirectTo += `?callback_port=${cliCallbackPort}`;
-  }
+      await navigateUserToOrg(router, config.defaultAuthOrgId);
+    }

-  router.push(redirectTo, undefined, { shallow: true });
+    queryClient.invalidateQueries(userKeys.getUser);
+    let redirectTo = "/login/select-organization";
+
+    if (cliCallbackPort) {
+      redirectTo += `?callback_port=${cliCallbackPort}`;
+    }
+
+    router.push(redirectTo, undefined, { shallow: true });
+  };
+
+  return { navigateToSelectOrganization: navigate };
 };
--- a/frontend/src/views/Login/LoginLDAP.tsx
+++ b/frontend/src/views/Login/LoginLDAP.tsx
@ -4,15 +4,19 @@ import { useRouter } from "next/router";

 import { createNotification } from "@app/components/notifications";
 import { Button, Input } from "@app/components/v2";
+import { useServerConfig } from "@app/context";
 import { loginLDAPRedirect } from "@app/hooks/api/auth/queries";

 export const LoginLDAP = () => {
  const router = useRouter();
+  const { config } = useServerConfig();
  const queryParams = new URLSearchParams(window.location.search);
  const passedOrgSlug = queryParams.get("organizationSlug");
  const passedUsername = queryParams.get("username");

-  const [organizationSlug, setOrganizationSlug] = useState(passedOrgSlug || "");
+  const [organizationSlug, setOrganizationSlug] = useState(
+    config.defaultAuthOrgSlug || passedOrgSlug || ""
+  );
  const [username, setUsername] = useState(passedUsername || "");
  const [password, setPassword] = useState("");

@ -63,21 +67,22 @@ export const LoginLDAP = () => {
        What&apos;s your LDAP Login?
      </p>
      <form onSubmit={handleSubmission}>
-        <div className="relative mx-auto flex max-h-24 w-1/4 w-full min-w-[20rem] items-center justify-center rounded-lg md:max-h-28 md:min-w-[22rem] lg:w-1/6">
-          <div className="flex max-h-24 w-full items-center justify-center rounded-lg md:max-h-28">
-            <Input
-              value={organizationSlug}
-              onChange={(e) => setOrganizationSlug(e.target.value)}
-              type="text"
-              placeholder="Enter your organization slug..."
-              isRequired
-              autoComplete="email"
-              id="email"
-              className="h-12"
-              isDisabled={passedOrgSlug !== null}
-            />
+        {!config.defaultAuthOrgSlug && !passedOrgSlug && (
+          <div className="relative mx-auto flex max-h-24 w-1/4 w-full min-w-[20rem] items-center justify-center rounded-lg md:max-h-28 md:min-w-[22rem] lg:w-1/6">
+            <div className="flex max-h-24 w-full items-center justify-center rounded-lg md:max-h-28">
+              <Input
+                value={organizationSlug}
+                onChange={(e) => setOrganizationSlug(e.target.value)}
+                type="text"
+                placeholder="Enter your organization slug..."
+                isRequired
+                autoComplete="email"
+                id="email"
+                className="h-12"
+              />
+            </div>
          </div>
-        </div>
+        )}
        <div className="relative mx-auto mt-2 flex max-h-24 w-1/4 w-full min-w-[20rem] items-center justify-center rounded-lg md:max-h-28 md:min-w-[22rem] lg:w-1/6">
          <div className="flex max-h-24 w-full items-center justify-center rounded-lg md:max-h-28">
            <Input
--- a/frontend/src/views/Login/components/InitialStep/InitialStep.tsx
+++ b/frontend/src/views/Login/components/InitialStep/InitialStep.tsx
@ -1,4 +1,4 @@
-import { FormEvent, useEffect, useRef, useState } from "react";
+import { FormEvent, useCallback, useEffect, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import Link from "next/link";
 import { useRouter } from "next/router";
@ -16,7 +16,7 @@ import { Button, Input } from "@app/components/v2";
 import { useServerConfig } from "@app/context";
 import { useFetchServerStatus } from "@app/hooks/api";

-import { navigateUserToSelectOrg } from "../../Login.utils";
+import { useNavigateToSelectOrganization } from "../../Login.utils";

 type Props = {
  setStep: (step: number) => void;
@ -39,16 +39,28 @@ export const InitialStep = ({ setStep, email, setEmail, password, setPassword }:
  const captchaRef = useRef<HCaptcha>(null);
  const { data: serverDetails } = useFetchServerStatus();

+  const { navigateToSelectOrganization } = useNavigateToSelectOrganization();
+
+  const redirectToSaml = (orgSlug: string) => {
+    const callbackPort = queryParams.get("callback_port");
+    const redirectUrl = `/api/v1/sso/redirect/saml2/organizations/${orgSlug}${
+      callbackPort ? `?callback_port=${callbackPort}` : ""
+    }`;
+    router.push(redirectUrl);
+  };
+
  useEffect(() => {
-    if (serverDetails?.samlDefaultOrgSlug) {
-      const callbackPort = queryParams.get("callback_port");
-      const redirectUrl = `/api/v1/sso/redirect/saml2/organizations/${
-        serverDetails?.samlDefaultOrgSlug
-      }${callbackPort ? `?callback_port=${callbackPort}` : ""}`;
-      router.push(redirectUrl);
-    }
+    if (serverDetails?.samlDefaultOrgSlug) redirectToSaml(serverDetails.samlDefaultOrgSlug);
  }, [serverDetails?.samlDefaultOrgSlug]);

+  const handleSaml = useCallback((step: number) => {
+    if (config.defaultAuthOrgSlug) {
+      redirectToSaml(config.defaultAuthOrgSlug);
+    } else {
+      setStep(step);
+    }
+  }, []);
+
  const handleLogin = async (e: FormEvent<HTMLFormElement>) => {
    e.preventDefault();
    try {
@ -75,7 +87,7 @@ export const InitialStep = ({ setStep, email, setEmail, password, setPassword }:
            return;
          }

-          navigateUserToSelectOrg(router, callbackPort!);
+          navigateToSelectOrganization(callbackPort!);
        } else {
          setLoginError(true);
          createNotification({
@ -100,7 +112,7 @@ export const InitialStep = ({ setStep, email, setEmail, password, setPassword }:
            return;
          }

-          navigateUserToSelectOrg(router);
+          navigateToSelectOrganization();

          // case: login does not require MFA step
          createNotification({
@ -211,7 +223,7 @@ export const InitialStep = ({ setStep, email, setEmail, password, setPassword }:
          colorSchema="primary"
          variant="outline_bg"
          onClick={() => {
-            setStep(2);
+            handleSaml(2);
          }}
          leftIcon={<FontAwesomeIcon icon={faLock} className="mr-2" />}
          className="mx-0 h-10 w-full"
--- a/frontend/src/views/Login/components/MFAStep/MFAStep.tsx
+++ b/frontend/src/views/Login/components/MFAStep/MFAStep.tsx
@ -16,7 +16,7 @@ import { useSelectOrganization, verifyMfaToken } from "@app/hooks/api/auth/queri
 import { fetchOrganizations } from "@app/hooks/api/organization/queries";
 import { fetchMyPrivateKey } from "@app/hooks/api/users/queries";

-import { navigateUserToOrg, navigateUserToSelectOrg } from "../../Login.utils";
+import { navigateUserToOrg, useNavigateToSelectOrganization } from "../../Login.utils";

 // The style for the verification code input
 const props = {
@ -50,6 +50,7 @@ export const MFAStep = ({ email, password, providerAuthToken }: Props) => {
  const [isLoading, setIsLoading] = useState(false);
  const [isLoadingResend, setIsLoadingResend] = useState(false);
  const [mfaCode, setMfaCode] = useState("");
+  const { navigateToSelectOrganization } = useNavigateToSelectOrganization();
  const [triesLeft, setTriesLeft] = useState<number | undefined>(undefined);

  const { t } = useTranslation();
@ -93,7 +94,7 @@ export const MFAStep = ({ email, password, providerAuthToken }: Props) => {

      // case: user has orgs, so we navigate the user to select an org
      if (userOrgs.length > 0) {
-        navigateUserToSelectOrg(router, callbackPort);
+        navigateToSelectOrganization(callbackPort);
      }
      // case: no orgs found, so we navigate the user to create an org
      // cli login will fail in this case
@ -166,7 +167,7 @@ export const MFAStep = ({ email, password, providerAuthToken }: Props) => {

            // case: user has orgs, so we navigate the user to select an org
            if (userOrgs.length > 0) {
-              navigateUserToSelectOrg(router, callbackPort);
+              navigateToSelectOrganization(callbackPort);
            }
            // case: no orgs found, so we navigate the user to create an org
            // cli login will fail in this case
@ -195,7 +196,7 @@ export const MFAStep = ({ email, password, providerAuthToken }: Props) => {
          if (organizationId) {
            await navigateUserToOrg(router, organizationId);
          } else {
-            navigateUserToSelectOrg(router);
+            navigateToSelectOrganization();
          }
        } else {
          createNotification({
--- a/frontend/src/views/Login/components/PasswordStep/PasswordStep.tsx
+++ b/frontend/src/views/Login/components/PasswordStep/PasswordStep.tsx
@ -1,4 +1,4 @@
-import { useEffect, useRef,useState } from "react";
+import { useEffect, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import Link from "next/link";
 import { useRouter } from "next/router";
@ -16,7 +16,7 @@ import { useOauthTokenExchange, useSelectOrganization } from "@app/hooks/api";
 import { fetchOrganizations } from "@app/hooks/api/organization/queries";
 import { fetchMyPrivateKey } from "@app/hooks/api/users/queries";

-import { navigateUserToOrg, navigateUserToSelectOrg } from "../../Login.utils";
+import { navigateUserToOrg, useNavigateToSelectOrganization } from "../../Login.utils";

 type Props = {
  providerAuthToken: string;
@ -39,8 +39,11 @@ export const PasswordStep = ({
  const { mutateAsync: selectOrganization } = useSelectOrganization();
  const { mutateAsync: oauthTokenExchange } = useOauthTokenExchange();

-  const { callbackPort, organizationId, hasExchangedPrivateKey } =
-    jwt_decode(providerAuthToken) as any;
+  const { navigateToSelectOrganization } = useNavigateToSelectOrganization();
+
+  const { callbackPort, organizationId, hasExchangedPrivateKey } = jwt_decode(
+    providerAuthToken
+  ) as any;

  const handleExchange = async () => {
    try {
@ -92,7 +95,7 @@ export const PasswordStep = ({

        // case: user has orgs, so we navigate the user to select an org
        if (userOrgs.length > 0) {
-          navigateUserToSelectOrg(router, callbackPort);
+          navigateToSelectOrganization(callbackPort);
        }
        // case: no orgs found, so we navigate the user to create an org
        else {
@ -176,7 +179,7 @@ export const PasswordStep = ({

            // case: user has orgs, so we navigate the user to select an org
            if (userOrgs.length > 0) {
-              navigateUserToSelectOrg(router, callbackPort);
+              navigateToSelectOrganization(callbackPort);
            }
            // case: no orgs found, so we navigate the user to create an org
            else {
@ -220,7 +223,7 @@ export const PasswordStep = ({
            const userOrgs = await fetchOrganizations();

            if (userOrgs.length > 0) {
-              navigateUserToSelectOrg(router);
+              navigateToSelectOrganization();
            } else {
              await navigateUserToOrg(router);
            }
@ -270,7 +273,7 @@ export const PasswordStep = ({
    <form onSubmit={handleLogin} className="mx-auto h-full w-full max-w-md px-6 pt-8">
      <div className="mb-8">
        <p className="mx-auto mb-4 flex w-max justify-center bg-gradient-to-b from-white to-bunker-200 bg-clip-text text-center text-xl font-medium text-transparent">
-           What&apos;s your Infisical password?
+          What&apos;s your Infisical password?
        </p>
      </div>
      <div className="relative mx-auto flex max-h-24 w-1/4 w-full min-w-[22rem] items-center justify-center rounded-lg md:max-h-28 lg:w-1/6">
--- a/frontend/src/views/SecretMainPage/components/SecretListView/SecretDetaiSidebar.tsx
+++ b/frontend/src/views/SecretMainPage/components/SecretListView/SecretDetaiSidebar.tsx
@ -7,6 +7,7 @@ import {
  faCircleDot,
  faClock,
  faPlus,
+  faShare,
  faTag
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
@ -57,6 +58,7 @@ type Props = {
  ) => Promise<void>;
  tags: WsTag[];
  onCreateTag: () => void;
+  handleSecretShare: (value: string) => void;
 };

 export const SecretDetailSidebar = ({
@ -69,7 +71,8 @@ export const SecretDetailSidebar = ({
  tags,
  onCreateTag,
  environment,
-  secretPath
+  secretPath,
+  handleSecretShare
 }: Props) => {
  const {
    register,
@ -381,7 +384,7 @@ export const SecretDetailSidebar = ({
                  rows={5}
                />
              </FormControl>
-              <div className="my-2 mb-6 border-b border-mineshaft-600 pb-4">
+              <div className="my-2 mb-4 border-b border-mineshaft-600 pb-4">
                <Controller
                  control={control}
                  name="skipMultilineEncoding"
@ -412,7 +415,17 @@ export const SecretDetailSidebar = ({
                  )}
                />
              </div>
-              <div className="dark mb-4 flex-grow text-sm text-bunker-300">
+              <div className="ml-1 flex items-center space-x-2">
+                <Button
+                  className="px-2 py-1"
+                  variant="outline_bg"
+                  leftIcon={<FontAwesomeIcon icon={faShare} />}
+                  onClick={() => handleSecretShare(secret.valueOverride ?? secret.value)}
+                >
+                  Share Secret
+                </Button>
+              </div>
+              <div className="dark mt-4 mb-4 flex-grow text-sm text-bunker-300">
                <div className="mb-2">Version History</div>
                <div className="flex h-48 flex-col space-y-2 overflow-y-auto overflow-x-hidden rounded-md border border-mineshaft-600 bg-bunker-800 p-2 dark:[color-scheme:dark]">
                  {secretVersion?.map(({ createdAt, value, id }, i) => (
--- a/frontend/src/views/SecretMainPage/components/SecretListView/SecretItem.tsx
+++ b/frontend/src/views/SecretMainPage/components/SecretListView/SecretItem.tsx
@ -61,6 +61,7 @@ type Props = {
  onCreateTag: () => void;
  environment: string;
  secretPath: string;
+  handleSecretShare: () => void;
 };

 export const SecretItem = memo(
@ -75,7 +76,8 @@ export const SecretItem = memo(
    onCreateTag,
    onToggleSecretSelect,
    environment,
-    secretPath
+    secretPath,
+    handleSecretShare
  }: Props) => {
    const { currentWorkspace } = useWorkspace();
    const { permission } = useProjectPermission();
@ -420,8 +422,9 @@ export const SecretItem = memo(
                      <Tooltip
                        content={
                          secretReminderRepeatDays && secretReminderRepeatDays > 0
-                            ? `Every ${secretReminderRepeatDays} day${Number(secretReminderRepeatDays) > 1 ? "s" : ""
-                            }
+                            ? `Every ${secretReminderRepeatDays} day${
+                                Number(secretReminderRepeatDays) > 1 ? "s" : ""
+                              }
                          `
                            : "Reminder"
                        }
@ -461,6 +464,20 @@ export const SecretItem = memo(
                        </PopoverTrigger>
                      )}
                    </ProjectPermissionCan>
+                    <IconButton
+                      className="w-0 overflow-hidden p-0 group-hover:mr-2 group-hover:w-5 data-[state=open]:w-6"
+                      variant="plain"
+                      size="md"
+                      ariaLabel="share-secret"
+                      onClick={handleSecretShare}
+                    >
+                      <Tooltip content="Share Secret">
+                        <FontAwesomeSymbol
+                          className="h-3.5 w-3.5"
+                          symbolName={FontAwesomeSpriteName.ShareSecret}
+                        />
+                      </Tooltip>
+                    </IconButton>
                    <PopoverContent
                      className="w-auto border border-mineshaft-600 bg-mineshaft-800 p-2 drop-shadow-2xl"
                      sticky="always"
--- a/frontend/src/views/SecretMainPage/components/SecretListView/SecretListView.tsx
+++ b/frontend/src/views/SecretMainPage/components/SecretListView/SecretListView.tsx
@ -13,6 +13,7 @@ import { secretKeys } from "@app/hooks/api/secrets/queries";
 import { DecryptedSecret, SecretType } from "@app/hooks/api/secrets/types";
 import { secretSnapshotKeys } from "@app/hooks/api/secretSnapshots/queries";
 import { UserWsKeyPair, WsTag } from "@app/hooks/api/types";
+import { AddShareSecretModal } from "@app/views/ShareSecretPage/components/AddShareSecretModal";

 import { useSelectedSecretActions, useSelectedSecrets } from "../../SecretMainPage.store";
 import { Filter, GroupBy, SortDir } from "../../SecretMainPage.types";
@ -95,7 +96,8 @@ export const SecretListView = ({
  const { popUp, handlePopUpToggle, handlePopUpOpen, handlePopUpClose } = usePopUp([
    "deleteSecret",
    "secretDetail",
-    "createTag"
+    "createTag",
+    "createSharedSecret"
  ] as const);

  // strip of side effect queries
@ -365,6 +367,11 @@ export const SecretListView = ({
                  onDeleteSecret={onDeleteSecret}
                  onDetailViewSecret={onDetailViewSecret}
                  onCreateTag={onCreateTag}
+                  handleSecretShare={() =>
+                    handlePopUpOpen("createSharedSecret", {
+                      value: secret.valueOverride ?? secret.value
+                    })
+                  }
                />
              ))}
            </div>
@ -391,11 +398,18 @@ export const SecretListView = ({
        onSaveSecret={handleSaveSecret}
        tags={wsTags}
        onCreateTag={() => handlePopUpOpen("createTag")}
+        handleSecretShare={(value: string) => handlePopUpOpen("createSharedSecret", { value })}
      />
      <CreateTagModal
        isOpen={popUp.createTag.isOpen}
        onToggle={(isOpen) => handlePopUpToggle("createTag", isOpen)}
      />
+      <AddShareSecretModal
+        popUp={popUp}
+        handlePopUpToggle={handlePopUpToggle}
+        isPublic={false}
+        inModal
+      />
    </>
  );
 };
--- a/frontend/src/views/SecretMainPage/components/SecretListView/SecretListView.utils.ts
+++ b/frontend/src/views/SecretMainPage/components/SecretListView/SecretListView.utils.ts
@ -10,6 +10,7 @@ import {
  faCopy,
  faEllipsis,
  faKey,
+  faShare,
  faTags
 } from "@fortawesome/free-solid-svg-icons";
 import { z } from "zod";
@ -66,7 +67,8 @@ export enum FontAwesomeSpriteName {
  Override = "secret-override",
  Close = "close",
  CheckedCircle = "check-circle",
-  ReplicatedSecretKey = "secret-replicated"
+  ReplicatedSecretKey = "secret-replicated",
+  ShareSecret = "share-secret"
 }

 // this is an optimization technique
@ -82,5 +84,6 @@ export const FontAwesomeSpriteSymbols = [
  { icon: faCodeBranch, symbol: FontAwesomeSpriteName.Override },
  { icon: faClose, symbol: FontAwesomeSpriteName.Close },
  { icon: faCheckCircle, symbol: FontAwesomeSpriteName.CheckedCircle },
-  { icon: faClone, symbol: FontAwesomeSpriteName.ReplicatedSecretKey }
+  { icon: faClone, symbol: FontAwesomeSpriteName.ReplicatedSecretKey },
+  { icon: faShare, symbol: FontAwesomeSpriteName.ShareSecret }
 ];
--- a/frontend/src/views/Settings/ProjectSettingsPage/components/ProjectGeneralTab/ProjectGeneralTab.tsx
+++ b/frontend/src/views/Settings/ProjectSettingsPage/components/ProjectGeneralTab/ProjectGeneralTab.tsx
@ -5,6 +5,7 @@ import { E2EESection } from "../E2EESection";
 import { EnvironmentSection } from "../EnvironmentSection";
 import { PointInTimeVersionLimitSection } from "../PointInTimeVersionLimitSection";
 import { ProjectNameChangeSection } from "../ProjectNameChangeSection";
+import { RebuildSecretIndicesSection } from "../RebuildSecretIndicesSection/RebuildSecretIndicesSection";
 import { SecretTagsSection } from "../SecretTagsSection";

 export const ProjectGeneralTab = () => {
@ -17,6 +18,7 @@ export const ProjectGeneralTab = () => {
      <E2EESection />
      <PointInTimeVersionLimitSection />
      <BackfillSecretReferenceSecretion />
+      <RebuildSecretIndicesSection />
      <DeleteProjectSection />
    </div>
  );
--- a/frontend/src/views/Settings/ProjectSettingsPage/components/RebuildSecretIndicesSection/RebuildSecretIndicesSection.tsx
+++ b/frontend/src/views/Settings/ProjectSettingsPage/components/RebuildSecretIndicesSection/RebuildSecretIndicesSection.tsx
@ -0,0 +1,93 @@
+import { createNotification } from "@app/components/notifications";
+import {
+  decryptAssymmetric,
+  decryptSymmetric
+} from "@app/components/utilities/cryptography/crypto";
+import { Button } from "@app/components/v2";
+import { useProjectPermission, useWorkspace } from "@app/context";
+import { useToggle } from "@app/hooks";
+import { useGetUserWsKey, useNameWorkspaceSecrets } from "@app/hooks/api";
+import { ProjectMembershipRole } from "@app/hooks/api/roles/types";
+import { fetchWorkspaceSecrets } from "@app/hooks/api/workspace/queries";
+
+export const RebuildSecretIndicesSection = () => {
+  const { currentWorkspace } = useWorkspace();
+  const { membership } = useProjectPermission();
+  const nameWorkspaceSecrets = useNameWorkspaceSecrets();
+
+  const [isIndexing, setIsIndexing] = useToggle();
+  const { data: decryptFileKey } = useGetUserWsKey(currentWorkspace?.id!);
+
+  if (!currentWorkspace) return null;
+
+  const onRebuildIndices = async () => {
+    if (!currentWorkspace?.id) return;
+    setIsIndexing.on();
+    try {
+      const encryptedSecrets = await fetchWorkspaceSecrets(currentWorkspace.id);
+
+      if (!currentWorkspace || !decryptFileKey) {
+        return;
+      }
+
+      const key = decryptAssymmetric({
+        ciphertext: decryptFileKey.encryptedKey,
+        nonce: decryptFileKey.nonce,
+        publicKey: decryptFileKey.sender.publicKey,
+        privateKey: localStorage.getItem("PRIVATE_KEY") as string
+      });
+
+      const secretsToUpdate = encryptedSecrets.map((encryptedSecret) => {
+        const secretName = decryptSymmetric({
+          ciphertext: encryptedSecret.secretKeyCiphertext,
+          iv: encryptedSecret.secretKeyIV,
+          tag: encryptedSecret.secretKeyTag,
+          key
+        });
+
+        return {
+          secretName,
+          secretId: encryptedSecret.id
+        };
+      });
+      await nameWorkspaceSecrets.mutateAsync({
+        workspaceId: currentWorkspace.id,
+        secretsToUpdate
+      });
+
+      createNotification({
+        text: "Successfully rebuilt secret indices",
+        type: "success"
+      });
+    } catch (err) {
+      console.log(err);
+    } finally {
+      setIsIndexing.off();
+    }
+  };
+
+  const isAdmin = membership.roles.includes(ProjectMembershipRole.Admin);
+
+  if (!isAdmin) {
+    return null;
+  }
+
+  return (
+    <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+      <div className="flex w-full items-center justify-between">
+        <p className="text-xl font-semibold">Rebuild Secret Indices</p>
+      </div>
+      <p className="mb-4 mt-2 max-w-2xl text-sm text-gray-400">
+        This will rebuild indices of all secrets in the project.
+      </p>
+      <Button
+        variant="outline_bg"
+        isLoading={isIndexing}
+        onClick={onRebuildIndices}
+        isDisabled={!isAdmin}
+      >
+        Rebuild Secret Indices
+      </Button>
+    </div>
+  );
+};
--- a/frontend/src/views/ShareSecretPage/components/AddShareSecretForm.tsx
+++ b/frontend/src/views/ShareSecretPage/components/AddShareSecretForm.tsx
@ -6,14 +6,7 @@ import * as yup from "yup";

 import { createNotification } from "@app/components/notifications";
 import { encryptSymmetric } from "@app/components/utilities/cryptography/crypto";
-import {
-  Button,
-  FormControl,
-  Input,
-  ModalClose,
-  Select,
-  SelectItem
-} from "@app/components/v2";
+import { Button, FormControl, Input, ModalClose, Select, SelectItem } from "@app/components/v2";
 import { useCreatePublicSharedSecret, useCreateSharedSecret } from "@app/hooks/api/secretSharing";

 const schema = yup.object({
@ -31,7 +24,8 @@ export const AddShareSecretForm = ({
  handleSubmit,
  control,
  isSubmitting,
-  setNewSharedSecret
+  setNewSharedSecret,
+  isInputDisabled
 }: {
  isPublic: boolean;
  inModal: boolean;
@ -39,6 +33,7 @@ export const AddShareSecretForm = ({
  control: any;
  isSubmitting: boolean;
  setNewSharedSecret: (value: string) => void;
+  isInputDisabled?: boolean;
 }) => {
  const publicSharedSecretCreator = useCreatePublicSharedSecret();
  const privateSharedSecretCreator = useCreateSharedSecret();
@ -124,12 +119,13 @@ export const AddShareSecretForm = ({
  };
  return (
    <form className="flex w-full flex-col items-center" onSubmit={handleSubmit(onFormSubmit)}>
-      <div className={`${!inModal && "border border-mineshaft-600 bg-mineshaft-800 rounded-md p-6"}`}>
+      <div
+        className={`${!inModal && "rounded-md border border-mineshaft-600 bg-mineshaft-800 p-6"}`}
+      >
        <div className="mb-4">
          <Controller
            control={control}
            name="value"
-            defaultValue=""
            render={({ field, fieldState: { error } }) => (
              <FormControl
                label="Shared Secret"
@ -137,16 +133,17 @@ export const AddShareSecretForm = ({
                errorText={error?.message}
              >
                <textarea
+                  disabled={isInputDisabled}
                  placeholder="Enter sensitive data to share via an encrypted link..."
                  {...field}
-                  className="py-1.5 w-full h-40 placeholder:text-mineshaft-400 rounded-md transition-all group-hover:mr-2 text-bunker-300 hover:border-primary-400/30 focus:border-primary-400/50 outline-none border border-mineshaft-600 bg-mineshaft-900 px-2 min-h-[70px]"
+                  className="h-40 min-h-[70px] w-full rounded-md border border-mineshaft-600 bg-mineshaft-900 py-1.5 px-2 text-bunker-300 outline-none transition-all placeholder:text-mineshaft-400 hover:border-primary-400/30 focus:border-primary-400/50 group-hover:mr-2"
                />
              </FormControl>
            )}
          />
        </div>
        <div className="flex w-full flex-row justify-center">
-          <div className="hidden sm:block sm:w-2/6 flex">
+          <div className="flex hidden sm:block sm:w-2/6">
            <Controller
              control={control}
              name="expiresAfterViews"
@ -163,12 +160,12 @@ export const AddShareSecretForm = ({
              )}
            />
          </div>
-          <div className="hidden sm:flex sm:w-1/7 items-center justify-center px-2 mx-auto">
+          <div className="sm:w-1/7 mx-auto hidden items-center justify-center px-2 sm:flex">
            <p className="px-4 text-sm text-gray-400">OR</p>
          </div>
-          <div className="w-full sm:w-3/6 flex justify-end">
+          <div className="flex w-full justify-end sm:w-3/6">
            <div className="flex justify-start">
-              <div className="flex w-full pr-2 justify-center">
+              <div className="flex w-full justify-center pr-2">
                <Controller
                  control={control}
                  name="expiresInValue"
--- a/frontend/src/views/ShareSecretPage/components/AddShareSecretModal.tsx
+++ b/frontend/src/views/ShareSecretPage/components/AddShareSecretModal.tsx
@ -34,6 +34,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
    control,
    reset,
    handleSubmit,
+    setValue,
    formState: { isSubmitting }
  } = useForm<FormData>({
    resolver: yupResolver(schema)
@ -45,6 +46,8 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
    initialState: false
  });

+  const [isSecretInputDisabled, setIsSecretInputDisabled] = useState(false);
+
  const copyUrlToClipboard = () => {
    navigator.clipboard.writeText(newSharedSecret);
    setIsUrlCopied(true);
@ -55,6 +58,13 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
    }
  }, [isUrlCopied]);

+  useEffect(() => {
+    if (popUp.createSharedSecret.data) {
+      setValue("value", (popUp.createSharedSecret.data as { value: string }).value);
+      setIsSecretInputDisabled(true);
+    }
+  }, [popUp.createSharedSecret.data]);
+
  // eslint-disable-next-line no-nested-ternary
  return inModal ? (
    <Modal
@ -63,6 +73,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
        handlePopUpToggle("createSharedSecret", open);
        reset();
        setNewSharedSecret("");
+        setIsSecretInputDisabled(false);
      }}
    >
      <ModalContent
@ -77,6 +88,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
            handleSubmit={handleSubmit}
            isSubmitting={isSubmitting}
            setNewSharedSecret={setNewSharedSecret}
+            isInputDisabled={isSecretInputDisabled}
          />
        ) : (
          <ViewAndCopySharedSecret
@ -96,6 +108,7 @@ export const AddShareSecretModal = ({ popUp, handlePopUpToggle, isPublic, inModa
      handleSubmit={handleSubmit}
      isSubmitting={isSubmitting}
      setNewSharedSecret={setNewSharedSecret}
+      isInputDisabled={isSecretInputDisabled}
    />
  ) : (
    <ViewAndCopySharedSecret
--- a/frontend/src/views/admin/DashboardPage/DashboardPage.tsx
+++ b/frontend/src/views/admin/DashboardPage/DashboardPage.tsx
@ -13,6 +13,7 @@ import {
  FormControl,
  Input,
  Select,
+  SelectClear,
  SelectItem,
  Switch,
  Tab,
@ -21,7 +22,7 @@ import {
  Tabs
 } from "@app/components/v2";
 import { useOrganization, useServerConfig, useUser } from "@app/context";
-import { useUpdateServerConfig } from "@app/hooks/api";
+import { useGetOrganizations, useUpdateServerConfig } from "@app/hooks/api";

 import { RateLimitPanel } from "./RateLimitPanel";

@ -40,7 +41,8 @@ const formSchema = z.object({
  allowedSignUpDomain: z.string().optional().nullable(),
  trustSamlEmails: z.boolean(),
  trustLdapEmails: z.boolean(),
-  trustOidcEmails: z.boolean()
+  trustOidcEmails: z.boolean(),
+  defaultAuthOrgId: z.string()
 });

 type TDashboardForm = z.infer<typeof formSchema>;
@ -62,16 +64,20 @@ export const AdminDashboardPage = () => {
      allowedSignUpDomain: config.allowedSignUpDomain,
      trustSamlEmails: config.trustSamlEmails,
      trustLdapEmails: config.trustLdapEmails,
-      trustOidcEmails: config.trustOidcEmails
+      trustOidcEmails: config.trustOidcEmails,
+      defaultAuthOrgId: config.defaultAuthOrgId ?? ""
    }
  });

-  const signupMode = watch("signUpMode");
+  const signUpMode = watch("signUpMode");
+  const defaultAuthOrgId = watch("defaultAuthOrgId");

  const { user, isLoading: isUserLoading } = useUser();
  const { orgs } = useOrganization();
  const { mutateAsync: updateServerConfig } = useUpdateServerConfig();

+  const organizations = useGetOrganizations();
+
  const isNotAllowed = !user?.superAdmin;

  // TODO(akhilmhdh): on nextjs 14 roadmap this will be properly addressed with context split
@ -86,10 +92,10 @@ export const AdminDashboardPage = () => {

  const onFormSubmit = async (formData: TDashboardForm) => {
    try {
-      const { signUpMode, allowedSignUpDomain, trustSamlEmails, trustLdapEmails, trustOidcEmails } =
-        formData;
+      const { allowedSignUpDomain, trustSamlEmails, trustLdapEmails, trustOidcEmails } = formData;

      await updateServerConfig({
+        defaultAuthOrgId: defaultAuthOrgId || null,
        allowSignUp: signUpMode !== SignUpModes.Disabled,
        allowedSignUpDomain: signUpMode === SignUpModes.Anyone ? allowedSignUpDomain : null,
        trustSamlEmails,
@ -130,7 +136,7 @@ export const AdminDashboardPage = () => {
            </TabList>
            <TabPanel value={TabSections.Settings}>
              <form
-                className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4"
+                className="mb-6 space-y-8 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4"
                onSubmit={handleSubmit(onFormSubmit)}
              >
                <div className="flex flex-col justify-start">
@ -146,13 +152,13 @@ export const AdminDashboardPage = () => {
                    name="signUpMode"
                    render={({ field: { onChange, ...field }, fieldState: { error } }) => (
                      <FormControl
-                        className="max-w-72 w-72"
+                        className="max-w-sm"
                        errorText={error?.message}
                        isError={Boolean(error)}
                      >
                        <Select
-                          className="w-72 bg-mineshaft-700"
-                          dropdownContainerClassName="bg-mineshaft-700"
+                          className="w-full bg-mineshaft-700"
+                          dropdownContainerClassName="bg-mineshaft-800"
                          defaultValue={field.value}
                          onValueChange={(e) => onChange(e)}
                          {...field}
@ -164,8 +170,8 @@ export const AdminDashboardPage = () => {
                    )}
                  />
                </div>
-                {signupMode === "anyone" && (
-                  <div className="mt-8 mb-8 flex flex-col justify-start">
+                {signUpMode === "anyone" && (
+                  <div className="flex flex-col justify-start">
                    <div className="mb-4 text-xl font-semibold text-mineshaft-100">
                      Restrict signup by email domain(s)
                    </div>
@ -191,7 +197,52 @@ export const AdminDashboardPage = () => {
                    />
                  </div>
                )}
-                <div className="mt-8 mb-8 flex flex-col justify-start">
+
+                <div className="flex flex-col justify-start">
+                  <div className="mb-2 text-xl font-semibold text-mineshaft-100">
+                    Default organization
+                  </div>
+                  <div className="mb-4 max-w-sm text-sm text-mineshaft-400">
+                    Select the default organization you want to set for SAML/LDAP based logins. When selected, user logins will be automatically scoped to the selected organization.
+                  </div>
+                  <Controller
+                    control={control}
+                    name="defaultAuthOrgId"
+                    render={({ field: { onChange, ...field }, fieldState: { error } }) => (
+                      <FormControl
+                        className="max-w-sm"
+                        errorText={error?.message}
+                        isError={Boolean(error)}
+                      >
+                        <Select
+                          placeholder="Allow all organizations"
+                          className="w-full bg-mineshaft-700"
+                          dropdownContainerClassName="bg-mineshaft-800"
+                          defaultValue={field.value ?? " "}
+                          onValueChange={(e) => onChange(e)}
+                          {...field}
+                        >
+                          <SelectClear
+                            selectValue={defaultAuthOrgId}
+                            onClear={() => {
+                              console.log("clearing");
+                              onChange("");
+                            }}
+                          >
+                            Allow all organizations
+                          </SelectClear>
+                          {organizations.data?.map((org) => (
+                            <SelectItem key={org.id} value={org.id}>
+                              {org.name}
+                            </SelectItem>
+                          ))}
+                        </Select>
+                      </FormControl>
+                    )}
+                  />
+                </div>
+
+                <div className="flex flex-col justify-start">
                  <div className="mb-2 text-xl font-semibold text-mineshaft-100">Trust emails</div>
                  <div className="mb-4 max-w-sm text-sm text-mineshaft-400">
                    Select if you want Infisical to trust external emails from SAML/LDAP/OIDC
Author	SHA1	Message	Date
Maidul Islam	285a01af51	Merge pull request #2010 from Infisical/misc/add-documentation-for-bitbucket-cli-integration doc: added bitbucket integration with cli	2024-06-25 16:33:07 -04:00
Maidul Islam	f7e658e62b	rename bit bucket options	2024-06-25 16:31:56 -04:00
Maidul Islam	a8aef2934a	Merge pull request #2021 from Infisical/feat/add-option-to-share-secrets-directly feat: added option to share secret directly from main page	2024-06-25 15:55:04 -04:00
Maidul Islam	cc30476f79	Merge pull request #2022 from Infisical/misc/add-prompt-for-deleting-aws-sm-integration misc: added proper prompt for aws secret manager integration deletion	2024-06-25 15:47:55 -04:00
Sheen Capadngan	5139bf2385	misc: added delete prompt for aws secret manager integ deletion	2024-06-26 01:21:14 +08:00
Akhil Mohan	a016d0d33f	Merge pull request #1999 from akhilmhdh/feat/ui-permission-check-broken Terraform identity management apis	2024-06-25 22:46:53 +05:30
Sheen Capadngan	663be06d30	feat: added share secret to main page side nav	2024-06-26 00:22:47 +08:00
Sheen Capadngan	fa392382da	feat: added option to share secret directly from main page	2024-06-25 23:41:17 +08:00
Sheen Capadngan	9a66514178	Merge pull request #2007 from Infisical/feat/project-setting-for-rebuilding-index feat: added project setting for rebuilding secret indices	2024-06-25 15:25:36 +08:00
Vlad Matsiiako	a3c8d06845	Update overview.mdx	2024-06-24 20:25:53 -07:00
Vlad Matsiiako	71b7be4057	Merge pull request #2017 from handotdev/patch-2 Update overview.mdx	2024-06-24 20:25:02 -07:00
Han Wang	5079a5889a	Update overview.mdx	2024-06-24 17:37:35 -07:00
BlackMagiq	232b375f46	Merge pull request #2015 from Infisical/create-pull-request/patch-1719267521 GH Action: rename new migration file timestamp	2024-06-24 17:07:41 -07:00
github-actions	d2acedf79e	chore: renamed new migration files to latest timestamp (gh-action)	2024-06-24 22:18:39 +00:00
BlackMagiq	9d846319b0	Merge pull request #2014 from Infisical/cert-san Add Certificate Support for Alt Names (SANs)	2024-06-24 15:18:17 -07:00
Daniel Hougaard	376e185e2b	Merge pull request #2006 from Infisical/daniel/expand-single-secret-ref feat(api): Expand single secret references	2024-06-24 20:39:54 +02:00
Daniel Hougaard	a15a0a257c	Update identity-router.ts	2024-06-24 20:38:11 +02:00
Maidul Islam	6facce220c	update select default org login	2024-06-24 14:06:31 -04:00
Maidul Islam	620a423cee	update org selection error message	2024-06-24 13:43:56 -04:00
Maidul Islam	361496c644	Merge pull request #2012 from Infisical/create-pull-request/patch-1719249628 GH Action: rename new migration file timestamp	2024-06-24 13:20:49 -04:00
github-actions	e03f77d9cf	chore: renamed new migration files to latest timestamp (gh-action)	2024-06-24 17:20:27 +00:00
Maidul Islam	60cb420242	Merge pull request #2000 from Infisical/daniel/default-org Feat: Default organization slug for LDAP/SAML	2024-06-24 13:20:02 -04:00
Maidul Islam	1b8a77f507	Merge pull request #2002 from Infisical/patch-ldap Patch LDAP undefined userId, email confirmation code sending	2024-06-24 13:19:48 -04:00
Daniel Hougaard	5a957514df	Feat: Clear select option	2024-06-24 19:12:38 +02:00
Daniel Hougaard	a6865585f3	Fix: Failing to create admin config on first run	2024-06-24 19:11:58 +02:00
Daniel Hougaard	1aaca12781	Update super-admin-dal.ts	2024-06-24 19:11:58 +02:00
Daniel Hougaard	7ab5c02000	Requested changes	2024-06-24 19:11:58 +02:00
Daniel Hougaard	c735beea32	Fix: Requested changes	2024-06-24 19:11:58 +02:00
Daniel Hougaard	2d98560255	Updated "defaultOrgId" and "defaultOrgSlug" to "defaultAuthOrgId" and "defaultAuthOrgSlug"	2024-06-24 19:10:22 +02:00
Daniel Hougaard	91bdd7ea6a	Fix: UI descriptions	2024-06-24 19:09:48 +02:00
Daniel Hougaard	b0f3476e4a	Fix: Completely hide org slug input field when org slug is passed or default slug is provided	2024-06-24 19:09:03 +02:00
Daniel Hougaard	14751df9de	Feat: Default SAML/LDAP organization slug	2024-06-24 19:09:03 +02:00
Daniel Hougaard	e1a4185f76	Hide org slug input when default slug is set	2024-06-24 19:08:19 +02:00
Daniel Hougaard	4905ad1f48	Feat: Default SAML/LDAP organization slug	2024-06-24 19:08:19 +02:00
Daniel Hougaard	56bc25025a	Update Login.utils.tsx	2024-06-24 19:08:19 +02:00
Daniel Hougaard	45da563465	Convert navigate function to hook	2024-06-24 19:08:19 +02:00
Daniel Hougaard	1930d40be8	Feat: Default SAML/LDAP organization slug	2024-06-24 19:05:46 +02:00
Daniel Hougaard	30b8d59796	Feat: Default SAML/LDAP organization slug	2024-06-24 19:05:46 +02:00
Daniel Hougaard	aa6cca738e	Update index.ts	2024-06-24 19:05:46 +02:00
Daniel Hougaard	04dee70a55	Type changes	2024-06-24 19:05:46 +02:00
Daniel Hougaard	dfb53dd333	Helper omit function	2024-06-24 19:05:20 +02:00
Daniel Hougaard	ab19e7df6d	Feat: Default SAML/LDAP organization slug	2024-06-24 19:05:20 +02:00
Sheen Capadngan	745f1c4e12	misc: only display when user is admin	2024-06-24 23:24:07 +08:00
Sheen Capadngan	6029eaa9df	misc: modified step title	2024-06-24 20:17:31 +08:00
Sheen Capadngan	8703314c0c	doc: added bitbucket integration with cli	2024-06-24 20:11:53 +08:00
=	084fc7c99e	feat: resolved gcp auth revoke error	2024-06-23 01:25:27 +05:30
=	b6cc17d62a	feat: updated var names and permission, rate limit changes based on comments	2024-06-23 01:21:26 +05:30
Sheen Capadngan	bd0d0bd333	feat: added project setting for rebuilding secret indices	2024-06-22 22:42:36 +08:00
Daniel Hougaard	c426ba517a	Feat: Expand single secret references	2024-06-21 23:12:38 +02:00
Tuan Dang	91634fbe76	Patch LDAP	2024-06-20 17:49:09 -07:00
=	4072a40fe9	feat: completed all revoke for other identity auth	2024-06-20 21:18:45 +05:30
=	0dc132dda3	feat: added universal auth endpoints for revoke and client secret endpoint to fetch details	2024-06-20 21:18:45 +05:30
=	605ccb13e9	feat: added endpoints and docs for identity get by id and list operation	2024-06-20 21:18:45 +05:30