diff --git a/.env.example b/.env.example
index 1e85f10ea2..3c1e86a566 100644
--- a/.env.example
+++ b/.env.example
@@ -172,7 +172,6 @@ ENTERPRISE_LICENSE_KEY=
 # Automatically assign new users to a specific organization and role within that organization
 # Insert an existing organization id or generate a valid CUID for a new one at https://www.getuniqueid.com/cuid (e.g. cjld2cjxh0000qzrmn831i7rn)
 # (Role Management is an Enterprise feature)
-# DEFAULT_ORGANIZATION_ROLE=owner
 # AUTH_SSO_DEFAULT_TEAM_ID=
 # AUTH_SKIP_INVITE_FOR_SSO=
diff --git a/apps/web/modules/auth/signup/page.test.tsx b/apps/web/modules/auth/signup/page.test.tsx
index eaa58eeb41..c16c354322 100644
--- a/apps/web/modules/auth/signup/page.test.tsx
+++ b/apps/web/modules/auth/signup/page.test.tsx
@@ -89,7 +89,6 @@ vi.mock("@/lib/constants", () => ({
 AZURE_OAUTH_ENABLED: true,
 OIDC_OAUTH_ENABLED: true,
 DEFAULT_ORGANIZATION_ID: "test-default-organization-id",
- DEFAULT_ORGANIZATION_ROLE: "test-default-organization-role",
 IS_TURNSTILE_CONFIGURED: true,
 SAML_TENANT: "test-saml-tenant",
 SAML_PRODUCT: "test-saml-product",
diff --git a/apps/web/modules/ee/sso/lib/tests/sso-handlers.test.ts b/apps/web/modules/ee/sso/lib/tests/sso-handlers.test.ts
index 6ecc54a2c0..eaf921b5d9 100644
--- a/apps/web/modules/ee/sso/lib/tests/sso-handlers.test.ts
+++ b/apps/web/modules/ee/sso/lib/tests/sso-handlers.test.ts
@@ -93,7 +93,6 @@ vi.mock("@/lib/constants", () => ({
 SKIP_INVITE_FOR_SSO: 0,
 DEFAULT_TEAM_ID: "team-123",
 DEFAULT_ORGANIZATION_ID: "org-123",
- DEFAULT_ORGANIZATION_ROLE: "member",
 ENCRYPTION_KEY: "test-encryption-key-32-chars-long",
 }));
diff --git a/apps/web/modules/setup/(fresh-instance)/signup/page.test.tsx b/apps/web/modules/setup/(fresh-instance)/signup/page.test.tsx
index 68b692d9c0..e73dbcb8ff 100644
--- a/apps/web/modules/setup/(fresh-instance)/signup/page.test.tsx
+++ b/apps/web/modules/setup/(fresh-instance)/signup/page.test.tsx
@@ -47,7 +47,6 @@ vi.mock("@/lib/constants", () => ({
 AZURE_OAUTH_ENABLED: true,
 OIDC_OAUTH_ENABLED: true,
 DEFAULT_ORGANIZATION_ID: "test-default-organization-id",
- DEFAULT_ORGANIZATION_ROLE: "test-default-organization-role",
 IS_TURNSTILE_CONFIGURED: true,
 SAML_TENANT: "test-saml-tenant",
 SAML_PRODUCT: "test-saml-product",
diff --git a/apps/web/modules/setup/organization/[organizationId]/invite/page.test.tsx b/apps/web/modules/setup/organization/[organizationId]/invite/page.test.tsx
index 1ad1ca67a8..65501963af 100644
--- a/apps/web/modules/setup/organization/[organizationId]/invite/page.test.tsx
+++ b/apps/web/modules/setup/organization/[organizationId]/invite/page.test.tsx
@@ -48,7 +48,6 @@ vi.mock("@/lib/constants", () => ({
 AZURE_OAUTH_ENABLED: true,
 OIDC_OAUTH_ENABLED: true,
 DEFAULT_ORGANIZATION_ID: "test-default-organization-id",
- DEFAULT_ORGANIZATION_ROLE: "test-default-organization-role",
 IS_TURNSTILE_CONFIGURED: true,
 SAML_TENANT: "test-saml-tenant",
 SAML_PRODUCT: "test-saml-product",
diff --git a/apps/web/modules/setup/organization/create/page.test.tsx b/apps/web/modules/setup/organization/create/page.test.tsx
index d2879107cd..e8eaaddcc6 100644
--- a/apps/web/modules/setup/organization/create/page.test.tsx
+++ b/apps/web/modules/setup/organization/create/page.test.tsx
@@ -50,7 +50,6 @@ vi.mock("@/lib/constants", () => ({
 AZURE_OAUTH_ENABLED: true,
 OIDC_OAUTH_ENABLED: true,
 DEFAULT_ORGANIZATION_ID: "test-default-organization-id",
- DEFAULT_ORGANIZATION_ROLE: "test-default-organization-role",
 IS_TURNSTILE_CONFIGURED: true,
 SAML_TENANT: "test-saml-tenant",
 SAML_PRODUCT: "test-saml-product",
diff --git a/docs/mint.json b/docs/mint.json
index e333ddc5e5..83a1d8c700 100644
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -260,6 +260,7 @@
 "group": "Auth & SSO",
 "icon": "lock",
 "pages": [
+ "self-hosting/auth-behavior",
 "self-hosting/configuration/auth-sso/open-id-connect",
 "self-hosting/configuration/auth-sso/azure-ad-oauth",
 "self-hosting/configuration/auth-sso/google-oauth",
diff --git a/docs/self-hosting/auth-behavior.mdx b/docs/self-hosting/auth-behavior.mdx
new file mode 100644
index 0000000000..33d273ffed
--- /dev/null
+++ b/docs/self-hosting/auth-behavior.mdx
@@ -0,0 +1,64 @@
+---
+title: "Authentication Behavior"
+description: "Learn how authentication and user invitation work in self-hosted Formbricks deployments."
+icon: "user"
+---
+
+## Overview
+
+In self-hosted Formbricks, user management and authentication can be customized using environment variables. By default, self-hosted instances have user signup disabled, and only organization owners or admins can invite new users. The behavior of the authentication and invitation flow can be further controlled using the following environment variables:
+
+- `AUTH_SKIP_INVITE_FOR_SSO`
+- `AUTH_DEFAULT_TEAM_ID`
+
+## License Requirement for Role Management and SSO Behavior
+
+ To control advanced role management features and environment-based SSO behavior, your self-hosted Formbricks
+ instance must have a valid enterprise license.
+
+## Environment Variables
+
+### `AUTH_SKIP_INVITE_FOR_SSO`
+
+- **Type:** Boolean (0 or 1)
+- **Default:** 0 (invite required)
+- **Description:**
+ - When set to `1`, users who sign up via SSO (Single Sign-On) providers (such as Google, Azure AD, SAML, or OIDC) can create an account without requiring an invitation.
+ - When set to `0` (default), all users—including those signing up via SSO—must be invited by an organization owner or admin before they can create an account.
+- **Use case:**
+ - Set this to `1` if you want to allow anyone with access to your SSO provider to join your Formbricks instance without a manual invite.
+ - Keep it at `0` for stricter access control, where only invited users can join, regardless of SSO.
+
+### `AUTH_DEFAULT_TEAM_ID`
+
+- **Type:** String (Team ID, a valid cuid)
+- **Default:** None (must be set if you want to use default team assignment)
+- **Description:**
+ - When a new user is invited or signs up (if allowed), they will automatically be added to the team with the ID specified in this variable.
+ - This is useful for onboarding users into a default team, ensuring they have access to relevant projects and resources immediately after joining.
+- **Use case:**
+ - Set this to the ID of your default team to streamline onboarding for new users.
+ - If not set, users will not be automatically assigned to any team upon signup or invite acceptance.
+
+## Example `.env` Configuration
+
+```env
+# Allow SSO users to join without invite
+AUTH_SKIP_INVITE_FOR_SSO=1
+
+# Automatically assign new users to this team
+AUTH_DEFAULT_TEAM_ID=team-123
+```
+
+Refer to the [Environment Variables documentation](./configuration/environment-variables) for a full list and details.
+
+---
+
+For more information on SSO setup, see:
+
+- [Google OAuth](./configuration/auth-sso/google-oauth)
+- [Azure AD OAuth](./configuration/auth-sso/azure-ad-oauth)
+- [Open ID Connect](./configuration/auth-sso/open-id-connect)
+- [SAML SSO](./configuration/auth-sso/saml-sso)
diff --git a/docs/self-hosting/configuration/environment-variables.mdx b/docs/self-hosting/configuration/environment-variables.mdx
index a2e62b037e..915e46c26b 100644
--- a/docs/self-hosting/configuration/environment-variables.mdx
+++ b/docs/self-hosting/configuration/environment-variables.mdx
@@ -55,7 +55,6 @@ These variables are present inside your machine's docker-compose file. Restart t
 | TELEMETRY_DISABLED | Disables telemetry if set to 1. | optional | |
 | DEFAULT_BRAND_COLOR | Default brand color for your app (Can be overwritten from the UI as well). | optional | #64748b |
 | DEFAULT_ORGANIZATION_ID | Automatically assign new users to a specific organization when joining | optional | |
-| DEFAULT_ORGANIZATION_ROLE | Role of the user in the default organization. | optional | owner |
 | OIDC_DISPLAY_NAME | Display name for Custom OpenID Connect Provider | optional | |
 | OIDC_CLIENT_ID | Client ID for Custom OpenID Connect Provider | optional (required if OIDC auth is enabled) | |
 | OIDC_CLIENT_SECRET | Secret for Custom OpenID Connect Provider | optional (required if OIDC auth is enabled) | |