From 703dde783bbd7ffbce8837b356da0452d4dc1569 Mon Sep 17 00:00:00 2001
From: Miguel Serrano <mserranom@users.noreply.github.com>
Date: Fri, 11 Jul 2025 09:14:21 +0200
Subject: [PATCH] Merge pull request #26513 from
 overleaf/msm-fix-sso-disable-managed-group

[web] Fix disable managed users clears SSO enrollment

GitOrigin-RevId: 75742840b5cee98a203ad11e9213e2e31cf18985
---
 .../acceptance/src/helpers/Subscription.mjs   |  4 ++++
 .../test/acceptance/src/helpers/groupSSO.mjs  | 23 +++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/services/web/test/acceptance/src/helpers/Subscription.mjs b/services/web/test/acceptance/src/helpers/Subscription.mjs
index 420dda56d9..6b6f87e4d6 100644
--- a/services/web/test/acceptance/src/helpers/Subscription.mjs
+++ b/services/web/test/acceptance/src/helpers/Subscription.mjs
@@ -88,6 +88,10 @@ class PromisifiedSubscription {
     await Modules.promises.hooks.fire('enableManagedUsers', this._id)
   }
 
+  async disableManagedUsers() {
+    await Modules.promises.hooks.fire('disableManagedUsers', this._id)
+  }
+
   async enableFeatureSSO() {
     await SubscriptionModel.findOneAndUpdate(
       { _id: new ObjectId(this._id) },
diff --git a/services/web/test/acceptance/src/helpers/groupSSO.mjs b/services/web/test/acceptance/src/helpers/groupSSO.mjs
index 1953b3e787..4388279578 100644
--- a/services/web/test/acceptance/src/helpers/groupSSO.mjs
+++ b/services/web/test/acceptance/src/helpers/groupSSO.mjs
@@ -187,6 +187,29 @@ export async function linkGroupMember(
   return userHelper
 }
 
+export async function checkUserHasSSOLinked(userId, groupId) {
+  const internalProviderId = getProviderId(groupId)
+  const user = await UserGetter.promises.getUser(
+    { _id: userId },
+    { samlIdentifiers: 1, enrollment: 1 }
+  )
+
+  const { enrollment, samlIdentifiers } = user
+  const linkedToGroupSSO = samlIdentifiers.some(
+    identifier => identifier.providerId === internalProviderId
+  )
+  if (!linkedToGroupSSO) {
+    throw new Error('user saml identifiers are not linked to subscription')
+  }
+
+  const userIsEnrolledInSSO = enrollment.sso.some(
+    sso => sso.groupId.toString() === groupId.toString()
+  )
+  if (!userIsEnrolledInSSO) {
+    throw new Error('user is not enrolled in subscription')
+  }
+}
+
 export async function setConfigAndEnableSSO(
   subscriptionHelper,
   adminEmailPassword,