fix: show Connect buttons for unconfigured SSO providers when another provider is already configured

[devin-ai-integration]

Context

When any SSO provider (e.g., SAML) was configured, the "Connect an Identity Provider" section was completely hidden. This was caused by a mutually exclusive ternary in OrgSsoTab — it either showed the "Connect" buttons OR the configured provider management sections, never both. This made it impossible to add a second provider (e.g., OIDC) through the UI once any provider was already set up.

The fix changes the rendering to show both sections independently:

• Configured provider management sections render when at least one provider is configured
• "Connect" buttons render for any providers that are not yet configured
• The "Connect an Identity Provider" card automatically disappears once all providers are configured
• The SSO-disabled empty state is now an early return guard

Steps to verify the change

1. Go to Organization Settings → SSO tab
2. Configure SAML (or any single SSO provider)
3. Verify the SAML management section appears and the "Connect an Identity Provider" section still shows with OIDC and LDAP connect buttons
4. Configure OIDC as well — verify the connect section now only shows LDAP
5. Configure all three — verify the connect section disappears entirely
6. With no providers configured, verify the original "Connect an Identity Provider" view with all three options still works

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description
• Tested locally
• Updated docs (if needed)
• Updated CLAUDE.md files (if needed)
• Read the contributing guide

Link to Devin session: https://app.devin.ai/sessions/de20f37b99b744e4af697e919eb017aa

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Summary

This PR fixes a UI bug in OrgSsoTab where configuring any SSO provider completely hid the "Connect an Identity Provider" section, making it impossible to add a second provider through the UI. The fix replaces the previous mutually exclusive ternary with two independent render blocks — one for already-configured providers, one for unconfigured providers — and promotes the loading/admin-disabled states to early returns for clarity.

Confidence Score: 5/5

Safe to merge — purely a frontend UI restructure with no logic errors or security implications.

The change is a straightforward UI fix that correctly separates two independent render blocks. No API calls, permissions, or data mutations are modified. Early return ordering is correct (loading check before admin-disabled check). The modals (SSOModal, OIDCModal, LDAPModal with hideDelete) are appropriately scoped to the Connect section only, consistent with prior behavior. No P0 or P1 findings.

No files require special attention.

Important Files Changed

Filename	Overview
frontend/src/pages/organization/SettingsPage/components/OrgSsoTab/OrgSsoTab.tsx	Restructures the SSO tab rendering so configured provider sections and the "Connect" section for unconfigured providers render independently, fixing the mutual-exclusion bug; early return guard added for loading and admin-disabled states.

_{Reviews (1): Last reviewed commit: "fix: show Connect buttons for unconfigur..." | Re-trigger Greptile}

[devin-ai-integration]

Test Results: SSO Provider Visibility Fix

Ran the frontend locally against a local dev environment. Used Playwright CDP to intercept API responses and simulate configured SSO providers (since the Free plan doesn't include SSO features).

Results

• TC1: Default state (no providers configured) — passed. All 3 connect buttons (SAML, OIDC, LDAP) visible.
• TC2: SAML configured, OIDC/LDAP unconfigured — passed. SAML management section appears with "Manage" button AND "Connect an Identity Provider" section shows with OIDC and LDAP connect buttons. This is the core bug scenario from the original report.
• TC3: SAML + OIDC configured, LDAP unconfigured — passed. Both SAML and OIDC management sections visible, Connect section shows only LDAP button.
• TC4: All three configured — passed. All management sections visible, Connect section correctly hidden.

Screenshots

TC1: Default state — all 3 connect buttons visible

TC2: SAML configured — OIDC/LDAP connect buttons still visible (core bug fix)

TC3: SAML + OIDC configured — only LDAP connect button remains

TC4: All three configured — connect section hidden

Devin session