From 446c4f048fc2482127104b991f59f5a1207adbc5 Mon Sep 17 00:00:00 2001
From: "junior[bot]" <junior[bot]@sentry.io>
Date: Wed, 13 May 2026 00:17:59 +0000
Subject: [PATCH] fix(auth): conditionally show unlinked member warning based
 on SSO requirement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When an SSO provider is configured but 'Require SSO' is not enabled,
the unlinked members warning incorrectly states that unlinked members
'will be unable to access the organization.' In reality, they can still
log in with email and password — they just can't use the SSO provider.

Pass the require_link flag to the template context and show an accurate
message depending on whether SSO is actually required:
- Required: keep the existing 'unable to access' warning
- Not required: explain they can still use email/password but can't use
  the SSO provider until linked
---
 .../sentry/organization-auth-provider-settings.html    | 10 +++++++++-
 src/sentry/web/frontend/organization_auth_settings.py  |  1 +
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/sentry/templates/sentry/organization-auth-provider-settings.html b/src/sentry/templates/sentry/organization-auth-provider-settings.html
index 630fdd2341db4c..bfcd18889d5b81 100644
--- a/src/sentry/templates/sentry/organization-auth-provider-settings.html
+++ b/src/sentry/templates/sentry/organization-auth-provider-settings.html
@@ -33,12 +33,20 @@ <h3>{{ provider_name }} Authentication</h3>
         {% if pending_links_count %}
           <legend>Unlinked Members</legend>
 
+          {% if require_link %}
           <p>
             There are currently {{ pending_links_count }} member(s) who have
             not yet linked their account with {{ provider_name }}. Until this
             is done they will be unable to access the organization.
-
           </p>
+          {% else %}
+          <p>
+            There are currently {{ pending_links_count }} member(s) who have
+            not yet linked their account with {{ provider_name }}. They can
+            still access the organization using their email and password, but
+            will not be able to log in via {{ provider_name }} until linked.
+          </p>
+          {% endif %}
 
           <p>
             <button class="btn btn-primary" name="op" value="reinvite">Send Reminders</button>
diff --git a/src/sentry/web/frontend/organization_auth_settings.py b/src/sentry/web/frontend/organization_auth_settings.py
index dbf55d84f4e986..ec7d7048af3c99 100644
--- a/src/sentry/web/frontend/organization_auth_settings.py
+++ b/src/sentry/web/frontend/organization_auth_settings.py
@@ -236,6 +236,7 @@ def handle_existing_provider(
             ),
             "auth_provider": auth_provider,
             "provider_name": provider.name,
+            "require_link": not auth_provider.flags.allow_unlinked,
             "scim_token_display": scim_token_display,
             "scim_url": get_scim_url(auth_provider, organization),
             "content": response,