diff --git a/app/controllers/oidc_accounts_controller.rb b/app/controllers/oidc_accounts_controller.rb
index bfc6597ab..8e346fe79 100644
--- a/app/controllers/oidc_accounts_controller.rb
+++ b/app/controllers/oidc_accounts_controller.rb
@@ -118,17 +118,19 @@ class OidcAccountsController < ApplicationController
if @user.save
# Create the OIDC (or other SSO) identity
- OidcIdentity.create_from_omniauth(
+ identity = OidcIdentity.create_from_omniauth(
build_auth_hash(@pending_auth),
@user
)
- # Log JIT account creation
- SsoAuditLog.log_jit_account_created!(
- user: @user,
- provider: @pending_auth["provider"],
- request: request
- )
+ # Only log JIT account creation if identity was successfully created
+ if identity.persisted?
+ SsoAuditLog.log_jit_account_created!(
+ user: @user,
+ provider: @pending_auth["provider"],
+ request: request
+ )
+ end
# Clear pending auth from session
session.delete(:pending_oidc_auth)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index cb375d752..337447ee3 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -144,11 +144,15 @@ class SessionsController < ApplicationController
end
def failure
+ # Sanitize reason to known values only
+ known_reasons = %w[sso_provider_unavailable sso_invalid_response sso_failed]
+ sanitized_reason = known_reasons.include?(params[:message]) ? params[:message] : "sso_failed"
+
# Log failed SSO attempt
SsoAuditLog.log_login_failed!(
provider: params[:strategy],
request: request,
- reason: params[:message]
+ reason: sanitized_reason
)
message = case params[:message]
diff --git a/app/views/admin/sso_providers/_form.html.erb b/app/views/admin/sso_providers/_form.html.erb
index 88de8c6c6..61b8a6c17 100644
--- a/app/views/admin/sso_providers/_form.html.erb
+++ b/app/views/admin/sso_providers/_form.html.erb
@@ -158,8 +158,7 @@