npm - @open-mercato/enterprise - Versions diffs - 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6 - Mend

@open-mercato/enterprise 0.4.6-develop-15c18897fc → 0.4.6-develop-34aa847ce6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/src/modules/sso/docs/zitadel-setup.md ADDED Viewed

@@ -0,0 +1,195 @@
+# Zitadel Setup Guide for Open Mercato SSO
+This guide walks through setting up Zitadel as the identity provider for OIDC login and SCIM user provisioning in Open Mercato.
+**Free tier**: Zitadel Cloud offers a free tier with up to 25,000 monthly active users.
+---
+## 1. Create a Zitadel Instance
+1. Go to https://zitadel.com and sign up for a free account
+2. Create a new instance (or use the default one)
+3. Note your instance domain: `https://<instance>.zitadel.cloud`
+## 2. Create Test Users
+1. In the Zitadel Console, go to **Users** → **+ New**
+2. Fill in:
+   - **Username**: e.g., `testuser@yourdomain.com`
+   - **First name** / **Last name**
+   - **Email**: the user's email address
+   - **Password**: set an initial password
+3. Click **Create**
+4. Repeat for 2-3 test users
+## 3. Register the OIDC Application
+1. In the Zitadel Console, go to **Projects** → **+ New**
+2. Name the project `Open Mercato` and click **Continue**
+3. Click **+ New Application**
+4. Configure:
+| Field | Value |
+|-------|-------|
+| **Name** | `Open Mercato` |
+| **Type** | `Web` |
+| **Authentication Method** | `Code (PKCE)` |
+| **Redirect URIs** | `http://localhost:3000/api/sso/callback/oidc` |
+| **Post-Logout URIs** | `http://localhost:3000/login` |
+5. Click **Create**
+6. On the application overview, note:
+   - **Client ID**
+   - **Client Secret** (generate one if using Code flow)
+### OIDC Credentials Summary
+| Credential | Where to find it | Value |
+|------------|-----------------|-------|
+| **Issuer URL** | Instance domain | `https://<instance>.zitadel.cloud` |
+| **Client ID** | Application → General | Copy from console |
+| **Client Secret** | Application → General → Generate | Copy immediately |
+| **Redirect URI** | You configured this | `http://localhost:3000/api/sso/callback/oidc` |
+### Configure Token Claims
+Zitadel includes `email`, `given_name`, `family_name`, and `email_verified` in ID tokens by default when the `openid`, `profile`, and `email` scopes are requested. No additional configuration is needed.
+### Assign Users
+By default, all users in the organization can access the application. To restrict access:
+1. Go to your Project → **Authorizations** → **+ New**
+2. Select specific users or grant roles
+3. Enable "Require authorization" on the project settings if you want to restrict access
+---
+## 4. Create the SSO Config in Open Mercato
+1. Log into Open Mercato as admin
+2. Go to **Settings** → **Single Sign-On** → **Create New**
+3. Select **OIDC** as the protocol
+4. Enter:
+   - **Name**: `Zitadel`
+   - **Issuer URL**: `https://<instance>.zitadel.cloud`
+   - **Client ID**: (paste from Zitadel)
+   - **Client Secret**: (paste from Zitadel)
+5. Add allowed email domains (e.g., `yourdomain.com`)
+6. Test the connection (Verify Discovery)
+7. Activate the config
+### Verify OIDC Login
+1. Open a private/incognito browser window
+2. Go to the Open Mercato login page
+3. Enter an email address belonging to one of your test users
+4. The HRD check should detect SSO and redirect to Zitadel login
+5. Authenticate at Zitadel
+6. You should be redirected back to Open Mercato and logged in
+---
+## 5. Configure SCIM Provisioning
+**Prerequisite**: Generate a SCIM bearer token from Open Mercato via the admin UI (SSO config → Provisioning tab → Generate Token).
+### Zitadel SCIM Support
+Zitadel supports outbound SCIM provisioning through its **Actions** feature (custom workflows). As of 2026, Zitadel also offers a native SCIM provisioning option:
+1. Go to your Project → **Open Mercato** application
+2. Navigate to **Provisioning** or **Actions**
+3. Configure SCIM outbound provisioning:
+| Field | Value |
+|-------|-------|
+| **SCIM Base URL** | `http://localhost:3000/api/sso/scim/v2` (dev) or `https://<your-domain>/api/sso/scim/v2` (prod) |
+| **Bearer Token** | Paste the SCIM token from Open Mercato |
+4. Test the connection
+### Alternative: Manual/API-Based Provisioning
+If Zitadel's native SCIM outbound is not available in your version, use the Zitadel Management API to sync users:
+1. Create a Service User in Zitadel with Management API access
+2. Use the Zitadel Management API to list users
+3. Push user changes to Open Mercato's SCIM endpoint
+---
+## 6. Test the Full Flow
+### Test OIDC Login
+1. Navigate to Open Mercato login
+2. Enter a test user's email
+3. **Expected**: Redirect to Zitadel → authenticate → redirect back to Open Mercato
+4. Verify the user appears in the Open Mercato admin panel
+### Test JIT Provisioning
+If SCIM is not configured and JIT is enabled:
+1. Log in as a new user via OIDC
+2. **Expected**: User is automatically created in Open Mercato with `provisioningMethod: jit`
+3. Verify user profile (name, email) matches Zitadel
+### Test SCIM Provisioning (if configured)
+1. Create a new user in Zitadel
+2. Wait for provisioning cycle (or trigger manually)
+3. **Expected**: User appears in Open Mercato with `provisioningMethod: scim`
+4. Update the user in Zitadel → verify changes propagate
+5. Deactivate the user in Zitadel → verify deactivation in Open Mercato
+---
+## Zitadel SCIM Quirks
+| Quirk | Description | How to handle |
+|-------|-------------|---------------|
+| **Standard-compliant** | Zitadel follows SCIM 2.0 spec closely | Standard parsing works |
+| **`email_verified` claim** | Always included in ID tokens | No special handling needed |
+| **Group claims** | Available via project roles | Configure role mappings if needed |
+| **PKCE support** | Natively supports S256 PKCE | Automatically used by Open Mercato |
+---
+## Troubleshooting
+### OIDC login redirects but fails
+- Verify the Redirect URI matches exactly: `http://localhost:3000/api/sso/callback/oidc`
+- Check that the Issuer URL matches your instance: `https://<instance>.zitadel.cloud`
+- Verify Client ID and Client Secret
+- Check the Zitadel Console → **Events** for error details
+### "redirect_uri_mismatch" error
+- Ensure the redirect URI registered in Zitadel matches exactly (including protocol and port)
+- No trailing slash differences
+- For production, use HTTPS
+### Users can't log in
+- Check that users exist in the same Zitadel organization
+- If "Require authorization" is enabled on the project, ensure users have project grants
+- Check that the email domain matches the allowed domains in Open Mercato SSO config
+### SCIM connection fails
+- For local dev, Zitadel needs to reach your server over the internet
+- Use ngrok: `ngrok http 3000`
+- Update the SCIM Base URL to the ngrok URL
+---
+## Reference
+- [Zitadel OIDC Documentation](https://zitadel.com/docs/guides/integrate/login/oidc)
+- [Zitadel SCIM Documentation](https://zitadel.com/docs/guides/integrate/scim)
+- [Zitadel Actions](https://zitadel.com/docs/guides/manage/customize/actions)
+- [Zitadel Cloud](https://zitadel.com/pricing)

package/src/modules/sso/events.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { createModuleEvents } from '@open-mercato/shared/modules/events'
+const events = [
+  { id: 'sso.login.initiated', label: 'SSO Login Initiated', category: 'lifecycle' },
+  { id: 'sso.login.completed', label: 'SSO Login Completed', category: 'lifecycle' },
+  { id: 'sso.login.failed', label: 'SSO Login Failed', category: 'lifecycle' },
+  { id: 'sso.identity.linked', label: 'SSO Identity Linked', category: 'lifecycle' },
+  { id: 'sso.identity.created', label: 'SSO Identity Created (JIT)', category: 'lifecycle' },
+  { id: 'sso.config.created', label: 'SSO Config Created', entity: 'sso_config', category: 'crud' },
+  { id: 'sso.config.updated', label: 'SSO Config Updated', entity: 'sso_config', category: 'crud' },
+  { id: 'sso.config.deleted', label: 'SSO Config Deleted', entity: 'sso_config', category: 'crud' },
+  { id: 'sso.config.activated', label: 'SSO Config Activated', entity: 'sso_config', category: 'lifecycle' },
+  { id: 'sso.config.deactivated', label: 'SSO Config Deactivated', entity: 'sso_config', category: 'lifecycle' },
+  { id: 'sso.domain.added', label: 'SSO Domain Added', entity: 'sso_config', category: 'lifecycle' },
+  { id: 'sso.domain.removed', label: 'SSO Domain Removed', entity: 'sso_config', category: 'lifecycle' },
+] as const
+export const eventsConfig = createModuleEvents({ moduleId: 'sso', events })
+export const emitSsoEvent = eventsConfig.emit
+export type SsoEventId = typeof events[number]['id']
+export default eventsConfig

package/src/modules/sso/i18n/de.json ADDED Viewed

@@ -0,0 +1,146 @@
+{
+  "common.activating": "Wird aktiviert...",
+  "common.add": "Hinzufügen",
+  "common.back": "Zurück",
+  "common.cancel": "Abbrechen",
+  "common.copied": "In die Zwischenablage kopiert",
+  "common.copy": "Kopieren",
+  "common.create": "Erstellen",
+  "common.creating": "Wird erstellt...",
+  "common.delete": "Löschen",
+  "common.disabled": "Deaktiviert",
+  "common.dismiss": "Verwerfen",
+  "common.edit": "Bearbeiten",
+  "common.enabled": "Aktiviert",
+  "common.loading": "Wird geladen...",
+  "common.next": "Weiter",
+  "common.notFound": "Nicht gefunden",
+  "common.remove": "Entfernen",
+  "common.save": "Speichern",
+  "common.saving": "Wird gespeichert...",
+  "settings.sections.auth": "Authentifizierung",
+  "sso.admin.action.activate": "Aktivieren",
+  "sso.admin.action.deactivate": "Deaktivieren",
+  "sso.admin.action.test": "Erkennung überprüfen",
+  "sso.admin.activated": "SSO-Konfiguration aktiviert",
+  "sso.admin.activity.empty": "Noch keine SSO-Anmeldeaktivität. Aktivitäten werden hier angezeigt, sobald Benutzer sich über SSO anmelden.",
+  "sso.admin.banner.activateNow": "Jetzt aktivieren",
+  "sso.admin.banner.created": "Ihre SSO-Konfiguration wurde erstellt. Möchten Sie sie jetzt aktivieren?",
+  "sso.admin.banner.notYet": "Noch nicht",
+  "sso.admin.column.created": "Erstellt",
+  "sso.admin.column.domains": "Domains",
+  "sso.admin.column.name": "Name",
+  "sso.admin.column.protocol": "Protokoll",
+  "sso.admin.column.status": "Status",
+  "sso.admin.create.title": "SSO konfigurieren",
+  "sso.admin.created": "SSO-Konfiguration erstellt",
+  "sso.admin.deactivated": "SSO-Konfiguration deaktiviert",
+  "sso.admin.delete.confirm": "Sind Sie sicher? Die SSO-Konfiguration wird entfernt. Benutzer mit verknüpften SSO-Identitäten müssen die Passwort-Anmeldung verwenden.",
+  "sso.admin.delete.success": "SSO-Konfiguration gelöscht",
+  "sso.admin.delete.title": "SSO-Konfiguration löschen",
+  "sso.admin.detail.backToList": "Zurück zu SSO",
+  "sso.admin.detail.title": "SSO-Konfiguration",
+  "sso.admin.domains.empty": "Keine Domains konfiguriert. Fügen Sie mindestens eine Domain hinzu, bevor Sie SSO aktivieren.",
+  "sso.admin.empty.cta": "SSO konfigurieren",
+  "sso.admin.empty.description": "Konfigurieren Sie Single Sign-On, damit sich Ihre Benutzer mit Ihrem Identitätsanbieter authentifizieren können.",
+  "sso.admin.empty.title": "Kein SSO konfiguriert",
+  "sso.admin.error.activationFailed": "Aktivierungsstatus konnte nicht aktualisiert werden",
+  "sso.admin.error.alreadyExists": "Für diese Organisation existiert bereits eine SSO-Konfiguration",
+  "sso.admin.error.createFailed": "SSO-Konfiguration konnte nicht erstellt werden",
+  "sso.admin.error.deleteActive": "Eine aktive SSO-Konfiguration kann nicht gelöscht werden — deaktivieren Sie sie zuerst",
+  "sso.admin.error.deleteFailed": "SSO-Konfiguration konnte nicht gelöscht werden",
+  "sso.admin.error.domainAddFailed": "Domain konnte nicht hinzugefügt werden",
+  "sso.admin.error.domainRemoveFailed": "Domain konnte nicht entfernt werden",
+  "sso.admin.error.loadFailed": "SSO-Konfiguration konnte nicht geladen werden",
+  "sso.admin.error.noDomainsForActivation": "Fügen Sie mindestens eine erlaubte E-Mail-Domain hinzu, bevor Sie aktivieren",
+  "sso.admin.error.saveFailed": "SSO-Konfiguration konnte nicht gespeichert werden",
+  "sso.admin.error.testFailed": "Verbindungstest fehlgeschlagen",
+  "sso.admin.field.autoLinkByEmail": "Automatische Verknüpfung per E-Mail",
+  "sso.admin.field.autoLinkByEmailDesc": "Bestehende Benutzer automatisch über übereinstimmende E-Mail-Adresse verknüpfen",
+  "sso.admin.field.changeSecret": "Ändern",
+  "sso.admin.field.clientId": "Client-ID",
+  "sso.admin.field.clientSecret": "Client-Geheimnis",
+  "sso.admin.field.issuer": "Aussteller-URL",
+  "sso.admin.field.jitDisabledByScim": "Nicht verfügbar — SCIM-Verzeichnissynchronisierung ist aktiv. Widerrufen Sie SCIM-Token, um JIT zu aktivieren.",
+  "sso.admin.field.jitEnabled": "Just-in-Time-Bereitstellung",
+  "sso.admin.field.jitEnabledDesc": "Benutzerkonten automatisch bei der ersten SSO-Anmeldung erstellen",
+  "sso.admin.field.name": "Konfigurationsname",
+  "sso.admin.field.protocol": "Protokoll",
+  "sso.admin.field.secretPlaceholder": "Neues Geheimnis eingeben, um das bestehende zu ersetzen",
+  "sso.admin.field.secretRequired": "Client-Geheimnis eingeben",
+  "sso.admin.field.secretSet": "Client-Geheimnis ist konfiguriert",
+  "sso.admin.new": "Neue SSO-Konfiguration",
+  "sso.admin.roles.description": "Ordnen Sie IdP-App-Rollennamen lokalen Rollen zu. Bei jeder SSO-Anmeldung werden SSO-basierte Rollen synchronisiert — Rollen, die der IdP nicht mehr sendet, werden entfernt, während manuell zugewiesene Rollen erhalten bleiben.",
+  "sso.admin.roles.empty": "Keine Rollenzuordnungen konfiguriert. IdP-Rollennamen werden direkt mit lokalen Rollennamen abgeglichen.",
+  "sso.admin.roles.error.duplicate": "Diese IdP-Rolle ist bereits zugeordnet",
+  "sso.admin.roles.error.emptyIdpRole": "IdP-Rollenname ist erforderlich",
+  "sso.admin.roles.error.emptyLocalRole": "Wählen Sie eine lokale Rolle",
+  "sso.admin.roles.error.saveFailed": "Rollenzuordnungen konnten nicht gespeichert werden",
+  "sso.admin.roles.idpRole": "IdP-Rollenname",
+  "sso.admin.roles.idpRolePlaceholder": "z.B. OpenMercato.Admin",
+  "sso.admin.roles.localRole": "Lokale Rolle",
+  "sso.admin.roles.saved": "Rollenzuordnungen gespeichert",
+  "sso.admin.saved": "SSO-Konfiguration gespeichert",
+  "sso.admin.scim.endpointCopied": "SCIM-Endpunkt-URL kopiert",
+  "sso.admin.scim.endpointUrl": "SCIM-Endpunkt-URL",
+  "sso.admin.scim.error.createFailed": "SCIM-Token konnte nicht erstellt werden",
+  "sso.admin.scim.error.revokeFailed": "Token konnte nicht widerrufen werden",
+  "sso.admin.scim.generateToken": "Token generieren",
+  "sso.admin.scim.googleNotSupported": "Google Workspace unterstützt keine SCIM-Bereitstellung. Benutzer werden beim ersten Anmelden per Just-In-Time (JIT) bereitgestellt.",
+  "sso.admin.scim.jitActiveWarning": "SCIM-Bereitstellung ist nicht verfügbar, solange JIT aktiviert ist. Deaktivieren Sie JIT im Tab Allgemein, um SCIM zu konfigurieren.",
+  "sso.admin.scim.log.error": "Fehler",
+  "sso.admin.scim.log.operation": "Vorgang",
+  "sso.admin.scim.log.resource": "Ressource",
+  "sso.admin.scim.log.status": "Status",
+  "sso.admin.scim.log.time": "Zeit",
+  "sso.admin.scim.noTokens": "SCIM-Bereitstellung ist nicht konfiguriert. Generieren Sie ein Bearer-Token, damit Ihr Identitätsanbieter Benutzer automatisch synchronisieren kann.",
+  "sso.admin.scim.recentActivity": "Letzte Bereitstellungsaktivität",
+  "sso.admin.scim.revoke.action": "Widerrufen",
+  "sso.admin.scim.revoke.confirm": "Sind Sie sicher? Dieses Token wird SCIM-Anfragen nicht mehr authentifizieren.",
+  "sso.admin.scim.revoke.title": "Token widerrufen",
+  "sso.admin.scim.revoked": "Token widerrufen",
+  "sso.admin.scim.tokenActive": "Aktiv",
+  "sso.admin.scim.tokenCopied": "Token in die Zwischenablage kopiert",
+  "sso.admin.scim.tokenCreated": "Ihr SCIM-Token wurde erstellt. Kopieren Sie es jetzt — es wird nicht erneut angezeigt.",
+  "sso.admin.scim.tokenNamePlaceholder": "Token-Name (z.B. Entra ID Produktion)",
+  "sso.admin.scim.tokenRevoked": "Widerrufen",
+  "sso.admin.scim.tokens": "Bearer-Token",
+  "sso.admin.search": "Nach Name oder Aussteller suchen...",
+  "sso.admin.section.allowedDomains": "Erlaubte Domains",
+  "sso.admin.section.oidcSettings": "OIDC-Einstellungen",
+  "sso.admin.status.active": "Aktiv",
+  "sso.admin.status.inactive": "Inaktiv",
+  "sso.admin.tab.activity": "Aktivität",
+  "sso.admin.tab.domains": "Domains",
+  "sso.admin.tab.general": "Allgemein",
+  "sso.admin.tab.roles": "Rollenzuordnung",
+  "sso.admin.tab.scim": "Bereitstellung",
+  "sso.admin.test.failed": "Erkennung fehlgeschlagen",
+  "sso.admin.test.success": "Erkennung erfolgreich — Aussteller ist erreichbar",
+  "sso.admin.title": "Single Sign-On",
+  "sso.admin.wizard.credentials.callbackUrl": "Weiterleitungs-URI (in Ihren IdP kopieren)",
+  "sso.admin.wizard.credentials.namePlaceholder": "z.B. Zitadel Produktion",
+  "sso.admin.wizard.credentials.title": "OIDC-Anmeldedaten",
+  "sso.admin.wizard.domain.duplicate": "Domain bereits hinzugefügt",
+  "sso.admin.wizard.domain.invalid": "Ungültiges Domain-Format",
+  "sso.admin.wizard.domain.limit": "Maximal 20 Domains pro Konfiguration",
+  "sso.admin.wizard.domains.description": "Benutzer mit E-Mail-Adressen, die diesen Domains entsprechen, werden zu Ihrem SSO-Anbieter weitergeleitet.",
+  "sso.admin.wizard.domains.placeholder": "beispiel.de",
+  "sso.admin.wizard.domains.title": "Erlaubte E-Mail-Domains",
+  "sso.admin.wizard.options.title": "Optionen",
+  "sso.admin.wizard.protocol.oidcDesc": "Funktioniert mit Zitadel, Microsoft Entra ID, Google Workspace, Okta und mehr",
+  "sso.admin.wizard.protocol.samlDesc": "Demnächst verfügbar",
+  "sso.admin.wizard.protocol.title": "Protokoll auswählen",
+  "sso.admin.wizard.review.note": "Die Konfiguration wird als inaktiv erstellt. Sie können sie von der Detailseite aus aktivieren, nachdem Sie alles überprüft haben.",
+  "sso.admin.wizard.review.save": "Konfiguration erstellen",
+  "sso.admin.wizard.review.testing": "Wird getestet...",
+  "sso.admin.wizard.review.title": "Überprüfen und speichern",
+  "sso.login.continueWithSso": "Mit SSO fortfahren",
+  "sso.login.errors.emailNotVerified": "Ihre E-Mail-Adresse ist vom Identitätsanbieter nicht verifiziert. Bitte verifizieren Sie Ihre E-Mail und versuchen Sie es erneut.",
+  "sso.login.errors.failed": "SSO-Anmeldung fehlgeschlagen. Bitte versuchen Sie es erneut.",
+  "sso.login.errors.idpError": "Der Identitätsanbieter hat einen Fehler zurückgegeben. Bitte versuchen Sie es erneut oder kontaktieren Sie Ihren Administrator.",
+  "sso.login.errors.missingConfig": "SSO ist für dieses Konto nicht konfiguriert.",
+  "sso.login.errors.missingParams": "Der SSO-Rückruf war unvollständig. Bitte versuchen Sie es erneut.",
+  "sso.login.errors.stateMissing": "Die SSO-Sitzung ist abgelaufen. Bitte versuchen Sie es erneut.",
+  "sso.login.ssoEnabled": "SSO ist für dieses Konto aktiviert"
+}

package/src/modules/sso/i18n/en.json ADDED Viewed

@@ -0,0 +1,146 @@
+{
+  "common.activating": "Activating...",
+  "common.add": "Add",
+  "common.back": "Back",
+  "common.cancel": "Cancel",
+  "common.copied": "Copied to clipboard",
+  "common.copy": "Copy",
+  "common.create": "Create",
+  "common.creating": "Creating...",
+  "common.delete": "Delete",
+  "common.disabled": "Disabled",
+  "common.dismiss": "Dismiss",
+  "common.edit": "Edit",
+  "common.enabled": "Enabled",
+  "common.loading": "Loading...",
+  "common.next": "Next",
+  "common.notFound": "Not found",
+  "common.remove": "Remove",
+  "common.save": "Save",
+  "common.saving": "Saving...",
+  "settings.sections.auth": "Auth",
+  "sso.admin.action.activate": "Activate",
+  "sso.admin.action.deactivate": "Deactivate",
+  "sso.admin.action.test": "Verify Discovery",
+  "sso.admin.activated": "SSO configuration activated",
+  "sso.admin.activity.empty": "No SSO login activity yet. Activity will appear here once users start logging in via SSO.",
+  "sso.admin.banner.activateNow": "Activate Now",
+  "sso.admin.banner.created": "Your SSO configuration has been created. Would you like to activate it now?",
+  "sso.admin.banner.notYet": "Not Yet",
+  "sso.admin.column.created": "Created",
+  "sso.admin.column.domains": "Domains",
+  "sso.admin.column.name": "Name",
+  "sso.admin.column.protocol": "Protocol",
+  "sso.admin.column.status": "Status",
+  "sso.admin.create.title": "Configure SSO",
+  "sso.admin.created": "SSO configuration created",
+  "sso.admin.deactivated": "SSO configuration deactivated",
+  "sso.admin.delete.confirm": "Are you sure? This will remove the SSO configuration. Users with linked SSO identities will need to use password login.",
+  "sso.admin.delete.success": "SSO configuration deleted",
+  "sso.admin.delete.title": "Delete SSO Configuration",
+  "sso.admin.detail.backToList": "Back to SSO",
+  "sso.admin.detail.title": "SSO Configuration",
+  "sso.admin.domains.empty": "No domains configured. Add at least one domain before activating SSO.",
+  "sso.admin.empty.cta": "Configure SSO",
+  "sso.admin.empty.description": "Configure Single Sign-On to let your users authenticate with your identity provider.",
+  "sso.admin.empty.title": "No SSO configured",
+  "sso.admin.error.activationFailed": "Failed to update activation status",
+  "sso.admin.error.alreadyExists": "An SSO configuration already exists for this organization",
+  "sso.admin.error.createFailed": "Failed to create SSO configuration",
+  "sso.admin.error.deleteActive": "Cannot delete an active SSO configuration — deactivate it first",
+  "sso.admin.error.deleteFailed": "Failed to delete SSO configuration",
+  "sso.admin.error.domainAddFailed": "Failed to add domain",
+  "sso.admin.error.domainRemoveFailed": "Failed to remove domain",
+  "sso.admin.error.loadFailed": "Failed to load SSO configuration",
+  "sso.admin.error.noDomainsForActivation": "Add at least one allowed email domain before activating",
+  "sso.admin.error.saveFailed": "Failed to save SSO configuration",
+  "sso.admin.error.testFailed": "Connection test failed",
+  "sso.admin.field.autoLinkByEmail": "Auto-link by Email",
+  "sso.admin.field.autoLinkByEmailDesc": "Automatically link existing users by matching email address",
+  "sso.admin.field.changeSecret": "Change",
+  "sso.admin.field.clientId": "Client ID",
+  "sso.admin.field.clientSecret": "Client Secret",
+  "sso.admin.field.issuer": "Issuer URL",
+  "sso.admin.field.jitDisabledByScim": "Unavailable — SCIM directory sync is active. Revoke SCIM tokens to enable JIT.",
+  "sso.admin.field.jitEnabled": "Just-in-Time Provisioning",
+  "sso.admin.field.jitEnabledDesc": "Automatically create user accounts on first SSO login",
+  "sso.admin.field.name": "Configuration Name",
+  "sso.admin.field.protocol": "Protocol",
+  "sso.admin.field.secretPlaceholder": "Enter new secret to replace existing",
+  "sso.admin.field.secretRequired": "Enter client secret",
+  "sso.admin.field.secretSet": "Client secret is configured",
+  "sso.admin.new": "New SSO Config",
+  "sso.admin.roles.description": "Map IdP app role names to local roles. On each SSO login, SSO-sourced roles are synced — roles no longer sent by the IdP are removed, while manually-assigned roles are preserved.",
+  "sso.admin.roles.empty": "No role mappings configured. IdP role names will be matched directly against local role names.",
+  "sso.admin.roles.error.duplicate": "This IdP role is already mapped",
+  "sso.admin.roles.error.emptyIdpRole": "IdP role name is required",
+  "sso.admin.roles.error.emptyLocalRole": "Select a local role",
+  "sso.admin.roles.error.saveFailed": "Failed to save role mappings",
+  "sso.admin.roles.idpRole": "IdP Role Name",
+  "sso.admin.roles.idpRolePlaceholder": "e.g. OpenMercato.Admin",
+  "sso.admin.roles.localRole": "Local Role",
+  "sso.admin.roles.saved": "Role mappings saved",
+  "sso.admin.saved": "SSO configuration saved",
+  "sso.admin.scim.endpointCopied": "SCIM endpoint URL copied",
+  "sso.admin.scim.endpointUrl": "SCIM Endpoint URL",
+  "sso.admin.scim.error.createFailed": "Failed to create SCIM token",
+  "sso.admin.scim.error.revokeFailed": "Failed to revoke token",
+  "sso.admin.scim.generateToken": "Generate Token",
+  "sso.admin.scim.googleNotSupported": "Google Workspace does not support SCIM provisioning. Users are provisioned via Just-In-Time (JIT) on first login.",
+  "sso.admin.scim.jitActiveWarning": "SCIM provisioning is unavailable while JIT provisioning is enabled. Disable JIT in the General tab to configure SCIM.",
+  "sso.admin.scim.log.error": "Error",
+  "sso.admin.scim.log.operation": "Operation",
+  "sso.admin.scim.log.resource": "Resource",
+  "sso.admin.scim.log.status": "Status",
+  "sso.admin.scim.log.time": "Time",
+  "sso.admin.scim.noTokens": "SCIM provisioning is not configured. Generate a bearer token to enable your identity provider to sync users automatically.",
+  "sso.admin.scim.recentActivity": "Recent Provisioning Activity",
+  "sso.admin.scim.revoke.action": "Revoke",
+  "sso.admin.scim.revoke.confirm": "Are you sure? This token will no longer authenticate SCIM requests.",
+  "sso.admin.scim.revoke.title": "Revoke Token",
+  "sso.admin.scim.revoked": "Token revoked",
+  "sso.admin.scim.tokenActive": "Active",
+  "sso.admin.scim.tokenCopied": "Token copied to clipboard",
+  "sso.admin.scim.tokenCreated": "Your SCIM token has been created. Copy it now — it will not be shown again.",
+  "sso.admin.scim.tokenNamePlaceholder": "Token name (e.g., Entra ID Production)",
+  "sso.admin.scim.tokenRevoked": "Revoked",
+  "sso.admin.scim.tokens": "Bearer Tokens",
+  "sso.admin.search": "Search by name or issuer...",
+  "sso.admin.section.allowedDomains": "Allowed Domains",
+  "sso.admin.section.oidcSettings": "OIDC Settings",
+  "sso.admin.status.active": "Active",
+  "sso.admin.status.inactive": "Inactive",
+  "sso.admin.tab.activity": "Activity",
+  "sso.admin.tab.domains": "Domains",
+  "sso.admin.tab.general": "General",
+  "sso.admin.tab.roles": "Role Mappings",
+  "sso.admin.tab.scim": "Provisioning",
+  "sso.admin.test.failed": "Discovery failed",
+  "sso.admin.test.success": "Discovery successful — issuer is reachable",
+  "sso.admin.title": "Single Sign-On",
+  "sso.admin.wizard.credentials.callbackUrl": "Redirect URI (copy to your IdP)",
+  "sso.admin.wizard.credentials.namePlaceholder": "e.g., Zitadel Production",
+  "sso.admin.wizard.credentials.title": "OIDC Credentials",
+  "sso.admin.wizard.domain.duplicate": "Domain already added",
+  "sso.admin.wizard.domain.invalid": "Invalid domain format",
+  "sso.admin.wizard.domain.limit": "Maximum 20 domains per configuration",
+  "sso.admin.wizard.domains.description": "Users with email addresses matching these domains will be redirected to your SSO provider.",
+  "sso.admin.wizard.domains.placeholder": "example.com",
+  "sso.admin.wizard.domains.title": "Allowed Email Domains",
+  "sso.admin.wizard.options.title": "Options",
+  "sso.admin.wizard.protocol.oidcDesc": "Works with Zitadel, Microsoft Entra ID, Google Workspace, Okta, and more",
+  "sso.admin.wizard.protocol.samlDesc": "Coming soon",
+  "sso.admin.wizard.protocol.title": "Select Protocol",
+  "sso.admin.wizard.review.note": "The configuration will be created as inactive. You can activate it from the detail page after verifying everything is correct.",
+  "sso.admin.wizard.review.save": "Create Configuration",
+  "sso.admin.wizard.review.testing": "Testing...",
+  "sso.admin.wizard.review.title": "Review & Save",
+  "sso.login.continueWithSso": "Continue with SSO",
+  "sso.login.errors.emailNotVerified": "Your email address is not verified by the identity provider. Please verify your email and try again.",
+  "sso.login.errors.failed": "SSO login failed. Please try again.",
+  "sso.login.errors.idpError": "The identity provider returned an error. Please try again or contact your administrator.",
+  "sso.login.errors.missingConfig": "SSO is not configured for this account.",
+  "sso.login.errors.missingParams": "SSO callback was incomplete. Please try again.",
+  "sso.login.errors.stateMissing": "SSO session expired. Please try again.",
+  "sso.login.ssoEnabled": "SSO is enabled for this account"
+}