feat(idp_table_relational): adding inital idp tables for relational repository (#10334)

backend/v3/domain/azuretenanttype_enumer.go

@@ -0,0 +1,82 @@
+// Code generated by "enumer -type AzureTenantType -transform lower -trimprefix AzureTenantType"; DO NOT EDIT.
+
+package domain
+
+import (
+	"fmt"
+	"strings"
+)
+
+const _AzureTenantTypeName = "commonorganizationsconsumers"
+
+var _AzureTenantTypeIndex = [...]uint8{0, 6, 19, 28}
+
+const _AzureTenantTypeLowerName = "commonorganizationsconsumers"
+
+func (i AzureTenantType) String() string {
+	if i >= AzureTenantType(len(_AzureTenantTypeIndex)-1) {
+		return fmt.Sprintf("AzureTenantType(%d)", i)
+	}
+	return _AzureTenantTypeName[_AzureTenantTypeIndex[i]:_AzureTenantTypeIndex[i+1]]
+}
+
+// An "invalid array index" compiler error signifies that the constant values have changed.
+// Re-run the stringer command to generate them again.
+func _AzureTenantTypeNoOp() {
+	var x [1]struct{}
+	_ = x[AzureTenantTypeCommon-(0)]
+	_ = x[AzureTenantTypeOrganizations-(1)]
+	_ = x[AzureTenantTypeConsumers-(2)]
+}
+
+var _AzureTenantTypeValues = []AzureTenantType{AzureTenantTypeCommon, AzureTenantTypeOrganizations, AzureTenantTypeConsumers}
+
+var _AzureTenantTypeNameToValueMap = map[string]AzureTenantType{
+	_AzureTenantTypeName[0:6]:        AzureTenantTypeCommon,
+	_AzureTenantTypeLowerName[0:6]:   AzureTenantTypeCommon,
+	_AzureTenantTypeName[6:19]:       AzureTenantTypeOrganizations,
+	_AzureTenantTypeLowerName[6:19]:  AzureTenantTypeOrganizations,
+	_AzureTenantTypeName[19:28]:      AzureTenantTypeConsumers,
+	_AzureTenantTypeLowerName[19:28]: AzureTenantTypeConsumers,
+}
+
+var _AzureTenantTypeNames = []string{
+	_AzureTenantTypeName[0:6],
+	_AzureTenantTypeName[6:19],
+	_AzureTenantTypeName[19:28],
+}
+
+// AzureTenantTypeString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func AzureTenantTypeString(s string) (AzureTenantType, error) {
+	if val, ok := _AzureTenantTypeNameToValueMap[s]; ok {
+		return val, nil
+	}
+
+	if val, ok := _AzureTenantTypeNameToValueMap[strings.ToLower(s)]; ok {
+		return val, nil
+	}
+	return 0, fmt.Errorf("%s does not belong to AzureTenantType values", s)
+}
+
+// AzureTenantTypeValues returns all values of the enum
+func AzureTenantTypeValues() []AzureTenantType {
+	return _AzureTenantTypeValues
+}
+
+// AzureTenantTypeStrings returns a slice of all String values of the enum
+func AzureTenantTypeStrings() []string {
+	strs := make([]string, len(_AzureTenantTypeNames))
+	copy(strs, _AzureTenantTypeNames)
+	return strs
+}
+
+// IsAAzureTenantType returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i AzureTenantType) IsAAzureTenantType() bool {
+	for _, v := range _AzureTenantTypeValues {
+		if i == v {
+			return true
+		}
+	}
+	return false
+}

backend/v3/domain/errors.go

@@ -1,7 +1,29 @@
 package domain
 
-import "errors"
-
-var (
-	ErrNoAdminSpecified = errors.New("at least one admin must be specified")
+import (
+	"errors"
+	"fmt"
 )
+
+var ErrNoAdminSpecified = errors.New("at least one admin must be specified")
+
+type wrongIDPTypeError struct {
+	expected IDPType
+	got      string
+}
+
+func NewIDPWrongTypeError(expected IDPType, got fmt.Stringer) error {
+	return &wrongIDPTypeError{
+		expected: expected,
+		got:      got.String(),
+	}
+}
+
+func (e *wrongIDPTypeError) Error() string {
+	return fmt.Sprintf("wrong idp type returned, expected: %v, got: %v", e.expected, e.got)
+}
+
+func (e *wrongIDPTypeError) Is(target error) bool {
+	_, ok := target.(*wrongIDPTypeError)
+	return ok
+}

backend/v3/domain/id_provider.go

@@ -0,0 +1,355 @@
+package domain
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/zitadel/zitadel/backend/v3/storage/database"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+)
+
+//go:generate enumer -type IDPType -transform lower -trimprefix IDPType
+type IDPType uint8
+
+const (
+	IDPTypeOIDC IDPType = iota + 1
+	IDPTypeJWT
+	IDPTypeOAuth
+	IDPTypeSAML
+	IDPTypeLDAP
+	IDPTypeGitHub
+	IDPTypeGitHubEnterprise
+	IDPTypeGitLab
+	IDPTypeGitLabSelfHosted
+	IDPTypeAzure
+	IDPTypeGoogle
+	IDPTypeApple
+)
+
+//go:generate enumer -type IDPState -transform lower -trimprefix IDPState -sql
+type IDPState uint8
+
+const (
+	IDPStateActive IDPState = iota
+	IDPStateInactive
+)
+
+//go:generate enumer -type IDPAutoLinkingField -transform lower -trimprefix IDPAutoLinkingField
+type IDPAutoLinkingField uint8
+
+const (
+	IDPAutoLinkingFieldUserName IDPAutoLinkingField = iota + 1
+	IDPAutoLinkingFieldEmail
+)
+
+type OIDCMappingField int8
+
+const (
+	OIDCMappingFieldUnspecified OIDCMappingField = iota
+	OIDCMappingFieldPreferredLoginName
+	OIDCMappingFieldEmail
+	// count is for validation purposes
+	//nolint: unused
+	oidcMappingFieldCount
+)
+
+type IdentityProvider struct {
+	InstanceID string   `json:"instanceId,omitempty" db:"instance_id"`
+	OrgID      *string  `json:"orgId,omitempty" db:"org_id"`
+	ID         string   `json:"id,omitempty" db:"id"`
+	State      IDPState `json:"state,omitempty" db:"state"`
+	Name       string   `json:"name,omitempty" db:"name"`
+	// Type represents the type of and idp. It is a pointer because it can be nil during the migration of the events
+	Type              *IDPType             `json:"type,omitempty" db:"type"`
+	AllowCreation     bool                 `json:"allowCreation,omitempty" db:"allow_creation"`
+	AutoRegister      bool                 `json:"autoRegister,omitempty" db:"auto_register"`
+	AllowAutoCreation bool                 `json:"allowAutoCreation,omitempty" db:"allow_auto_creation"`
+	AllowAutoUpdate   bool                 `json:"allowAutoUpdate,omitempty" db:"allow_auto_update"`
+	AllowLinking      bool                 `json:"allowLinking,omitempty" db:"allow_linking"`
+	AutoLinkingField  *IDPAutoLinkingField `json:"autoLinkingField,omitempty" db:"auto_linking_field"`
+	StylingType       *int16               `json:"stylingType,omitempty" db:"styling_type"`
+	Payload           json.RawMessage      `json:"payload,omitempty" db:"payload"`
+	CreatedAt         time.Time            `json:"createdAt,omitzero" db:"created_at"`
+	UpdatedAt         time.Time            `json:"updatedAt,omitzero" db:"updated_at"`
+}
+
+type OIDC struct {
+	ClientID              string              `json:"clientId,omitempty"`
+	ClientSecret          *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	Issuer                string              `json:"issuer,omitempty"`
+	AuthorizationEndpoint string              `json:"authorizationEndpoint,omitempty"`
+	TokenEndpoint         string              `json:"tokenEndpoint,omitempty"`
+	Scopes                []string            `json:"scopes,omitempty"`
+	IDPDisplayNameMapping OIDCMappingField    `json:"IDPDisplayNameMapping,omitempty"`
+	UserNameMapping       OIDCMappingField    `json:"usernameMapping,omitempty"`
+	IsIDTokenMapping      bool                `json:"idTokenMapping,omitempty"`
+	UsePKCE               bool                `json:"usePKCE,omitempty"`
+}
+
+type IDPOIDC struct {
+	*IdentityProvider
+	OIDC
+}
+
+type JWT struct {
+	IDPConfigID  string `json:"idpConfigId"`
+	JWTEndpoint  string `json:"jwtEndpoint,omitempty"`
+	Issuer       string `json:"issuer,omitempty"`
+	KeysEndpoint string `json:"keysEndpoint,omitempty"`
+	HeaderName   string `json:"headerName,omitempty"`
+}
+
+type IDPJWT struct {
+	*IdentityProvider
+	JWT
+}
+
+type OAuth struct {
+	ClientID              string              `json:"clientId,omitempty"`
+	ClientSecret          *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	AuthorizationEndpoint string              `json:"authorizationEndpoint,omitempty"`
+	TokenEndpoint         string              `json:"tokenEndpoint,omitempty"`
+	UserEndpoint          string              `json:"userEndpoint,omitempty"`
+	Scopes                []string            `json:"scopes,omitempty"`
+	IDAttribute           string              `json:"idAttribute,omitempty"`
+	UsePKCE               bool                `json:"usePKCE,omitempty"`
+}
+
+type IDPOAuth struct {
+	*IdentityProvider
+	OAuth
+}
+
+//go:generate enumer -type AzureTenantType -transform lower -trimprefix AzureTenantType
+type AzureTenantType uint8
+
+const (
+	AzureTenantTypeCommon AzureTenantType = iota
+	AzureTenantTypeOrganizations
+	AzureTenantTypeConsumers
+)
+
+type Azure struct {
+	ClientID        string              `json:"client_id,omitempty"`
+	ClientSecret    *crypto.CryptoValue `json:"client_secret,omitempty"`
+	Scopes          []string            `json:"scopes,omitempty"`
+	Tenant          AzureTenantType     `json:"tenant,omitempty"`
+	IsEmailVerified bool                `json:"isEmailVerified,omitempty"`
+}
+
+type IDPAzureAD struct {
+	*IdentityProvider
+	Azure
+}
+
+type Google struct {
+	ClientID     string              `json:"clientId"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret"`
+	Scopes       []string            `json:"scopes,omitempty"`
+}
+
+type IDPGoogle struct {
+	*IdentityProvider
+	Google
+}
+
+type Github struct {
+	ClientID     string              `json:"clientId"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret"`
+	Scopes       []string            `json:"scopes,omitempty"`
+}
+
+type IDPGithub struct {
+	*IdentityProvider
+	Github
+}
+
+type GithubEnterprise struct {
+	ClientID              string              `json:"clientId,omitempty"`
+	ClientSecret          *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	AuthorizationEndpoint string              `json:"authorizationEndpoint,omitempty"`
+	TokenEndpoint         string              `json:"tokenEndpoint,omitempty"`
+	UserEndpoint          string              `json:"userEndpoint,omitempty"`
+	Scopes                []string            `json:"scopes,omitempty"`
+}
+
+type IDPGithubEnterprise struct {
+	*IdentityProvider
+	GithubEnterprise
+}
+
+type Gitlab struct {
+	ClientID     string              `json:"clientId,omitempty"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	Scopes       []string            `json:"scopes,omitempty"`
+}
+
+type IDPGitlab struct {
+	*IdentityProvider
+	Gitlab
+}
+
+type GitlabSelfHosting struct {
+	Issuer       string              `json:"issuer"`
+	ClientID     string              `json:"clientId,omitempty"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	Scopes       []string            `json:"scopes,omitempty"`
+}
+
+type IDPGitlabSelfHosting struct {
+	*IdentityProvider
+	GitlabSelfHosting
+}
+
+type LDAP struct {
+	Servers           []string            `json:"servers"`
+	StartTLS          bool                `json:"startTLS"`
+	BaseDN            string              `json:"baseDN"`
+	BindDN            string              `json:"bindDN"`
+	BindPassword      *crypto.CryptoValue `json:"bindPassword"`
+	UserBase          string              `json:"userBase"`
+	UserObjectClasses []string            `json:"userObjectClasses"`
+	UserFilters       []string            `json:"userFilters"`
+	Timeout           time.Duration       `json:"timeout"`
+	RootCA            []byte              `json:"rootCA"`
+
+	LDAPAttributes
+}
+
+type LDAPAttributes struct {
+	IDAttribute                string `json:"idAttribute,omitempty"`
+	FirstNameAttribute         string `json:"firstNameAttribute,omitempty"`
+	LastNameAttribute          string `json:"lastNameAttribute,omitempty"`
+	DisplayNameAttribute       string `json:"displayNameAttribute,omitempty"`
+	NickNameAttribute          string `json:"nickNameAttribute,omitempty"`
+	PreferredUsernameAttribute string `json:"preferredUsernameAttribute,omitempty"`
+	EmailAttribute             string `json:"emailAttribute,omitempty"`
+	EmailVerifiedAttribute     string `json:"emailVerifiedAttribute,omitempty"`
+	PhoneAttribute             string `json:"phoneAttribute,omitempty"`
+	PhoneVerifiedAttribute     string `json:"phoneVerifiedAttribute,omitempty"`
+	PreferredLanguageAttribute string `json:"preferredLanguageAttribute,omitempty"`
+	AvatarURLAttribute         string `json:"avatarURLAttribute,omitempty"`
+	ProfileAttribute           string `json:"profileAttribute,omitempty"`
+}
+
+type IDPLDAP struct {
+	*IdentityProvider
+	LDAP
+}
+
+type Apple struct {
+	ClientID   string              `json:"clientId"`
+	TeamID     string              `json:"teamId"`
+	KeyID      string              `json:"keyId"`
+	PrivateKey *crypto.CryptoValue `json:"privateKey"`
+	Scopes     []string            `json:"scopes,omitempty"`
+}
+
+type IDPApple struct {
+	*IdentityProvider
+	Apple
+}
+
+type SAML struct {
+	Metadata                      []byte                   `json:"metadata,omitempty"`
+	Key                           *crypto.CryptoValue      `json:"key,omitempty"`
+	Certificate                   []byte                   `json:"certificate,omitempty"`
+	Binding                       string                   `json:"binding,omitempty"`
+	WithSignedRequest             bool                     `json:"withSignedRequest,omitempty"`
+	NameIDFormat                  *domain.SAMLNameIDFormat `json:"nameIDFormat,omitempty"`
+	TransientMappingAttributeName string                   `json:"transientMappingAttributeName,omitempty"`
+	FederatedLogoutEnabled        bool                     `json:"federatedLogoutEnabled,omitempty"`
+	SignatureAlgorithm            string                   `json:"signatureAlgorithm,omitempty"`
+}
+
+type IDPSAML struct {
+	*IdentityProvider
+	SAML
+}
+
+// IDPIdentifierCondition is used to help specify a single identity_provider,
+// it will either be used as the  identity_provider ID or identity_provider name,
+// as identity_provider can be identified either using (instanceID + OrgID + ID) OR (instanceID + OrgID + name)
+type IDPIdentifierCondition interface {
+	database.Condition
+}
+
+type idProviderColumns interface {
+	InstanceIDColumn() database.Column
+	OrgIDColumn() database.Column
+	IDColumn() database.Column
+	StateColumn() database.Column
+	NameColumn() database.Column
+	TypeColumn() database.Column
+	AllowCreationColumn() database.Column
+	AutoRegisterColumn() database.Column
+	AllowAutoCreationColumn() database.Column
+	AllowAutoUpdateColumn() database.Column
+	AllowLinkingColumn() database.Column
+	AllowAutoLinkingColumn() database.Column
+	StylingTypeColumn() database.Column
+	PayloadColumn() database.Column
+	CreatedAtColumn() database.Column
+	UpdatedAtColumn() database.Column
+}
+
+type idProviderConditions interface {
+	InstanceIDCondition(id string) database.Condition
+	OrgIDCondition(id *string) database.Condition
+	IDCondition(id string) IDPIdentifierCondition
+	StateCondition(state IDPState) database.Condition
+	NameCondition(name string) IDPIdentifierCondition
+	TypeCondition(typee IDPType) database.Condition
+	AutoRegisterCondition(allow bool) database.Condition
+	AllowCreationCondition(allow bool) database.Condition
+	AllowAutoCreationCondition(allow bool) database.Condition
+	AllowAutoUpdateCondition(allow bool) database.Condition
+	AllowLinkingCondition(allow bool) database.Condition
+	AllowAutoLinkingCondition(linkingType IDPAutoLinkingField) database.Condition
+	StylingTypeCondition(style int16) database.Condition
+	PayloadCondition(payload string) database.Condition
+}
+
+type idProviderChanges interface {
+	SetName(name string) database.Change
+	SetState(state IDPState) database.Change
+	SetAllowCreation(allow bool) database.Change
+	SetAutoRegister(allow bool) database.Change
+	SetAllowAutoCreation(allow bool) database.Change
+	SetAllowAutoUpdate(allow bool) database.Change
+	SetAllowLinking(allow bool) database.Change
+	SetAutoAllowLinking(allow bool) database.Change
+	SetStylingType(stylingType int16) database.Change
+	SetPayload(payload string) database.Change
+	SetUpdatedAt(createdAt *time.Time) database.Change
+}
+
+type IDProviderRepository interface {
+	idProviderColumns
+	idProviderConditions
+	idProviderChanges
+
+	Get(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IdentityProvider, error)
+	List(ctx context.Context, client database.QueryExecutor, conditions ...database.Condition) ([]*IdentityProvider, error)
+
+	Create(ctx context.Context, client database.QueryExecutor, idp *IdentityProvider) error
+	Update(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string, changes ...database.Change) (int64, error)
+	Delete(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (int64, error)
+
+	GetOIDC(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPOIDC, error)
+	GetJWT(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPJWT, error)
+
+	GetOAuth(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPOAuth, error)
+
+	GetAzureAD(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPAzureAD, error)
+	GetGoogle(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPGoogle, error)
+	GetGithub(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPGithub, error)
+	GetGithubEnterprise(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPGithubEnterprise, error)
+	GetGitlab(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPGitlab, error)
+	GetGitlabSelfHosting(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPGitlabSelfHosting, error)
+	GetLDAP(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPLDAP, error)
+	GetApple(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPApple, error)
+	GetSAML(ctx context.Context, client database.QueryExecutor, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPSAML, error)
+}

backend/v3/domain/idpautolinkingfield_enumer.go

@@ -0,0 +1,79 @@
+// Code generated by "enumer -type IDPAutoLinkingField -transform lower -trimprefix IDPAutoLinkingField"; DO NOT EDIT.
+
+package domain
+
+import (
+	"fmt"
+	"strings"
+)
+
+const _IDPAutoLinkingFieldName = "usernameemail"
+
+var _IDPAutoLinkingFieldIndex = [...]uint8{0, 8, 13}
+
+const _IDPAutoLinkingFieldLowerName = "usernameemail"
+
+func (i IDPAutoLinkingField) String() string {
+	i -= 1
+	if i >= IDPAutoLinkingField(len(_IDPAutoLinkingFieldIndex)-1) {
+		return fmt.Sprintf("IDPAutoLinkingField(%d)", i+1)
+	}
+	return _IDPAutoLinkingFieldName[_IDPAutoLinkingFieldIndex[i]:_IDPAutoLinkingFieldIndex[i+1]]
+}
+
+// An "invalid array index" compiler error signifies that the constant values have changed.
+// Re-run the stringer command to generate them again.
+func _IDPAutoLinkingFieldNoOp() {
+	var x [1]struct{}
+	_ = x[IDPAutoLinkingFieldUserName-(1)]
+	_ = x[IDPAutoLinkingFieldEmail-(2)]
+}
+
+var _IDPAutoLinkingFieldValues = []IDPAutoLinkingField{IDPAutoLinkingFieldUserName, IDPAutoLinkingFieldEmail}
+
+var _IDPAutoLinkingFieldNameToValueMap = map[string]IDPAutoLinkingField{
+	_IDPAutoLinkingFieldName[0:8]:       IDPAutoLinkingFieldUserName,
+	_IDPAutoLinkingFieldLowerName[0:8]:  IDPAutoLinkingFieldUserName,
+	_IDPAutoLinkingFieldName[8:13]:      IDPAutoLinkingFieldEmail,
+	_IDPAutoLinkingFieldLowerName[8:13]: IDPAutoLinkingFieldEmail,
+}
+
+var _IDPAutoLinkingFieldNames = []string{
+	_IDPAutoLinkingFieldName[0:8],
+	_IDPAutoLinkingFieldName[8:13],
+}
+
+// IDPAutoLinkingFieldString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func IDPAutoLinkingFieldString(s string) (IDPAutoLinkingField, error) {
+	if val, ok := _IDPAutoLinkingFieldNameToValueMap[s]; ok {
+		return val, nil
+	}
+
+	if val, ok := _IDPAutoLinkingFieldNameToValueMap[strings.ToLower(s)]; ok {
+		return val, nil
+	}
+	return 0, fmt.Errorf("%s does not belong to IDPAutoLinkingField values", s)
+}
+
+// IDPAutoLinkingFieldValues returns all values of the enum
+func IDPAutoLinkingFieldValues() []IDPAutoLinkingField {
+	return _IDPAutoLinkingFieldValues
+}
+
+// IDPAutoLinkingFieldStrings returns a slice of all String values of the enum
+func IDPAutoLinkingFieldStrings() []string {
+	strs := make([]string, len(_IDPAutoLinkingFieldNames))
+	copy(strs, _IDPAutoLinkingFieldNames)
+	return strs
+}
+
+// IsAIDPAutoLinkingField returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i IDPAutoLinkingField) IsAIDPAutoLinkingField() bool {
+	for _, v := range _IDPAutoLinkingFieldValues {
+		if i == v {
+			return true
+		}
+	}
+	return false
+}

backend/v3/domain/idpstate_enumer.go

@@ -0,0 +1,109 @@
+// Code generated by "enumer -type IDPState -transform lower -trimprefix IDPState -sql"; DO NOT EDIT.
+
+package domain
+
+import (
+	"database/sql/driver"
+	"fmt"
+	"strings"
+)
+
+const _IDPStateName = "activeinactive"
+
+var _IDPStateIndex = [...]uint8{0, 6, 14}
+
+const _IDPStateLowerName = "activeinactive"
+
+func (i IDPState) String() string {
+	if i >= IDPState(len(_IDPStateIndex)-1) {
+		return fmt.Sprintf("IDPState(%d)", i)
+	}
+	return _IDPStateName[_IDPStateIndex[i]:_IDPStateIndex[i+1]]
+}
+
+// An "invalid array index" compiler error signifies that the constant values have changed.
+// Re-run the stringer command to generate them again.
+func _IDPStateNoOp() {
+	var x [1]struct{}
+	_ = x[IDPStateActive-(0)]
+	_ = x[IDPStateInactive-(1)]
+}
+
+var _IDPStateValues = []IDPState{IDPStateActive, IDPStateInactive}
+
+var _IDPStateNameToValueMap = map[string]IDPState{
+	_IDPStateName[0:6]:       IDPStateActive,
+	_IDPStateLowerName[0:6]:  IDPStateActive,
+	_IDPStateName[6:14]:      IDPStateInactive,
+	_IDPStateLowerName[6:14]: IDPStateInactive,
+}
+
+var _IDPStateNames = []string{
+	_IDPStateName[0:6],
+	_IDPStateName[6:14],
+}
+
+// IDPStateString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func IDPStateString(s string) (IDPState, error) {
+	if val, ok := _IDPStateNameToValueMap[s]; ok {
+		return val, nil
+	}
+
+	if val, ok := _IDPStateNameToValueMap[strings.ToLower(s)]; ok {
+		return val, nil
+	}
+	return 0, fmt.Errorf("%s does not belong to IDPState values", s)
+}
+
+// IDPStateValues returns all values of the enum
+func IDPStateValues() []IDPState {
+	return _IDPStateValues
+}
+
+// IDPStateStrings returns a slice of all String values of the enum
+func IDPStateStrings() []string {
+	strs := make([]string, len(_IDPStateNames))
+	copy(strs, _IDPStateNames)
+	return strs
+}
+
+// IsAIDPState returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i IDPState) IsAIDPState() bool {
+	for _, v := range _IDPStateValues {
+		if i == v {
+			return true
+		}
+	}
+	return false
+}
+
+func (i IDPState) Value() (driver.Value, error) {
+	return i.String(), nil
+}
+
+func (i *IDPState) Scan(value interface{}) error {
+	if value == nil {
+		return nil
+	}
+
+	var str string
+	switch v := value.(type) {
+	case []byte:
+		str = string(v)
+	case string:
+		str = v
+	case fmt.Stringer:
+		str = v.String()
+	default:
+		return fmt.Errorf("invalid value of IDPState: %[1]T(%[1]v)", value)
+	}
+
+	val, err := IDPStateString(str)
+	if err != nil {
+		return err
+	}
+
+	*i = val
+	return nil
+}

backend/v3/domain/idptype_enumer.go

@@ -0,0 +1,119 @@
+// Code generated by "enumer -type IDPType -transform lower -trimprefix IDPType"; DO NOT EDIT.
+
+package domain
+
+import (
+	"fmt"
+	"strings"
+)
+
+const _IDPTypeName = "oidcjwtoauthsamlldapgithubgithubenterprisegitlabgitlabselfhostedazuregoogleapple"
+
+var _IDPTypeIndex = [...]uint8{0, 4, 7, 12, 16, 20, 26, 42, 48, 64, 69, 75, 80}
+
+const _IDPTypeLowerName = "oidcjwtoauthsamlldapgithubgithubenterprisegitlabgitlabselfhostedazuregoogleapple"
+
+func (i IDPType) String() string {
+	i -= 1
+	if i >= IDPType(len(_IDPTypeIndex)-1) {
+		return fmt.Sprintf("IDPType(%d)", i+1)
+	}
+	return _IDPTypeName[_IDPTypeIndex[i]:_IDPTypeIndex[i+1]]
+}
+
+// An "invalid array index" compiler error signifies that the constant values have changed.
+// Re-run the stringer command to generate them again.
+func _IDPTypeNoOp() {
+	var x [1]struct{}
+	_ = x[IDPTypeOIDC-(1)]
+	_ = x[IDPTypeJWT-(2)]
+	_ = x[IDPTypeOAuth-(3)]
+	_ = x[IDPTypeSAML-(4)]
+	_ = x[IDPTypeLDAP-(5)]
+	_ = x[IDPTypeGitHub-(6)]
+	_ = x[IDPTypeGitHubEnterprise-(7)]
+	_ = x[IDPTypeGitLab-(8)]
+	_ = x[IDPTypeGitLabSelfHosted-(9)]
+	_ = x[IDPTypeAzure-(10)]
+	_ = x[IDPTypeGoogle-(11)]
+	_ = x[IDPTypeApple-(12)]
+}
+
+var _IDPTypeValues = []IDPType{IDPTypeOIDC, IDPTypeJWT, IDPTypeOAuth, IDPTypeSAML, IDPTypeLDAP, IDPTypeGitHub, IDPTypeGitHubEnterprise, IDPTypeGitLab, IDPTypeGitLabSelfHosted, IDPTypeAzure, IDPTypeGoogle, IDPTypeApple}
+
+var _IDPTypeNameToValueMap = map[string]IDPType{
+	_IDPTypeName[0:4]:        IDPTypeOIDC,
+	_IDPTypeLowerName[0:4]:   IDPTypeOIDC,
+	_IDPTypeName[4:7]:        IDPTypeJWT,
+	_IDPTypeLowerName[4:7]:   IDPTypeJWT,
+	_IDPTypeName[7:12]:       IDPTypeOAuth,
+	_IDPTypeLowerName[7:12]:  IDPTypeOAuth,
+	_IDPTypeName[12:16]:      IDPTypeSAML,
+	_IDPTypeLowerName[12:16]: IDPTypeSAML,
+	_IDPTypeName[16:20]:      IDPTypeLDAP,
+	_IDPTypeLowerName[16:20]: IDPTypeLDAP,
+	_IDPTypeName[20:26]:      IDPTypeGitHub,
+	_IDPTypeLowerName[20:26]: IDPTypeGitHub,
+	_IDPTypeName[26:42]:      IDPTypeGitHubEnterprise,
+	_IDPTypeLowerName[26:42]: IDPTypeGitHubEnterprise,
+	_IDPTypeName[42:48]:      IDPTypeGitLab,
+	_IDPTypeLowerName[42:48]: IDPTypeGitLab,
+	_IDPTypeName[48:64]:      IDPTypeGitLabSelfHosted,
+	_IDPTypeLowerName[48:64]: IDPTypeGitLabSelfHosted,
+	_IDPTypeName[64:69]:      IDPTypeAzure,
+	_IDPTypeLowerName[64:69]: IDPTypeAzure,
+	_IDPTypeName[69:75]:      IDPTypeGoogle,
+	_IDPTypeLowerName[69:75]: IDPTypeGoogle,
+	_IDPTypeName[75:80]:      IDPTypeApple,
+	_IDPTypeLowerName[75:80]: IDPTypeApple,
+}
+
+var _IDPTypeNames = []string{
+	_IDPTypeName[0:4],
+	_IDPTypeName[4:7],
+	_IDPTypeName[7:12],
+	_IDPTypeName[12:16],
+	_IDPTypeName[16:20],
+	_IDPTypeName[20:26],
+	_IDPTypeName[26:42],
+	_IDPTypeName[42:48],
+	_IDPTypeName[48:64],
+	_IDPTypeName[64:69],
+	_IDPTypeName[69:75],
+	_IDPTypeName[75:80],
+}
+
+// IDPTypeString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func IDPTypeString(s string) (IDPType, error) {
+	if val, ok := _IDPTypeNameToValueMap[s]; ok {
+		return val, nil
+	}
+
+	if val, ok := _IDPTypeNameToValueMap[strings.ToLower(s)]; ok {
+		return val, nil
+	}
+	return 0, fmt.Errorf("%s does not belong to IDPType values", s)
+}
+
+// IDPTypeValues returns all values of the enum
+func IDPTypeValues() []IDPType {
+	return _IDPTypeValues
+}
+
+// IDPTypeStrings returns a slice of all String values of the enum
+func IDPTypeStrings() []string {
+	strs := make([]string, len(_IDPTypeNames))
+	copy(strs, _IDPTypeNames)
+	return strs
+}
+
+// IsAIDPType returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i IDPType) IsAIDPType() bool {
+	for _, v := range _IDPTypeValues {
+		if i == v {
+			return true
+		}
+	}
+	return false
+}

backend/v3/domain/organization.go

@@ -32,7 +32,7 @@ type organizationColumns interface {
 	IDColumn() database.Column
 	// NameColumn returns the column for the name field.
 	NameColumn() database.Column
-	// InstanceIDColumn returns the column for the default org id field
+	// InstanceIDColumn returns the column for the instance id field
 	InstanceIDColumn() database.Column
 	// StateColumn returns the column for the name field.
 	StateColumn() database.Column

backend/v3/storage/database/dialect/postgres/migration/005_identity_providers_table.go

@@ -0,0 +1,16 @@
+package migration
+
+import (
+	_ "embed"
+)
+
+var (
+	//go:embed 005_identity_providers_table/up.sql
+	up005IdentityProvidersTable string
+	//go:embed 005_identity_providers_table/down.sql
+	down005IdentityProvidersTable string
+)
+
+func init() {
+	registerSQLMigration(5, up005IdentityProvidersTable, down005IdentityProvidersTable)
+}

backend/v3/storage/database/dialect/postgres/migration/005_identity_providers_table/down.sql

@@ -0,0 +1,2 @@
+DROP TABLE zitadel.identity_providers;
+DROP TYPE zitadel.idp_state;

backend/v3/storage/database/dialect/postgres/migration/005_identity_providers_table/up.sql

@@ -0,0 +1,44 @@
+CREATE TYPE zitadel.idp_state AS ENUM (
+    'active',
+    'inactive'
+);
+
+CREATE TABLE zitadel.identity_providers (
+    instance_id TEXT NOT NULL
+    , org_id TEXT
+    , id TEXT NOT NULL CHECK (id <> '')
+    , state zitadel.idp_state NOT NULL DEFAULT 'active'
+    , name TEXT NOT NULL CHECK (name <> '')
+    , type SMALLINT DEFAULT NULL
+    , auto_register BOOLEAN NOT NULL DEFAULT TRUE
+    , allow_creation BOOLEAN NOT NULL DEFAULT TRUE
+    , allow_auto_creation BOOLEAN NOT NULL DEFAULT TRUE
+    , allow_auto_update BOOLEAN NOT NULL DEFAULT TRUE
+    , allow_linking BOOLEAN NOT NULL DEFAULT TRUE
+    , auto_linking_field SMALLINT DEFAULT NULL
+    , styling_type SMALLINT
+    , payload JSONB
+    
+    , created_at TIMESTAMPTZ NOT NULL DEFAULT now()
+    , updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
+    
+    , PRIMARY KEY (instance_id, id)
+    , CONSTRAINT identity_providers_id_unique UNIQUE NULLS NOT DISTINCT (instance_id, org_id, id)
+    , CONSTRAINT identity_providers_name_unique UNIQUE NULLS NOT DISTINCT (instance_id, org_id, name)
+    , FOREIGN KEY (instance_id) REFERENCES zitadel.instances(id)
+    , FOREIGN KEY (instance_id, org_id) REFERENCES zitadel.organizations(instance_id, id)
+);
+
+-- CREATE INDEX idx_identity_providers_org_id ON identity_providers(instance_id, org_id) WHERE org_id IS NOT NULL;
+CREATE INDEX idx_identity_providers_state ON zitadel.identity_providers(instance_id, state);
+CREATE INDEX idx_identity_providers_type ON zitadel.identity_providers(instance_id, type);
+-- CREATE INDEX idx_identity_providers_created_at ON identity_providers(created_at);
+-- CREATE INDEX idx_identity_providers_deleted_at ON identity_providers(deleted_at) WHERE deleted_at IS NOT NULL;
+
+
+CREATE TRIGGER trigger_set_updated_at
+BEFORE UPDATE ON zitadel.identity_providers
+FOR EACH ROW
+WHEN (NEW.updated_at IS NULL)
+EXECUTE FUNCTION zitadel.set_updated_at();
+

backend/v3/storage/database/events_testing/events_test.go

@@ -15,7 +15,9 @@ import (
 	"github.com/zitadel/zitadel/backend/v3/storage/database"
 	"github.com/zitadel/zitadel/backend/v3/storage/database/dialect/postgres"
 	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/pkg/grpc/admin"
 	v2beta "github.com/zitadel/zitadel/pkg/grpc/instance/v2beta"
+	mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
 	v2beta_org "github.com/zitadel/zitadel/pkg/grpc/org/v2beta"
 	"github.com/zitadel/zitadel/pkg/grpc/system"
 )
@@ -25,9 +27,12 @@ const ConnString = "host=localhost port=5432 user=zitadel password=zitadel dbnam
 var (
 	dbPool       *pgxpool.Pool
 	CTX          context.Context
+	IAMCTX       context.Context
 	Instance     *integration.Instance
 	SystemClient system.SystemServiceClient
 	OrgClient    v2beta_org.OrganizationServiceClient
+	AdminClient  admin.AdminServiceClient
+	MgmtClient   mgmt.ManagementServiceClient
 )
 
 var pool database.Pool
@@ -40,8 +45,11 @@ func TestMain(m *testing.M) {
 		CTX = integration.WithSystemAuthorization(ctx)
 		Instance = integration.NewInstance(CTX)
 
+		IAMCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
 		SystemClient = integration.SystemClient()
 		OrgClient = Instance.Client.OrgV2beta
+		AdminClient = Instance.Client.Admin
+		MgmtClient = Instance.Client.Mgmt
 
 		defer func() {
 			_, err := Instance.Client.InstanceV2Beta.DeleteInstance(CTX, &v2beta.DeleteInstanceRequest{

backend/v3/storage/database/repository/id_provider.go

@@ -0,0 +1,638 @@
+package repository
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/zitadel/zitadel/backend/v3/domain"
+	"github.com/zitadel/zitadel/backend/v3/storage/database"
+)
+
+var _ domain.IDProviderRepository = (*idProvider)(nil)
+
+type idProvider struct{}
+
+func IDProviderRepository() domain.IDProviderRepository {
+	return new(idProvider)
+}
+
+const queryIDProviderStmt = `SELECT instance_id, org_id, id, state, name, type, auto_register, allow_creation, allow_auto_creation,` +
+	` allow_auto_update, allow_linking, auto_linking_field, styling_type, payload, created_at, updated_at` +
+	` FROM zitadel.identity_providers`
+
+func (i *idProvider) Get(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IdentityProvider, error) {
+	builder := database.StatementBuilder{}
+
+	builder.WriteString(queryIDProviderStmt)
+
+	conditions := []database.Condition{id, i.InstanceIDCondition(instanceID), i.OrgIDCondition(orgID)}
+
+	writeCondition(&builder, database.And(conditions...))
+
+	return scanIDProvider(ctx, client, &builder)
+}
+
+func (i *idProvider) List(ctx context.Context, client database.QueryExecutor, conditions ...database.Condition) ([]*domain.IdentityProvider, error) {
+	builder := database.StatementBuilder{}
+
+	builder.WriteString(queryIDProviderStmt)
+
+	if conditions != nil {
+		writeCondition(&builder, database.And(conditions...))
+	}
+
+	orderBy := database.OrderBy(i.CreatedAtColumn())
+	orderBy.Write(&builder)
+
+	return scanIDProviders(ctx, client, &builder)
+}
+
+const createIDProviderStmtStart = `INSERT INTO zitadel.identity_providers` +
+	` (instance_id, org_id, id, state, name, type, allow_creation, allow_auto_creation,` +
+	` allow_auto_update, allow_linking, styling_type, payload) VALUES (`
+
+const createIDProviderStmtEnd = `) RETURNING created_at, updated_at`
+
+func (i *idProvider) Create(ctx context.Context, client database.QueryExecutor, idp *domain.IdentityProvider) error {
+	builder := database.StatementBuilder{}
+
+	builder.WriteString(createIDProviderStmtStart)
+
+	builder.WriteArgs(
+		idp.InstanceID,
+		idp.OrgID,
+		idp.ID,
+		idp.State,
+		idp.Name,
+		idp.Type,
+		idp.AllowCreation,
+		idp.AllowAutoCreation,
+		idp.AllowAutoUpdate,
+		idp.AllowLinking,
+		idp.StylingType,
+		string(idp.Payload))
+
+	builder.WriteString(createIDProviderStmtEnd)
+
+	err := client.QueryRow(ctx, builder.String(), builder.Args()...).Scan(&idp.CreatedAt, &idp.UpdatedAt)
+	return err
+}
+
+func (i *idProvider) Update(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string, changes ...database.Change) (int64, error) {
+	if changes == nil {
+		return 0, database.ErrNoChanges
+	}
+	changes = append(changes, i.SetUpdatedAt(nil))
+	builder := database.StatementBuilder{}
+	builder.WriteString(`UPDATE zitadel.identity_providers SET `)
+
+	conditions := []database.Condition{
+		id,
+		i.InstanceIDCondition(instanceID),
+		i.OrgIDCondition(orgID),
+	}
+	database.Changes(changes).Write(&builder)
+	writeCondition(&builder, database.And(conditions...))
+
+	stmt := builder.String()
+
+	return client.Exec(ctx, stmt, builder.Args()...)
+}
+
+func (i *idProvider) Delete(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (int64, error) {
+	builder := database.StatementBuilder{}
+
+	builder.WriteString(`DELETE FROM zitadel.identity_providers`)
+
+	conditions := []database.Condition{
+		id,
+		i.InstanceIDCondition(instanceID),
+		i.OrgIDCondition(orgID),
+	}
+	writeCondition(&builder, database.And(conditions...))
+
+	return client.Exec(ctx, builder.String(), builder.Args()...)
+}
+
+func (i *idProvider) GetOIDC(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPOIDC, error) {
+	idpOIDC := &domain.IDPOIDC{}
+	var err error
+
+	idpOIDC.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if idpOIDC.Type != nil {
+		idpType = *idpOIDC.Type
+	}
+
+	if idpType != domain.IDPTypeOIDC {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeOIDC, idpType)
+	}
+
+	err = json.Unmarshal(idpOIDC.Payload, idpOIDC)
+	if err != nil {
+		return nil, err
+	}
+
+	return idpOIDC, nil
+}
+
+func (i *idProvider) GetJWT(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPJWT, error) {
+	idpJWT := &domain.IDPJWT{}
+	var err error
+
+	idpJWT.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if idpJWT.Type != nil {
+		idpType = *idpJWT.Type
+	}
+
+	if idpType != domain.IDPTypeJWT {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeJWT, idpType)
+	}
+
+	err = json.Unmarshal(idpJWT.Payload, idpJWT)
+	if err != nil {
+		return nil, err
+	}
+
+	return idpJWT, nil
+}
+
+func (i *idProvider) GetOAuth(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPOAuth, error) {
+	idpOAuth := &domain.IDPOAuth{}
+	var err error
+
+	idpOAuth.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if idpOAuth.Type != nil {
+		idpType = *idpOAuth.Type
+	}
+
+	if idpType != domain.IDPTypeOAuth {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeOAuth, idpType)
+	}
+
+	err = json.Unmarshal(idpOAuth.Payload, idpOAuth)
+	if err != nil {
+		return nil, err
+	}
+
+	return idpOAuth, nil
+}
+
+func (i *idProvider) GetAzureAD(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPAzureAD, error) {
+	idpAzure := &domain.IDPAzureAD{}
+	var err error
+
+	idpAzure.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if idpAzure.Type != nil {
+		idpType = *idpAzure.Type
+	}
+
+	if idpType != domain.IDPTypeAzure {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeAzure, idpType)
+	}
+
+	err = json.Unmarshal(idpAzure.Payload, idpAzure)
+	if err != nil {
+		return nil, err
+	}
+
+	return idpAzure, nil
+}
+
+func (i *idProvider) GetGoogle(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPGoogle, error) {
+	idpGoogle := &domain.IDPGoogle{}
+	var err error
+
+	idpGoogle.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if idpGoogle.Type != nil {
+		idpType = *idpGoogle.Type
+	}
+
+	if idpType != domain.IDPTypeGoogle {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeGoogle, idpType)
+	}
+
+	err = json.Unmarshal(idpGoogle.Payload, idpGoogle)
+	if err != nil {
+		return nil, err
+	}
+
+	return idpGoogle, nil
+}
+
+func (i *idProvider) GetGithub(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPGithub, error) {
+	idpGithub := &domain.IDPGithub{}
+	var err error
+
+	idpGithub.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if idpGithub.Type != nil {
+		idpType = *idpGithub.Type
+	}
+
+	if idpType != domain.IDPTypeGitHub {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeGitHub, idpType)
+	}
+
+	err = json.Unmarshal(idpGithub.Payload, idpGithub)
+	if err != nil {
+		return nil, err
+	}
+
+	return idpGithub, nil
+}
+
+func (i *idProvider) GetGithubEnterprise(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPGithubEnterprise, error) {
+	idpGithubEnterprise := &domain.IDPGithubEnterprise{}
+	var err error
+
+	idpGithubEnterprise.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if idpGithubEnterprise.Type != nil {
+		idpType = *idpGithubEnterprise.Type
+	}
+
+	if idpType != domain.IDPTypeGitHubEnterprise {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeGitHubEnterprise, idpType)
+	}
+
+	err = json.Unmarshal(idpGithubEnterprise.Payload, idpGithubEnterprise)
+	if err != nil {
+		return nil, err
+	}
+
+	return idpGithubEnterprise, nil
+}
+
+func (i *idProvider) GetGitlab(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPGitlab, error) {
+	idpGitlab := &domain.IDPGitlab{}
+	var err error
+
+	idpGitlab.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if idpGitlab.Type != nil {
+		idpType = *idpGitlab.Type
+	}
+
+	if idpType != domain.IDPTypeGitLab {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeGitLab, idpType)
+	}
+
+	err = json.Unmarshal(idpGitlab.Payload, idpGitlab)
+	if err != nil {
+		return nil, err
+	}
+
+	return idpGitlab, nil
+}
+
+func (i *idProvider) GetGitlabSelfHosting(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPGitlabSelfHosting, error) {
+	idpGitlabSelfHosting := &domain.IDPGitlabSelfHosting{}
+	var err error
+
+	idpGitlabSelfHosting.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if idpGitlabSelfHosting.Type != nil {
+		idpType = *idpGitlabSelfHosting.Type
+	}
+
+	if idpType != domain.IDPTypeGitLabSelfHosted {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeGitLabSelfHosted, idpType)
+	}
+
+	err = json.Unmarshal(idpGitlabSelfHosting.Payload, idpGitlabSelfHosting)
+	if err != nil {
+		return nil, err
+	}
+
+	return idpGitlabSelfHosting, nil
+}
+
+func (i *idProvider) GetLDAP(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPLDAP, error) {
+	ldap := &domain.IDPLDAP{}
+	var err error
+
+	ldap.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if ldap.Type != nil {
+		idpType = *ldap.Type
+	}
+
+	if idpType != domain.IDPTypeLDAP {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeLDAP, idpType)
+	}
+
+	err = json.Unmarshal(ldap.Payload, ldap)
+	if err != nil {
+		return nil, err
+	}
+
+	return ldap, nil
+}
+
+func (i *idProvider) GetApple(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPApple, error) {
+	apple := &domain.IDPApple{}
+	var err error
+
+	apple.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if apple.Type != nil {
+		idpType = *apple.Type
+	}
+
+	if idpType != domain.IDPTypeApple {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeApple, idpType)
+	}
+
+	err = json.Unmarshal(apple.Payload, apple)
+	if err != nil {
+		return nil, err
+	}
+
+	return apple, nil
+}
+
+func (i *idProvider) GetSAML(ctx context.Context, client database.QueryExecutor, id domain.IDPIdentifierCondition, instanceID string, orgID *string) (*domain.IDPSAML, error) {
+	saml := &domain.IDPSAML{}
+	var err error
+
+	saml.IdentityProvider, err = i.Get(ctx, client, id, instanceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var idpType domain.IDPType
+	if saml.Type != nil {
+		idpType = *saml.Type
+	}
+
+	if idpType != domain.IDPTypeSAML {
+		return nil, domain.NewIDPWrongTypeError(domain.IDPTypeSAML, idpType)
+	}
+
+	err = json.Unmarshal(saml.Payload, saml)
+	if err != nil {
+		return nil, err
+	}
+
+	return saml, nil
+}
+
+// -------------------------------------------------------------
+// columns
+// -------------------------------------------------------------
+
+func (idProvider) InstanceIDColumn() database.Column {
+	return database.NewColumn("identity_providers", "instance_id")
+}
+
+func (idProvider) OrgIDColumn() database.Column {
+	return database.NewColumn("identity_providers", "org_id")
+}
+
+func (idProvider) IDColumn() database.Column {
+	return database.NewColumn("identity_providers", "id")
+}
+
+func (idProvider) StateColumn() database.Column {
+	return database.NewColumn("identity_providers", "state")
+}
+
+func (idProvider) NameColumn() database.Column {
+	return database.NewColumn("identity_providers", "name")
+}
+
+func (idProvider) TypeColumn() database.Column {
+	return database.NewColumn("identity_providers", "type")
+}
+
+func (idProvider) AutoRegisterColumn() database.Column {
+	return database.NewColumn("identity_providers", "auto_register")
+}
+
+func (idProvider) AllowCreationColumn() database.Column {
+	return database.NewColumn("identity_providers", "allow_creation")
+}
+
+func (idProvider) AllowAutoCreationColumn() database.Column {
+	return database.NewColumn("identity_providers", "allow_auto_creation")
+}
+
+func (idProvider) AllowAutoUpdateColumn() database.Column {
+	return database.NewColumn("identity_providers", "allow_auto_update")
+}
+
+func (idProvider) AllowLinkingColumn() database.Column {
+	return database.NewColumn("identity_providers", "allow_linking")
+}
+
+func (idProvider) AllowAutoLinkingColumn() database.Column {
+	return database.NewColumn("identity_providers", "auto_linking_field")
+}
+
+func (idProvider) StylingTypeColumn() database.Column {
+	return database.NewColumn("identity_providers", "styling_type")
+}
+
+func (idProvider) PayloadColumn() database.Column {
+	return database.NewColumn("identity_providers", "payload")
+}
+
+func (idProvider) CreatedAtColumn() database.Column {
+	return database.NewColumn("identity_providers", "created_at")
+}
+
+func (idProvider) UpdatedAtColumn() database.Column {
+	return database.NewColumn("identity_providers", "updated_at")
+}
+
+// -------------------------------------------------------------
+// conditions
+// -------------------------------------------------------------
+
+func (i idProvider) InstanceIDCondition(id string) database.Condition {
+	return database.NewTextCondition(i.InstanceIDColumn(), database.TextOperationEqual, id)
+}
+
+func (i idProvider) OrgIDCondition(id *string) database.Condition {
+	if id == nil {
+		return database.IsNull(i.OrgIDColumn())
+	}
+	return database.NewTextCondition(i.OrgIDColumn(), database.TextOperationEqual, *id)
+}
+
+func (i idProvider) IDCondition(id string) domain.IDPIdentifierCondition {
+	return database.NewTextCondition(i.IDColumn(), database.TextOperationEqual, id)
+}
+
+func (i idProvider) StateCondition(state domain.IDPState) database.Condition {
+	return database.NewTextCondition(i.StateColumn(), database.TextOperationEqual, state.String())
+}
+
+func (i idProvider) NameCondition(name string) domain.IDPIdentifierCondition {
+	return database.NewTextCondition(i.NameColumn(), database.TextOperationEqual, name)
+}
+
+func (i idProvider) TypeCondition(typ domain.IDPType) database.Condition {
+	return database.NewNumberCondition(i.TypeColumn(), database.NumberOperationEqual, typ)
+}
+
+func (i idProvider) AutoRegisterCondition(allow bool) database.Condition {
+	return database.NewBooleanCondition(i.AutoRegisterColumn(), allow)
+}
+
+func (i idProvider) AllowCreationCondition(allow bool) database.Condition {
+	return database.NewBooleanCondition(i.AllowCreationColumn(), allow)
+}
+
+func (i idProvider) AllowAutoCreationCondition(allow bool) database.Condition {
+	return database.NewBooleanCondition(i.AllowAutoCreationColumn(), allow)
+}
+
+func (i idProvider) AllowAutoUpdateCondition(allow bool) database.Condition {
+	return database.NewBooleanCondition(i.AllowAutoUpdateColumn(), allow)
+}
+
+func (i idProvider) AllowLinkingCondition(allow bool) database.Condition {
+	return database.NewBooleanCondition(i.AllowLinkingColumn(), allow)
+}
+
+func (i idProvider) AllowAutoLinkingCondition(linkingType domain.IDPAutoLinkingField) database.Condition {
+	return database.NewTextCondition(i.AllowAutoLinkingColumn(), database.TextOperationEqual, linkingType.String())
+}
+
+func (i idProvider) StylingTypeCondition(style int16) database.Condition {
+	return database.NewNumberCondition(i.StylingTypeColumn(), database.NumberOperationEqual, style)
+}
+
+func (i idProvider) PayloadCondition(payload string) database.Condition {
+	return database.NewTextCondition(i.PayloadColumn(), database.TextOperationEqual, payload)
+}
+
+// -------------------------------------------------------------
+// changes
+// -------------------------------------------------------------
+
+func (i idProvider) SetName(name string) database.Change {
+	return database.NewChange(i.NameColumn(), name)
+}
+
+func (i idProvider) SetState(state domain.IDPState) database.Change {
+	return database.NewChange(i.StateColumn(), state)
+}
+
+func (i idProvider) SetAllowCreation(allow bool) database.Change {
+	return database.NewChange(i.AllowCreationColumn(), allow)
+}
+
+func (i idProvider) SetAutoRegister(allow bool) database.Change {
+	return database.NewChange(i.AutoRegisterColumn(), allow)
+}
+
+func (i idProvider) SetAllowAutoCreation(allow bool) database.Change {
+	return database.NewChange(i.AllowAutoCreationColumn(), allow)
+}
+
+func (i idProvider) SetAllowAutoUpdate(allow bool) database.Change {
+	return database.NewChange(i.AllowAutoUpdateColumn(), allow)
+}
+
+func (i idProvider) SetAllowLinking(allow bool) database.Change {
+	return database.NewChange(i.AllowLinkingColumn(), allow)
+}
+
+func (i idProvider) SetAutoAllowLinking(allow bool) database.Change {
+	return database.NewChange(i.AllowAutoLinkingColumn(), allow)
+}
+
+func (i idProvider) SetStylingType(stylingType int16) database.Change {
+	return database.NewChange(i.StylingTypeColumn(), stylingType)
+}
+
+func (i idProvider) SetPayload(payload string) database.Change {
+	return database.NewChange(i.PayloadColumn(), payload)
+}
+
+func (i idProvider) SetUpdatedAt(updatedAt *time.Time) database.Change {
+	return database.NewChangePtr(i.UpdatedAtColumn(), updatedAt)
+}
+
+func scanIDProvider(ctx context.Context, querier database.Querier, builder *database.StatementBuilder) (*domain.IdentityProvider, error) {
+	idp := &domain.IdentityProvider{}
+	rows, err := querier.Query(ctx, builder.String(), builder.Args()...)
+	if err != nil {
+		return nil, err
+	}
+
+	err = rows.(database.CollectableRows).CollectExactlyOneRow(idp)
+	if err != nil {
+		return nil, err
+	}
+
+	return idp, err
+}
+
+func scanIDProviders(ctx context.Context, querier database.Querier, builder *database.StatementBuilder) ([]*domain.IdentityProvider, error) {
+	idps := []*domain.IdentityProvider{}
+
+	rows, err := querier.Query(ctx, builder.String(), builder.Args()...)
+	if err != nil {
+		return nil, err
+	}
+
+	err = rows.(database.CollectableRows).Collect(&idps)
+	if err != nil {
+		return nil, err
+	}
+
+	return idps, nil
+}

backend/v3/storage/database/repository/org_test.go

@@ -609,11 +609,6 @@ func TestGetOrganization(t *testing.T) {
 			}
 			require.NoError(t, err)
 
-			if org.Name == "non existent org" {
-				assert.Nil(t, returnedOrg)
-				return
-			}
-
 			assert.Equal(t, returnedOrg.ID, org.ID)
 			assert.Equal(t, returnedOrg.Name, org.Name)
 			assert.Equal(t, returnedOrg.InstanceID, org.InstanceID)
@@ -931,9 +926,7 @@ func TestDeleteOrganization(t *testing.T) {
 			return test{
 				name: "happy path delete organization filter id",
 				testFunc: func(t *testing.T) {
-					organizations := make([]*domain.Organization, noOfOrganizations)
-					for i := range noOfOrganizations {
-
+					for range noOfOrganizations {
 						org := domain.Organization{
 							ID:         organizationId,
 							Name:       gofakeit.Name(),
@@ -945,7 +938,6 @@ func TestDeleteOrganization(t *testing.T) {
 						err := organizationRepo.Create(t.Context(), tx, &org)
 						require.NoError(t, err)
 
-						organizations[i] = &org
 					}
 				},
 				orgIdentifierCondition: organizationRepo.IDCondition(organizationId),
@@ -958,9 +950,7 @@ func TestDeleteOrganization(t *testing.T) {
 			return test{
 				name: "happy path delete organization filter name",
 				testFunc: func(t *testing.T) {
-					organizations := make([]*domain.Organization, noOfOrganizations)
-					for i := range noOfOrganizations {
-
+					for range noOfOrganizations {
 						org := domain.Organization{
 							ID:         gofakeit.Name(),
 							Name:       organizationName,
@@ -972,7 +962,6 @@ func TestDeleteOrganization(t *testing.T) {
 						err := organizationRepo.Create(t.Context(), tx, &org)
 						require.NoError(t, err)
 
-						organizations[i] = &org
 					}
 				},
 				orgIdentifierCondition: organizationRepo.NameCondition(database.TextOperationEqual, organizationName),
@@ -991,28 +980,21 @@ func TestDeleteOrganization(t *testing.T) {
 			return test{
 				name: "deleted already deleted organization",
 				testFunc: func(t *testing.T) {
-					noOfOrganizations := 1
-					organizations := make([]*domain.Organization, noOfOrganizations)
-					for i := range noOfOrganizations {
-
-						org := domain.Organization{
-							ID:         gofakeit.Name(),
-							Name:       organizationName,
-							InstanceID: instanceId,
-							State:      domain.OrgStateActive,
-						}
-
-						// create organization
-						err := organizationRepo.Create(t.Context(), tx, &org)
-						require.NoError(t, err)
-
-						organizations[i] = &org
+					org := domain.Organization{
+						ID:         gofakeit.Name(),
+						Name:       organizationName,
+						InstanceID: instanceId,
+						State:      domain.OrgStateActive,
 					}
 
+					// create organization
+					err := organizationRepo.Create(t.Context(), tx, &org)
+					require.NoError(t, err)
+
 					// delete organization
 					affectedRows, err := organizationRepo.Delete(t.Context(), tx,
 						database.And(
-							organizationRepo.InstanceIDCondition(organizations[0].InstanceID),
+							organizationRepo.InstanceIDCondition(org.InstanceID),
 							organizationRepo.NameCondition(database.TextOperationEqual, organizationName),
 						),
 					)

internal/api/grpc/admin/instance.go

@@ -29,7 +29,7 @@ func (s *Server) ListInstanceDomains(ctx context.Context, req *admin_pb.ListInst
 		return nil, err
 	}
 	return &admin_pb.ListInstanceDomainsResponse{
-		Result: instance_grpc.DomainsToPb(domains.Domains),
+		Result:        instance_grpc.DomainsToPb(domains.Domains),
 		SortingColumn: req.SortingColumn,
 		Details: object.ToListDetails(
 			domains.Count,
@@ -49,7 +49,7 @@ func (s *Server) ListInstanceTrustedDomains(ctx context.Context, req *admin_pb.L
 		return nil, err
 	}
 	return &admin_pb.ListInstanceTrustedDomainsResponse{
-		Result: instance_grpc.TrustedDomainsToPb(domains.Domains),
+		Result:        instance_grpc.TrustedDomainsToPb(domains.Domains),
 		SortingColumn: req.SortingColumn,
 		Details: object.ToListDetails(
 			domains.Count,

internal/query/projection/projection.go

@@ -93,6 +93,7 @@ var (
 	OrganizationRelationalProjection       *handler.Handler
 	InstanceDomainRelationalProjection     *handler.Handler
 	OrganizationDomainRelationalProjection *handler.Handler
+	IDPTemplateRelationalProjection        *handler.Handler
 
 	ProjectGrantFields      *handler.FieldHandler
 	OrgDomainVerifiedFields *handler.FieldHandler
@@ -208,6 +209,7 @@ func Create(ctx context.Context, sqlClient *database.DB, es handler.EventStore,
 	OrganizationRelationalProjection = newOrgRelationalProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["organizations_relational"]))
 	InstanceDomainRelationalProjection = newInstanceDomainRelationalProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["instance_domains_relational"]))
 	OrganizationDomainRelationalProjection = newOrgDomainRelationalProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["organization_domains_relational"]))
+	IDPTemplateRelationalProjection = newIDPTemplateRelationalProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["idp_templates_relational"]))
 
 	newProjectionsList()
 	newFieldsList()
@@ -395,5 +397,6 @@ func newProjectionsList() {
 		OrganizationRelationalProjection,
 		InstanceDomainRelationalProjection,
 		OrganizationDomainRelationalProjection,
+		IDPTemplateRelationalProjection,
 	}
 }