From a71eaeaed2f5f31a16ae5f5a45d3d6f079be0a10 Mon Sep 17 00:00:00 2001
From: Patrick-Pimentel-Bitwarden <ppimentel@bitwarden.com>
Date: Mon, 27 Oct 2025 14:21:24 -0400
Subject: [PATCH] feat(prevent-bad-existing-sso-user): [PM-24579] Prevent
 Existing Non Confirmed and Accepted SSO Users (#6348)

* feat(prevent-bad-existing-sso-user): [PM-24579] Precent Existing Non Confirmed and Accepted SSO Users - Added in logic to block existing sso org users who are not in the confirmed or accepted state.

* fix(prevent-bad-existing-sso-user): [PM-24579] Precent Existing Non Confirmed and Accepted SSO Users - Added docs as well as made clear what statuses are permissible.

* test(prevent-bad-existing-sso-user): [PM-24579] Precent Existing Non Confirmed and Accepted SSO Users - Added tests.
---
 bitwarden-server.sln                          |    7 +
 .../src/Sso/Controllers/AccountController.cs  |  339 ++++--
 .../Controllers/AccountControllerTest.cs      | 1029 +++++++++++++++++
 .../test/SSO.Test/SSO.Test.csproj             |   35 +
 src/Core/Constants.cs                         |    1 +
 src/Core/Resources/SharedResources.en.resx    |    6 +
 6 files changed, 1320 insertions(+), 97 deletions(-)
 create mode 100644 bitwarden_license/test/SSO.Test/Controllers/AccountControllerTest.cs
 create mode 100644 bitwarden_license/test/SSO.Test/SSO.Test.csproj

diff --git a/bitwarden-server.sln b/bitwarden-server.sln
index d2fc61166e..6786ad610c 100644
--- a/bitwarden-server.sln
+++ b/bitwarden-server.sln
@@ -136,6 +136,8 @@ EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "RustSdk", "util\RustSdk\RustSdk.csproj", "{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}"
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharedWeb.Test", "test\SharedWeb.Test\SharedWeb.Test.csproj", "{AD59537D-5259-4B7A-948F-0CF58E80B359}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SSO.Test", "bitwarden_license\test\SSO.Test\SSO.Test.csproj", "{7D98784C-C253-43FB-9873-25B65C6250D6}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -348,6 +350,10 @@ Global
 		{AD59537D-5259-4B7A-948F-0CF58E80B359}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{AD59537D-5259-4B7A-948F-0CF58E80B359}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{AD59537D-5259-4B7A-948F-0CF58E80B359}.Release|Any CPU.Build.0 = Release|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -404,6 +410,7 @@ Global
 		{17A89266-260A-4A03-81AE-C0468C6EE06E} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84E}
 		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84E}
 		{AD59537D-5259-4B7A-948F-0CF58E80B359} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
+		{7D98784C-C253-43FB-9873-25B65C6250D6} = {287CFF34-BBDB-4BC4-AF88-1E19A5A4679B}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {E01CBF68-2E20-425F-9EDB-E0A6510CA92F}
diff --git a/bitwarden_license/src/Sso/Controllers/AccountController.cs b/bitwarden_license/src/Sso/Controllers/AccountController.cs
index 98a581e8ca..35266d219b 100644
--- a/bitwarden_license/src/Sso/Controllers/AccountController.cs
+++ b/bitwarden_license/src/Sso/Controllers/AccountController.cs
@@ -57,6 +57,7 @@ public class AccountController : Controller
     private readonly IDataProtectorTokenFactory<SsoTokenable> _dataProtector;
     private readonly IOrganizationDomainRepository _organizationDomainRepository;
     private readonly IRegisterUserCommand _registerUserCommand;
+    private readonly IFeatureService _featureService;
 
     public AccountController(
         IAuthenticationSchemeProvider schemeProvider,
@@ -77,7 +78,8 @@ public class AccountController : Controller
         Core.Services.IEventService eventService,
         IDataProtectorTokenFactory<SsoTokenable> dataProtector,
         IOrganizationDomainRepository organizationDomainRepository,
-        IRegisterUserCommand registerUserCommand)
+        IRegisterUserCommand registerUserCommand,
+        IFeatureService featureService)
     {
         _schemeProvider = schemeProvider;
         _clientStore = clientStore;
@@ -98,10 +100,11 @@ public class AccountController : Controller
         _dataProtector = dataProtector;
         _organizationDomainRepository = organizationDomainRepository;
         _registerUserCommand = registerUserCommand;
+        _featureService = featureService;
     }
 
     [HttpGet]
-    public async Task<IActionResult> PreValidate(string domainHint)
+    public async Task<IActionResult> PreValidateAsync(string domainHint)
     {
         try
         {
@@ -160,7 +163,7 @@ public class AccountController : Controller
     }
 
     [HttpGet]
-    public async Task<IActionResult> Login(string returnUrl)
+    public async Task<IActionResult> LoginAsync(string returnUrl)
     {
         var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
 
@@ -235,37 +238,69 @@ public class AccountController : Controller
     [HttpGet]
     public async Task<IActionResult> ExternalCallback()
     {
+        // Feature flag (PM-24579): Prevent SSO on existing non-compliant users.
+        var preventOrgUserLoginIfStatusInvalid =
+            _featureService.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers);
+
         // Read external identity from the temporary cookie
         var result = await HttpContext.AuthenticateAsync(
             AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme);
-        if (result?.Succeeded != true)
-        {
-            throw new Exception(_i18nService.T("ExternalAuthenticationError"));
-        }
 
-        // Debugging
-        var externalClaims = result.Principal.Claims.Select(c => $"{c.Type}: {c.Value}");
-        _logger.LogDebug("External claims: {@claims}", externalClaims);
+        if (preventOrgUserLoginIfStatusInvalid)
+        {
+            if (!result.Succeeded)
+            {
+                throw new Exception(_i18nService.T("ExternalAuthenticationError"));
+            }
+        }
+        else
+        {
+            if (result?.Succeeded != true)
+            {
+                throw new Exception(_i18nService.T("ExternalAuthenticationError"));
+            }
+        }
 
         // See if the user has logged in with this SSO provider before and has already been provisioned.
         // This is signified by the user existing in the User table and the SSOUser table for the SSO provider they're using.
         var (user, provider, providerUserId, claims, ssoConfigData) = await FindUserFromExternalProviderAsync(result);
 
+        // We will look these up as required (lazy resolution) to avoid multiple DB hits.
+        Organization organization = null;
+        OrganizationUser orgUser = null;
+
         // The user has not authenticated with this SSO provider before.
         // They could have an existing Bitwarden account in the User table though.
         if (user == null)
         {
             // If we're manually linking to SSO, the user's external identifier will be passed as query string parameter.
-            var userIdentifier = result.Properties.Items.Keys.Contains("user_identifier") ?
-                result.Properties.Items["user_identifier"] : null;
-            user = await AutoProvisionUserAsync(provider, providerUserId, claims, userIdentifier, ssoConfigData);
+            var userIdentifier = result.Properties.Items.Keys.Contains("user_identifier")
+                ? result.Properties.Items["user_identifier"]
+                : null;
+
+            var (provisionedUser, foundOrganization, foundOrCreatedOrgUser) =
+                await AutoProvisionUserAsync(
+                    provider,
+                    providerUserId,
+                    claims,
+                    userIdentifier,
+                    ssoConfigData);
+
+            user = provisionedUser;
+
+            if (preventOrgUserLoginIfStatusInvalid)
+            {
+                organization = foundOrganization;
+                orgUser = foundOrCreatedOrgUser;
+            }
         }
 
-        // Either the user already authenticated with the SSO provider, or we've just provisioned them.
-        // Either way, we have associated the SSO login with a Bitwarden user.
-        // We will now sign the Bitwarden user in.
-        if (user != null)
+        if (preventOrgUserLoginIfStatusInvalid)
         {
+            if (user == null) throw new Exception(_i18nService.T("UserShouldBeFound"));
+
+            await PreventOrgUserLoginIfStatusInvalidAsync(organization, provider, orgUser, user);
+
             // This allows us to collect any additional claims or properties
             // for the specific protocols used and store them in the local auth cookie.
             // this is typically used to store data needed for signout from those protocols.
@@ -278,12 +313,41 @@ public class AccountController : Controller
             ProcessLoginCallback(result, additionalLocalClaims, localSignInProps);
 
             // Issue authentication cookie for user
-            await HttpContext.SignInAsync(new IdentityServerUser(user.Id.ToString())
+            await HttpContext.SignInAsync(
+                new IdentityServerUser(user.Id.ToString())
+                {
+                    DisplayName = user.Email,
+                    IdentityProvider = provider,
+                    AdditionalClaims = additionalLocalClaims.ToArray()
+                }, localSignInProps);
+        }
+        else
+        {
+            // Either the user already authenticated with the SSO provider, or we've just provisioned them.
+            // Either way, we have associated the SSO login with a Bitwarden user.
+            // We will now sign the Bitwarden user in.
+            if (user != null)
             {
-                DisplayName = user.Email,
-                IdentityProvider = provider,
-                AdditionalClaims = additionalLocalClaims.ToArray()
-            }, localSignInProps);
+                // This allows us to collect any additional claims or properties
+                // for the specific protocols used and store them in the local auth cookie.
+                // this is typically used to store data needed for signout from those protocols.
+                var additionalLocalClaims = new List<Claim>();
+                var localSignInProps = new AuthenticationProperties
+                {
+                    IsPersistent = true,
+                    ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(1)
+                };
+                ProcessLoginCallback(result, additionalLocalClaims, localSignInProps);
+
+                // Issue authentication cookie for user
+                await HttpContext.SignInAsync(
+                    new IdentityServerUser(user.Id.ToString())
+                    {
+                        DisplayName = user.Email,
+                        IdentityProvider = provider,
+                        AdditionalClaims = additionalLocalClaims.ToArray()
+                    }, localSignInProps);
+            }
         }
 
         // Delete temporary cookie used during external authentication
@@ -310,7 +374,7 @@ public class AccountController : Controller
     }
 
     [HttpGet]
-    public async Task<IActionResult> Logout(string logoutId)
+    public async Task<IActionResult> LogoutAsync(string logoutId)
     {
         // Build a model so the logged out page knows what to display
         var (updatedLogoutId, redirectUri, externalAuthenticationScheme) = await GetLoggedOutDataAsync(logoutId);
@@ -333,6 +397,7 @@ public class AccountController : Controller
             // This triggers a redirect to the external provider for sign-out
             return SignOut(new AuthenticationProperties { RedirectUri = url }, externalAuthenticationScheme);
         }
+
         if (redirectUri != null)
         {
             return View("Redirect", new RedirectViewModel { RedirectUrl = redirectUri });
@@ -347,7 +412,8 @@ public class AccountController : Controller
     /// Attempts to map the external identity to a Bitwarden user, through the SsoUser table, which holds the `externalId`.
     /// The claims on the external identity are used to determine an `externalId`, and that is used to find the appropriate `SsoUser` and `User` records.
     /// </summary>
-    private async Task<(User user, string provider, string providerUserId, IEnumerable<Claim> claims, SsoConfigurationData config)>
+    private async Task<(User user, string provider, string providerUserId, IEnumerable<Claim> claims,
+            SsoConfigurationData config)>
         FindUserFromExternalProviderAsync(AuthenticateResult result)
     {
         var provider = result.Properties.Items["scheme"];
@@ -374,9 +440,10 @@ public class AccountController : Controller
         // Ensure the NameIdentifier used is not a transient name ID, if so, we need a different attribute
         //  for the user identifier.
         static bool nameIdIsNotTransient(Claim c) => c.Type == ClaimTypes.NameIdentifier
-            && (c.Properties == null
-            || !c.Properties.TryGetValue(SamlPropertyKeys.ClaimFormat, out var claimFormat)
-            || claimFormat != SamlNameIdFormats.Transient);
+                                                     && (c.Properties == null
+                                                         || !c.Properties.TryGetValue(SamlPropertyKeys.ClaimFormat,
+                                                             out var claimFormat)
+                                                         || claimFormat != SamlNameIdFormats.Transient);
 
         // Try to determine the unique id of the external user (issued by the provider)
         // the most common claim type for that are the sub claim and the NameIdentifier
@@ -418,24 +485,20 @@ public class AccountController : Controller
     /// <param name="providerUserId">The external identity provider's user identifier.</param>
     /// <param name="claims">The claims from the external IdP.</param>
     /// <param name="userIdentifier">The user identifier used for manual SSO linking.</param>
-    /// <param name="config">The SSO configuration for the organization.</param>
-    /// <returns>The User to sign in.</returns>
+    /// <param name="ssoConfigData">The SSO configuration for the organization.</param>
+    /// <returns>Guaranteed to return the user to sign in as well as the found organization and org user.</returns>
     /// <exception cref="Exception">An exception if the user cannot be provisioned as requested.</exception>
-    private async Task<User> AutoProvisionUserAsync(string provider, string providerUserId,
-        IEnumerable<Claim> claims, string userIdentifier, SsoConfigurationData config)
+    private async Task<(User user, Organization foundOrganization, OrganizationUser foundOrgUser)>
+        AutoProvisionUserAsync(
+            string provider,
+            string providerUserId,
+            IEnumerable<Claim> claims,
+            string userIdentifier,
+            SsoConfigurationData ssoConfigData
+        )
     {
-        var name = GetName(claims, config.GetAdditionalNameClaimTypes());
-        var email = GetEmailAddress(claims, config.GetAdditionalEmailClaimTypes());
-        if (string.IsNullOrWhiteSpace(email) && providerUserId.Contains("@"))
-        {
-            email = providerUserId;
-        }
-
-        if (!Guid.TryParse(provider, out var orgId))
-        {
-            // TODO: support non-org (server-wide) SSO in the future?
-            throw new Exception(_i18nService.T("SSOProviderIsNotAnOrgId", provider));
-        }
+        var name = GetName(claims, ssoConfigData.GetAdditionalNameClaimTypes());
+        var email = TryGetEmailAddress(claims, ssoConfigData, providerUserId);
 
         User existingUser = null;
         if (string.IsNullOrWhiteSpace(userIdentifier))
@@ -444,15 +507,19 @@ public class AccountController : Controller
             {
                 throw new Exception(_i18nService.T("CannotFindEmailClaim"));
             }
+
             existingUser = await _userRepository.GetByEmailAsync(email);
         }
         else
         {
-            existingUser = await GetUserFromManualLinkingData(userIdentifier);
+            existingUser = await GetUserFromManualLinkingDataAsync(userIdentifier);
         }
 
-        // Try to find the OrganizationUser if it exists.
-        var (organization, orgUser) = await FindOrganizationUser(existingUser, email, orgId);
+        // Try to find the org (we error if we can't find an org)
+        var organization = await TryGetOrganizationByProviderAsync(provider);
+
+        // Try to find an org user (null org user possible and valid here)
+        var orgUser = await TryGetOrganizationUserByUserAndOrgOrEmail(existingUser, organization.Id, email);
 
         //----------------------------------------------------
         // Scenario 1: We've found the user in the User table
@@ -473,22 +540,22 @@ public class AccountController : Controller
                 throw new Exception(_i18nService.T("UserAlreadyExistsInviteProcess"));
             }
 
-            EnsureOrgUserStatusAllowed(orgUser.Status, organization.DisplayName(),
-                allowedStatuses: [OrganizationUserStatusType.Accepted, OrganizationUserStatusType.Confirmed]);
-
+            EnsureAcceptedOrConfirmedOrgUserStatus(orgUser.Status, organization.DisplayName());
 
             // Since we're in the auto-provisioning logic, this means that the user exists, but they have not
             // authenticated with the org's SSO provider before now (otherwise we wouldn't be auto-provisioning them).
             // We've verified that the user is Accepted or Confnirmed, so we can create an SsoUser link and proceed
             // with authentication.
-            await CreateSsoUserRecord(providerUserId, existingUser.Id, orgId, orgUser);
-            return existingUser;
+            await CreateSsoUserRecordAsync(providerUserId, existingUser.Id, organization.Id, orgUser);
+
+            return (existingUser, organization, orgUser);
         }
 
         // Before any user creation - if Org User doesn't exist at this point - make sure there are enough seats to add one
         if (orgUser == null && organization.Seats.HasValue)
         {
-            var occupiedSeats = await _organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+            var occupiedSeats =
+                await _organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
             var initialSeatCount = organization.Seats.Value;
             var availableSeats = initialSeatCount - occupiedSeats.Total;
             if (availableSeats < 1)
@@ -506,8 +573,10 @@ public class AccountController : Controller
                 {
                     if (organization.Seats.Value != initialSeatCount)
                     {
-                        await _organizationService.AdjustSeatsAsync(orgId, initialSeatCount - organization.Seats.Value);
+                        await _organizationService.AdjustSeatsAsync(organization.Id,
+                            initialSeatCount - organization.Seats.Value);
                     }
+
                     _logger.LogInformation(e, "SSO auto provisioning failed");
                     throw new Exception(_i18nService.T("NoSeatsAvailable", organization.DisplayName()));
                 }
@@ -519,7 +588,8 @@ public class AccountController : Controller
         var emailDomain = CoreHelpers.GetEmailDomain(email);
         if (!string.IsNullOrWhiteSpace(emailDomain))
         {
-            var organizationDomain = await _organizationDomainRepository.GetDomainByOrgIdAndDomainNameAsync(orgId, emailDomain);
+            var organizationDomain =
+                await _organizationDomainRepository.GetDomainByOrgIdAndDomainNameAsync(organization.Id, emailDomain);
             emailVerified = organizationDomain?.VerifiedDate.HasValue ?? false;
         }
 
@@ -537,7 +607,7 @@ public class AccountController : Controller
 
         // If the organization has 2fa policy enabled, make sure to default jit user 2fa to email
         var twoFactorPolicy =
-            await _policyRepository.GetByOrganizationIdTypeAsync(orgId, PolicyType.TwoFactorAuthentication);
+            await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.TwoFactorAuthentication);
         if (twoFactorPolicy != null && twoFactorPolicy.Enabled)
         {
             user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
@@ -560,13 +630,14 @@ public class AccountController : Controller
         {
             orgUser = new OrganizationUser
             {
-                OrganizationId = orgId,
+                OrganizationId = organization.Id,
                 UserId = user.Id,
                 Type = OrganizationUserType.User,
                 Status = OrganizationUserStatusType.Invited
             };
             await _organizationUserRepository.CreateAsync(orgUser);
         }
+
         //-----------------------------------------------------------------
         // Scenario 3: There is already an existing OrganizationUser
         // That was established through an invitation. We just need to
@@ -579,12 +650,47 @@ public class AccountController : Controller
         }
 
         // Create the SsoUser record to link the user to the SSO provider.
-        await CreateSsoUserRecord(providerUserId, user.Id, orgId, orgUser);
+        await CreateSsoUserRecordAsync(providerUserId, user.Id, organization.Id, orgUser);
 
-        return user;
+        return (user, organization, orgUser);
     }
 
-    private async Task<User> GetUserFromManualLinkingData(string userIdentifier)
+    /// <summary>
+    /// Validates an organization user is allowed to log in via SSO and blocks invalid statuses.
+    /// Lazily resolves the organization and organization user if not provided.
+    /// </summary>
+    /// <param name="organization">The target organization; if null, resolved from provider.</param>
+    /// <param name="provider">The SSO scheme provider value (organization id as a GUID string).</param>
+    /// <param name="orgUser">The organization-user record; if null, looked up by user/org or user email for invited users.</param>
+    /// <param name="user">The user attempting to sign in (existing or newly provisioned).</param>
+    /// <exception cref="Exception">Thrown if the organization cannot be resolved from provider;
+    /// the organization user cannot be found; or the organization user status is not allowed.</exception>
+    private async Task PreventOrgUserLoginIfStatusInvalidAsync(
+        Organization organization,
+        string provider,
+        OrganizationUser orgUser,
+        User user)
+    {
+        // Lazily get organization if not already known
+        organization ??= await TryGetOrganizationByProviderAsync(provider);
+
+        // Lazily get the org user if not already known
+        orgUser ??= await TryGetOrganizationUserByUserAndOrgOrEmail(
+            user,
+            organization.Id,
+            user.Email);
+
+        if (orgUser != null)
+        {
+            EnsureAcceptedOrConfirmedOrgUserStatus(orgUser.Status, organization.DisplayName());
+        }
+        else
+        {
+            throw new Exception(_i18nService.T("CouldNotFindOrganizationUser", user.Id, organization.Id));
+        }
+    }
+
+    private async Task<User> GetUserFromManualLinkingDataAsync(string userIdentifier)
     {
         User user = null;
         var split = userIdentifier.Split(",");
@@ -592,6 +698,7 @@ public class AccountController : Controller
         {
             throw new Exception(_i18nService.T("InvalidUserIdentifier"));
         }
+
         var userId = split[0];
         var token = split[1];
 
@@ -611,38 +718,73 @@ public class AccountController : Controller
                 throw new Exception(_i18nService.T("UserIdAndTokenMismatch"));
             }
         }
+
         return user;
     }
 
-    private async Task<(Organization, OrganizationUser)> FindOrganizationUser(User existingUser, string email, Guid orgId)
+    /// <summary>
+    /// Tries to get the organization by the provider which is org id for us as we use the scheme
+    /// to identify organizations - not identity providers.
+    /// </summary>
+    /// <param name="provider">Org id string from SSO scheme property</param>
+    /// <exception cref="Exception">Errors if the provider string is not a valid org id guid or if the org cannot be found by the id.</exception>
+    private async Task<Organization> TryGetOrganizationByProviderAsync(string provider)
     {
-        OrganizationUser orgUser = null;
-        var organization = await _organizationRepository.GetByIdAsync(orgId);
+        if (!Guid.TryParse(provider, out var organizationId))
+        {
+            // TODO: support non-org (server-wide) SSO in the future?
+            throw new Exception(_i18nService.T("SSOProviderIsNotAnOrgId", provider));
+        }
+
+        var organization = await _organizationRepository.GetByIdAsync(organizationId);
+
         if (organization == null)
         {
-            throw new Exception(_i18nService.T("CouldNotFindOrganization", orgId));
+            throw new Exception(_i18nService.T("CouldNotFindOrganization", organizationId));
         }
 
+        return organization;
+    }
+
+    /// <summary>
+    /// Attempts to get an <see cref="OrganizationUser"/> for a given organization
+    /// by first checking for an existing user relationship, and if none is found,
+    /// by looking up an invited user via their email address.
+    /// </summary>
+    /// <param name="user">The existing user entity to be looked up in OrganizationUsers table.</param>
+    /// <param name="organizationId">Organization id from the provider data.</param>
+    /// <param name="email">Email to use as a fallback in case of an invited user not in the Org Users
+    /// table yet.</param>
+    private async Task<OrganizationUser> TryGetOrganizationUserByUserAndOrgOrEmail(
+        User user,
+        Guid organizationId,
+        string email)
+    {
+        OrganizationUser orgUser = null;
+
         // Try to find OrgUser via existing User Id.
         // This covers any OrganizationUser state after they have accepted an invite.
-        if (existingUser != null)
+        if (user != null)
         {
-            var orgUsersByUserId = await _organizationUserRepository.GetManyByUserAsync(existingUser.Id);
-            orgUser = orgUsersByUserId.SingleOrDefault(u => u.OrganizationId == orgId);
+            var orgUsersByUserId = await _organizationUserRepository.GetManyByUserAsync(user.Id);
+            orgUser = orgUsersByUserId.SingleOrDefault(u => u.OrganizationId == organizationId);
         }
 
         // If no Org User found by Existing User Id - search all the organization's users via email.
         // This covers users who are Invited but haven't accepted their invite yet.
-        orgUser ??= await _organizationUserRepository.GetByOrganizationEmailAsync(orgId, email);
+        orgUser ??= await _organizationUserRepository.GetByOrganizationEmailAsync(organizationId, email);
 
-        return (organization, orgUser);
+        return orgUser;
     }
 
-    private void EnsureOrgUserStatusAllowed(
+    private void EnsureAcceptedOrConfirmedOrgUserStatus(
         OrganizationUserStatusType status,
-        string organizationDisplayName,
-        params OrganizationUserStatusType[] allowedStatuses)
+        string organizationDisplayName)
     {
+        // The only permissible org user statuses allowed.
+        OrganizationUserStatusType[] allowedStatuses =
+            [OrganizationUserStatusType.Accepted, OrganizationUserStatusType.Confirmed];
+
         // if this status is one of the allowed ones, just return
         if (allowedStatuses.Contains(status))
         {
@@ -667,7 +809,6 @@ public class AccountController : Controller
         }
     }
 
-
     private IActionResult InvalidJson(string errorMessageKey, Exception ex = null)
     {
         Response.StatusCode = ex == null ? 400 : 500;
@@ -679,13 +820,13 @@ public class AccountController : Controller
         });
     }
 
-    private string GetEmailAddress(IEnumerable<Claim> claims, IEnumerable<string> additionalClaimTypes)
+    private string TryGetEmailAddressFromClaims(IEnumerable<Claim> claims, IEnumerable<string> additionalClaimTypes)
     {
         var filteredClaims = claims.Where(c => !string.IsNullOrWhiteSpace(c.Value) && c.Value.Contains("@"));
 
         var email = filteredClaims.GetFirstMatch(additionalClaimTypes.ToArray()) ??
-            filteredClaims.GetFirstMatch(JwtClaimTypes.Email, ClaimTypes.Email,
-                SamlClaimTypes.Email, "mail", "emailaddress");
+                    filteredClaims.GetFirstMatch(JwtClaimTypes.Email, ClaimTypes.Email,
+                        SamlClaimTypes.Email, "mail", "emailaddress");
         if (!string.IsNullOrWhiteSpace(email))
         {
             return email;
@@ -706,8 +847,8 @@ public class AccountController : Controller
         var filteredClaims = claims.Where(c => !string.IsNullOrWhiteSpace(c.Value));
 
         var name = filteredClaims.GetFirstMatch(additionalClaimTypes.ToArray()) ??
-            filteredClaims.GetFirstMatch(JwtClaimTypes.Name, ClaimTypes.Name,
-                SamlClaimTypes.DisplayName, SamlClaimTypes.CommonName, "displayname", "cn");
+                   filteredClaims.GetFirstMatch(JwtClaimTypes.Name, ClaimTypes.Name,
+                       SamlClaimTypes.DisplayName, SamlClaimTypes.CommonName, "displayname", "cn");
         if (!string.IsNullOrWhiteSpace(name))
         {
             return name;
@@ -725,7 +866,8 @@ public class AccountController : Controller
         return null;
     }
 
-    private async Task CreateSsoUserRecord(string providerUserId, Guid userId, Guid orgId, OrganizationUser orgUser)
+    private async Task CreateSsoUserRecordAsync(string providerUserId, Guid userId, Guid orgId,
+        OrganizationUser orgUser)
     {
         // Delete existing SsoUser (if any) - avoids error if providerId has changed and the sso link is stale
         var existingSsoUser = await _ssoUserRepository.GetByUserIdOrganizationIdAsync(orgId, userId);
@@ -740,12 +882,7 @@ public class AccountController : Controller
             await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_FirstSsoLogin);
         }
 
-        var ssoUser = new SsoUser
-        {
-            ExternalId = providerUserId,
-            UserId = userId,
-            OrganizationId = orgId,
-        };
+        var ssoUser = new SsoUser { ExternalId = providerUserId, UserId = userId, OrganizationId = orgId, };
         await _ssoUserRepository.CreateAsync(ssoUser);
     }
 
@@ -769,18 +906,6 @@ public class AccountController : Controller
         }
     }
 
-    private async Task<string> GetProviderAsync(string returnUrl)
-    {
-        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
-        if (context?.IdP != null && await _schemeProvider.GetSchemeAsync(context.IdP) != null)
-        {
-            return context.IdP;
-        }
-        var schemes = await _schemeProvider.GetAllSchemesAsync();
-        var providers = schemes.Select(x => x.Name).ToList();
-        return providers.FirstOrDefault();
-    }
-
     private async Task<(string, string, string)> GetLoggedOutDataAsync(string logoutId)
     {
         // Get context information (client name, post logout redirect URI and iframe for federated signout)
@@ -812,9 +937,29 @@ public class AccountController : Controller
         return (logoutId, logout?.PostLogoutRedirectUri, externalAuthenticationScheme);
     }
 
+    /**
+     * Tries to get a user's email from the claims and SSO configuration data or the provider user id if
+     * the claims email extraction returns null.
+     */
+    private string TryGetEmailAddress(
+        IEnumerable<Claim> claims,
+        SsoConfigurationData config,
+        string providerUserId)
+    {
+        var email = TryGetEmailAddressFromClaims(claims, config.GetAdditionalEmailClaimTypes());
+
+        // If email isn't populated from claims and providerUserId has @, assume it is the email.
+        if (string.IsNullOrWhiteSpace(email) && providerUserId.Contains("@"))
+        {
+            email = providerUserId;
+        }
+
+        return email;
+    }
+
     public bool IsNativeClient(DIM.AuthorizationRequest context)
     {
         return !context.RedirectUri.StartsWith("https", StringComparison.Ordinal)
-           && !context.RedirectUri.StartsWith("http", StringComparison.Ordinal);
+               && !context.RedirectUri.StartsWith("http", StringComparison.Ordinal);
     }
 }
diff --git a/bitwarden_license/test/SSO.Test/Controllers/AccountControllerTest.cs b/bitwarden_license/test/SSO.Test/Controllers/AccountControllerTest.cs
new file mode 100644
index 0000000000..7dbc98d261
--- /dev/null
+++ b/bitwarden_license/test/SSO.Test/Controllers/AccountControllerTest.cs
@@ -0,0 +1,1029 @@
+using System.Reflection;
+using System.Security.Claims;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Sso.Controllers;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Duende.IdentityModel;
+using Duende.IdentityServer.Configuration;
+using Duende.IdentityServer.Models;
+using Duende.IdentityServer.Services;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.DependencyInjection;
+using NSubstitute;
+using Xunit.Abstractions;
+using AuthenticationOptions = Duende.IdentityServer.Configuration.AuthenticationOptions;
+
+namespace Bit.SSO.Test.Controllers;
+
+[ControllerCustomize(typeof(AccountController)), SutProviderCustomize]
+public class AccountControllerTest
+{
+    private readonly ITestOutputHelper _output;
+
+    public AccountControllerTest(ITestOutputHelper output)
+    {
+        _output = output;
+    }
+
+    private static IAuthenticationService SetupHttpContextWithAuth(
+        SutProvider<AccountController> sutProvider,
+        AuthenticateResult authResult,
+        IAuthenticationService? authService = null)
+    {
+        var schemeProvider = Substitute.For<IAuthenticationSchemeProvider>();
+        schemeProvider.GetDefaultAuthenticateSchemeAsync()
+            .Returns(new AuthenticationScheme("idsrv", "idsrv", typeof(IAuthenticationHandler)));
+
+        var resolvedAuthService = authService ?? Substitute.For<IAuthenticationService>();
+        resolvedAuthService.AuthenticateAsync(
+                Arg.Any<HttpContext>(),
+                AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme)
+            .Returns(authResult);
+
+        var services = new ServiceCollection();
+        services.AddSingleton(resolvedAuthService);
+        services.AddSingleton<IAuthenticationSchemeProvider>(schemeProvider);
+        services.AddSingleton(new IdentityServerOptions
+        {
+            Authentication = new AuthenticationOptions
+            {
+                CookieAuthenticationScheme = "idsrv"
+            }
+        });
+        var sp = services.BuildServiceProvider();
+
+        sutProvider.Sut.ControllerContext = new ControllerContext
+        {
+            HttpContext = new DefaultHttpContext
+            {
+                RequestServices = sp
+            }
+        };
+
+        return resolvedAuthService;
+    }
+
+    private static void InvokeEnsureOrgUserStatusAllowed(
+        AccountController controller,
+        OrganizationUserStatusType status)
+    {
+        var method = typeof(AccountController).GetMethod(
+            "EnsureAcceptedOrConfirmedOrgUserStatus",
+            BindingFlags.Instance | BindingFlags.NonPublic);
+        Assert.NotNull(method);
+        method.Invoke(controller, [status, "Org"]);
+    }
+
+    private static AuthenticateResult BuildSuccessfulExternalAuth(Guid orgId, string providerUserId, string email)
+    {
+        var claims = new[]
+        {
+            new Claim(JwtClaimTypes.Subject, providerUserId),
+            new Claim(JwtClaimTypes.Email, email)
+        };
+        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "External"));
+        var properties = new AuthenticationProperties
+        {
+            Items =
+            {
+                ["scheme"] = orgId.ToString(),
+                ["return_url"] = "~/",
+                ["state"] = "state",
+                ["user_identifier"] = string.Empty
+            }
+        };
+        var ticket = new AuthenticationTicket(principal, properties, AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme);
+        return AuthenticateResult.Success(ticket);
+    }
+
+    private static void ConfigureSsoAndUser(
+        SutProvider<AccountController> sutProvider,
+        Guid orgId,
+        string providerUserId,
+        User user,
+        Organization? organization = null,
+        OrganizationUser? orgUser = null)
+    {
+        var ssoConfigRepository = sutProvider.GetDependency<ISsoConfigRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        var ssoConfig = new SsoConfig { OrganizationId = orgId, Enabled = true };
+        var ssoData = new SsoConfigurationData();
+        ssoConfig.SetData(ssoData);
+        ssoConfigRepository.GetByOrganizationIdAsync(orgId).Returns(ssoConfig);
+
+        userRepository.GetBySsoUserAsync(providerUserId, orgId).Returns(user);
+
+        if (organization != null)
+        {
+            organizationRepository.GetByIdAsync(orgId).Returns(organization);
+        }
+        if (organization != null && orgUser != null)
+        {
+            organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id).Returns(orgUser);
+            organizationUserRepository.GetManyByUserAsync(user.Id).Returns([orgUser]);
+        }
+    }
+
+    private enum MeasurementScenario
+    {
+        ExistingSsoLinkedAccepted,
+        ExistingUserNoOrgUser,
+        JitProvision
+    }
+
+    private sealed class LookupCounts
+    {
+        public int UserGetBySso { get; init; }
+        public int UserGetByEmail { get; init; }
+        public int OrgGetById { get; init; }
+        public int OrgUserGetByOrg { get; init; }
+        public int OrgUserGetByEmail { get; init; }
+    }
+
+    private async Task<LookupCounts> MeasureCountsForScenarioAsync(
+        SutProvider<AccountController> sutProvider,
+        MeasurementScenario scenario,
+        bool preventNonCompliant)
+    {
+        var orgId = Guid.NewGuid();
+        var providerUserId = $"meas-{scenario}-{(preventNonCompliant ? "on" : "off")}";
+        var email = scenario == MeasurementScenario.JitProvision
+            ? "jit.compare@example.com"
+            : "existing.compare@example.com";
+
+        var organization = new Organization { Id = orgId, Name = "Org" };
+        var user = new User { Id = Guid.NewGuid(), Email = email };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, email);
+        SetupHttpContextWithAuth(sutProvider, authResult);
+
+        // SSO config present
+        var ssoConfigRepository = sutProvider.GetDependency<ISsoConfigRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+        var featureService = sutProvider.GetDependency<IFeatureService>();
+        var interactionService = sutProvider.GetDependency<IIdentityServerInteractionService>();
+
+        var ssoConfig = new SsoConfig { OrganizationId = orgId, Enabled = true };
+        var ssoData = new SsoConfigurationData();
+        ssoConfig.SetData(ssoData);
+        ssoConfigRepository.GetByOrganizationIdAsync(orgId).Returns(ssoConfig);
+
+        switch (scenario)
+        {
+            case MeasurementScenario.ExistingSsoLinkedAccepted:
+                userRepository.GetBySsoUserAsync(providerUserId, orgId).Returns(user);
+                organizationRepository.GetByIdAsync(orgId).Returns(organization);
+                organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id)
+                    .Returns(new OrganizationUser
+                    {
+                        OrganizationId = orgId,
+                        UserId = user.Id,
+                        Status = OrganizationUserStatusType.Accepted,
+                        Type = OrganizationUserType.User
+                    });
+                break;
+            case MeasurementScenario.ExistingUserNoOrgUser:
+                userRepository.GetBySsoUserAsync(providerUserId, orgId).Returns(user);
+                organizationRepository.GetByIdAsync(orgId).Returns(organization);
+                organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id)
+                    .Returns((OrganizationUser?)null);
+                break;
+            case MeasurementScenario.JitProvision:
+                userRepository.GetBySsoUserAsync(providerUserId, orgId).Returns((User?)null);
+                userRepository.GetByEmailAsync(email).Returns((User?)null);
+                organizationRepository.GetByIdAsync(orgId).Returns(organization);
+                organizationUserRepository.GetByOrganizationEmailAsync(orgId, email)
+                    .Returns((OrganizationUser?)null);
+                break;
+        }
+
+        featureService.IsEnabled(Arg.Any<string>()).Returns(preventNonCompliant);
+        interactionService.GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        try
+        {
+            _ = await sutProvider.Sut.ExternalCallback();
+        }
+        catch
+        {
+            // Ignore exceptions for measurement; some flows can throw based on status enforcement
+        }
+
+        var counts = new LookupCounts
+        {
+            UserGetBySso = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetBySsoUserAsync)),
+            UserGetByEmail = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetByEmailAsync)),
+            OrgGetById = organizationRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationRepository.GetByIdAsync)),
+            OrgUserGetByOrg = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationAsync)),
+            OrgUserGetByEmail = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationEmailAsync)),
+        };
+
+        userRepository.ClearReceivedCalls();
+        organizationRepository.ClearReceivedCalls();
+        organizationUserRepository.ClearReceivedCalls();
+
+        return counts;
+    }
+
+    [Theory, BitAutoData]
+    public void EnsureOrgUserStatusAllowed_AllowsAcceptedAndConfirmed(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>(), Arg.Any<object?[]>())
+            .Returns(ci => (string)ci[0]!);
+
+        // Act
+        var ex1 = Record.Exception(() =>
+            InvokeEnsureOrgUserStatusAllowed(sutProvider.Sut, OrganizationUserStatusType.Accepted));
+        var ex2 = Record.Exception(() =>
+            InvokeEnsureOrgUserStatusAllowed(sutProvider.Sut, OrganizationUserStatusType.Confirmed));
+
+        // Assert
+        Assert.Null(ex1);
+        Assert.Null(ex2);
+    }
+
+    [Theory, BitAutoData]
+    public void EnsureOrgUserStatusAllowed_Invited_ThrowsAcceptInvite(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>(), Arg.Any<object?[]>())
+            .Returns(ci => (string)ci[0]!);
+
+        // Act
+        var ex = Assert.Throws<TargetInvocationException>(() =>
+            InvokeEnsureOrgUserStatusAllowed(sutProvider.Sut, OrganizationUserStatusType.Invited));
+
+        // Assert
+        Assert.IsType<Exception>(ex.InnerException);
+        Assert.Equal("AcceptInviteBeforeUsingSSO", ex.InnerException!.Message);
+    }
+
+    [Theory, BitAutoData]
+    public void EnsureOrgUserStatusAllowed_Revoked_ThrowsAccessRevoked(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>(), Arg.Any<object?[]>())
+            .Returns(ci => (string)ci[0]!);
+
+        // Act
+        var ex = Assert.Throws<TargetInvocationException>(() =>
+            InvokeEnsureOrgUserStatusAllowed(sutProvider.Sut, OrganizationUserStatusType.Revoked));
+
+        // Assert
+        Assert.IsType<Exception>(ex.InnerException);
+        Assert.Equal("OrganizationUserAccessRevoked", ex.InnerException!.Message);
+    }
+
+    [Theory, BitAutoData]
+    public void EnsureOrgUserStatusAllowed_UnknownStatus_ThrowsUnknown(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>(), Arg.Any<object?[]>())
+            .Returns(ci => (string)ci[0]!);
+
+        var unknown = (OrganizationUserStatusType)999;
+
+        // Act
+        var ex = Assert.Throws<TargetInvocationException>(() =>
+            InvokeEnsureOrgUserStatusAllowed(sutProvider.Sut, unknown));
+
+        // Assert
+        Assert.IsType<Exception>(ex.InnerException);
+        Assert.Equal("OrganizationUserUnknownStatus", ex.InnerException!.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_PreventNonCompliantTrue_ExistingUser_NoOrgUser_ThrowsCouldNotFindOrganizationUser(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-missing-orguser";
+        var user = new User { Id = Guid.NewGuid(), Email = "missing.orguser@example.com" };
+        var organization = new Organization { Id = orgId, Name = "Org" };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, user.Email!);
+        SetupHttpContextWithAuth(sutProvider, authResult);
+
+        // i18n returns the key so we can assert on message contents
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>(), Arg.Any<object?[]>())
+            .Returns(ci => (string)ci[0]!);
+
+        // SSO config + user link exists, but no org user membership
+        ConfigureSsoAndUser(
+            sutProvider,
+            orgId,
+            providerUserId,
+            user,
+            organization,
+            orgUser: null);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organization.Id, user.Id).Returns((OrganizationUser?)null);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(true);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act + Assert
+        var ex = await Assert.ThrowsAsync<Exception>(() => sutProvider.Sut.ExternalCallback());
+        Assert.Equal("CouldNotFindOrganizationUser", ex.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_PreventNonCompliantTrue_ExistingUser_OrgUserInvited_ThrowsAcceptInvite(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-invited-orguser";
+        var user = new User { Id = Guid.NewGuid(), Email = "invited.orguser@example.com" };
+        var organization = new Organization { Id = orgId, Name = "Org" };
+        var orgUser = new OrganizationUser
+        {
+            OrganizationId = orgId,
+            UserId = user.Id,
+            Status = OrganizationUserStatusType.Invited,
+            Type = OrganizationUserType.User
+        };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, user.Email!);
+        SetupHttpContextWithAuth(sutProvider, authResult);
+
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>(), Arg.Any<object?[]>())
+            .Returns(ci => (string)ci[0]!);
+
+        ConfigureSsoAndUser(
+            sutProvider,
+            orgId,
+            providerUserId,
+            user,
+            organization,
+            orgUser);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(true);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act + Assert
+        var ex = await Assert.ThrowsAsync<Exception>(() => sutProvider.Sut.ExternalCallback());
+        Assert.Equal("AcceptInviteBeforeUsingSSO", ex.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_PreventNonCompliantTrue_ExistingUser_OrgUserRevoked_ThrowsAccessRevoked(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-revoked-orguser";
+        var user = new User { Id = Guid.NewGuid(), Email = "revoked.orguser@example.com" };
+        var organization = new Organization { Id = orgId, Name = "Org" };
+        var orgUser = new OrganizationUser
+        {
+            OrganizationId = orgId,
+            UserId = user.Id,
+            Status = OrganizationUserStatusType.Revoked,
+            Type = OrganizationUserType.User
+        };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, user.Email!);
+        SetupHttpContextWithAuth(sutProvider, authResult);
+
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>(), Arg.Any<object?[]>())
+            .Returns(ci => (string)ci[0]!);
+
+        ConfigureSsoAndUser(
+            sutProvider,
+            orgId,
+            providerUserId,
+            user,
+            organization,
+            orgUser);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(true);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act + Assert
+        var ex = await Assert.ThrowsAsync<Exception>(() => sutProvider.Sut.ExternalCallback());
+        Assert.Equal("OrganizationUserAccessRevoked", ex.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_PreventNonCompliantTrue_ExistingUser_OrgUserUnknown_ThrowsUnknown(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-unknown-orguser";
+        var user = new User { Id = Guid.NewGuid(), Email = "unknown.orguser@example.com" };
+        var organization = new Organization { Id = orgId, Name = "Org" };
+        var unknownStatus = (OrganizationUserStatusType)999;
+        var orgUser = new OrganizationUser
+        {
+            OrganizationId = orgId,
+            UserId = user.Id,
+            Status = unknownStatus,
+            Type = OrganizationUserType.User
+        };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, user.Email!);
+        SetupHttpContextWithAuth(sutProvider, authResult);
+
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>(), Arg.Any<object?[]>())
+            .Returns(ci => (string)ci[0]!);
+
+        ConfigureSsoAndUser(
+            sutProvider,
+            orgId,
+            providerUserId,
+            user,
+            organization,
+            orgUser);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(true);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act + Assert
+        var ex = await Assert.ThrowsAsync<Exception>(() => sutProvider.Sut.ExternalCallback());
+        Assert.Equal("OrganizationUserUnknownStatus", ex.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_WithExistingUserAndAcceptedMembership_RedirectsToReturnUrl(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-123";
+        var user = new User { Id = Guid.NewGuid(), Email = "user@example.com" };
+        var organization = new Organization { Id = orgId, Name = "Test Org" };
+        var orgUser = new OrganizationUser
+        {
+            OrganizationId = orgId,
+            UserId = user.Id,
+            Status = OrganizationUserStatusType.Accepted,
+            Type = OrganizationUserType.User
+        };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, user.Email!);
+        var authService = SetupHttpContextWithAuth(sutProvider, authResult);
+
+        ConfigureSsoAndUser(
+            sutProvider,
+            orgId,
+            providerUserId,
+            user,
+            organization,
+            orgUser);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(true);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act
+        var result = await sutProvider.Sut.ExternalCallback();
+
+        // Assert
+        var redirect = Assert.IsType<RedirectResult>(result);
+        Assert.Equal("~/", redirect.Url);
+
+        await authService.Received().SignInAsync(
+            Arg.Any<HttpContext>(),
+            Arg.Any<string?>(),
+            Arg.Any<ClaimsPrincipal>(),
+            Arg.Any<AuthenticationProperties>());
+
+        await authService.Received().SignOutAsync(
+            Arg.Any<HttpContext>(),
+            AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme,
+            Arg.Any<AuthenticationProperties>());
+    }
+
+    /// <summary>
+    /// PM-24579: Temporary test, remove with feature flag.
+    /// </summary>
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_PreventNonCompliantFalse_SkipsOrgLookupAndSignsIn(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-flag-off";
+        var user = new User { Id = Guid.NewGuid(), Email = "flagoff@example.com" };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, user.Email!);
+        var authService = SetupHttpContextWithAuth(sutProvider, authResult);
+
+        ConfigureSsoAndUser(
+            sutProvider,
+            orgId,
+            providerUserId,
+            user);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(false);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act
+        var result = await sutProvider.Sut.ExternalCallback();
+
+        // Assert
+        var redirect = Assert.IsType<RedirectResult>(result);
+        Assert.Equal("~/", redirect.Url);
+
+        await authService.Received().SignInAsync(
+            Arg.Any<HttpContext>(),
+            Arg.Any<string?>(),
+            Arg.Any<ClaimsPrincipal>(),
+            Arg.Any<AuthenticationProperties>());
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>().DidNotReceiveWithAnyArgs()
+            .GetByOrganizationAsync(Guid.Empty, Guid.Empty);
+    }
+
+    /// <summary>
+    /// PM-24579: Permanent test, remove the True in PreventNonCompliantTrue and remove the configure for the feature
+    /// flag.
+    /// </summary>
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_PreventNonCompliantTrue_ExistingSsoLinkedAccepted_MeasureLookups(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-measure-existing";
+        var user = new User { Id = Guid.NewGuid(), Email = "existing@example.com" };
+        var organization = new Organization { Id = orgId, Name = "Org" };
+        var orgUser = new OrganizationUser
+        {
+            OrganizationId = orgId,
+            UserId = user.Id,
+            Status = OrganizationUserStatusType.Accepted,
+            Type = OrganizationUserType.User
+        };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, user.Email);
+        SetupHttpContextWithAuth(sutProvider, authResult);
+
+        ConfigureSsoAndUser(
+            sutProvider,
+            orgId,
+            providerUserId,
+            user,
+            organization,
+            orgUser);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(true);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act
+        try
+        {
+            _ = await sutProvider.Sut.ExternalCallback();
+        }
+        catch
+        {
+            // ignore for measurement only
+        }
+
+        // Assert (measurement only - no asserts on counts)
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        var userGetBySso = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetBySsoUserAsync));
+        var userGetByEmail = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetByEmailAsync));
+        var orgGet = organizationRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationRepository.GetByIdAsync));
+        var orgUserGetByOrg = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationAsync))
+            + organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetManyByUserAsync));
+        var orgUserGetByEmail = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationEmailAsync));
+
+        _output.WriteLine($"GetBySsoUserAsync: {userGetBySso}");
+        _output.WriteLine($"GetByEmailAsync: {userGetByEmail}");
+        _output.WriteLine($"GetByIdAsync (Org): {orgGet}");
+        _output.WriteLine($"GetByOrganizationAsync (OrgUser): {orgUserGetByOrg}");
+        _output.WriteLine($"GetByOrganizationEmailAsync (OrgUser): {orgUserGetByEmail}");
+
+        // Snapshot assertions
+        Assert.Equal(1, userGetBySso);
+        Assert.Equal(0, userGetByEmail);
+        Assert.Equal(1, orgGet);
+        Assert.Equal(1, orgUserGetByOrg);
+        Assert.Equal(0, orgUserGetByEmail);
+    }
+
+    /// <summary>
+    /// PM-24579: Permanent test, remove the True in PreventNonCompliantTrue and remove the configure for the feature
+    /// flag.
+    /// </summary>
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_PreventNonCompliantTrue_JitProvision_MeasureLookups(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-measure-jit";
+        var email = "jit.measure@example.com";
+        var organization = new Organization { Id = orgId, Name = "Org", Seats = null };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, email);
+        SetupHttpContextWithAuth(sutProvider, authResult);
+
+        var ssoConfigRepository = sutProvider.GetDependency<ISsoConfigRepository>();
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        var ssoConfig = new SsoConfig { OrganizationId = orgId, Enabled = true };
+        var ssoData = new SsoConfigurationData();
+        ssoConfig.SetData(ssoData);
+        ssoConfigRepository.GetByOrganizationIdAsync(orgId).Returns(ssoConfig);
+
+        // JIT (no existing user or sso link)
+        userRepository.GetBySsoUserAsync(providerUserId, orgId).Returns((User?)null);
+        userRepository.GetByEmailAsync(email).Returns((User?)null);
+        organizationRepository.GetByIdAsync(orgId).Returns(organization);
+        organizationUserRepository.GetByOrganizationEmailAsync(orgId, email).Returns((OrganizationUser?)null);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(true);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act
+        try
+        {
+            _ = await sutProvider.Sut.ExternalCallback();
+        }
+        catch
+        {
+            // JIT path may throw due to Invited status under enforcement; ignore for measurement
+        }
+
+        // Assert (measurement only - no asserts on counts)
+        var userGetBySso = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetBySsoUserAsync));
+        var userGetByEmail = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetByEmailAsync));
+        var orgGet = organizationRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationRepository.GetByIdAsync));
+        var orgUserGetByOrg = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationAsync));
+        var orgUserGetByEmail = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationEmailAsync));
+
+        _output.WriteLine($"GetBySsoUserAsync: {userGetBySso}");
+        _output.WriteLine($"GetByEmailAsync: {userGetByEmail}");
+        _output.WriteLine($"GetByIdAsync (Org): {orgGet}");
+        _output.WriteLine($"GetByOrganizationAsync (OrgUser): {orgUserGetByOrg}");
+        _output.WriteLine($"GetByOrganizationEmailAsync (OrgUser): {orgUserGetByEmail}");
+
+        // Snapshot assertions
+        Assert.Equal(1, userGetBySso);
+        Assert.Equal(1, userGetByEmail);
+        Assert.Equal(1, orgGet);
+        Assert.Equal(0, orgUserGetByOrg);
+        Assert.Equal(1, orgUserGetByEmail);
+    }
+
+    /// <summary>
+    /// PM-24579: Permanent test, remove the True in PreventNonCompliantTrue and remove the configure for the feature
+    /// flag.
+    ///
+    /// This test will trigger both the GetByOrganizationAsync and the fallback attempt to get by email
+    /// GetByOrganizationEmailAsync.
+    /// </summary>
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_PreventNonCompliantTrue_ExistingUser_NoOrgUser_MeasureLookups(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-measure-existing-no-orguser";
+        var user = new User { Id = Guid.NewGuid(), Email = "existing2@example.com" };
+        var organization = new Organization { Id = orgId, Name = "Org" };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, user.Email!);
+        SetupHttpContextWithAuth(sutProvider, authResult);
+
+        ConfigureSsoAndUser(
+            sutProvider,
+            orgId,
+            providerUserId,
+            user,
+            organization,
+            orgUser: null);
+
+        // Ensure orgUser lookup returns null
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(organization.Id, user.Id).Returns((OrganizationUser?)null);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(true);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act
+        try
+        {
+            _ = await sutProvider.Sut.ExternalCallback();
+        }
+        catch
+        {
+            // ignore for measurement only
+        }
+
+        // Assert (measurement only - no asserts on counts)
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        var userGetBySso = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetBySsoUserAsync));
+        var userGetByEmail = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetByEmailAsync));
+        var orgGet = organizationRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationRepository.GetByIdAsync));
+        var orgUserGetByOrg = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationAsync))
+            + organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetManyByUserAsync));
+        var orgUserGetByEmail = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationEmailAsync));
+
+        _output.WriteLine($"GetBySsoUserAsync: {userGetBySso}");
+        _output.WriteLine($"GetByEmailAsync: {userGetByEmail}");
+        _output.WriteLine($"GetByIdAsync (Org): {orgGet}");
+        _output.WriteLine($"GetByOrganizationAsync (OrgUser): {orgUserGetByOrg}");
+        _output.WriteLine($"GetByOrganizationEmailAsync (OrgUser): {orgUserGetByEmail}");
+
+        // Snapshot assertions
+        Assert.Equal(1, userGetBySso);
+        Assert.Equal(0, userGetByEmail);
+        Assert.Equal(1, orgGet);
+        Assert.Equal(1, orgUserGetByOrg);
+        Assert.Equal(1, orgUserGetByEmail);
+    }
+
+    /// <summary>
+    /// PM-24579: Temporary test, remove with feature flag.
+    /// </summary>
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_PreventNonCompliantFalse_ExistingSsoLinkedAccepted_MeasureLookups(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-measure-existing-flagoff";
+        var user = new User { Id = Guid.NewGuid(), Email = "existing.flagoff@example.com" };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, user.Email!);
+        SetupHttpContextWithAuth(sutProvider, authResult);
+
+        var ssoConfig = new SsoConfig { OrganizationId = orgId, Enabled = true };
+        var ssoData = new SsoConfigurationData();
+        ssoConfig.SetData(ssoData);
+        sutProvider.GetDependency<ISsoConfigRepository>().GetByOrganizationIdAsync(orgId).Returns(ssoConfig);
+        sutProvider.GetDependency<IUserRepository>().GetBySsoUserAsync(providerUserId, orgId).Returns(user);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(false);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act
+        try { _ = await sutProvider.Sut.ExternalCallback(); } catch { }
+
+        // Assert (measurement)
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        var userGetBySso = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetBySsoUserAsync));
+        var userGetByEmail = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetByEmailAsync));
+        var orgGet = organizationRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationRepository.GetByIdAsync));
+        var orgUserGetByOrg = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationAsync));
+        var orgUserGetByEmail = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationEmailAsync));
+
+        _output.WriteLine($"[flag off] GetBySsoUserAsync: {userGetBySso}");
+        _output.WriteLine($"[flag off] GetByEmailAsync: {userGetByEmail}");
+        _output.WriteLine($"[flag off] GetByIdAsync (Org): {orgGet}");
+        _output.WriteLine($"[flag off] GetByOrganizationAsync (OrgUser): {orgUserGetByOrg}");
+        _output.WriteLine($"[flag off] GetByOrganizationEmailAsync (OrgUser): {orgUserGetByEmail}");
+    }
+
+    /// <summary>
+    /// PM-24579: Temporary test, remove with feature flag.
+    /// </summary>
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_PreventNonCompliantFalse_ExistingUser_NoOrgUser_MeasureLookups(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-measure-existing-no-orguser-flagoff";
+        var user = new User { Id = Guid.NewGuid(), Email = "existing2.flagoff@example.com" };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, user.Email!);
+        SetupHttpContextWithAuth(sutProvider, authResult);
+
+        var ssoConfig = new SsoConfig { OrganizationId = orgId, Enabled = true };
+        var ssoData = new SsoConfigurationData();
+        ssoConfig.SetData(ssoData);
+        sutProvider.GetDependency<ISsoConfigRepository>().GetByOrganizationIdAsync(orgId).Returns(ssoConfig);
+        sutProvider.GetDependency<IUserRepository>().GetBySsoUserAsync(providerUserId, orgId).Returns(user);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(false);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act
+        try { _ = await sutProvider.Sut.ExternalCallback(); } catch { }
+
+        // Assert (measurement)
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        var userGetBySso = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetBySsoUserAsync));
+        var userGetByEmail = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetByEmailAsync));
+        var orgGet = organizationRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationRepository.GetByIdAsync));
+        var orgUserGetByOrg = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationAsync));
+        var orgUserGetByEmail = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationEmailAsync));
+
+        _output.WriteLine($"[flag off] GetBySsoUserAsync: {userGetBySso}");
+        _output.WriteLine($"[flag off] GetByEmailAsync: {userGetByEmail}");
+        _output.WriteLine($"[flag off] GetByIdAsync (Org): {orgGet}");
+        _output.WriteLine($"[flag off] GetByOrganizationAsync (OrgUser): {orgUserGetByOrg}");
+        _output.WriteLine($"[flag off] GetByOrganizationEmailAsync (OrgUser): {orgUserGetByEmail}");
+    }
+
+    /// <summary>
+    /// PM-24579: Temporary test, remove with feature flag.
+    /// </summary>
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_PreventNonCompliantFalse_JitProvision_MeasureLookups(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-measure-jit-flagoff";
+        var email = "jit.flagoff@example.com";
+        var organization = new Organization { Id = orgId, Name = "Org", Seats = null };
+
+        var authResult = BuildSuccessfulExternalAuth(orgId, providerUserId, email);
+        SetupHttpContextWithAuth(sutProvider, authResult);
+
+        var ssoConfig = new SsoConfig { OrganizationId = orgId, Enabled = true };
+        var ssoData = new SsoConfigurationData();
+        ssoConfig.SetData(ssoData);
+        sutProvider.GetDependency<ISsoConfigRepository>().GetByOrganizationIdAsync(orgId).Returns(ssoConfig);
+
+        // JIT (no existing user or sso link)
+        sutProvider.GetDependency<IUserRepository>().GetBySsoUserAsync(providerUserId, orgId).Returns((User?)null);
+        sutProvider.GetDependency<IUserRepository>().GetByEmailAsync(email).Returns((User?)null);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(orgId).Returns(organization);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByOrganizationEmailAsync(orgId, email).Returns((OrganizationUser?)null);
+
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(Arg.Any<string>()).Returns(false);
+        sutProvider.GetDependency<IIdentityServerInteractionService>()
+            .GetAuthorizationContextAsync("~/").Returns((AuthorizationRequest?)null);
+
+        // Act
+        try { _ = await sutProvider.Sut.ExternalCallback(); } catch { }
+
+        // Assert (measurement)
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
+        var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        var userGetBySso = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetBySsoUserAsync));
+        var userGetByEmail = userRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IUserRepository.GetByEmailAsync));
+        var orgGet = organizationRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationRepository.GetByIdAsync));
+        var orgUserGetByOrg = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationAsync));
+        var orgUserGetByEmail = organizationUserRepository.ReceivedCalls().Count(c => c.GetMethodInfo().Name == nameof(IOrganizationUserRepository.GetByOrganizationEmailAsync));
+
+        _output.WriteLine($"[flag off] GetBySsoUserAsync: {userGetBySso}");
+        _output.WriteLine($"[flag off] GetByEmailAsync: {userGetByEmail}");
+        _output.WriteLine($"[flag off] GetByIdAsync (Org): {orgGet}");
+        _output.WriteLine($"[flag off] GetByOrganizationAsync (OrgUser): {orgUserGetByOrg}");
+        _output.WriteLine($"[flag off] GetByOrganizationEmailAsync (OrgUser): {orgUserGetByEmail}");
+    }
+
+    [Theory, BitAutoData]
+    public async Task AutoProvisionUserAsync_WithExistingAcceptedUser_CreatesSsoLinkAndReturnsUser(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var orgId = Guid.NewGuid();
+        var providerUserId = "ext-456";
+        var email = "jit@example.com";
+        var existingUser = new User { Id = Guid.NewGuid(), Email = email };
+        var organization = new Organization { Id = orgId, Name = "Org" };
+        var orgUser = new OrganizationUser
+        {
+            OrganizationId = orgId,
+            UserId = existingUser.Id,
+            Status = OrganizationUserStatusType.Accepted,
+            Type = OrganizationUserType.User
+        };
+
+        // Arrange repository expectations for the flow
+        sutProvider.GetDependency<IUserRepository>().GetByEmailAsync(email).Returns(existingUser);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(orgId).Returns(organization);
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyByUserAsync(existingUser.Id)
+            .Returns(new List<OrganizationUser> { orgUser });
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetByOrganizationEmailAsync(orgId, email).Returns(orgUser);
+
+        // No existing SSO link so first SSO login event is logged
+        sutProvider.GetDependency<ISsoUserRepository>().GetByUserIdOrganizationIdAsync(orgId, existingUser.Id).Returns((SsoUser?)null);
+
+        var claims = new[]
+        {
+            new Claim(JwtClaimTypes.Email, email),
+            new Claim(JwtClaimTypes.Name, "Jit User")
+        } as IEnumerable<Claim>;
+        var config = new SsoConfigurationData();
+
+        var method = typeof(AccountController).GetMethod(
+            "AutoProvisionUserAsync",
+            BindingFlags.Instance | BindingFlags.NonPublic);
+        Assert.NotNull(method);
+
+        // Act
+        var task = (Task<(User user, Organization organization, OrganizationUser orgUser)>)method!.Invoke(sutProvider.Sut, new object[]
+        {
+            orgId.ToString(),
+            providerUserId,
+            claims,
+            null!,
+            config
+        })!;
+
+        var returned = await task;
+
+        // Assert
+        Assert.Equal(existingUser.Id, returned.user.Id);
+
+        await sutProvider.GetDependency<ISsoUserRepository>().Received().CreateAsync(Arg.Is<SsoUser>(s =>
+            s.OrganizationId == orgId && s.UserId == existingUser.Id && s.ExternalId == providerUserId));
+
+        await sutProvider.GetDependency<Core.Services.IEventService>().Received().LogOrganizationUserEventAsync(
+            orgUser,
+            EventType.OrganizationUser_FirstSsoLogin);
+    }
+
+    /// <summary>
+    /// PM-24579: Temporary comparison test to ensure the feature flag ON does not
+    /// regress lookup counts compared to OFF. When removing the flag, delete this
+    /// comparison test and keep the specific scenario snapshot tests if desired.
+    /// </summary>
+    [Theory, BitAutoData]
+    public async Task ExternalCallback_Measurements_FlagOnVsOff_Comparisons(
+        SutProvider<AccountController> sutProvider)
+    {
+        // Arrange
+        var scenarios = new[]
+        {
+            MeasurementScenario.ExistingSsoLinkedAccepted,
+            MeasurementScenario.ExistingUserNoOrgUser,
+            MeasurementScenario.JitProvision
+        };
+
+        foreach (var scenario in scenarios)
+        {
+            // Act
+            var onCounts = await MeasureCountsForScenarioAsync(sutProvider, scenario, preventNonCompliant: true);
+            var offCounts = await MeasureCountsForScenarioAsync(sutProvider, scenario, preventNonCompliant: false);
+
+            // Assert: off should not exceed on in any measured lookup type
+            Assert.True(offCounts.UserGetBySso <= onCounts.UserGetBySso, $"{scenario}: off UserGetBySso={offCounts.UserGetBySso} > on {onCounts.UserGetBySso}");
+            Assert.True(offCounts.UserGetByEmail <= onCounts.UserGetByEmail, $"{scenario}: off UserGetByEmail={offCounts.UserGetByEmail} > on {onCounts.UserGetByEmail}");
+            Assert.True(offCounts.OrgGetById <= onCounts.OrgGetById, $"{scenario}: off OrgGetById={offCounts.OrgGetById} > on {onCounts.OrgGetById}");
+            Assert.True(offCounts.OrgUserGetByOrg <= onCounts.OrgUserGetByOrg, $"{scenario}: off OrgUserGetByOrg={offCounts.OrgUserGetByOrg} > on {onCounts.OrgUserGetByOrg}");
+            Assert.True(offCounts.OrgUserGetByEmail <= onCounts.OrgUserGetByEmail, $"{scenario}: off OrgUserGetByEmail={offCounts.OrgUserGetByEmail} > on {onCounts.OrgUserGetByEmail}");
+
+            _output.WriteLine($"Scenario={scenario} | ON: SSO={onCounts.UserGetBySso}, Email={onCounts.UserGetByEmail}, Org={onCounts.OrgGetById}, OrgUserByOrg={onCounts.OrgUserGetByOrg}, OrgUserByEmail={onCounts.OrgUserGetByEmail}");
+            _output.WriteLine($"Scenario={scenario} | OFF: SSO={offCounts.UserGetBySso}, Email={offCounts.UserGetByEmail}, Org={offCounts.OrgGetById}, OrgUserByOrg={offCounts.OrgUserGetByOrg}, OrgUserByEmail={offCounts.OrgUserGetByEmail}");
+        }
+    }
+}
diff --git a/bitwarden_license/test/SSO.Test/SSO.Test.csproj b/bitwarden_license/test/SSO.Test/SSO.Test.csproj
new file mode 100644
index 0000000000..4b509c9a50
--- /dev/null
+++ b/bitwarden_license/test/SSO.Test/SSO.Test.csproj
@@ -0,0 +1,35 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net8.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+
+        <IsPackable>false</IsPackable>
+        <IsTestProject>true</IsTestProject>
+    </PropertyGroup>
+
+    <ItemGroup>
+      <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
+      <PackageReference Include="xunit" Version="$(XUnitVersion)" />
+      <PackageReference Include="xunit.runner.visualstudio" Version="$(XUnitRunnerVisualStudioVersion)">
+        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        <PrivateAssets>all</PrivateAssets>
+      </PackageReference>
+      <PackageReference Include="coverlet.collector" Version="$(CoverletCollectorVersion)">
+        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        <PrivateAssets>all</PrivateAssets>
+      </PackageReference>
+      <PackageReference Include="NSubstitute" Version="$(NSubstituteVersion)" />
+    </ItemGroup>
+
+    <ItemGroup>
+        <Using Include="Xunit"/>
+    </ItemGroup>
+
+    <ItemGroup>
+      <ProjectReference Include="..\..\src\Sso\Sso.csproj" />
+      <ProjectReference Include="..\..\..\test\Common\Common.csproj" />
+    </ItemGroup>
+
+</Project>
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 579fe0e253..96b04f11f3 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -151,6 +151,7 @@ public static class FeatureFlagKeys
     public const string ChangeExistingPasswordRefactor = "pm-16117-change-existing-password-refactor";
     public const string Otp6Digits = "pm-18612-otp-6-digits";
     public const string FailedTwoFactorEmail = "pm-24425-send-2fa-failed-email";
+    public const string PM24579_PreventSsoOnExistingNonCompliantUsers = "pm-24579-prevent-sso-on-existing-non-compliant-users";
     public const string DisableAlternateLoginMethods = "pm-22110-disable-alternate-login-methods";
     public const string PM23174ManageAccountRecoveryPermissionDrivesTheNeedToSetMasterPassword =
         "pm-23174-manage-account-recovery-permission-drives-the-need-to-set-master-password";
diff --git a/src/Core/Resources/SharedResources.en.resx b/src/Core/Resources/SharedResources.en.resx
index 28ae70ca96..ca150f2106 100644
--- a/src/Core/Resources/SharedResources.en.resx
+++ b/src/Core/Resources/SharedResources.en.resx
@@ -508,9 +508,15 @@
   <data name="UserIdAndTokenMismatch" xml:space="preserve">
     <value>Supplied userId and token did not match.</value>
   </data>
+  <data name="UserShouldBeFound" xml:space="preserve">
+    <value>User should have been defined by this point.</value>
+  </data>
   <data name="CouldNotFindOrganization" xml:space="preserve">
     <value>Could not find organization for '{0}'</value>
   </data>
+  <data name="CouldNotFindOrganizationUser" xml:space="preserve">
+    <value>Could not find organization user for user '{0}' organization '{1}'</value>
+  </data>
   <data name="NoSeatsAvailable" xml:space="preserve">
     <value>No seats available for organization, '{0}'</value>
   </data>