[AC-1145] Add trusted devices option to SSO Config Data (#2909)

* [AC-1145] Add TDE feature flag * [AC-1145] Update .gitignore to ignore flags.json in the Api project * [AC-1145] Introduce MemberDecryptionType property on SsoConfigurationData * [AC-1145] Add MemberDecryptionType to the SsoConfigurationDataRequest model * [AC-1145] Automatically enable password reset policy on TDE selection * [AC-1145] Remove references to obsolete KeyConnectorEnabled field * [AC-1145] Formatting * [AC-1145] Update XML doc reference to MemberDecryptionType
3 years ago · 620a7e0a8d
17 changed files with 112 additions and 31 deletions
--- a/.gitignore
+++ b/.gitignore
@ -225,3 +225,4 @@ src/Identity/Identity.zip
				@@ -225,3 +225,4 @@ src/Identity/Identity.zip
 src/Notifications/Notifications.zip
 bitwarden_license/src/Portal/Portal.zip
 bitwarden_license/src/Sso/Sso.zip
+src/Api/flags.json
--- a/src/Api/Auth/Models/Request/OrganizationSsoRequestModel.cs
+++ b/src/Api/Auth/Models/Request/OrganizationSsoRequestModel.cs
@ -41,8 +41,14 @@ public class SsoConfigurationDataRequest : IValidatableObject
				@@ -41,8 +41,14 @@ public class SsoConfigurationDataRequest : IValidatableObject

    [Required]
    public SsoType ConfigType { get; set; }
+    public MemberDecryptionType MemberDecryptionType { get; set; }

-    public bool KeyConnectorEnabled { get; set; }
+    [Obsolete("Use MemberDecryptionType instead")]
+    public bool KeyConnectorEnabled
+    {
+        // Setter is kept for backwards compatibility with older clients that still use this property.
+        set { MemberDecryptionType = value ? MemberDecryptionType.KeyConnector : MemberDecryptionType.MasterPassword; }
+    }
    public string KeyConnectorUrl { get; set; }

    // OIDC
@ -166,7 +172,7 @@ public class SsoConfigurationDataRequest : IValidatableObject
				@@ -166,7 +172,7 @@ public class SsoConfigurationDataRequest : IValidatableObject
        return new SsoConfigurationData
        {
            ConfigType = ConfigType,
-            KeyConnectorEnabled = KeyConnectorEnabled,
+            MemberDecryptionType = MemberDecryptionType,
            KeyConnectorUrl = KeyConnectorUrl,
            Authority = Authority,
            ClientId = ClientId,
--- a/src/Api/Controllers/OrganizationsController.cs
+++ b/src/Api/Controllers/OrganizationsController.cs
@ -8,6 +8,8 @@ using Bit.Api.Models.Request.Organizations;
				@@ -8,6 +8,8 @@ using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
 using Bit.Api.Models.Response.Organizations;
 using Bit.Api.SecretsManager;
+using Bit.Core;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.Services;
 using Bit.Core.Context;
@ -46,6 +48,7 @@ public class OrganizationsController : Controller
				@@ -46,6 +48,7 @@ public class OrganizationsController : Controller
    private readonly IOrganizationApiKeyRepository _organizationApiKeyRepository;
    private readonly IUpdateOrganizationLicenseCommand _updateOrganizationLicenseCommand;
    private readonly ICloudGetOrganizationLicenseQuery _cloudGetOrganizationLicenseQuery;
+    private readonly IFeatureService _featureService;
    private readonly GlobalSettings _globalSettings;

    public OrganizationsController(
@ -65,6 +68,7 @@ public class OrganizationsController : Controller
				@@ -65,6 +68,7 @@ public class OrganizationsController : Controller
        IOrganizationApiKeyRepository organizationApiKeyRepository,
        IUpdateOrganizationLicenseCommand updateOrganizationLicenseCommand,
        ICloudGetOrganizationLicenseQuery cloudGetOrganizationLicenseQuery,
+        IFeatureService featureService,
        GlobalSettings globalSettings)
    {
        _organizationRepository = organizationRepository;
@ -83,6 +87,7 @@ public class OrganizationsController : Controller
				@@ -83,6 +87,7 @@ public class OrganizationsController : Controller
        _organizationApiKeyRepository = organizationApiKeyRepository;
        _updateOrganizationLicenseCommand = updateOrganizationLicenseCommand;
        _cloudGetOrganizationLicenseQuery = cloudGetOrganizationLicenseQuery;
+        _featureService = featureService;
        _globalSettings = globalSettings;
    }

@ -391,8 +396,7 @@ public class OrganizationsController : Controller
				@@ -391,8 +396,7 @@ public class OrganizationsController : Controller
        var user = await _userService.GetUserByPrincipalAsync(User);

        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(orgGuidId);
-        if (ssoConfig?.GetData()?.KeyConnectorEnabled == true &&
-            user.UsesKeyConnector)
+        if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector && user.UsesKeyConnector)
        {
            throw new BadRequestException("Your organization's Single Sign-On settings prevent you from leaving.");
        }
@ -678,6 +682,12 @@ public class OrganizationsController : Controller
				@@ -678,6 +682,12 @@ public class OrganizationsController : Controller
            throw new NotFoundException();
        }

+        if (model.Data.MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption &&
+            !_featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, _currentContext))
+        {
+            throw new BadRequestException(nameof(model.Data.MemberDecryptionType), "Invalid member decryption type.");
+        }
+
        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(id);
        ssoConfig = ssoConfig == null ? model.ToSsoConfig(id) : model.ToSsoConfig(ssoConfig);
        organization.Identifier = model.Identifier;
--- a/src/Api/Models/Response/ProfileOrganizationResponseModel.cs
+++ b/src/Api/Models/Response/ProfileOrganizationResponseModel.cs
@ -1,4 +1,5 @@
				@@ -1,4 +1,5 @@
-using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Models.Data;
 using Bit.Core.Enums;
 using Bit.Core.Enums.Provider;
 using Bit.Core.Models.Api;
@ -62,7 +63,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
				@@ -62,7 +63,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
        if (organization.SsoConfig != null)
        {
            var ssoConfigData = SsoConfigurationData.Deserialize(organization.SsoConfig);
-            KeyConnectorEnabled = ssoConfigData.KeyConnectorEnabled && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl);
+            KeyConnectorEnabled = ssoConfigData.MemberDecryptionType == MemberDecryptionType.KeyConnector && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl);
            KeyConnectorUrl = ssoConfigData.KeyConnectorUrl;
        }
    }
--- a/src/Core/Auth/Enums/MemberDecryptionType.cs
+++ b/src/Core/Auth/Enums/MemberDecryptionType.cs
@ -0,0 +1,8 @@
				@@ -0,0 +1,8 @@
+namespace Bit.Core.Auth.Enums;
+
+public enum MemberDecryptionType
+{
+    MasterPassword = 0,
+    KeyConnector = 1,
+    TrustedDeviceEncryption = 2
+}
--- a/src/Core/Auth/Models/Data/SsoConfigurationData.cs
+++ b/src/Core/Auth/Models/Data/SsoConfigurationData.cs
@ -22,7 +22,25 @@ public class SsoConfigurationData
				@@ -22,7 +22,25 @@ public class SsoConfigurationData

    public SsoType ConfigType { get; set; }

-    public bool KeyConnectorEnabled { get; set; }
+    public MemberDecryptionType MemberDecryptionType { get; set; }
+
+    /// <summary>
+    /// Legacy property to determine if KeyConnector was enabled.
+    /// Kept for backwards compatibility with old configs that will not have
+    /// the new <see cref="MemberDecryptionType"/> when deserialized from the database.
+    /// </summary>
+    [Obsolete("Use MemberDecryptionType instead")]
+    public bool KeyConnectorEnabled
+    {
+        get => MemberDecryptionType == MemberDecryptionType.KeyConnector;
+        set
+        {
+            if (value)
+            {
+                MemberDecryptionType = MemberDecryptionType.KeyConnector;
+            }
+        }
+    }
    public string KeyConnectorUrl { get; set; }

    // OIDC
--- a/src/Core/Auth/Services/Implementations/SsoConfigService.cs
+++ b/src/Core/Auth/Services/Implementations/SsoConfigService.cs
@ -1,8 +1,10 @@
				@@ -1,8 +1,10 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
+using Bit.Core.Models.Data.Organizations.Policies;
 using Bit.Core.Repositories;
 using Bit.Core.Services;

@ -12,21 +14,30 @@ public class SsoConfigService : ISsoConfigService
				@@ -12,21 +14,30 @@ public class SsoConfigService : ISsoConfigService
 {
    private readonly ISsoConfigRepository _ssoConfigRepository;
    private readonly IPolicyRepository _policyRepository;
+    private readonly IPolicyService _policyService;
    private readonly IOrganizationRepository _organizationRepository;
    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IUserService _userService;
+    private readonly IOrganizationService _organizationService;
    private readonly IEventService _eventService;

    public SsoConfigService(
        ISsoConfigRepository ssoConfigRepository,
        IPolicyRepository policyRepository,
+        IPolicyService policyService,
        IOrganizationRepository organizationRepository,
        IOrganizationUserRepository organizationUserRepository,
+        IUserService userService,
+        IOrganizationService organizationService,
        IEventService eventService)
    {
        _ssoConfigRepository = ssoConfigRepository;
        _policyRepository = policyRepository;
+        _policyService = policyService;
        _organizationRepository = organizationRepository;
        _organizationUserRepository = organizationUserRepository;
+        _userService = userService;
+        _organizationService = organizationService;
        _eventService = eventService;
    }

@ -39,19 +50,31 @@ public class SsoConfigService : ISsoConfigService
				@@ -39,19 +50,31 @@ public class SsoConfigService : ISsoConfigService
            config.CreationDate = now;
        }

-        var useKeyConnector = config.GetData().KeyConnectorEnabled;
+        var useKeyConnector = config.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector;
        if (useKeyConnector)
        {
            await VerifyDependenciesAsync(config, organization);
        }

        var oldConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(config.OrganizationId);
-        var disabledKeyConnector = oldConfig?.GetData()?.KeyConnectorEnabled == true && !useKeyConnector;
+        var disabledKeyConnector = oldConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector && !useKeyConnector;
        if (disabledKeyConnector && await AnyOrgUserHasKeyConnectorEnabledAsync(config.OrganizationId))
        {
            throw new BadRequestException("Key Connector cannot be disabled at this moment.");
        }

+        // Automatically enable reset password policy if trusted device encryption is selected
+        if (config.GetData().MemberDecryptionType == MemberDecryptionType.TrustedDeviceEncryption)
+        {
+            var resetPolicy = await _policyRepository.GetByOrganizationIdTypeAsync(config.OrganizationId, PolicyType.ResetPassword) ??
+                              new Policy { OrganizationId = config.OrganizationId, Type = PolicyType.ResetPassword, };
+
+            resetPolicy.Enabled = true;
+            resetPolicy.SetDataModel(new ResetPasswordDataModel { AutoEnrollEnabled = true });
+
+            await _policyService.SaveAsync(resetPolicy, _userService, _organizationService, null);
+        }
+
        await LogEventsAsync(config, oldConfig);
        await _ssoConfigRepository.UpsertAsync(config);
    }
@ -97,8 +120,9 @@ public class SsoConfigService : ISsoConfigService
				@@ -97,8 +120,9 @@ public class SsoConfigService : ISsoConfigService
            await _eventService.LogOrganizationEventAsync(organization, e);
        }

-        var keyConnectorEnabled = config.GetData().KeyConnectorEnabled;
-        if (oldConfig?.GetData()?.KeyConnectorEnabled != keyConnectorEnabled)
+        var keyConnectorEnabled = config.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector;
+        var oldKeyConnectorEnabled = oldConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector;
+        if (oldKeyConnectorEnabled != keyConnectorEnabled)
        {
            var e = keyConnectorEnabled
                ? EventType.Organization_EnabledKeyConnector
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@ -30,6 +30,7 @@ public static class FeatureFlagKeys
				@@ -30,6 +30,7 @@ public static class FeatureFlagKeys
    public const string SecretsManager = "secrets-manager";
    public const string DisplayEuEnvironment = "display-eu-environment";
    public const string DisplayLowKdfIterationWarning = "display-kdf-iteration-warning";
+    public const string TrustedDeviceEncryption = "trusted-device-encryption";

    public static List<string> GetAllKeys()
    {
--- a/src/Core/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
+++ b/src/Core/Models/Data/Organizations/SelfHostedOrganizationDetails.cs
@ -1,5 +1,6 @@
				@@ -1,5 +1,6 @@
 using Bit.Core.AdminConsole.Models.OrganizationConnectionConfigs;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Business;
@ -56,7 +57,7 @@ public class SelfHostedOrganizationDetails : Organization
				@@ -56,7 +57,7 @@ public class SelfHostedOrganizationDetails : Organization
        }

        if (!license.UseKeyConnector && UseKeyConnector && SsoConfig?.Data != null &&
-            SsoConfig.GetData().KeyConnectorEnabled)
+            SsoConfig.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector)
        {
            exception = $"Your organization currently has Key Connector enabled. " +
                $"Your new license does not allow for the use of Key Connector. Disable your Key Connector.";
--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@ -262,7 +262,7 @@ public class OrganizationService : IOrganizationService
				@@ -262,7 +262,7 @@ public class OrganizationService : IOrganizationService
        if (!newPlan.HasKeyConnector && organization.UseKeyConnector)
        {
            var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id);
-            if (ssoConfig != null && ssoConfig.GetData().KeyConnectorEnabled)
+            if (ssoConfig != null && ssoConfig.GetData().MemberDecryptionType == MemberDecryptionType.KeyConnector)
            {
                throw new BadRequestException("Your new plan does not allow the Key Connector feature. " +
                                              "Disable your Key Connector.");
@ -2153,7 +2153,7 @@ public class OrganizationService : IOrganizationService
				@@ -2153,7 +2153,7 @@ public class OrganizationService : IOrganizationService
    private async Task ValidateDeleteOrganizationAsync(Organization organization)
    {
        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organization.Id);
-        if (ssoConfig?.GetData()?.KeyConnectorEnabled == true)
+        if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector)
        {
            throw new BadRequestException("You cannot delete an Organization that is using Key Connector.");
        }
--- a/src/Core/Services/Implementations/PolicyService.cs
+++ b/src/Core/Services/Implementations/PolicyService.cs
@ -1,4 +1,5 @@
				@@ -1,4 +1,5 @@
-using Bit.Core.Auth.Repositories;
+using Bit.Core.Auth.Enums;
+using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@ -185,7 +186,7 @@ public class PolicyService : IPolicyService
				@@ -185,7 +186,7 @@ public class PolicyService : IPolicyService
    {

        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(org.Id);
-        if (ssoConfig?.GetData()?.KeyConnectorEnabled == true)
+        if (ssoConfig?.GetData()?.MemberDecryptionType == MemberDecryptionType.KeyConnector)
        {
            throw new BadRequestException("Key Connector is enabled.");
        }
--- a/src/Identity/IdentityServer/CustomTokenRequestValidator.cs
+++ b/src/Identity/IdentityServer/CustomTokenRequestValidator.cs
@ -1,4 +1,5 @@
				@@ -1,4 +1,5 @@
 using System.Security.Claims;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Identity;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Auth.Repositories;
@ -129,7 +130,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
				@@ -129,7 +130,7 @@ public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenReque
            var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organizationId);
            var ssoConfigData = ssoConfig.GetData();

-            if (ssoConfigData is { KeyConnectorEnabled: true } && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl))
+            if (ssoConfigData is { MemberDecryptionType: MemberDecryptionType.KeyConnector } && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl))
            {
                context.Result.CustomResponse["KeyConnectorUrl"] = ssoConfigData.KeyConnectorUrl;
                // Prevent clients redirecting to set-password
--- a/test/Api.Test/Controllers/OrganizationsControllerTests.cs
+++ b/test/Api.Test/Controllers/OrganizationsControllerTests.cs
@ -2,6 +2,7 @@
				@@ -2,6 +2,7 @@
 using AutoFixture.Xunit2;
 using Bit.Api.Controllers;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.Services;
@ -38,6 +39,7 @@ public class OrganizationsControllerTests : IDisposable
				@@ -38,6 +39,7 @@ public class OrganizationsControllerTests : IDisposable
    private readonly ICreateOrganizationApiKeyCommand _createOrganizationApiKeyCommand;
    private readonly IUpdateOrganizationLicenseCommand _updateOrganizationLicenseCommand;
    private readonly IOrganizationDomainRepository _organizationDomainRepository;
+    private readonly IFeatureService _featureService;

    private readonly OrganizationsController _sut;

@ -60,12 +62,13 @@ public class OrganizationsControllerTests : IDisposable
				@@ -60,12 +62,13 @@ public class OrganizationsControllerTests : IDisposable
        _cloudGetOrganizationLicenseQuery = Substitute.For<ICloudGetOrganizationLicenseQuery>();
        _createOrganizationApiKeyCommand = Substitute.For<ICreateOrganizationApiKeyCommand>();
        _updateOrganizationLicenseCommand = Substitute.For<IUpdateOrganizationLicenseCommand>();
+        _featureService = Substitute.For<IFeatureService>();

        _sut = new OrganizationsController(_organizationRepository, _organizationUserRepository,
            _policyRepository, _providerRepository, _organizationService, _userService, _paymentService, _currentContext,
            _ssoConfigRepository, _ssoConfigService, _getOrganizationApiKeyQuery, _rotateOrganizationApiKeyCommand,
            _createOrganizationApiKeyCommand, _organizationApiKeyRepository, _updateOrganizationLicenseCommand,
-            _cloudGetOrganizationLicenseQuery, _globalSettings);
+            _cloudGetOrganizationLicenseQuery, _featureService, _globalSettings);
    }

    public void Dispose()
@ -82,7 +85,7 @@ public class OrganizationsControllerTests : IDisposable
				@@ -82,7 +85,7 @@ public class OrganizationsControllerTests : IDisposable
            Id = default,
            Data = new SsoConfigurationData
            {
-                KeyConnectorEnabled = true,
+                MemberDecryptionType = MemberDecryptionType.KeyConnector
            }.Serialize(),
            Enabled = true,
            OrganizationId = orgId,
@ -115,7 +118,9 @@ public class OrganizationsControllerTests : IDisposable
				@@ -115,7 +118,9 @@ public class OrganizationsControllerTests : IDisposable
            Id = default,
            Data = new SsoConfigurationData
            {
-                KeyConnectorEnabled = keyConnectorEnabled,
+                MemberDecryptionType = keyConnectorEnabled
+                    ? MemberDecryptionType.KeyConnector
+                    : MemberDecryptionType.MasterPassword
            }.Serialize(),
            Enabled = true,
            OrganizationId = orgId,
--- a/test/Core.Test/Auth/Services/SsoConfigServiceTests.cs
+++ b/test/Core.Test/Auth/Services/SsoConfigServiceTests.cs
@ -1,4 +1,5 @@
				@@ -1,4 +1,5 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Auth.Services;
@ -83,7 +84,7 @@ public class SsoConfigServiceTests
				@@ -83,7 +84,7 @@ public class SsoConfigServiceTests
            Id = 1,
            Data = new SsoConfigurationData
            {
-                KeyConnectorEnabled = true,
+                MemberDecryptionType = MemberDecryptionType.KeyConnector
            }.Serialize(),
            Enabled = true,
            OrganizationId = organization.Id,
@ -127,7 +128,7 @@ public class SsoConfigServiceTests
				@@ -127,7 +128,7 @@ public class SsoConfigServiceTests
            Id = 1,
            Data = new SsoConfigurationData
            {
-                KeyConnectorEnabled = true,
+                MemberDecryptionType = MemberDecryptionType.KeyConnector,
            }.Serialize(),
            Enabled = true,
            OrganizationId = organization.Id,
@ -165,7 +166,7 @@ public class SsoConfigServiceTests
				@@ -165,7 +166,7 @@ public class SsoConfigServiceTests
            Id = default,
            Data = new SsoConfigurationData
            {
-                KeyConnectorEnabled = true,
+                MemberDecryptionType = MemberDecryptionType.KeyConnector,
            }.Serialize(),
            Enabled = true,
            OrganizationId = organization.Id,
@ -193,7 +194,7 @@ public class SsoConfigServiceTests
				@@ -193,7 +194,7 @@ public class SsoConfigServiceTests
            Id = default,
            Data = new SsoConfigurationData
            {
-                KeyConnectorEnabled = true,
+                MemberDecryptionType = MemberDecryptionType.KeyConnector,
            }.Serialize(),
            Enabled = true,
            OrganizationId = organization.Id,
@ -227,7 +228,7 @@ public class SsoConfigServiceTests
				@@ -227,7 +228,7 @@ public class SsoConfigServiceTests
            Id = default,
            Data = new SsoConfigurationData
            {
-                KeyConnectorEnabled = true,
+                MemberDecryptionType = MemberDecryptionType.KeyConnector,
            }.Serialize(),
            Enabled = false,
            OrganizationId = organization.Id,
@ -262,7 +263,7 @@ public class SsoConfigServiceTests
				@@ -262,7 +263,7 @@ public class SsoConfigServiceTests
            Id = default,
            Data = new SsoConfigurationData
            {
-                KeyConnectorEnabled = true,
+                MemberDecryptionType = MemberDecryptionType.KeyConnector,
            }.Serialize(),
            Enabled = true,
            OrganizationId = organization.Id,
@ -297,7 +298,7 @@ public class SsoConfigServiceTests
				@@ -297,7 +298,7 @@ public class SsoConfigServiceTests
            Id = default,
            Data = new SsoConfigurationData
            {
-                KeyConnectorEnabled = true,
+                MemberDecryptionType = MemberDecryptionType.KeyConnector,
            }.Serialize(),
            Enabled = true,
            OrganizationId = organization.Id,
--- a/test/Core.Test/Models/Data/SelfHostedOrganizationDetailsTests.cs
+++ b/test/Core.Test/Models/Data/SelfHostedOrganizationDetailsTests.cs
@ -1,5 +1,6 @@
				@@ -1,5 +1,6 @@
 using Bit.Core.AdminConsole.Models.OrganizationConnectionConfigs;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@ -173,7 +174,7 @@ public class SelfHostedOrganizationDetailsTests
				@@ -173,7 +174,7 @@ public class SelfHostedOrganizationDetailsTests
    {
        var (orgDetails, orgLicense) = GetOrganizationAndLicense(orgUsers, policies, ssoConfig, scimConnections, license);
        orgLicense.UseKeyConnector = false;
-        orgDetails.SsoConfig.SetData(new SsoConfigurationData() { KeyConnectorEnabled = false });
+        orgDetails.SsoConfig.SetData(new SsoConfigurationData() { MemberDecryptionType = MemberDecryptionType.MasterPassword });

        var result = orgDetails.CanUseLicense(license, out var exception);

@ -318,7 +319,7 @@ public class SelfHostedOrganizationDetailsTests
				@@ -318,7 +319,7 @@ public class SelfHostedOrganizationDetailsTests
        ssoConfig.Enabled = true;
        ssoConfig.SetData(new SsoConfigurationData()
        {
-            KeyConnectorEnabled = true
+            MemberDecryptionType = MemberDecryptionType.KeyConnector,
        });

        var enabledScimConfig = new ScimConfig() { Enabled = true };
--- a/test/Core.Test/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/Services/OrganizationServiceTests.cs
@ -1,5 +1,6 @@
				@@ -1,5 +1,6 @@
 using System.Text.Json;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Business;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
@ -1192,7 +1193,7 @@ public class OrganizationServiceTests
				@@ -1192,7 +1193,7 @@ public class OrganizationServiceTests
        SsoConfig ssoConfig)
    {
        ssoConfig.Enabled = true;
-        ssoConfig.SetData(new SsoConfigurationData { KeyConnectorEnabled = true });
+        ssoConfig.SetData(new SsoConfigurationData { MemberDecryptionType = MemberDecryptionType.KeyConnector });
        var ssoConfigRepository = sutProvider.GetDependency<ISsoConfigRepository>();
        var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
        var applicationCacheService = sutProvider.GetDependency<IApplicationCacheService>();
--- a/test/Core.Test/Services/PolicyServiceTests.cs
+++ b/test/Core.Test/Services/PolicyServiceTests.cs
@ -1,4 +1,5 @@
				@@ -1,4 +1,5 @@
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Entities;
@ -147,7 +148,7 @@ public class PolicyServiceTests
				@@ -147,7 +148,7 @@ public class PolicyServiceTests
        });

        var ssoConfig = new SsoConfig { Enabled = true };
-        var data = new SsoConfigurationData { KeyConnectorEnabled = true };
+        var data = new SsoConfigurationData { MemberDecryptionType = MemberDecryptionType.KeyConnector };
        ssoConfig.SetData(data);

        sutProvider.GetDependency<ISsoConfigRepository>()