integer-underflow
diff --git a/‎cli/server.go
+2 b/‎cli/server.go
+2
diff --git a/‎cli/testdata/coder_server_--help.golden
+13 b/‎cli/testdata/coder_server_--help.golden
+13
diff --git a/‎cli/testdata/server-config.yaml.golden
+13 b/‎cli/testdata/server-config.yaml.golden
+13
diff --git a/‎coderd/apidoc/docs.go
+9 b/‎coderd/apidoc/docs.go
+9
diff --git a/‎coderd/apidoc/swagger.json
+9 b/‎coderd/apidoc/swagger.json
+9
diff --git a/‎coderd/coderd.go
+11 b/‎coderd/coderd.go
+11
diff --git a/‎coderd/database/dbauthz/dbauthz.go
+1-1 b/‎coderd/database/dbauthz/dbauthz.go
+1-1
diff --git a/‎coderd/idpsync/idpsync.go
+172 b/‎coderd/idpsync/idpsync.go
+172
diff --git a/‎coderd/userauth_internal_test.go renamed to ‎coderd/idpsync/idpsync_test.go
+14-2 b/‎coderd/userauth_internal_test.go renamed to ‎coderd/idpsync/idpsync_test.go
+14-2
@@ -55,6 +55,7 @@ import (
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
+	"github.com/coder/coder/v2/coderd/entitlements"
 	"github.com/coder/pretty"
 	"github.com/coder/quartz"
 	"github.com/coder/retry"
@@ -605,6 +606,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					SSHConfigOptions: configSSHOptions,
 				},
 				AllowWorkspaceRenames: vals.AllowWorkspaceRenames.Value(),
+				Entitlements:          entitlements.New(),
 				NotificationsEnqueuer: notifications.NewNoopEnqueuer(), // Changed further down if notifications enabled.
 			}
 			if httpServers.TLSConfig != nil {
 
@@ -433,6 +433,11 @@ OIDC OPTIONS:
           groups. This filter is applied after the group mapping and before the
           regex filter.
 
+      --oidc-organization-assign-default bool, $CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT (default: true)
+          If set to true, users will always be added to the default
+          organization. If organization sync is enabled, then the default org is
+          always added to the user's set of expectedorganizations.
+
       --oidc-auth-url-params struct[map[string]string], $CODER_OIDC_AUTH_URL_PARAMS (default: {"access_type": "offline"})
           OIDC auth URL parameters to pass to the upstream provider.
 
@@ -479,6 +484,14 @@ OIDC OPTIONS:
       --oidc-name-field string, $CODER_OIDC_NAME_FIELD (default: name)
           OIDC claim field to use as the name.
 
+      --oidc-organization-field string, $CODER_OIDC_ORGANIZATION_FIELD
+          This field must be set if using the organization sync feature. Set to
+          the claim to be used for organizations.
+
+      --oidc-organization-mapping struct[map[string][]uuid.UUID], $CODER_OIDC_ORGANIZATION_MAPPING (default: {})
+          A map of OIDC claims and the organizations in Coder it should map to.
+          This is required because organization IDs must be used within Coder.
+
       --oidc-group-regex-filter regexp, $CODER_OIDC_GROUP_REGEX_FILTER (default: .*)
           If provided any group name not matching the regex is ignored. This
           allows for filtering out groups that are not needed. This filter is
 
@@ -319,6 +319,19 @@ oidc:
   # Ignore the userinfo endpoint and only use the ID token for user information.
   # (default: false, type: bool)
   ignoreUserInfo: false
+  # This field must be set if using the organization sync feature. Set to the claim
+  # to be used for organizations.
+  # (default: <unset>, type: string)
+  organizationField: ""
+  # If set to true, users will always be added to the default organization. If
+  # organization sync is enabled, then the default org is always added to the user's
+  # set of expectedorganizations.
+  # (default: true, type: bool)
+  organizationAssignDefault: true
+  # A map of OIDC claims and the organizations in Coder it should map to. This is
+  # required because organization IDs must be used within Coder.
+  # (default: {}, type: struct[map[string][]uuid.UUID])
+  organizationMapping: {}
   # This field must be set if using the group sync feature and the scope name is not
   # 'groups'. Set to the claim to be used for groups.
   # (default: <unset>, type: string)
 
@@ -38,6 +38,7 @@ import (
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/coderd/entitlements"
+	"github.com/coder/coder/v2/coderd/idpsync"
 	"github.com/coder/quartz"
 	"github.com/coder/serpent"
 
@@ -243,6 +244,9 @@ type Options struct {
 	WorkspaceUsageTracker *workspacestats.UsageTracker
 	// NotificationsEnqueuer handles enqueueing notifications for delivery by SMTP, webhook, etc.
 	NotificationsEnqueuer notifications.Enqueuer
+
+	// IDPSync holds all configured values for syncing external IDP users into Coder.
+	IDPSync idpsync.IDPSync
 }
 
 // @title Coder API
@@ -270,6 +274,13 @@ func New(options *Options) *API {
 	if options.Entitlements == nil {
 		options.Entitlements = entitlements.New()
 	}
+	if options.IDPSync == nil {
+		options.IDPSync = idpsync.NewAGPLSync(options.Logger, idpsync.SyncSettings{
+			OrganizationField:         options.DeploymentValues.OIDC.OrganizationField.Value(),
+			OrganizationMapping:       options.DeploymentValues.OIDC.OrganizationMapping.Value,
+			OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
+		})
+	}
 	if options.NewTicker == nil {
 		options.NewTicker = func(duration time.Duration) (tick <-chan time.Time, done func()) {
 			ticker := time.NewTicker(duration)
 
@@ -243,7 +243,7 @@ var (
 					rbac.ResourceAssignOrgRole.Type:          rbac.ResourceAssignOrgRole.AvailableActions(),
 					rbac.ResourceSystem.Type:                 {policy.WildcardSymbol},
 					rbac.ResourceOrganization.Type:           {policy.ActionCreate, policy.ActionRead},
-					rbac.ResourceOrganizationMember.Type:     {policy.ActionCreate},
+					rbac.ResourceOrganizationMember.Type:     {policy.ActionCreate, policy.ActionDelete, policy.ActionRead},
 					rbac.ResourceProvisionerDaemon.Type:      {policy.ActionCreate, policy.ActionUpdate},
 					rbac.ResourceProvisionerKeys.Type:        {policy.ActionCreate, policy.ActionRead, policy.ActionDelete},
 					rbac.ResourceUser.Type:                   rbac.ResourceUser.AvailableActions(),
 
@@ -0,0 +1,172 @@
+package idpsync
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/site"
+)
+
+// IDPSync is an interface, so we can implement this as AGPL and as enterprise,
+// and just swap the underlying implementation.
+// IDPSync exists to contain all the logic for mapping a user's external IDP
+// claims to the internal representation of a user in Coder.
+// TODO: Move group + role sync into this interface.
+type IDPSync interface {
+	OrganizationSyncEnabled() bool
+	// ParseOrganizationClaims takes claims from an OIDC provider, and returns the
+	// organization sync params for assigning users into organizations.
+	ParseOrganizationClaims(ctx context.Context, _ jwt.MapClaims) (OrganizationParams, *HTTPError)
+	// SyncOrganizations assigns and removed users from organizations based on the
+	// provided params.
+	SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error
+}
+
+// AGPLIDPSync is the configuration for syncing user information from an external
+// IDP. All related code to syncing user information should be in this package.
+type AGPLIDPSync struct {
+	Logger slog.Logger
+
+	SyncSettings
+}
+
+type SyncSettings struct {
+	// OrganizationField selects the claim field to be used as the created user's
+	// organizations. If the field is the empty string, then no organization updates
+	// will ever come from the OIDC provider.
+	OrganizationField string
+	// OrganizationMapping controls how organizations returned by the OIDC provider get mapped
+	OrganizationMapping map[string][]uuid.UUID
+	// OrganizationAssignDefault will ensure all users that authenticate will be
+	// placed into the default organization. This is mostly a hack to support
+	// legacy deployments.
+	OrganizationAssignDefault bool
+}
+
+type OrganizationParams struct {
+	// SyncEnabled if false will skip syncing the user's organizations.
+	SyncEnabled bool
+	// IncludeDefault is primarily for single org deployments. It will ensure
+	// a user is always inserted into the default org.
+	IncludeDefault bool
+	// Organizations is the list of organizations the user should be a member of
+	// assuming syncing is turned on.
+	Organizations []uuid.UUID
+}
+
+func NewAGPLSync(logger slog.Logger, settings SyncSettings) *AGPLIDPSync {
+	return &AGPLIDPSync{
+		Logger:       logger.Named("idp-sync"),
+		SyncSettings: settings,
+	}
+}
+
+// ParseStringSliceClaim parses the claim for groups and roles, expected []string.
+//
+// Some providers like ADFS return a single string instead of an array if there
+// is only 1 element. So this function handles the edge cases.
+func ParseStringSliceClaim(claim interface{}) ([]string, error) {
+	groups := make([]string, 0)
+	if claim == nil {
+		return groups, nil
+	}
+
+	// The simple case is the type is exactly what we expected
+	asStringArray, ok := claim.([]string)
+	if ok {
+		return asStringArray, nil
+	}
+
+	asArray, ok := claim.([]interface{})
+	if ok {
+		for i, item := range asArray {
+			asString, ok := item.(string)
+			if !ok {
+				return nil, xerrors.Errorf("invalid claim type. Element %d expected a string, got: %T", i, item)
+			}
+			groups = append(groups, asString)
+		}
+		return groups, nil
+	}
+
+	asString, ok := claim.(string)
+	if ok {
+		if asString == "" {
+			// Empty string should be 0 groups.
+			return []string{}, nil
+		}
+		// If it is a single string, first check if it is a csv.
+		// If a user hits this, it is likely a misconfiguration and they need
+		// to reconfigure their IDP to send an array instead.
+		if strings.Contains(asString, ",") {
+			return nil, xerrors.Errorf("invalid claim type. Got a csv string (%q), change this claim to return an array of strings instead.", asString)
+		}
+		return []string{asString}, nil
+	}
+
+	// Not sure what the user gave us.
+	return nil, xerrors.Errorf("invalid claim type. Expected an array of strings, got: %T", claim)
+}
+
+// IsHTTPError handles us being inconsistent with returning errors as values or
+// pointers.
+func IsHTTPError(err error) *HTTPError {
+	var httpErr HTTPError
+	if xerrors.As(err, &httpErr) {
+		return &httpErr
+	}
+
+	var httpErrPtr *HTTPError
+	if xerrors.As(err, &httpErrPtr) {
+		return httpErrPtr
+	}
+	return nil
+}
+
+// HTTPError is a helper struct for returning errors from the IDP sync process.
+// A regular error is not sufficient because many of these errors are surfaced
+// to a user logging in, and the errors should be descriptive.
+type HTTPError struct {
+	Code                 int
+	Msg                  string
+	Detail               string
+	RenderStaticPage     bool
+	RenderDetailMarkdown bool
+}
+
+func (e HTTPError) Write(rw http.ResponseWriter, r *http.Request) {
+	if e.RenderStaticPage {
+		site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
+			Status:       e.Code,
+			HideStatus:   true,
+			Title:        e.Msg,
+			Description:  e.Detail,
+			RetryEnabled: false,
+			DashboardURL: "/login",
+
+			RenderDescriptionMarkdown: e.RenderDetailMarkdown,
+		})
+		return
+	}
+	httpapi.Write(r.Context(), rw, e.Code, codersdk.Response{
+		Message: e.Msg,
+		Detail:  e.Detail,
+	})
+}
+
+func (e HTTPError) Error() string {
+	if e.Detail != "" {
+		return e.Detail
+	}
+
+	return e.Msg
+}
@@ -1,10 +1,12 @@
-package coderd
+package idpsync_test
 
 import (
 	"encoding/json"
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/coderd/idpsync"
 )
 
 func TestParseStringSliceClaim(t *testing.T) {
@@ -123,7 +125,7 @@ func TestParseStringSliceClaim(t *testing.T) {
 				require.NoError(t, err, "unmarshal json claim")
 			}
 
-			found, err := parseStringSliceClaim(c.GoClaim)
+			found, err := idpsync.ParseStringSliceClaim(c.GoClaim)
 			if c.ErrorExpected {
 				require.Error(t, err)
 			} else {
@@ -133,3 +135,13 @@ func TestParseStringSliceClaim(t *testing.T) {
 		})
 	}
 }
+
+func TestIsHTTPError(t *testing.T) {
+	t.Parallel()
+
+	herr := idpsync.HTTPError{}
+	require.NotNil(t, idpsync.IsHTTPError(herr))
+	require.NotNil(t, idpsync.IsHTTPError(&herr))
+
+	require.Nil(t, error(nil))
+}