feat(sso-configuration): change roles selector to allow custom roles

frontend/src/components/RolesSelect/RolesSelect.tsx

@@ -32,10 +32,13 @@ export function useRoles(): {
 	};
 }
 
-export function getRoleOptions(roles: AuthtypesRoleDTO[]): RoleOption[] {
+export function getRoleOptions(
+	roles: AuthtypesRoleDTO[],
+	valueField: 'id' | 'name',
+): RoleOption[] {
 	return roles.map((role) => ({
 		label: role.name ?? '',
-		value: role.id ?? '',
+		value: role[valueField] ?? '',
 	}));
 }
 
@@ -82,6 +85,7 @@ interface BaseProps {
 	error?: APIError;
 	onRefetch?: () => void;
 	disabled?: boolean;
+	valueField?: 'id' | 'name';
 }
 
 interface SingleProps extends BaseProps {
@@ -113,7 +117,7 @@ function RolesSelect(props: RolesSelectProps): JSX.Element {
 	});
 
 	const roles = externalRoles ?? data?.data ?? [];
-	const options = getRoleOptions(roles);
+	const options = getRoleOptions(roles, props.valueField || 'id');
 
 	const {
 		mode,

frontend/src/container/OrganizationSettings/AuthDomain/CreateEdit/Providers/Providers.styles.scss

@@ -79,7 +79,7 @@
 		margin-bottom: 12px;
 	}
 
-	input,
+	input:not(.ant-select-selection-search-input),
 	textarea {
 		height: 32px;
 		background: var(--l2-background) !important;

frontend/src/container/OrganizationSettings/AuthDomain/CreateEdit/Providers/components/RoleMappingSection.styles.scss

@@ -111,31 +111,9 @@
 	&__select {
 		width: 100%;
 
-		&.ant-select {
-			.ant-select-selector {
-				height: 32px;
-				background: var(--l2-background) !important;
-				border: 1px solid var(--l2-border) !important;
-				border-radius: 2px;
-				color: var(--l2-foreground) !important;
-
-				.ant-select-selection-item {
-					color: var(--l2-foreground) !important;
-				}
-			}
-
-			&:hover .ant-select-selector {
-				border-color: var(--l2-border) !important;
-			}
-
-			&.ant-select-focused .ant-select-selector {
-				border-color: var(--primary) !important;
-				box-shadow: none !important;
-			}
-
-			.ant-select-arrow {
-				color: var(--l2-foreground);
-			}
+		.ant-select-selection-search {
+			inset-inline-start: var(--padding-2) !important;
+			inset-inline-end: var(--padding-2) !important;
 		}
 	}
 
@@ -185,7 +163,7 @@
 
 		&--role {
 			flex: 1;
-			min-width: 120px;
+			min-width: 180px;
 		}
 	}
 
@@ -272,7 +250,7 @@
 	}
 
 	// todo: https://github.com/SigNoz/components/issues/116
-	input {
+	input:not(.ant-select-selection-search-input) {
 		height: 32px;
 		background: var(--l2-background) !important;
 		border: 1px solid var(--l2-border) !important;

frontend/src/container/OrganizationSettings/AuthDomain/CreateEdit/Providers/components/RoleMappingSection.tsx

@@ -11,23 +11,20 @@ import {
 import { Button } from '@signozhq/ui/button';
 import { Checkbox } from '@signozhq/ui/checkbox';
 import { Input } from '@signozhq/ui/input';
-import { Collapse, Form, Select, Tooltip } from 'antd';
+import { Collapse, Form, Tooltip } from 'antd';
+import RolesSelect, { useRoles } from 'components/RolesSelect';
 import { useCollapseSectionErrors } from 'hooks/useCollapseSectionErrors';
 
 import './RoleMappingSection.styles.scss';
 
-const ROLE_OPTIONS = [
-	{ value: 'VIEWER', label: 'VIEWER' },
-	{ value: 'EDITOR', label: 'EDITOR' },
-	{ value: 'ADMIN', label: 'ADMIN' },
-];
-
 interface RoleMappingSectionProps {
 	fieldNamePrefix: string[];
 	isExpanded?: boolean;
 	onExpandChange?: (expanded: boolean) => void;
 }
 
+const SIGNOZ_VIEWER_ROLE = 'signoz-viewer';
+
 function RoleMappingSection({
 	fieldNamePrefix,
 	isExpanded,
@@ -38,6 +35,7 @@ function RoleMappingSection({
 		[...fieldNamePrefix, 'useRoleAttribute'],
 		form,
 	);
+	const { roles, isLoading, isError, error, refetch } = useRoles();
 
 	// Support both controlled and uncontrolled modes
 	const [internalExpanded, setInternalExpanded] = useState(false);
@@ -108,19 +106,26 @@ function RoleMappingSection({
 						<div className="role-mapping-section__field-group">
 							<label className="role-mapping-section__label" htmlFor="default-role">
 								Default Role
-								<Tooltip title='The default role assigned to new SSO users if no other role mapping applies. Default: "VIEWER"'>
+								<Tooltip title='The default role assigned to new SSO users if no other role mapping applies. Default: "signoz-viewer"'>
 									<CircleHelp size={14} color={Style.L3_FOREGROUND} cursor="help" />
 								</Tooltip>
 							</label>
 							<Form.Item
 								name={[...fieldNamePrefix, 'defaultRole']}
 								className="role-mapping-section__form-item"
-								initialValue="VIEWER"
+								initialValue={SIGNOZ_VIEWER_ROLE}
 							>
-								<Select
+								<RolesSelect
 									id="default-role"
-									options={ROLE_OPTIONS}
+									valueField="name"
+									roles={roles}
+									loading={isLoading}
+									isError={isError}
+									error={error}
+									onRefetch={refetch}
 									className="role-mapping-section__select"
+									allowClear={false}
+									getPopupContainer={(): HTMLElement => document.body}
 								/>
 							</Form.Item>
 						</div>
@@ -140,7 +145,7 @@ function RoleMappingSection({
 									Use Role Attribute Directly
 								</Checkbox>
 							</Form.Item>
-							<Tooltip title="If enabled, the role claim/attribute from the IDP will be used directly instead of group mappings. The role value must match a SigNoz role (VIEWER, EDITOR, or ADMIN).">
+							<Tooltip title="If enabled, the role claim/attribute from the IDP will be used directly instead of group mappings. The role value must match a SigNoz role name (e.g. signoz-viewer, signoz-editor, signoz-admin, or a custom role).">
 								<CircleHelp size={14} color={Style.L3_FOREGROUND} cursor="help" />
 							</Tooltip>
 						</div>
@@ -174,11 +179,17 @@ function RoleMappingSection({
 														name={[field.name, 'role']}
 														className="role-mapping-section__field role-mapping-section__field--role"
 														rules={[{ required: true, message: 'Role is required' }]}
-														initialValue="VIEWER"
+														initialValue={SIGNOZ_VIEWER_ROLE}
 													>
-														<Select
-															options={ROLE_OPTIONS}
-															className="role-mapping-section__select"
+														<RolesSelect
+															valueField="name"
+															roles={roles}
+															loading={isLoading}
+															isError={isError}
+															error={error}
+															onRefetch={refetch}
+															allowClear={false}
+															getPopupContainer={(): HTMLElement => document.body}
 														/>
 													</Form.Item>
 
@@ -197,7 +208,9 @@ function RoleMappingSection({
 											<Button
 												variant="outlined"
 												color="secondary"
-												onClick={(): void => add({ groupName: '', role: 'VIEWER' })}
+												onClick={(): void =>
+													add({ groupName: '', role: SIGNOZ_VIEWER_ROLE })
+												}
 												prefix={<Plus size={14} />}
 											>
 												Add Group Mapping

frontend/src/container/OrganizationSettings/AuthDomain/__tests__/CreateEdit.payload.test.tsx

@@ -9,6 +9,7 @@ import {
 	mockUpdateSuccessResponse,
 } from './mocks';
 
+// TODO: https://github.com/SigNoz/platform-pod/issues/2602
 // The real @signozhq/ui/button has internal effects that prevent form.validateFields()
 // from resolving inside act(). Mirror the pattern from SSOEnforcementToggle.test.tsx
 // which mocks @signozhq/ui/switch for the same reason.

frontend/src/container/OrganizationSettings/AuthDomain/__tests__/CreateEdit.roleMapping.test.tsx

@@ -0,0 +1,316 @@
+import { render, screen, userEvent, waitFor } from 'tests/test-utils';
+import { rest, server } from 'mocks-server/server';
+import {
+	allRoles,
+	listRolesSuccessResponse,
+	managedRoles,
+} from 'mocks-server/__mockdata__/roles';
+
+import CreateEdit from '../CreateEdit/CreateEdit';
+import {
+	AUTH_DOMAINS_UPDATE_ENDPOINT,
+	mockDomainWithDirectRoleAttribute,
+	mockDomainWithRoleMapping,
+	mockSamlAuthDomain,
+	mockUpdateSuccessResponse,
+} from './mocks';
+
+// TODO: https://github.com/SigNoz/platform-pod/issues/2602
+// The @signozhq/ui Button uses Radix Slot and has CSS infinite animations that
+// prevent form.validateFields() from resolving inside act(). Replacing with a
+// simple native button avoids the issue.
+jest.mock('@signozhq/ui/button', () => ({
+	...jest.requireActual('@signozhq/ui/button'),
+	Button: ({
+		children,
+		onClick,
+		loading,
+		disabled,
+		'aria-label': ariaLabel,
+		prefix,
+		suffix,
+	}: {
+		children?: React.ReactNode;
+		onClick?: React.MouseEventHandler<HTMLButtonElement>;
+		loading?: boolean;
+		disabled?: boolean;
+		'aria-label'?: string;
+		prefix?: React.ReactNode;
+		suffix?: React.ReactNode;
+	}) => (
+		<button
+			type="button"
+			onClick={onClick}
+			disabled={disabled || loading}
+			aria-label={ariaLabel}
+		>
+			{prefix}
+			{children}
+			{suffix}
+		</button>
+	),
+}));
+
+// These are heavy real-timer integration tests (antd Select dropdown render +
+// form.validateFields() + a react-query mutation, all driven through userEvent).
+// Under a CPU-saturated parallel `jest` run the wall-clock roughly triples, which
+// pushes the longest tests past the 5000ms default and makes them flaky. Give the
+// whole file a wider budget (matches LogsPanelComponent.test.tsx).
+jest.setTimeout(20000);
+
+const ROLES_ENDPOINT = '*/api/v1/roles';
+
+type User = ReturnType<typeof userEvent.setup>;
+
+// antd renders pointer-events:none on parts of its Select, so disable the
+// userEvent pointer-events guard (mirrors CreateEdit.test.tsx).
+const setupUser = (): User => userEvent.setup({ pointerEventsCheck: 0 });
+
+function getRole(name: string): (typeof managedRoles)[number] {
+	const role = managedRoles.find((r) => r.name === name);
+	if (!role) {
+		throw new Error(`missing mock role: ${name}`);
+	}
+	return role;
+}
+
+const viewerRole = getRole('signoz-viewer');
+const editorRole = getRole('signoz-editor');
+
+function mockRoles(
+	response: Record<string, unknown> = listRolesSuccessResponse,
+	status = 200,
+): { count: () => number } {
+	let requested = 0;
+	server.use(
+		rest.get(ROLES_ENDPOINT, (_req, res, ctx) => {
+			requested += 1;
+			return res(ctx.status(status), ctx.json(response));
+		}),
+	);
+	return { count: (): number => requested };
+}
+
+function captureUpdatePayload(): { get: () => any } {
+	let payload: unknown = null;
+	server.use(
+		rest.put(AUTH_DOMAINS_UPDATE_ENDPOINT, async (req, res, ctx) => {
+			payload = await req.json();
+			return res(ctx.status(200), ctx.json(mockUpdateSuccessResponse));
+		}),
+	);
+	return { get: (): any => payload };
+}
+
+const expandRoleMapping = (user: User): Promise<void> =>
+	user.click(screen.getByText(/role mapping \(advanced\)/i));
+
+const openDefaultRoleSelect = (user: User): Promise<void> =>
+	user.click(screen.getByLabelText(/default role/i));
+
+const saveChanges = (user: User): Promise<void> =>
+	user.click(screen.getByRole('button', { name: /save changes/i }));
+
+describe('CreateEdit — role mapping uses API roles', () => {
+	afterEach(() => {
+		server.resetHandlers();
+	});
+
+	it('fetches the roles list from the API when the form mounts', async () => {
+		const roles = mockRoles();
+
+		render(
+			<CreateEdit
+				isCreate={false}
+				record={mockDomainWithDirectRoleAttribute}
+				onClose={jest.fn()}
+			/>,
+		);
+
+		await waitFor(() => expect(roles.count()).toBeGreaterThan(0));
+	});
+
+	it('renders the default-role options from the API (managed + custom), not the old hardcoded VIEWER/EDITOR/ADMIN', async () => {
+		const user = setupUser();
+		mockRoles();
+
+		// mockSamlAuthDomain has no stored defaultRole, so nothing stale (e.g.
+		// "VIEWER") is rendered as a selected tag to pollute the title lookups.
+		render(
+			<CreateEdit
+				isCreate={false}
+				record={mockSamlAuthDomain}
+				onClose={jest.fn()}
+			/>,
+		);
+
+		await expandRoleMapping(user);
+
+		// Open the Select and wait for the async roles fetch to populate it.
+		await openDefaultRoleSelect(user);
+		await screen.findByTitle(allRoles[0].name);
+
+		// Every role returned by the API is offered as an option, including the
+		// custom (non-managed) roles — the whole point of the refactor. Use
+		// getAllByTitle: the preselected default role also renders its name on
+		// the selection item, so a role may legitimately appear more than once.
+		allRoles.forEach((role) => {
+			expect(screen.getAllByTitle(role.name).length).toBeGreaterThan(0);
+		});
+
+		// The old hardcoded uppercase role values must NOT appear as options.
+		expect(screen.queryByTitle('VIEWER')).not.toBeInTheDocument();
+		expect(screen.queryByTitle('EDITOR')).not.toBeInTheDocument();
+		expect(screen.queryByTitle('ADMIN')).not.toBeInTheDocument();
+	});
+
+	it('submits the selected role name (not the role id) as defaultRole', async () => {
+		const user = setupUser();
+		mockRoles();
+		const payload = captureUpdatePayload();
+
+		render(
+			<CreateEdit
+				isCreate={false}
+				record={mockDomainWithDirectRoleAttribute}
+				onClose={jest.fn()}
+			/>,
+		);
+
+		await expandRoleMapping(user);
+
+		await openDefaultRoleSelect(user);
+		await user.click(await screen.findByTitle(editorRole.name));
+
+		await saveChanges(user);
+
+		await waitFor(() => expect(payload.get()).not.toBeNull());
+
+		// SSO role mapping matches roles by name, so the payload carries the
+		// role *name*, not the opaque id.
+		expect(payload.get().config.roleMapping.defaultRole).toBe(editorRole.name);
+		expect(payload.get().config.roleMapping.defaultRole).not.toBe(editorRole.id);
+	});
+
+	it('defaults a fresh role mapping to the signoz-viewer role name', async () => {
+		const user = setupUser();
+		const roles = mockRoles();
+		const payload = captureUpdatePayload();
+
+		// mockSamlAuthDomain has no roleMapping, so the defaultRole field falls
+		// back to the Form.Item initialValue (viewerRole.name). That initialValue
+		// is only applied when the field mounts, so the roles fetch MUST resolve
+		// before the panel is expanded — otherwise viewerRole is still undefined.
+		render(
+			<CreateEdit
+				isCreate={false}
+				record={mockSamlAuthDomain}
+				onClose={jest.fn()}
+			/>,
+		);
+
+		await waitFor(() => expect(roles.count()).toBeGreaterThan(0));
+		// Flush the react-query commit so `useRoles` exposes the loaded roles
+		// before the collapse panel (and thus the default-role field) mounts.
+		await screen.findByText(/edit saml authentication/i);
+
+		await expandRoleMapping(user);
+		await screen.findByText(/default role/i);
+
+		await saveChanges(user);
+
+		await waitFor(() => expect(payload.get()).not.toBeNull());
+
+		expect(payload.get().config.roleMapping.defaultRole).toBe(viewerRole.name);
+		expect(payload.get().config.roleMapping.defaultRole).not.toBe(viewerRole.id);
+	});
+
+	it('still defaults to signoz-viewer when the roles fetch returns empty', async () => {
+		const user = setupUser();
+		// signoz-viewer is a managed role that always exists server-side, so even
+		// a degenerate/empty roles response must not strip the hardcoded default.
+		mockRoles({ status: 'success', data: [] });
+		const payload = captureUpdatePayload();
+
+		render(
+			<CreateEdit
+				isCreate={false}
+				record={mockSamlAuthDomain}
+				onClose={jest.fn()}
+			/>,
+		);
+
+		// Section still renders without crashing even though the fetch was empty.
+		await expandRoleMapping(user);
+		await expect(screen.findByText(/default role/i)).resolves.toBeInTheDocument();
+
+		await saveChanges(user);
+
+		await waitFor(() => expect(payload.get()).not.toBeNull());
+
+		// The Form.Item initialValue (signoz-viewer) survives an empty roles list.
+		expect(payload.get().config.roleMapping.defaultRole).toBe(viewerRole.name);
+	});
+
+	it('loads a stored role mapping by role name and round-trips it on save', async () => {
+		const user = setupUser();
+		mockRoles();
+		const payload = captureUpdatePayload();
+
+		// mockDomainWithRoleMapping stores defaultRole "signoz-editor" plus three
+		// group mappings, all keyed by role *name*. Editing must surface each
+		// stored value as the matching option and submit it unchanged — the
+		// backward-compatible read path for already-saved SSO domains.
+		render(
+			<CreateEdit
+				isCreate={false}
+				record={mockDomainWithRoleMapping}
+				onClose={jest.fn()}
+			/>,
+		);
+
+		await expandRoleMapping(user);
+
+		// The stored default role renders as a real selection, not a raw token.
+		await waitFor(() =>
+			expect(screen.getAllByTitle(editorRole.name).length).toBeGreaterThan(0),
+		);
+
+		await saveChanges(user);
+
+		await waitFor(() => expect(payload.get()).not.toBeNull());
+
+		expect(payload.get().config.roleMapping.defaultRole).toBe(editorRole.name);
+		expect(payload.get().config.roleMapping.groupMappings).toStrictEqual({
+			'admin-group': 'signoz-admin',
+			'dev-team': 'signoz-editor',
+			viewers: 'signoz-viewer',
+		});
+	});
+
+	it('shows an error state in the default-role select when the roles request fails', async () => {
+		const user = setupUser();
+		mockRoles(
+			{ error: { code: 'internal_error', message: 'boom', url: '' } },
+			500,
+		);
+
+		render(
+			<CreateEdit
+				isCreate={false}
+				record={mockSamlAuthDomain}
+				onClose={jest.fn()}
+			/>,
+		);
+
+		await expandRoleMapping(user);
+
+		// Open the select and confirm the error UI (with retry) is surfaced
+		// instead of crashing the form. The error message comes straight from
+		// the failed request; the Retry affordance is always present.
+		await openDefaultRoleSelect(user);
+
+		await expect(screen.findByTitle('Retry')).resolves.toBeInTheDocument();
+		expect(screen.getByText('boom')).toBeInTheDocument();
+	});
+});

frontend/src/container/OrganizationSettings/AuthDomain/__tests__/CreateEdit.sanitization.test.tsx

@@ -186,9 +186,9 @@ describe('CreateEdit — payload sanitization', () => {
 
 			expect(payload.config.roleMapping?.useRoleAttribute).toBe(false);
 			expect(payload.config.roleMapping?.groupMappings).toStrictEqual({
-				'admin-group': 'ADMIN',
-				'dev-team': 'EDITOR',
-				viewers: 'VIEWER',
+				'admin-group': 'signoz-admin',
+				'dev-team': 'signoz-editor',
+				viewers: 'signoz-viewer',
 			});
 		});
 	});

frontend/src/container/OrganizationSettings/AuthDomain/__tests__/mocks.ts

@@ -75,12 +75,12 @@ export const mockDomainWithRoleMapping: AuthtypesGettableAuthDomainDTO = {
 			samlCert: 'MOCK_CERTIFICATE',
 		},
 		roleMapping: {
-			defaultRole: 'EDITOR',
+			defaultRole: 'signoz-editor',
 			useRoleAttribute: false,
 			groupMappings: {
-				'admin-group': 'ADMIN',
-				'dev-team': 'EDITOR',
-				viewers: 'VIEWER',
+				'admin-group': 'signoz-admin',
+				'dev-team': 'signoz-editor',
+				viewers: 'signoz-viewer',
 			},
 		},
 	},
@@ -103,7 +103,7 @@ export const mockDomainWithDirectRoleAttribute: AuthtypesGettableAuthDomainDTO =
 				clientSecret: 'direct-role-client-secret',
 			},
 			roleMapping: {
-				defaultRole: 'VIEWER',
+				defaultRole: 'signoz-viewer',
 				useRoleAttribute: true,
 			},
 		},