From 224f38bf1fa9747ecb6d7218f1539d8045192e63 Mon Sep 17 00:00:00 2001
From: Ihor Sokhan <isokhan@exoft.net>
Date: Wed, 11 Feb 2026 17:18:13 +0200
Subject: [PATCH 01/43] allow angular url to be in next_url

---
 framework/auth/views.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/framework/auth/views.py b/framework/auth/views.py
index 0338654fac3..973ebded1ab 100644
--- a/framework/auth/views.py
+++ b/framework/auth/views.py
@@ -39,6 +39,9 @@
 from osf import features
 
 
+ANGULAR_URL = 'localhost:4200'
+
+
 @block_bing_preview
 @collect_auth
 def reset_password_get(auth, uid=None, token=None):
@@ -1209,6 +1212,9 @@ def validate_next_url(next_url):
 
     # disable external domain using `//`: the browser allows `//` as a shortcut for non-protocol specific requests
     # like http:// or https:// depending on the use of SSL on the page already.
+    if ANGULAR_URL in next_url:
+        return True
+
     if next_url.startswith('//'):
         return False
 

From 7b67b1271bb1a1d25f3f99e8b1874a3b474c69b7 Mon Sep 17 00:00:00 2001
From: Ihor Sokhan <isokhan@exoft.net>
Date: Thu, 12 Feb 2026 13:13:26 +0200
Subject: [PATCH 02/43] renamed constant

---
 framework/auth/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/framework/auth/views.py b/framework/auth/views.py
index 973ebded1ab..3965ac6adcf 100644
--- a/framework/auth/views.py
+++ b/framework/auth/views.py
@@ -39,7 +39,7 @@
 from osf import features
 
 
-ANGULAR_URL = 'localhost:4200'
+LOCAL_ANGULAR_URL = 'localhost:4200'
 
 
 @block_bing_preview
@@ -1212,7 +1212,7 @@ def validate_next_url(next_url):
 
     # disable external domain using `//`: the browser allows `//` as a shortcut for non-protocol specific requests
     # like http:// or https:// depending on the use of SSL on the page already.
-    if ANGULAR_URL in next_url:
+    if LOCAL_ANGULAR_URL in next_url:
         return True
 
     if next_url.startswith('//'):

From 235dac643e976d690c5709b6410c4b237a90e9f1 Mon Sep 17 00:00:00 2001
From: Ihor Sokhan <isokhan@exoft.net>
Date: Fri, 13 Feb 2026 14:45:44 +0200
Subject: [PATCH 03/43] added tests and debug mode

---
 framework/auth/views.py      |  5 +----
 tests/test_auth_views.py     | 11 +++++++++++
 website/settings/defaults.py |  1 +
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/framework/auth/views.py b/framework/auth/views.py
index 3965ac6adcf..ecf6540e5e6 100644
--- a/framework/auth/views.py
+++ b/framework/auth/views.py
@@ -39,9 +39,6 @@
 from osf import features
 
 
-LOCAL_ANGULAR_URL = 'localhost:4200'
-
-
 @block_bing_preview
 @collect_auth
 def reset_password_get(auth, uid=None, token=None):
@@ -1212,7 +1209,7 @@ def validate_next_url(next_url):
 
     # disable external domain using `//`: the browser allows `//` as a shortcut for non-protocol specific requests
     # like http:// or https:// depending on the use of SSL on the page already.
-    if LOCAL_ANGULAR_URL in next_url:
+    if settings.LOCAL_ANGULAR_URL in next_url and settings.DEBUG_MODE:
         return True
 
     if next_url.startswith('//'):
diff --git a/tests/test_auth_views.py b/tests/test_auth_views.py
index 8e8cc5fafb1..aa248ccdaaf 100644
--- a/tests/test_auth_views.py
+++ b/tests/test_auth_views.py
@@ -584,6 +584,17 @@ def test_next_url_login_with_auth(self):
         assert data.get('status_code') == http_status.HTTP_302_FOUND
         assert data.get('next_url') == self.next_url
 
+    def test_next_url_angular_login_with_auth(self):
+        data = login_and_register_handler(self.auth, next_url=settings.LOCAL_ANGULAR_URL)
+        assert data.get('status_code') == http_status.HTTP_302_FOUND
+        assert data.get('next_url') == settings.LOCAL_ANGULAR_URL
+
+    def test_next_url_angular_login_without_auth(self):
+        request.url = web_url_for('auth_login', next=settings.LOCAL_ANGULAR_URL, _absolute=True)
+        data = login_and_register_handler(self.no_auth, next_url=settings.LOCAL_ANGULAR_URL)
+        assert data.get('status_code') == http_status.HTTP_302_FOUND
+        assert data.get('next_url') == cas.get_login_url(request.url)
+
     def test_next_url_login_without_auth(self):
         # login: user without auth
         request.url = web_url_for('auth_login', next=self.next_url, _absolute=True)
diff --git a/website/settings/defaults.py b/website/settings/defaults.py
index d09e583c181..40ecad5f0c2 100644
--- a/website/settings/defaults.py
+++ b/website/settings/defaults.py
@@ -90,6 +90,7 @@ def parent_dir(path):
 INTERNAL_DOMAIN = DOMAIN
 API_DOMAIN = PROTOCOL + 'localhost:8000/'
 RESET_PASSWORD_URL = PROTOCOL + 'localhost:5000/resetpassword/' # TODO set angular reset password url
+LOCAL_ANGULAR_URL = 'localhost:4200'
 
 PREPRINT_PROVIDER_DOMAINS = {
     'enabled': False,

From 23dd9268f625b3f42d30e86efc97081c0ad9d4a9 Mon Sep 17 00:00:00 2001
From: Ihor Sokhan <isokhan@exoft.net>
Date: Wed, 11 Feb 2026 17:18:13 +0200
Subject: [PATCH 04/43] angular url

---
 framework/auth/views.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/framework/auth/views.py b/framework/auth/views.py
index ecf6540e5e6..6ffc327f8bc 100644
--- a/framework/auth/views.py
+++ b/framework/auth/views.py
@@ -39,6 +39,9 @@
 from osf import features
 
 
+ANGULAR_URL = 'localhost:4200'
+
+
 @block_bing_preview
 @collect_auth
 def reset_password_get(auth, uid=None, token=None):

From cb141e15afa5c3287566d9b5a477de0fd650e986 Mon Sep 17 00:00:00 2001
From: Ihor Sokhan <isokhan@exoft.net>
Date: Thu, 12 Feb 2026 13:13:26 +0200
Subject: [PATCH 05/43] angular url

---
 framework/auth/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/framework/auth/views.py b/framework/auth/views.py
index 6ffc327f8bc..afadbe44346 100644
--- a/framework/auth/views.py
+++ b/framework/auth/views.py
@@ -39,7 +39,7 @@
 from osf import features
 
 
-ANGULAR_URL = 'localhost:4200'
+LOCAL_ANGULAR_URL = 'localhost:4200'
 
 
 @block_bing_preview

From b16005c3b4e63c5bbe43edb86d18ad3874f1c0d4 Mon Sep 17 00:00:00 2001
From: Ihor Sokhan <isokhan@exoft.net>
Date: Fri, 13 Feb 2026 14:45:44 +0200
Subject: [PATCH 06/43] added tests and debug mode

---
 framework/auth/views.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/framework/auth/views.py b/framework/auth/views.py
index afadbe44346..ecf6540e5e6 100644
--- a/framework/auth/views.py
+++ b/framework/auth/views.py
@@ -39,9 +39,6 @@
 from osf import features
 
 
-LOCAL_ANGULAR_URL = 'localhost:4200'
-
-
 @block_bing_preview
 @collect_auth
 def reset_password_get(auth, uid=None, token=None):

From d48f9ae9cbcc74b22b71c0675d3b35f243c72988 Mon Sep 17 00:00:00 2001
From: Ihor Sokhan <isokhan@exoft.net>
Date: Mon, 16 Feb 2026 17:50:19 +0200
Subject: [PATCH 07/43] edited comments

---
 framework/auth/views.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/framework/auth/views.py b/framework/auth/views.py
index ecf6540e5e6..90904fa0c16 100644
--- a/framework/auth/views.py
+++ b/framework/auth/views.py
@@ -1207,11 +1207,12 @@ def validate_next_url(next_url):
     :return: True if valid, False otherwise
     """
 
-    # disable external domain using `//`: the browser allows `//` as a shortcut for non-protocol specific requests
-    # like http:// or https:// depending on the use of SSL on the page already.
+    # allow redirection to angular locally
     if settings.LOCAL_ANGULAR_URL in next_url and settings.DEBUG_MODE:
         return True
 
+    # disable external domain using `//`: the browser allows `//` as a shortcut for non-protocol specific requests
+    # like http:// or https:// depending on the use of SSL on the page already.
     if next_url.startswith('//'):
         return False
 

From 261a680855e5b8b398243c6b34bdbef26fff4b92 Mon Sep 17 00:00:00 2001
From: Ihor Sokhan <isokhan@exoft.net>
Date: Mon, 16 Feb 2026 16:43:15 +0200
Subject: [PATCH 08/43] added sso_in_progress field to Institution model

---
 .../0036_institution_sso_in_progress.py        | 18 ++++++++++++++++++
 osf/models/institution.py                      |  1 +
 2 files changed, 19 insertions(+)
 create mode 100644 osf/migrations/0036_institution_sso_in_progress.py

diff --git a/osf/migrations/0036_institution_sso_in_progress.py b/osf/migrations/0036_institution_sso_in_progress.py
new file mode 100644
index 00000000000..784188c4806
--- /dev/null
+++ b/osf/migrations/0036_institution_sso_in_progress.py
@@ -0,0 +1,18 @@
+# Generated by Django 4.2.17 on 2026-02-16 14:34
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('osf', '0035_merge_20251215_1451'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='institution',
+            name='sso_in_progress',
+            field=models.BooleanField(default=False),
+        ),
+    ]
diff --git a/osf/models/institution.py b/osf/models/institution.py
index 39d57637da5..fa2c42aa552 100644
--- a/osf/models/institution.py
+++ b/osf/models/institution.py
@@ -125,6 +125,7 @@ class Institution(DirtyFieldsMixin, Loggable, ObjectIDMixin, BaseModel, Guardian
         default='',
         help_text='Full URL where institutional admins can access archived metrics reports.',
     )
+    sso_in_progress = models.BooleanField(default=False)
 
     class Meta:
         # custom permissions for use in the OSF Admin App

From 5d474ef48d19d7020c742a4521cde68628dc23f9 Mon Sep 17 00:00:00 2001
From: Vlad0n20 <vlad.onischuk1234@gmail.com>
Date: Fri, 13 Feb 2026 17:30:01 +0200
Subject: [PATCH 09/43] Add tests

---
 tests/test_auth_views.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tests/test_auth_views.py b/tests/test_auth_views.py
index aa248ccdaaf..a30a43a5299 100644
--- a/tests/test_auth_views.py
+++ b/tests/test_auth_views.py
@@ -838,6 +838,22 @@ def test_logout_with_no_parameter(self):
         assert resp.status_code == http_status.HTTP_302_FOUND
         assert cas.get_logout_url(self.goodbye_url) == resp.headers['Location']
 
+    @mock.patch('framework.auth.views.settings.LOCAL_ANGULAR_URL', 'http://localhost:4200')
+    def test_logout_with_angular_next_url_logged_in(self):
+        angular_url = 'http://localhost:4200/'
+        logout_url = web_url_for('auth_logout', _absolute=True, next=angular_url)
+        resp = self.app.get(logout_url, auth=self.auth_user.auth)
+        assert resp.status_code == http_status.HTTP_302_FOUND
+        assert cas.get_logout_url(logout_url) == resp.headers['Location']
+
+    @mock.patch('framework.auth.views.settings.LOCAL_ANGULAR_URL', 'http://localhost:4200')
+    def test_logout_with_angular_next_url_logged_out(self):
+        angular_url = 'http://localhost:4200/'
+        logout_url = web_url_for('auth_logout', _absolute=True, next=angular_url)
+        resp = self.app.get(logout_url, auth=None)
+        assert resp.status_code == http_status.HTTP_302_FOUND
+        assert angular_url == resp.headers['Location']
+
 
 class TestResetPassword(OsfTestCase):
 

From 179bed01446b76b7e6ec351fa37d4fd300802786 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Thu, 19 Mar 2026 17:28:29 +0200
Subject: [PATCH 10/43] Add SSO availability field and update institution
 reactivation logic

---
 admin_tests/institutions/test_views.py        |  6 +++--
 .../0036_institution_sso_in_progress.py       | 18 --------------
 .../0038_institution_sso_availability.py      | 18 ++++++++++++++
 osf/models/institution.py                     | 24 ++++++++++++++++++-
 osf_tests/test_institution.py                 | 10 ++++++++
 5 files changed, 55 insertions(+), 21 deletions(-)
 delete mode 100644 osf/migrations/0036_institution_sso_in_progress.py
 create mode 100644 osf/migrations/0038_institution_sso_availability.py

diff --git a/admin_tests/institutions/test_views.py b/admin_tests/institutions/test_views.py
index 13cb1456ab9..c3c8a3c3fab 100644
--- a/admin_tests/institutions/test_views.py
+++ b/admin_tests/institutions/test_views.py
@@ -139,7 +139,8 @@ def test_institution_form(self):
             'name': 'New Name',
             'logo_name': 'awesome_logo.png',
             'domains': 'http://kris.biz/, http://www.little.biz/',
-            '_id': 'newawesomeprov'
+            '_id': 'newawesomeprov',
+            'sso_availability': 'Public',
         }
         form = InstitutionForm(data=new_data)
         assert form.is_valid()
@@ -214,7 +215,8 @@ def test_monthly_reporter_called_on_create(self, mock_monthly_reporter_do):
             'email_domains': FakeList('domain_name', n=1),
             'orcid_record_verified_source': '',
             'delegation_protocol': '',
-            'institutional_request_access_enabled': False
+            'institutional_request_access_enabled': False,
+            'sso_availability': 'Public',
         }
         form = InstitutionForm(data=data)
         assert form.is_valid()
diff --git a/osf/migrations/0036_institution_sso_in_progress.py b/osf/migrations/0036_institution_sso_in_progress.py
deleted file mode 100644
index 784188c4806..00000000000
--- a/osf/migrations/0036_institution_sso_in_progress.py
+++ /dev/null
@@ -1,18 +0,0 @@
-# Generated by Django 4.2.17 on 2026-02-16 14:34
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('osf', '0035_merge_20251215_1451'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='institution',
-            name='sso_in_progress',
-            field=models.BooleanField(default=False),
-        ),
-    ]
diff --git a/osf/migrations/0038_institution_sso_availability.py b/osf/migrations/0038_institution_sso_availability.py
new file mode 100644
index 00000000000..c4be5de4001
--- /dev/null
+++ b/osf/migrations/0038_institution_sso_availability.py
@@ -0,0 +1,18 @@
+# Generated by Django 4.2.15 on 2026-03-13 11:11
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('osf', '0037_notification_refactor_post_release'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='institution',
+            name='sso_availability',
+            field=models.CharField(choices=[('Public', 'PUBLIC'), ('Unavailable', 'UNAVAILABLE'), ('Hidden', 'HIDDEN')], default='Hidden', max_length=15),
+        ),
+    ]
diff --git a/osf/models/institution.py b/osf/models/institution.py
index 8dccdf6919a..bae41a8a177 100644
--- a/osf/models/institution.py
+++ b/osf/models/institution.py
@@ -46,6 +46,13 @@ class SsoFilterCriteriaAction(Enum):
     CONTAINS = 'contains'  # Type 2: SSO releases a multi-value attribute, of which one value matches
     IN = 'in'  # Type 3: SSO releases a single-value attribute that have multiple valid values
 
+class SSOAvailability(Enum):
+    """Defines 3 SSO availability states for institutions.
+    """
+    PUBLIC = 'Public'
+    UNAVAILABLE = 'Unavailable'
+    HIDDEN = 'Hidden'
+
 
 class InstitutionManager(models.Manager):
 
@@ -79,6 +86,13 @@ class Institution(DirtyFieldsMixin, Loggable, ObjectIDMixin, BaseModel, Guardian
         default=''
     )
 
+    # Institution SSO availability
+    sso_availability = models.CharField(
+        choices=[(el.value, el.name) for el in SSOAvailability],
+        max_length=15,
+        default='Hidden'
+    )
+
     # Default Storage Region
     storage_regions = models.ManyToManyField(
         'addons_osfstorage.Region',
@@ -125,7 +139,6 @@ class Institution(DirtyFieldsMixin, Loggable, ObjectIDMixin, BaseModel, Guardian
         default='',
         help_text='Full URL where institutional admins can access archived metrics reports.',
     )
-    sso_in_progress = models.BooleanField(default=False)
 
     class Meta:
         # custom permissions for use in the OSF Admin App
@@ -238,6 +251,11 @@ def deactivate(self):
         """
         if not self.deactivated:
             self.deactivated = timezone.now()
+            if not self.delegation_protocol:
+                self.sso_availability = SSOAvailability.UNAVAILABLE.value
+            else:
+                self.sso_availability = SSOAvailability.HIDDEN.value
+
             self.save()
             # Django mangers aren't used when querying on related models. Thus, we can query
             # affiliated users and send notification emails after the institution has been deactivated.
@@ -252,6 +270,10 @@ def reactivate(self):
         """
         if self.deactivated:
             self.deactivated = None
+            if not self.delegation_protocol:
+                self.sso_availability = SSOAvailability.UNAVAILABLE.value
+            else:
+                self.sso_availability = SSOAvailability.HIDDEN.value
             self.save()
         else:
             message = f'Action rejected - reactivating an active institution [{self._id}].'
diff --git a/osf_tests/test_institution.py b/osf_tests/test_institution.py
index 039b0ce04dd..9006769ebbe 100644
--- a/osf_tests/test_institution.py
+++ b/osf_tests/test_institution.py
@@ -139,12 +139,22 @@ def test_deactivate_institution(self):
             assert institution.deactivated is not None
             assert mock__send_deactivation_email.called
 
+    def test_reactivate_sso_institution(self):
+        institution = InstitutionFactory()
+        institution.delegation_protocol = 'saml-shib'
+        institution.deactivated = timezone.now()
+        institution.save()
+        institution.reactivate()
+        assert institution.deactivated is None
+        assert institution.sso_availability == 'Hidden'
+
     def test_reactivate_institution(self):
         institution = InstitutionFactory()
         institution.deactivated = timezone.now()
         institution.save()
         institution.reactivate()
         assert institution.deactivated is None
+        assert institution.sso_availability == 'Unavailable'
 
     def test_send_deactivation_email_call_count(self):
         institution = InstitutionFactory()

From 1d74ad3a2fcb6c07ca7bcd18f101689eead02651 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Thu, 19 Mar 2026 17:34:01 +0200
Subject: [PATCH 11/43] Update SSO availability logic and add tests for
 institution deactivation

---
 osf/models/institution.py     | 10 +++++-----
 osf_tests/test_institution.py | 15 +++++++++++++++
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/osf/models/institution.py b/osf/models/institution.py
index bae41a8a177..c1679892f69 100644
--- a/osf/models/institution.py
+++ b/osf/models/institution.py
@@ -49,9 +49,9 @@ class SsoFilterCriteriaAction(Enum):
 class SSOAvailability(Enum):
     """Defines 3 SSO availability states for institutions.
     """
-    PUBLIC = 'Public'
-    UNAVAILABLE = 'Unavailable'
-    HIDDEN = 'Hidden'
+    PUBLIC = 'Public'  # Active and has a delegation protocol
+    UNAVAILABLE = 'Unavailable'  # Does not have a delegation protocol
+    HIDDEN = 'Hidden'  # Inactive and has a delegation protocol
 
 
 class InstitutionManager(models.Manager):
@@ -88,9 +88,9 @@ class Institution(DirtyFieldsMixin, Loggable, ObjectIDMixin, BaseModel, Guardian
 
     # Institution SSO availability
     sso_availability = models.CharField(
-        choices=[(el.value, el.name) for el in SSOAvailability],
+        choices=[(choice.value, choice.name) for choice in SSOAvailability],
         max_length=15,
-        default='Hidden'
+        default=SSOAvailability.HIDDEN.value
     )
 
     # Default Storage Region
diff --git a/osf_tests/test_institution.py b/osf_tests/test_institution.py
index 9006769ebbe..867723cf291 100644
--- a/osf_tests/test_institution.py
+++ b/osf_tests/test_institution.py
@@ -128,6 +128,20 @@ def test_deactivated_institution_in_all_institutions(self):
         institution.save()
         assert institution in Institution.objects.get_all_institutions()
 
+    def test_deactivate_sso_institution(self):
+        institution = InstitutionFactory()
+        institution.delegation_protocol = 'saml-shib'
+        institution.save()
+        with mock.patch.object(
+                institution,
+                '_send_deactivation_email',
+                return_value=None
+        ) as mock__send_deactivation_email:
+            institution.deactivate()
+            assert institution.deactivated is not None
+            assert mock__send_deactivation_email.called
+            assert institution.sso_availability == 'Hidden'
+
     def test_deactivate_institution(self):
         institution = InstitutionFactory()
         with mock.patch.object(
@@ -138,6 +152,7 @@ def test_deactivate_institution(self):
             institution.deactivate()
             assert institution.deactivated is not None
             assert mock__send_deactivation_email.called
+            assert institution.sso_availability == 'Unavailable'
 
     def test_reactivate_sso_institution(self):
         institution = InstitutionFactory()

From 26efc85c0cd9656df1156226e2d1b55c7e84b661 Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Thu, 19 Mar 2026 11:43:39 -0400
Subject: [PATCH 12/43] Apply suggestions from @cslzchen

Co-authored-by: Longze Chen <cslzchen@gmail.com>
---
 osf/models/institution.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/osf/models/institution.py b/osf/models/institution.py
index c1679892f69..edf553b6d0f 100644
--- a/osf/models/institution.py
+++ b/osf/models/institution.py
@@ -49,9 +49,9 @@ class SsoFilterCriteriaAction(Enum):
 class SSOAvailability(Enum):
     """Defines 3 SSO availability states for institutions.
     """
-    PUBLIC = 'Public'  # Active and has a delegation protocol
+    PUBLIC = 'Public'  # Active, has a delegation protocol and SSO setup has been verified
     UNAVAILABLE = 'Unavailable'  # Does not have a delegation protocol
-    HIDDEN = 'Hidden'  # Inactive and has a delegation protocol
+    HIDDEN = 'Hidden'  # 1) Inactive and has a delegation protocol, or 2) active, has a delegation protocol and SSO setup is in-progress
 
 
 class InstitutionManager(models.Manager):

From 73dfa281a65c60e049f9fc301551eef3699889a8 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Fri, 20 Mar 2026 16:32:39 +0200
Subject: [PATCH 13/43] Add CAS login URL property and implement copy modal in
 institution detail view

---
 admin/institutions/views.py              |  1 +
 admin/templates/institutions/detail.html | 70 +++++++++++++++++++++++-
 osf/models/institution.py                | 13 +++++
 3 files changed, 83 insertions(+), 1 deletion(-)

diff --git a/admin/institutions/views.py b/admin/institutions/views.py
index 46e6a0a7745..7ab8994e41f 100644
--- a/admin/institutions/views.py
+++ b/admin/institutions/views.py
@@ -56,6 +56,7 @@ def get_context_data(self, *args, **kwargs):
         institution_dict = model_to_dict(institution)
         kwargs.setdefault('page_number', self.request.GET.get('page', '1'))
         kwargs['institution'] = institution_dict
+        kwargs['cas_login_url'] = institution.cas_login_url
         kwargs['logo_path'] = institution.logo_path
         kwargs['banner_path'] = institution.banner_path
         fields = institution_dict
diff --git a/admin/templates/institutions/detail.html b/admin/templates/institutions/detail.html
index 2ce1ad20a03..b2170aafaa5 100644
--- a/admin/templates/institutions/detail.html
+++ b/admin/templates/institutions/detail.html
@@ -1,7 +1,35 @@
 {% extends "base.html" %}
 {% load static %}
 {% block top_includes %}
-  <link rel="stylesheet" type="text/css" href="/static/css/institutions.css" />
+    <link rel="stylesheet" type="text/css" href="/static/css/institutions.css" />
+    <style>
+        #copy-modal {
+            display: none; /* hidden by default */
+
+            position: fixed;
+            z-index: 2000;
+            inset: 0;
+        }
+        #copy-modal.show_modal {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            padding: 16px;
+        }
+        #copy-modal .modal-content {
+            background: white;
+            width: 100%;
+            max-width: 600px;
+            max-height: 80vh;
+            padding: 20px;
+            border-radius: 10px;
+
+            display: flex;
+            flex-direction: column;
+            gap: 10px;
+            overflow: hidden;
+        }
+    </style>
 {% endblock %}
 {% load comment_extras %}
 {% block title %}
@@ -33,6 +61,20 @@
                 {% if perms.osf.change_institution %}
                 <a class="btn btn-primary" href={% url 'institutions:list_and_add_admin' institution.id %}>Manage Admins</a>
                 {% endif %}
+
+                {% if cas_login_url %}
+                    <button class="btn btn-primary" onclick="openCopyPopup('{{ cas_login_url|escapejs }}')">
+                        Copy SSO URL
+                    </button>
+
+                    <div id="copy-modal" class="modal">
+                        <div class="modal-content">
+                            <span class="close" onclick="closeCopyPopup()">&times;</span>
+                            <p>Value copied. You can also copy manually:</p>
+                            <textarea id="copy-input" readonly></textarea>
+                        </div>
+                    </div>
+                {% endif %}
             </div>
         </div>
 
@@ -168,5 +210,31 @@ <h3>Are you sure you want to run monthly report for this institution?</h3>
                 });
             });
         });
+
+        window.openCopyPopup = function(text) {
+            const modal = document.getElementById("copy-modal");
+            const input = document.getElementById("copy-input");
+
+            input.value = text;
+
+            modal.classList.add("show_modal");
+
+            navigator.clipboard.writeText(text).catch(() => {});
+
+            input.focus();
+            input.select();
+        };
+
+        window.closeCopyPopup = function() {
+            document.getElementById("copy-modal").classList.remove("show_modal");
+        };
+
+        // Close on outside click
+        window.onclick = function(event) {
+            const modal = document.getElementById("copy-modal");
+            if (event.target === modal) {
+                modal.classList.remove("show_modal");
+            }
+        };
     </script>
 {% endblock %}
diff --git a/osf/models/institution.py b/osf/models/institution.py
index c1679892f69..c5752cb7d43 100644
--- a/osf/models/institution.py
+++ b/osf/models/institution.py
@@ -24,6 +24,7 @@
 from .validators import validate_email
 from osf.utils.fields import NonNaiveDateTimeField, LowercaseEmailField
 from website import settings as website_settings
+from urllib.parse import quote
 
 logger = logging.getLogger(__name__)
 
@@ -208,6 +209,18 @@ def banner_path(self):
         except InstitutionAssetFile.DoesNotExist:
             return '/static/img/institutions/banners/placeholder-banner.png'
 
+    @property
+    def cas_login_url(self):
+        if self.delegation_protocol == IntegrationType.NONE.value:
+            return None
+        if 'localhost' in website_settings.DOMAIN:
+            next_param = quote(website_settings.PROTOCOL + website_settings.LOCAL_ANGULAR_URL, safe='')
+        else:
+            next_param = quote(website_settings.DOMAIN, safe='')
+        service_url = quote(f'{website_settings.DOMAIN}login?next={next_param}', safe='')
+
+        return f'{website_settings.CAS_SERVER_URL}/login?campaign=institution&institutionId={self._id}&service={service_url}'
+
     def update_search(self):
         from website.search.search import update_institution
         from website.search.exceptions import SearchUnavailableError

From ff32e01c1962ac6dd3e276408e3ef6a505e2dbac Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Mon, 23 Mar 2026 16:39:22 +0200
Subject: [PATCH 14/43] Refactor SSO URL generation and clean up unused code in
 institution model

---
 admin/templates/institutions/detail.html | 8 --------
 osf/models/institution.py                | 1 -
 2 files changed, 9 deletions(-)

diff --git a/admin/templates/institutions/detail.html b/admin/templates/institutions/detail.html
index b2170aafaa5..c28ca7e7703 100644
--- a/admin/templates/institutions/detail.html
+++ b/admin/templates/institutions/detail.html
@@ -5,7 +5,6 @@
     <style>
         #copy-modal {
             display: none; /* hidden by default */
-
             position: fixed;
             z-index: 2000;
             inset: 0;
@@ -23,7 +22,6 @@
             max-height: 80vh;
             padding: 20px;
             border-radius: 10px;
-
             display: flex;
             flex-direction: column;
             gap: 10px;
@@ -61,12 +59,10 @@
                 {% if perms.osf.change_institution %}
                 <a class="btn btn-primary" href={% url 'institutions:list_and_add_admin' institution.id %}>Manage Admins</a>
                 {% endif %}
-
                 {% if cas_login_url %}
                     <button class="btn btn-primary" onclick="openCopyPopup('{{ cas_login_url|escapejs }}')">
                         Copy SSO URL
                     </button>
-
                     <div id="copy-modal" class="modal">
                         <div class="modal-content">
                             <span class="close" onclick="closeCopyPopup()">&times;</span>
@@ -214,13 +210,9 @@ <h3>Are you sure you want to run monthly report for this institution?</h3>
         window.openCopyPopup = function(text) {
             const modal = document.getElementById("copy-modal");
             const input = document.getElementById("copy-input");
-
             input.value = text;
-
             modal.classList.add("show_modal");
-
             navigator.clipboard.writeText(text).catch(() => {});
-
             input.focus();
             input.select();
         };
diff --git a/osf/models/institution.py b/osf/models/institution.py
index c5752cb7d43..4c17f6d74e0 100644
--- a/osf/models/institution.py
+++ b/osf/models/institution.py
@@ -218,7 +218,6 @@ def cas_login_url(self):
         else:
             next_param = quote(website_settings.DOMAIN, safe='')
         service_url = quote(f'{website_settings.DOMAIN}login?next={next_param}', safe='')
-
         return f'{website_settings.CAS_SERVER_URL}/login?campaign=institution&institutionId={self._id}&service={service_url}'
 
     def update_search(self):

From 7d6a4a3b8ee80fc3fa395e71808c1c8416ac88ec Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Tue, 24 Mar 2026 13:11:09 +0200
Subject: [PATCH 15/43] Add management command to backfill SSO availability

---
 .../commands/backfill_sso_availability.py     |  79 ++++++++
 scripts/populate_institutions.py              | 183 ++++++++++++++++++
 2 files changed, 262 insertions(+)
 create mode 100644 osf/management/commands/backfill_sso_availability.py

diff --git a/osf/management/commands/backfill_sso_availability.py b/osf/management/commands/backfill_sso_availability.py
new file mode 100644
index 00000000000..d86e9362ff6
--- /dev/null
+++ b/osf/management/commands/backfill_sso_availability.py
@@ -0,0 +1,79 @@
+from django.core.management.base import BaseCommand
+from django.db import transaction
+from django.db.models import Q
+
+from osf.models.institution import Institution, SSOAvailability, IntegrationType
+
+
+class Command(BaseCommand):
+    help = 'Backfill sso_availability using fast DB-level updates'
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            '--dry-run',
+            action='store_true',
+            help='Show how many rows would be updated without applying changes',
+        )
+
+    def handle(self, *args, **options):
+        dry_run = options['dry_run']
+
+        # Build querysets
+        qs_no_protocol = Institution.objects.filter(
+            delegation_protocol=IntegrationType.NONE.value
+        ).exclude(
+            sso_availability=SSOAvailability.UNAVAILABLE.value
+        )
+
+        qs_inactive_with_protocol = Institution.objects.filter(
+            ~Q(delegation_protocol=IntegrationType.NONE.value),
+            deactivated__isnull=False
+        ).exclude(
+            sso_availability=SSOAvailability.HIDDEN.value
+        )
+
+        qs_active_with_protocol = Institution.objects.filter(
+            ~Q(delegation_protocol=IntegrationType.NONE.value),
+            deactivated__isnull=True
+        ).exclude(
+            sso_availability=SSOAvailability.PUBLIC.value
+        )
+
+        count_no_protocol = qs_no_protocol.count()
+        count_inactive = qs_inactive_with_protocol.count()
+        count_active = qs_active_with_protocol.count()
+
+        total = count_no_protocol + count_inactive + count_active
+
+        self.stdout.write('Planned updates:')
+        self.stdout.write(f"  No protocol → UNAVAILABLE: {count_no_protocol}")
+        self.stdout.write(f"  Inactive + protocol → HIDDEN: {count_inactive}")
+        self.stdout.write(f"  Active + protocol → PUBLIC: {count_active}")
+        self.stdout.write(f"  TOTAL: {total}")
+
+        if dry_run:
+            self.stdout.write(self.style.WARNING('Dry run, no changes applied.'))
+            return
+
+        with transaction.atomic():
+            updated_no_protocol = qs_no_protocol.update(
+                sso_availability=SSOAvailability.UNAVAILABLE.value
+            )
+
+            updated_inactive = qs_inactive_with_protocol.update(
+                sso_availability=SSOAvailability.HIDDEN.value
+            )
+
+            updated_active = qs_active_with_protocol.update(
+                sso_availability=SSOAvailability.PUBLIC.value
+            )
+
+        self.stdout.write(
+            self.style.SUCCESS(
+                'Done:\n'
+                f"  UNAVAILABLE: {updated_no_protocol}\n"
+                f"  HIDDEN: {updated_inactive}\n"
+                f"  PUBLIC: {updated_active}\n"
+                f"  TOTAL: {updated_no_protocol + updated_inactive + updated_active}"
+            )
+        )
diff --git a/scripts/populate_institutions.py b/scripts/populate_institutions.py
index f46f7c67113..3d0b832099a 100644
--- a/scripts/populate_institutions.py
+++ b/scripts/populate_institutions.py
@@ -101,6 +101,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['a2jlab.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'albion',
@@ -113,6 +114,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'asu',
@@ -125,6 +127,7 @@ def main(default_args=False):
                 'domains': ['osf.asu.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'brown',
@@ -135,6 +138,7 @@ def main(default_args=False):
                 'domains': ['osf.brown.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'bt',
@@ -145,6 +149,7 @@ def main(default_args=False):
                 'domains': ['osf.boystownhospital.org'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'bu',
@@ -155,6 +160,7 @@ def main(default_args=False):
                 'domains': ['osf.bu.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'busara',
@@ -165,6 +171,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['busaracenter.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'callutheran',
@@ -175,6 +182,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'capolicylab',
@@ -185,6 +193,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['capolicylab.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'cfa',
@@ -195,6 +204,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['cfa.harvard.edu'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'clrn',
@@ -205,6 +215,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['characterlab.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'cmu',
@@ -219,6 +230,7 @@ def main(default_args=False):
                 'domains': ['osf.library.cmu.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'colorado',
@@ -229,6 +241,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'cord',
@@ -239,6 +252,7 @@ def main(default_args=False):
                 'domains': ['osf.cord.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'cas-pac4j',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'cornell',
@@ -249,6 +263,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'cos',
@@ -259,6 +274,7 @@ def main(default_args=False):
                 'domains': ['osf.cos.io'],
                 'email_domains': ['cos.io'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'csic',
@@ -269,6 +285,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'cwru',
@@ -279,6 +296,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'duke',
@@ -289,6 +307,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ecu',
@@ -299,6 +318,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'esip',
@@ -309,6 +329,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['esipfed.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'eur',
@@ -324,6 +345,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ferris',
@@ -334,6 +356,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'fsu',
@@ -344,6 +367,7 @@ def main(default_args=False):
                 'domains': ['osf.fsu.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'gatech',
@@ -354,6 +378,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'gmu',
@@ -364,6 +389,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'gwu',
@@ -374,6 +400,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'harvard',
@@ -384,6 +411,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ibhri',
@@ -394,6 +422,7 @@ def main(default_args=False):
                 'domains': ['osf.ibhri.org'],
                 'email_domains': ['ibhri.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'icarehb',
@@ -404,6 +433,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['icarehb.com'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'icer',
@@ -414,6 +444,7 @@ def main(default_args=False):
                 'domains': ['osf.icer-review.org'],
                 'email_domains': ['icer-review.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'igdore',
@@ -427,6 +458,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['igdore.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'iit',
@@ -437,6 +469,7 @@ def main(default_args=False):
                 'domains': ['osf.iit.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'itb',
@@ -447,6 +480,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'jhu',
@@ -457,6 +491,7 @@ def main(default_args=False):
                 'domains': ['osf.data.jhu.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'jmu',
@@ -467,6 +502,7 @@ def main(default_args=False):
                 'domains': ['osf.jmu.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'jpal',
@@ -477,6 +513,7 @@ def main(default_args=False):
                 'domains': ['osf.povertyactionlab.org'],
                 'email_domains': ['povertyactionlab.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'kuleuven',
@@ -487,6 +524,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ljaf',
@@ -497,6 +535,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['arnoldfoundation.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'mit',
@@ -507,6 +546,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'mq',
@@ -517,6 +557,7 @@ def main(default_args=False):
                 'domains': ['osf.mq.edu.au'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'nationalmaglab',
@@ -527,6 +568,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'nesta',
@@ -537,6 +579,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'nd',
@@ -547,6 +590,7 @@ def main(default_args=False):
                 'domains': ['osf.nd.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'nyu',
@@ -557,6 +601,7 @@ def main(default_args=False):
                 'domains': ['osf.nyu.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'okstate',
@@ -567,6 +612,7 @@ def main(default_args=False):
                 'domains': ['osf.library.okstate.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ou',
@@ -577,6 +623,7 @@ def main(default_args=False):
                 'domains': ['osf.ou.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'oxford',
@@ -587,6 +634,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'via-orcid',
+                'sso_availability': 'Public',
                 'orcid_record_verified_source': 'ORCID Integration at the University of Oxford',
             },
             {
@@ -598,6 +646,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'purdue',
@@ -608,6 +657,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'sc',
@@ -620,6 +670,7 @@ def main(default_args=False):
                 'domains': ['osf.sc.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'temple',
@@ -630,6 +681,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'thepolicylab',
@@ -640,6 +692,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'thelabatdc',
@@ -650,6 +703,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['dc.gov'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'theworks',
@@ -660,6 +714,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['theworks.info'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'tufts',
@@ -670,6 +725,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ua',
@@ -680,6 +736,7 @@ def main(default_args=False):
                 'domains': ['osf.arizona.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ubc',
@@ -690,6 +747,7 @@ def main(default_args=False):
                 'domains': ['osf.openscience.ubc.ca'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uc',
@@ -700,6 +758,7 @@ def main(default_args=False):
                 'domains': ['osf.uc.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ucla',
@@ -710,6 +769,7 @@ def main(default_args=False):
                 'domains': ['osf.ucla.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ucsd',
@@ -720,6 +780,7 @@ def main(default_args=False):
                 'domains': ['osf.ucsd.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ucr',
@@ -730,6 +791,7 @@ def main(default_args=False):
                 'domains': ['osf.ucr.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uct',
@@ -740,6 +802,7 @@ def main(default_args=False):
                 'domains': ['osf.uct.ac.za'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ugent',
@@ -750,6 +813,7 @@ def main(default_args=False):
                 'domains': ['osf.ugent.be'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ugoe',
@@ -760,6 +824,7 @@ def main(default_args=False):
                 'domains': ['osf.uni-goettingen.de'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'umb',
@@ -770,6 +835,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'umd',
@@ -780,6 +846,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'unc',
@@ -790,6 +857,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'universityofkent',
@@ -800,6 +868,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uol',
@@ -810,6 +879,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uom',
@@ -820,6 +890,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'usc',
@@ -830,6 +901,7 @@ def main(default_args=False):
                 'domains': ['osf.usc.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ush',
@@ -840,6 +912,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['uvers.ac.id'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'utdallas',
@@ -850,6 +923,7 @@ def main(default_args=False):
                 'domains': ['osf.utdallas.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uva',
@@ -860,6 +934,7 @@ def main(default_args=False):
                 'domains': ['osf.virginia.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uw',
@@ -870,6 +945,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uwstout',
@@ -880,6 +956,7 @@ def main(default_args=False):
                 'domains': ['open.uwstout.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'vcu',
@@ -890,6 +967,7 @@ def main(default_args=False):
                 'domains': ['osf.research.vcu.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'vt',
@@ -900,6 +978,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'vua',
@@ -910,6 +989,7 @@ def main(default_args=False):
                 'domains': ['osf.vu.nl'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'wustl',
@@ -920,6 +1000,7 @@ def main(default_args=False):
                 'domains': ['osf.wustl.edu'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
         ],
     'stage': [
@@ -932,6 +1013,7 @@ def main(default_args=False):
                 'domains': ['staging-osf.cos.io'],
                 'email_domains': ['cos.io'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'nd',
@@ -942,6 +1024,7 @@ def main(default_args=False):
                 'domains': ['staging-osf-nd.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'google',
@@ -952,6 +1035,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['gmail.com'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'yahoo',
@@ -961,6 +1045,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['yahoo.com'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'oxford',
@@ -971,6 +1056,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'via-orcid',
+                'sso_availability': 'Public',
                 'orcid_record_verified_source': 'ORCID Integration at the University of Oxford',
             },
             {
@@ -983,6 +1069,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'via-orcid',
+                'sso_availability': 'Public',
                 'orcid_record_verified_source': 'OSF Integration',
             },
         ],
@@ -996,6 +1083,7 @@ def main(default_args=False):
                 'domains': ['staging2-osf.cos.io'],
                 'email_domains': ['cos.io'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
         ],
     'stage3': [
@@ -1008,6 +1096,7 @@ def main(default_args=False):
                 'domains': ['staging3-osf.cos.io'],
                 'email_domains': ['cos.io'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
         ],
     'test': [
@@ -1020,6 +1109,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'a2jlab',
@@ -1030,6 +1120,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['a2jlab.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'albion',
@@ -1042,6 +1133,7 @@ def main(default_args=False):
                 'domains': ['test-osf-ablbion.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'asu',
@@ -1054,6 +1146,7 @@ def main(default_args=False):
                 'domains': ['test-osf-asu.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'brown',
@@ -1064,6 +1157,7 @@ def main(default_args=False):
                 'domains': ['test-osf-brown.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'bt',
@@ -1074,6 +1168,7 @@ def main(default_args=False):
                 'domains': ['test-osf-bt.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'bu',
@@ -1084,6 +1179,7 @@ def main(default_args=False):
                 'domains': ['test-osf-bu.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'busara',
@@ -1094,6 +1190,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['busaracenter.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'callutheran',
@@ -1104,6 +1201,7 @@ def main(default_args=False):
                 'domains': ['test-osf-callutheran.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'callutheran2',
@@ -1114,6 +1212,7 @@ def main(default_args=False):
                 'domains': ['test-osf-callutheran2.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'cas-pac4j',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'capolicylab',
@@ -1124,6 +1223,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['capolicylab.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'cfa',
@@ -1134,6 +1234,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['cfa.harvard.edu'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'clrn',
@@ -1144,6 +1245,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['characterlab.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'cmu',
@@ -1158,6 +1260,7 @@ def main(default_args=False):
                 'domains': ['test-osf-cmu.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'colorado',
@@ -1168,6 +1271,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'cornell',
@@ -1178,6 +1282,7 @@ def main(default_args=False):
                 'domains': ['test-osf-cornell.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'cord',
@@ -1188,6 +1293,7 @@ def main(default_args=False):
                 'domains': ['test-osf-cord.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'cas-pac4j',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'cos',
@@ -1198,6 +1304,7 @@ def main(default_args=False):
                 'domains': ['test-osf.cos.io'],
                 'email_domains': ['cos.io'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'csic',
@@ -1208,6 +1315,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'cwru',
@@ -1218,6 +1326,7 @@ def main(default_args=False):
                 'domains': ['test-osf-cwru.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'duke',
@@ -1228,6 +1337,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ecu',
@@ -1238,6 +1348,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'esip',
@@ -1248,6 +1359,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['esipfed.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'eur',
@@ -1263,6 +1375,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ferris',
@@ -1273,6 +1386,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'fsu',
@@ -1283,6 +1397,7 @@ def main(default_args=False):
                 'domains': ['test-osf-fsu.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'gatech',
@@ -1293,6 +1408,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'gmu',
@@ -1303,6 +1419,7 @@ def main(default_args=False):
                 'domains': ['test-osf-gmu.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'gwu',
@@ -1313,6 +1430,7 @@ def main(default_args=False):
                 'domains': ['test-osf-gwu.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'harvard',
@@ -1323,6 +1441,7 @@ def main(default_args=False):
                 'domains': ['test-osf-harvard.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ibhri',
@@ -1333,6 +1452,7 @@ def main(default_args=False):
                 'domains': ['test-osf-ibhri.cos.io'],
                 'email_domains': ['ibhri.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'icarehb',
@@ -1343,6 +1463,7 @@ def main(default_args=False):
                 'domains': ['test-osf-icarehb.cos.io'],
                 'email_domains': ['icarehb.com'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'icer',
@@ -1353,6 +1474,7 @@ def main(default_args=False):
                 'domains': ['test-osf-icer.cos.io'],
                 'email_domains': ['icer-review.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'igdore',
@@ -1366,6 +1488,7 @@ def main(default_args=False):
                 'domains': ['test-osf-icer.igdore.io'],
                 'email_domains': ['igdore.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'iit',
@@ -1376,6 +1499,7 @@ def main(default_args=False):
                 'domains': ['test-osf-iit.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'itb',
@@ -1386,6 +1510,7 @@ def main(default_args=False):
                 'domains': ['test-osf-itb.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'jhu',
@@ -1396,6 +1521,7 @@ def main(default_args=False):
                 'domains': ['test-osf-jhu.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'jmu',
@@ -1406,6 +1532,7 @@ def main(default_args=False):
                 'domains': ['test-osf-jmu.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'jpal',
@@ -1416,6 +1543,7 @@ def main(default_args=False):
                 'domains': ['test-osf-jpal.cos.io'],
                 'email_domains': ['povertyactionlab.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'kuleuven',
@@ -1426,6 +1554,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ljaf',
@@ -1436,6 +1565,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['arnoldfoundation.org'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'mit',
@@ -1446,6 +1576,7 @@ def main(default_args=False):
                 'domains': ['test-osf-mit.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'mq',
@@ -1456,6 +1587,7 @@ def main(default_args=False):
                 'domains': ['test-osf-mq.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'nationalmaglab',
@@ -1466,6 +1598,7 @@ def main(default_args=False):
                 'domains': ['test-osf-nationalmaglab.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'nesta',
@@ -1476,6 +1609,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'nd',
@@ -1486,6 +1620,7 @@ def main(default_args=False):
                 'domains': ['test-osf-nd.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'nyu',
@@ -1496,6 +1631,7 @@ def main(default_args=False):
                 'domains': ['test-osf-nyu.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'okstate',
@@ -1506,6 +1642,7 @@ def main(default_args=False):
                 'domains': ['test-osf-library-okstate.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ou',
@@ -1516,6 +1653,7 @@ def main(default_args=False):
                 'domains': ['test-osf-ou.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'oxford',
@@ -1526,6 +1664,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'via-orcid',
+                'sso_availability': 'Public',
                 'orcid_record_verified_source': 'ORCID Integration at the University of Oxford',
             },
             {
@@ -1537,6 +1676,7 @@ def main(default_args=False):
                 'domains': ['test-osf-pu.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'purdue',
@@ -1547,6 +1687,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'sc',
@@ -1559,6 +1700,7 @@ def main(default_args=False):
                 'domains': ['test-osf-sc.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'temple',
@@ -1569,6 +1711,7 @@ def main(default_args=False):
                 'domains': ['test-osf-temple.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'thepolicylab',
@@ -1579,6 +1722,7 @@ def main(default_args=False):
                 'domains': ['test-osf-thepolicylab.cos.io'],
                 'email_domains': ['policylab.io'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'thelabatdc',
@@ -1589,6 +1733,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['dc.gov'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'theworks',
@@ -1599,6 +1744,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': ['theworks.info'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'tufts',
@@ -1609,6 +1755,7 @@ def main(default_args=False):
                 'domains': ['test-osf-tufts.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ua',
@@ -1619,6 +1766,7 @@ def main(default_args=False):
                 'domains': ['test-osf-ua.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ubc',
@@ -1629,6 +1777,7 @@ def main(default_args=False):
                 'domains': ['test-osf-ubc.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uc',
@@ -1639,6 +1788,7 @@ def main(default_args=False):
                 'domains': ['test-osf-uc.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ucla',
@@ -1649,6 +1799,7 @@ def main(default_args=False):
                 'domains': ['test-osf-ucla.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ucsd',
@@ -1659,6 +1810,7 @@ def main(default_args=False):
                 'domains': ['test-osf-ucsd.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ucr',
@@ -1669,6 +1821,7 @@ def main(default_args=False):
                 'domains': ['test-osf-ucr.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uct',
@@ -1679,6 +1832,7 @@ def main(default_args=False):
                 'domains': ['test-osf-uct.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'umb',
@@ -1689,6 +1843,7 @@ def main(default_args=False):
                 'domains': ['test-osf-umb.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'umd',
@@ -1699,6 +1854,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ugent',
@@ -1709,6 +1865,7 @@ def main(default_args=False):
                 'domains': ['test-osf-ugent.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ugoe',
@@ -1719,6 +1876,7 @@ def main(default_args=False):
                 'domains': ['test-osf-ugoe.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uit',
@@ -1731,6 +1889,7 @@ def main(default_args=False):
                 'domains': ['test-osf-uit.cos.io'],
                 'email_domains': ['uit.no'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'unc',
@@ -1741,6 +1900,7 @@ def main(default_args=False):
                 'domains': ['test-osf-unc.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'universityofkent',
@@ -1751,6 +1911,7 @@ def main(default_args=False):
                 'domains': ['test-osf-universityofkent.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uol',
@@ -1761,6 +1922,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uom',
@@ -1771,6 +1933,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'usc',
@@ -1781,6 +1944,7 @@ def main(default_args=False):
                 'domains': ['test-osf-usc.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'ush',
@@ -1791,6 +1955,7 @@ def main(default_args=False):
                 'domains': ['test-osf-ush.cos.io'],
                 'email_domains': ['uvers.ac.id'],
                 'delegation_protocol': '',
+                'sso_availability': 'Unavailable',
             },
             {
                 '_id': 'utdallas',
@@ -1801,6 +1966,7 @@ def main(default_args=False):
                 'domains': ['test-osf-utdallas.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uva',
@@ -1811,6 +1977,7 @@ def main(default_args=False):
                 'domains': ['test-osf-virginia.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uw',
@@ -1821,6 +1988,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'uwstout',
@@ -1831,6 +1999,7 @@ def main(default_args=False):
                 'domains': ['test-osf-uwstout.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'vcu',
@@ -1841,6 +2010,7 @@ def main(default_args=False):
                 'domains': ['test-osf-research-vcu.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'vt',
@@ -1851,6 +2021,7 @@ def main(default_args=False):
                 'domains': [],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'vua',
@@ -1861,6 +2032,7 @@ def main(default_args=False):
                 'domains': ['test-osf-vua.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
             {
                 '_id': 'wustl',
@@ -1871,6 +2043,7 @@ def main(default_args=False):
                 'domains': ['test-osf-wustl.cos.io'],
                 'email_domains': [],
                 'delegation_protocol': 'saml-shib',
+                'sso_availability': 'Public',
             },
         ],
     'local': [
@@ -1884,6 +2057,7 @@ def main(default_args=False):
             'domains': [],
             'email_domains': [],
             'delegation_protocol': 'cas-pac4j',
+            'sso_availability': 'Public',
         },
         {
             '_id': 'osftype1',
@@ -1895,6 +2069,7 @@ def main(default_args=False):
             'domains': [],
             'email_domains': [],
             'delegation_protocol': 'via-orcid',
+            'sso_availability': 'Public',
             'orcid_record_verified_source': 'OSF Integration',
         },
         {
@@ -1907,6 +2082,7 @@ def main(default_args=False):
             'domains': [],
             'email_domains': [],
             'delegation_protocol': 'saml-shib',
+            'sso_availability': 'Public',
             'orcid_record_verified_source': '',
         },
         {
@@ -1920,6 +2096,7 @@ def main(default_args=False):
             'domains': [],
             'email_domains': [],
             'delegation_protocol': 'saml-shib',
+            'sso_availability': 'Public',
         },
         {
             '_id': 'osftype4',
@@ -1932,6 +2109,7 @@ def main(default_args=False):
             'domains': [],
             'email_domains': [],
             'delegation_protocol': 'saml-shib',
+            'sso_availability': 'Public',
         },
         {
             '_id': 'osftype5',
@@ -1944,6 +2122,7 @@ def main(default_args=False):
             'domains': [],
             'email_domains': [],
             'delegation_protocol': 'saml-shib',
+            'sso_availability': 'Public',
             'orcid_record_verified_source': '',
         },
         {
@@ -1957,6 +2136,7 @@ def main(default_args=False):
             'domains': [],
             'email_domains': [],
             'delegation_protocol': 'saml-shib',
+            'sso_availability': 'Public',
         },
         {
             '_id': 'osftype7',
@@ -1969,6 +2149,7 @@ def main(default_args=False):
             'domains': [],
             'email_domains': [],
             'delegation_protocol': 'saml-shib',
+            'sso_availability': 'Public',
         },
         {
             '_id': 'osftype8',
@@ -1981,6 +2162,7 @@ def main(default_args=False):
             'domains': [],
             'email_domains': [],
             'delegation_protocol': 'saml-shib',
+            'sso_availability': 'Public',
         },
         {
             '_id': 'osftype9',
@@ -1993,6 +2175,7 @@ def main(default_args=False):
             'domains': [],
             'email_domains': [],
             'delegation_protocol': 'saml-shib',
+            'sso_availability': 'Public',
         },
     ],
 }

From 50ad1029e9c2f6c14b47d297c48fb7419705c3c2 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Wed, 25 Mar 2026 14:35:15 +0200
Subject: [PATCH 16/43] Add sso_availability field to InstitutionSerializer and
 enable filtering by sso_availability in InstitutionList view

---
 api/institutions/serializers.py               |  2 ++
 api/institutions/views.py                     |  3 ++
 .../views/test_institution_list.py            | 33 +++++++++++++++++++
 3 files changed, 38 insertions(+)

diff --git a/api/institutions/serializers.py b/api/institutions/serializers.py
index 5beffe60348..3f60cfc65ac 100644
--- a/api/institutions/serializers.py
+++ b/api/institutions/serializers.py
@@ -29,10 +29,12 @@ class InstitutionSerializer(JSONAPISerializer):
         'id',
         'name',
         'auth_url',
+        'sso_availability',
     ])
 
     name = ser.CharField(read_only=True)
     id = ser.CharField(read_only=True, source='_id')
+    sso_availability = ser.CharField(read_only=True)
     description = ser.CharField(read_only=True)
     auth_url = ser.CharField(read_only=True)
     iri = ser.CharField(read_only=True, source='identifier_domain')
diff --git a/api/institutions/views.py b/api/institutions/views.py
index a3c0f93d0c8..b63b5efaa8d 100644
--- a/api/institutions/views.py
+++ b/api/institutions/views.py
@@ -73,6 +73,9 @@ class InstitutionList(JSONAPIBaseView, generics.ListAPIView, ListFilterMixin):
         base_permissions.TokenHasScope,
     )
 
+    # Adding sso_availability to MULTIPLE_VALUES_FIELDS to allow filtering institutions by multiple sso_availability values, e.g. ?filter[sso_availability]=[Unavailable,Hidden]
+    MULTIPLE_VALUES_FIELDS = ListFilterMixin.MULTIPLE_VALUES_FIELDS + ['sso_availability']
+
     required_read_scopes = [CoreScopes.INSTITUTION_READ]
     required_write_scopes = [CoreScopes.NULL]
     model_class = Institution
diff --git a/api_tests/institutions/views/test_institution_list.py b/api_tests/institutions/views/test_institution_list.py
index 74cb0b6bc8f..d203b2b9313 100644
--- a/api_tests/institutions/views/test_institution_list.py
+++ b/api_tests/institutions/views/test_institution_list.py
@@ -15,6 +15,10 @@ def institution_one(self):
     def institution_two(self):
         return InstitutionFactory()
 
+    @pytest.fixture()
+    def institution_three(self):
+        return InstitutionFactory()
+
     @pytest.fixture()
     def url_institution(self):
         return f'/{API_BASE}institutions/'
@@ -47,3 +51,32 @@ def test_does_not_return_deleted_institution(
         assert len(res.json['data']) == 1
         assert institution_one._id not in ids
         assert institution_two._id in ids
+
+    def test_sso_availability_filter(
+            self, app, institution_one, institution_two, institution_three, url_institution
+    ):
+        institution_one.sso_availability = 'Unavailable'
+        institution_one.save()
+
+        institution_two.sso_availability = 'Public'
+        institution_two.save()
+
+        institution_three.sso_availability = 'Hidden'
+        institution_three.save()
+
+        res = app.get(f'{url_institution}?filter[sso_availability]=[Unavailable]')
+        assert res.status_code == 200
+
+        ids = [each['id'] for each in res.json['data']]
+        assert len(res.json['data']) == 1
+        assert institution_one._id in ids
+        assert institution_two._id not in ids
+
+        res = app.get(f'{url_institution}?filter[sso_availability]=[Unavailable,Hidden]')
+        assert res.status_code == 200
+
+        ids = [each['id'] for each in res.json['data']]
+        assert len(res.json['data']) == 2
+        assert institution_one._id in ids
+        assert institution_three._id in ids
+        assert institution_two._id not in ids

From 40da7b3c1574ad707a8ab60f500dd64eb11d714f Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Thu, 26 Mar 2026 15:56:40 +0200
Subject: [PATCH 17/43] Add SSO Availability column to institutions list view

---
 admin/templates/institutions/list.html | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/admin/templates/institutions/list.html b/admin/templates/institutions/list.html
index f990c778d25..47e6d09233f 100644
--- a/admin/templates/institutions/list.html
+++ b/admin/templates/institutions/list.html
@@ -20,6 +20,7 @@ <h2>List of Institutions</h2>
             <th>Name</th>
             <th>Description</th>
 			<th>Status</th>
+			<th>SSO Availability</th>
         </tr>
     </thead>
     <tbody>
@@ -37,6 +38,7 @@ <h2>List of Institutions</h2>
 		{% else %}
 		<td>DEACTIVATED</td>
 		{% endif %}
+		<td>{{ institution.sso_availability }}</td>
     </tr>
     {% endfor %}
     </tbody>

From dc02e517db65d0bada2b24825c62069a2cc81630 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Fri, 27 Mar 2026 10:56:31 +0200
Subject: [PATCH 18/43] Add get_sso_institutions method to InstitutionManager
 and update InstitutionList queryset filtering

---
 api/institutions/views.py | 4 +++-
 osf/models/institution.py | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/api/institutions/views.py b/api/institutions/views.py
index b63b5efaa8d..6272cfbe59c 100644
--- a/api/institutions/views.py
+++ b/api/institutions/views.py
@@ -88,7 +88,9 @@ class InstitutionList(JSONAPIBaseView, generics.ListAPIView, ListFilterMixin):
     ordering = ('name',)
 
     def get_default_queryset(self):
-        return Institution.objects.filter(_id__isnull=False, is_deleted=False)
+        if 'filter[sso_availability]' in self.request.query_params:
+            return Institution.objects.filter(_id__isnull=False, is_deleted=False)
+        return Institution.objects.get_sso_institutions().filter(_id__isnull=False, is_deleted=False)
 
     # overrides ListAPIView
     def get_queryset(self):
diff --git a/osf/models/institution.py b/osf/models/institution.py
index 4ebb8752217..c60563bac63 100644
--- a/osf/models/institution.py
+++ b/osf/models/institution.py
@@ -63,6 +63,9 @@ def get_queryset(self):
     def get_all_institutions(self):
         return super().get_queryset()
 
+    def get_sso_institutions(self):
+        return super().get_queryset().filter(deactivated__isnull=True, sso_availability__in=[SSOAvailability.PUBLIC.value, SSOAvailability.UNAVAILABLE.value])
+
 
 class Institution(DirtyFieldsMixin, Loggable, ObjectIDMixin, BaseModel, GuardianMixin):
     objects = InstitutionManager()

From 51ed7711179b9d3dfe750d23ec3cf1a9791d8081 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Fri, 27 Mar 2026 11:24:19 +0200
Subject: [PATCH 19/43] Add test for default filter excluding institutions with
 hidden SSO availability

---
 .../views/test_institution_list.py            | 21 +++++++++++++++++++
 osf_tests/factories.py                        |  2 ++
 2 files changed, 23 insertions(+)

diff --git a/api_tests/institutions/views/test_institution_list.py b/api_tests/institutions/views/test_institution_list.py
index d203b2b9313..60e63056b7a 100644
--- a/api_tests/institutions/views/test_institution_list.py
+++ b/api_tests/institutions/views/test_institution_list.py
@@ -80,3 +80,24 @@ def test_sso_availability_filter(
         assert institution_one._id in ids
         assert institution_three._id in ids
         assert institution_two._id not in ids
+
+    def test_default_filter_excludes_institutions_with_sso_availability_hidden(
+            self, app, institution_one, institution_two, institution_three, url_institution
+    ):
+        institution_one.sso_availability = 'Unavailable'
+        institution_one.save()
+
+        institution_two.sso_availability = 'Public'
+        institution_two.save()
+
+        institution_three.sso_availability = 'Hidden'
+        institution_three.save()
+
+        res = app.get(url_institution)
+        assert res.status_code == 200
+
+        ids = [each['id'] for each in res.json['data']]
+        assert len(res.json['data']) == 2
+        assert institution_one._id in ids
+        assert institution_two._id in ids
+        assert institution_three._id not in ids
diff --git a/osf_tests/factories.py b/osf_tests/factories.py
index 0b357aed1aa..0d5e5ad0c32 100644
--- a/osf_tests/factories.py
+++ b/osf_tests/factories.py
@@ -28,6 +28,7 @@
 from osf import models
 from osf.models.sanctions import Sanction
 from osf.models.storage import PROVIDER_ASSET_NAME_CHOICES
+from osf.models.institution import SSOAvailability
 from osf.utils.names import impute_names_model
 from osf.utils.workflows import (
     DefaultStates,
@@ -258,6 +259,7 @@ class InstitutionFactory(DjangoModelFactory):
     orcid_record_verified_source = ''
     delegation_protocol = ''
     institutional_request_access_enabled = False
+    sso_availability = SSOAvailability.PUBLIC.value
 
     class Meta:
         model = models.Institution

From 417473d457e471ec89b9073c4e1f2b38127ea89d Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Mon, 30 Mar 2026 16:43:09 +0300
Subject: [PATCH 20/43] Rename get_sso_institutions to
 get_non_hidden_institutions

---
 api/institutions/views.py | 2 +-
 osf/models/institution.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/institutions/views.py b/api/institutions/views.py
index 6272cfbe59c..d653f5b4e77 100644
--- a/api/institutions/views.py
+++ b/api/institutions/views.py
@@ -90,7 +90,7 @@ class InstitutionList(JSONAPIBaseView, generics.ListAPIView, ListFilterMixin):
     def get_default_queryset(self):
         if 'filter[sso_availability]' in self.request.query_params:
             return Institution.objects.filter(_id__isnull=False, is_deleted=False)
-        return Institution.objects.get_sso_institutions().filter(_id__isnull=False, is_deleted=False)
+        return Institution.objects.get_non_hidden_institutions().filter(_id__isnull=False, is_deleted=False)
 
     # overrides ListAPIView
     def get_queryset(self):
diff --git a/osf/models/institution.py b/osf/models/institution.py
index c60563bac63..379f301a966 100644
--- a/osf/models/institution.py
+++ b/osf/models/institution.py
@@ -63,7 +63,7 @@ def get_queryset(self):
     def get_all_institutions(self):
         return super().get_queryset()
 
-    def get_sso_institutions(self):
+    def get_non_hidden_institutions(self):
         return super().get_queryset().filter(deactivated__isnull=True, sso_availability__in=[SSOAvailability.PUBLIC.value, SSOAvailability.UNAVAILABLE.value])
 
 

From 3ae6a473bddadbb38b50f8c346b04772f2161af1 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Tue, 31 Mar 2026 18:36:04 +0300
Subject: [PATCH 21/43] Enhance institution population script with test
 institution generation and SSO state handling

---
 scripts/populate_institutions.py | 63 +++++++++++++++++++++++++++++---
 1 file changed, 58 insertions(+), 5 deletions(-)

diff --git a/scripts/populate_institutions.py b/scripts/populate_institutions.py
index 3d0b832099a..61f1271b899 100644
--- a/scripts/populate_institutions.py
+++ b/scripts/populate_institutions.py
@@ -12,13 +12,13 @@
 
 from website import settings
 from website.app import init_app
-from osf.models import Institution
+from osf.models.institution import Institution, SSOAvailability, IntegrationType
 from website.search.search import update_institution
 
 logger = logging.getLogger(__name__)
 logging.basicConfig(level=logging.INFO)
 
-ENVS = ['prod', 'stage', 'stage2', 'stage3', 'test', 'local']
+ENVS = ['prod', 'stage', 'stage2', 'stage3', 'test', 'local', 'auto_generated']
 
 # TODO: Store only the Entity IDs in OSF DB and move the URL building process to CAS
 SHIBBOLETH_SP_LOGIN = f'{settings.CAS_SERVER_URL}/Shibboleth.sso/Login?entityID={{}}'
@@ -37,8 +37,9 @@ def encode_uri_component(val):
 
 
 def update_or_create(inst_data):
-    inst = Institution.load(inst_data['_id'])
-    if inst:
+    inst = Institution.objects.get_all_institutions().filter(_id=inst_data['_id'])
+    if inst.exists():
+        inst = inst.first()
         for key, val in inst_data.items():
             setattr(inst, key, val)
         inst.save()
@@ -53,6 +54,53 @@ def update_or_create(inst_data):
         return inst, True
 
 
+PROTOCOL_MAP = {
+    IntegrationType.SAML_SHIBBOLETH.value: 'SAML',
+    IntegrationType.CAS_PAC4J.value: 'CAS',
+    IntegrationType.OAUTH_PAC4J.value: 'OAuth',
+    IntegrationType.AFFILIATION_VIA_ORCID.value: 'ORCiD',
+    IntegrationType.NONE.value: 'None',
+}
+
+
+DEACTIVATED_STATES = [
+    None,
+    '2026-01-01T00:00:00+00:00',
+]
+
+
+def get_valid_sso_states(protocol, deactivated):
+    is_active = deactivated is None
+    if not protocol:
+        return [SSOAvailability.UNAVAILABLE.value]
+    if not is_active:
+        return [SSOAvailability.HIDDEN.value]
+    return [SSOAvailability.PUBLIC.value, SSOAvailability.HIDDEN.value]
+
+
+def generate_test_institutions():
+    institutions = []
+
+    for protocol in PROTOCOL_MAP.keys():
+        for deactivated in DEACTIVATED_STATES:
+            for availability in get_valid_sso_states(protocol, deactivated):
+                _id = f"{PROTOCOL_MAP[protocol]}_{availability}_{'a' if deactivated is None else 'i'}".lower()
+                institutions.append({
+                    '_id': _id,
+                    'name': f'Test Institution [{PROTOCOL_MAP[protocol] if protocol else "None"} {availability} {"Inactive" if deactivated else "Active"}]',
+                    'description': f'Description for {PROTOCOL_MAP[protocol] if protocol else "None"} {availability} {"Inactive" if deactivated else "Active"}',
+                    'login_url': SHIBBOLETH_SP_LOGIN.format(encode_uri_component(f'{_id}-entity-id')) if protocol == IntegrationType.SAML_SHIBBOLETH.value else None,
+                    'logout_url': SHIBBOLETH_SP_LOGOUT.format(encode_uri_component(f'https://osf.io/{_id}')) if protocol == IntegrationType.SAML_SHIBBOLETH.value else None,
+                    'domains': [],
+                    'email_domains': [f'{_id}.osf.io'] if not protocol else [],
+                    'delegation_protocol': protocol,
+                    'sso_availability': availability,
+                    'deactivated': deactivated,
+                })
+
+    return institutions
+
+
 def main(default_args=False):
 
     if default_args:
@@ -67,7 +115,12 @@ def main(default_args=False):
     if not server_env or server_env not in ENVS:
         logger.error(f'A valid environment must be specified: {ENVS}')
         sys.exit(1)
-    institutions = INSTITUTIONS[server_env]
+
+    if server_env == 'auto_generated':
+        logger.info('Generating institutions with all combinations of protocol, availability, and deactivated states for testing purposes.')
+        institutions = generate_test_institutions()
+    else:
+        institutions = INSTITUTIONS[server_env]
 
     if not update_all and not update_ids:
         logger.error('Nothing to update or create. Please either specify a list of institutions '

From 001345d986425d3ee0679c3749d18f34881dde66 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Tue, 31 Mar 2026 20:25:02 +0300
Subject: [PATCH 22/43] Refactor institution update logic to handle
 non-existent institutions and improve logout URL generation

---
 scripts/populate_institutions.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/scripts/populate_institutions.py b/scripts/populate_institutions.py
index 61f1271b899..64bf59bd2b9 100644
--- a/scripts/populate_institutions.py
+++ b/scripts/populate_institutions.py
@@ -37,9 +37,11 @@ def encode_uri_component(val):
 
 
 def update_or_create(inst_data):
-    inst = Institution.objects.get_all_institutions().filter(_id=inst_data['_id'])
-    if inst.exists():
-        inst = inst.first()
+    try:
+        inst = Institution.objects.get_all_institutions().get(_id=inst_data['_id'])
+    except Institution.DoesNotExist:
+        inst = None
+    if inst:
         for key, val in inst_data.items():
             setattr(inst, key, val)
         inst.save()
@@ -90,7 +92,7 @@ def generate_test_institutions():
                     'name': f'Test Institution [{PROTOCOL_MAP[protocol] if protocol else "None"} {availability} {"Inactive" if deactivated else "Active"}]',
                     'description': f'Description for {PROTOCOL_MAP[protocol] if protocol else "None"} {availability} {"Inactive" if deactivated else "Active"}',
                     'login_url': SHIBBOLETH_SP_LOGIN.format(encode_uri_component(f'{_id}-entity-id')) if protocol == IntegrationType.SAML_SHIBBOLETH.value else None,
-                    'logout_url': SHIBBOLETH_SP_LOGOUT.format(encode_uri_component(f'https://osf.io/{_id}')) if protocol == IntegrationType.SAML_SHIBBOLETH.value else None,
+                    'logout_url': SHIBBOLETH_SP_LOGOUT.format(encode_uri_component(f'{settings.DOMAIN}{_id}')) if protocol == IntegrationType.SAML_SHIBBOLETH.value else None,
                     'domains': [],
                     'email_domains': [f'{_id}.osf.io'] if not protocol else [],
                     'delegation_protocol': protocol,

From d367f10449ea5949c918c882778c9a804b3d6d9c Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Mon, 6 Apr 2026 15:26:25 +0300
Subject: [PATCH 23/43] Implement validation for SSO availability in
 InstitutionForm

---
 admin/institutions/forms.py | 21 ++++++++++++++++++++-
 admin/institutions/views.py |  9 +++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/admin/institutions/forms.py b/admin/institutions/forms.py
index ccb7e9c4e77..ebcb5829e3f 100644
--- a/admin/institutions/forms.py
+++ b/admin/institutions/forms.py
@@ -1,5 +1,5 @@
 from django import forms
-from osf.models import Institution
+from osf.models.institution import Institution, SSOAvailability
 
 
 class InstitutionForm(forms.ModelForm):
@@ -10,6 +10,25 @@ class Meta:
             'is_deleted', 'contributors', 'storage_regions',
         ]
 
+    def clean(self):
+        super().clean()
+
+        if hasattr(self, 'cleaned_data') and self.changed_data:
+            if not self.cleaned_data['delegation_protocol']:
+                if self.cleaned_data['sso_availability'] != SSOAvailability.UNAVAILABLE.value:
+                    self.add_error('sso_availability', 'Must be UNAVAILABLE when no protocol')
+
+            elif self.cleaned_data['deactivated']:
+                if self.cleaned_data['sso_availability'] != SSOAvailability.HIDDEN.value:
+                    self.add_error('sso_availability', 'Inactive must be HIDDEN')
+
+            else:
+                if self.cleaned_data['sso_availability'] not in [
+                    SSOAvailability.PUBLIC.value,
+                    SSOAvailability.HIDDEN.value
+                ]:
+                    self.add_error('sso_availability', 'Active must be PUBLIC or HIDDEN')
+
 
 class InstitutionalMetricsAdminRegisterForm(forms.Form):
     """ A form that finds an existing OSF User, and grants permissions to that
diff --git a/admin/institutions/views.py b/admin/institutions/views.py
index 7ab8994e41f..a6ef9741f89 100644
--- a/admin/institutions/views.py
+++ b/admin/institutions/views.py
@@ -118,6 +118,15 @@ def get_context_data(self, *args, **kwargs):
     def get_success_url(self, *args, **kwargs):
         return reverse_lazy('institutions:detail', kwargs={'institution_id': self.kwargs.get('institution_id')})
 
+    def post(self, request, *args, **kwargs):
+        self.object = self.get_object()
+        form = self.get_form()
+        if form.is_valid():
+            return self.form_valid(form)
+        else:
+            messages.error(request, form.errors)
+            return redirect('institutions:detail', institution_id=self.kwargs.get('institution_id'))
+
 
 class InstitutionExport(PermissionRequiredMixin, View):
     permission_required = 'osf.view_institution'

From 2e5719a7efa33bc14a458f231ff40b18fda69abd Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Mon, 6 Apr 2026 16:42:16 +0300
Subject: [PATCH 24/43] fix institution form unit tests

---
 admin_tests/institutions/test_views.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/admin_tests/institutions/test_views.py b/admin_tests/institutions/test_views.py
index c3c8a3c3fab..1a8029ed088 100644
--- a/admin_tests/institutions/test_views.py
+++ b/admin_tests/institutions/test_views.py
@@ -140,11 +140,23 @@ def test_institution_form(self):
             'logo_name': 'awesome_logo.png',
             'domains': 'http://kris.biz/, http://www.little.biz/',
             '_id': 'newawesomeprov',
-            'sso_availability': 'Public',
+            'sso_availability': 'Unavailable',
         }
         form = InstitutionForm(data=new_data)
         assert form.is_valid()
 
+    def test_institution_form_invalid(self):
+        new_data = {
+            'name': 'New Name',
+            'logo_name': 'awesome_logo.png',
+            'domains': 'http://kris.biz/, http://www.little.biz/',
+            '_id': 'newawesomeprov',
+            'sso_availability': 'Public',
+        }
+        form = InstitutionForm(data=new_data)
+        assert not form.is_valid()
+        assert 'sso_availability' in form.errors
+
 
 class TestInstitutionExport(AdminTestCase):
     def setUp(self):
@@ -216,7 +228,7 @@ def test_monthly_reporter_called_on_create(self, mock_monthly_reporter_do):
             'orcid_record_verified_source': '',
             'delegation_protocol': '',
             'institutional_request_access_enabled': False,
-            'sso_availability': 'Public',
+            'sso_availability': 'Unavailable',
         }
         form = InstitutionForm(data=data)
         assert form.is_valid()

From cb9fc6b0e825e24dc02be474ce7e4d153dfbf10c Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Mon, 6 Apr 2026 18:25:45 +0300
Subject: [PATCH 25/43] Refactor SSO availability validation in InstitutionForm
 and override post method in InstitutionChangeForm for custom behavior

---
 admin/institutions/forms.py | 7 -------
 admin/institutions/views.py | 1 +
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/admin/institutions/forms.py b/admin/institutions/forms.py
index ebcb5829e3f..1ccd3dc514f 100644
--- a/admin/institutions/forms.py
+++ b/admin/institutions/forms.py
@@ -22,13 +22,6 @@ def clean(self):
                 if self.cleaned_data['sso_availability'] != SSOAvailability.HIDDEN.value:
                     self.add_error('sso_availability', 'Inactive must be HIDDEN')
 
-            else:
-                if self.cleaned_data['sso_availability'] not in [
-                    SSOAvailability.PUBLIC.value,
-                    SSOAvailability.HIDDEN.value
-                ]:
-                    self.add_error('sso_availability', 'Active must be PUBLIC or HIDDEN')
-
 
 class InstitutionalMetricsAdminRegisterForm(forms.Form):
     """ A form that finds an existing OSF User, and grants permissions to that
diff --git a/admin/institutions/views.py b/admin/institutions/views.py
index a6ef9741f89..2ec2776695f 100644
--- a/admin/institutions/views.py
+++ b/admin/institutions/views.py
@@ -119,6 +119,7 @@ def get_success_url(self, *args, **kwargs):
         return reverse_lazy('institutions:detail', kwargs={'institution_id': self.kwargs.get('institution_id')})
 
     def post(self, request, *args, **kwargs):
+        # Override post method from ProcessFormView due to custom  behavior
         self.object = self.get_object()
         form = self.get_form()
         if form.is_valid():

From 4c4f55999f153c917da8ab91c22806a343d8d4d3 Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Mon, 6 Apr 2026 12:16:16 -0400
Subject: [PATCH 26/43] Apply suggestion from @cslzchen

---
 admin/institutions/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin/institutions/views.py b/admin/institutions/views.py
index 2ec2776695f..be65f35a031 100644
--- a/admin/institutions/views.py
+++ b/admin/institutions/views.py
@@ -119,7 +119,7 @@ def get_success_url(self, *args, **kwargs):
         return reverse_lazy('institutions:detail', kwargs={'institution_id': self.kwargs.get('institution_id')})
 
     def post(self, request, *args, **kwargs):
-        # Override post method from ProcessFormView due to custom  behavior
+        # Override `post` method in `django.views.generic.edit.ProcessFormView` due to custom behavior
         self.object = self.get_object()
         form = self.get_form()
         if form.is_valid():

From bd04f62cc137cab5bd2cb159a9b4510019f950f0 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Thu, 23 Apr 2026 17:20:24 +0300
Subject: [PATCH 27/43] Enable/disable "Copy SSO URL" button based on CAS login
 URL availability

---
 admin/templates/institutions/detail.html | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/admin/templates/institutions/detail.html b/admin/templates/institutions/detail.html
index 38b3ba2813d..a03e0bf470a 100644
--- a/admin/templates/institutions/detail.html
+++ b/admin/templates/institutions/detail.html
@@ -60,18 +60,18 @@
                 {% if perms.osf.change_institution %}
                 <a class="btn btn-primary" href={% url 'institutions:list_and_add_admin' institution.id %}>Manage Admins</a>
                 {% endif %}
-                {% if cas_login_url %}
-                    <button class="btn btn-primary" onclick="openCopyPopup('{{ cas_login_url|escapejs }}')">
-                        Copy SSO URL
-                    </button>
-                    <div id="copy-modal" class="modal">
-                        <div class="modal-content">
-                            <span class="close" onclick="closeCopyPopup()">&times;</span>
-                            <p>Value copied. You can also copy manually:</p>
-                            <textarea id="copy-input" readonly></textarea>
-                        </div>
+                <button
+                    {% if not cas_login_url %}disabled{% endif %}
+                    class="btn btn-primary" onclick="openCopyPopup('{{ cas_login_url|escapejs }}')">
+                    Copy SSO URL
+                </button>
+                <div id="copy-modal" class="modal">
+                    <div class="modal-content">
+                        <span class="close" onclick="closeCopyPopup()">&times;</span>
+                        <p>Value copied. You can also copy manually:</p>
+                        <textarea id="copy-input" readonly></textarea>
                     </div>
-                {% endif %}
+                </div>
             </div>
         </div>
 

From 7ed4c184c7bbb0e4e24b86b684fbf734b9030c26 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Fri, 24 Apr 2026 12:28:03 +0300
Subject: [PATCH 28/43] Improve SSO availability validation messages in
 InstitutionForm and enhance error handling in InstitutionChangeForm

Co-authored-by: Copilot <copilot@github.com>
---
 admin/institutions/forms.py | 4 ++--
 admin/institutions/views.py | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/admin/institutions/forms.py b/admin/institutions/forms.py
index 1ccd3dc514f..40214756a06 100644
--- a/admin/institutions/forms.py
+++ b/admin/institutions/forms.py
@@ -16,11 +16,11 @@ def clean(self):
         if hasattr(self, 'cleaned_data') and self.changed_data:
             if not self.cleaned_data['delegation_protocol']:
                 if self.cleaned_data['sso_availability'] != SSOAvailability.UNAVAILABLE.value:
-                    self.add_error('sso_availability', 'Must be UNAVAILABLE when no protocol')
+                    self.add_error(None, 'SSO availability must be set to "Unavailable" when no delegation protocol is configured.')
 
             elif self.cleaned_data['deactivated']:
                 if self.cleaned_data['sso_availability'] != SSOAvailability.HIDDEN.value:
-                    self.add_error('sso_availability', 'Inactive must be HIDDEN')
+                    self.add_error(None, 'SSO availability must be set to "Hidden" when the institution is deactivated.')
 
 
 class InstitutionalMetricsAdminRegisterForm(forms.Form):
diff --git a/admin/institutions/views.py b/admin/institutions/views.py
index bd690747b48..50b1bcf9d4c 100644
--- a/admin/institutions/views.py
+++ b/admin/institutions/views.py
@@ -125,7 +125,8 @@ def post(self, request, *args, **kwargs):
         if form.is_valid():
             return self.form_valid(form)
         else:
-            messages.error(request, form.errors)
+            for error in form.non_field_errors():
+                messages.error(request, error)
             return redirect('institutions:detail', institution_id=self.kwargs.get('institution_id'))
 
 

From 038ddcdb0eeb8426929305f2e6f69a4f173f7163 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Fri, 24 Apr 2026 12:52:51 +0300
Subject: [PATCH 29/43] Update SSO availability validation error message in
 InstitutionForm test

---
 admin_tests/institutions/test_views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin_tests/institutions/test_views.py b/admin_tests/institutions/test_views.py
index 1a8029ed088..6326d3f608e 100644
--- a/admin_tests/institutions/test_views.py
+++ b/admin_tests/institutions/test_views.py
@@ -155,7 +155,7 @@ def test_institution_form_invalid(self):
         }
         form = InstitutionForm(data=new_data)
         assert not form.is_valid()
-        assert 'sso_availability' in form.errors
+        assert {'__all__': ['SSO availability must be set to "Unavailable" when no delegation protocol is configured.']} == form.errors
 
 
 class TestInstitutionExport(AdminTestCase):

From 0093a067443d1dc7aeea424d8a61de6b14237e22 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Fri, 24 Apr 2026 17:34:58 +0300
Subject: [PATCH 30/43] Disable "Copy SSO URL" button if institution is
 deactivated

---
 admin/templates/institutions/detail.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin/templates/institutions/detail.html b/admin/templates/institutions/detail.html
index a03e0bf470a..ef2c9d5ff94 100644
--- a/admin/templates/institutions/detail.html
+++ b/admin/templates/institutions/detail.html
@@ -61,7 +61,7 @@
                 <a class="btn btn-primary" href={% url 'institutions:list_and_add_admin' institution.id %}>Manage Admins</a>
                 {% endif %}
                 <button
-                    {% if not cas_login_url %}disabled{% endif %}
+                    {% if not cas_login_url or institution.deactivated is not None %}disabled{% endif %}
                     class="btn btn-primary" onclick="openCopyPopup('{{ cas_login_url|escapejs }}')">
                     Copy SSO URL
                 </button>

From 959cbc03a1fbc4451504674366a7853f38499c90 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Mon, 27 Apr 2026 11:55:11 +0300
Subject: [PATCH 31/43] Refactor SSO availability validation in InstitutionForm
 to ensure correct settings based on delegation protocol and institution
 status

---
 admin/institutions/forms.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/admin/institutions/forms.py b/admin/institutions/forms.py
index 40214756a06..f482700a8c1 100644
--- a/admin/institutions/forms.py
+++ b/admin/institutions/forms.py
@@ -22,6 +22,13 @@ def clean(self):
                 if self.cleaned_data['sso_availability'] != SSOAvailability.HIDDEN.value:
                     self.add_error(None, 'SSO availability must be set to "Hidden" when the institution is deactivated.')
 
+            else:
+                if self.cleaned_data['sso_availability'] not in [
+                    SSOAvailability.PUBLIC.value,
+                    SSOAvailability.HIDDEN.value
+                ]:
+                    self.add_error(None, 'SSO availability must be set to "Public" or "Hidden" when delegation protocol is configured.')
+
 
 class InstitutionalMetricsAdminRegisterForm(forms.Form):
     """ A form that finds an existing OSF User, and grants permissions to that

From 271e1cb52417ab20e2b14ba65f58ec26f3d51cde Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi <ozherebetskyi@exoft.net>
Date: Mon, 27 Apr 2026 17:00:10 +0300
Subject: [PATCH 32/43] Add merge migration

---
 osf/migrations/0039_merge_20260427_1359.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 osf/migrations/0039_merge_20260427_1359.py

diff --git a/osf/migrations/0039_merge_20260427_1359.py b/osf/migrations/0039_merge_20260427_1359.py
new file mode 100644
index 00000000000..51979d93ca9
--- /dev/null
+++ b/osf/migrations/0039_merge_20260427_1359.py
@@ -0,0 +1,14 @@
+# Generated by Django 4.2.15 on 2026-04-27 13:59
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('osf', '0038_abstractnode_date_last_indexed_and_more'),
+        ('osf', '0038_institution_sso_availability'),
+    ]
+
+    operations = [
+    ]

From cb6301e88c5cf61dcb28b4affae1ae095a730a8f Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Thu, 23 Apr 2026 15:36:18 -0400
Subject: [PATCH 33/43] Rework auth views/routes/redirects

---
 framework/auth/utils.py |  7 +++++++
 framework/auth/views.py |  6 +++---
 website/routes.py       | 19 ++++--------------
 website/views.py        | 43 +++++++++++++++++++++++------------------
 4 files changed, 38 insertions(+), 37 deletions(-)

diff --git a/framework/auth/utils.py b/framework/auth/utils.py
index 520c9489e1b..8f5bbca97b9 100644
--- a/framework/auth/utils.py
+++ b/framework/auth/utils.py
@@ -11,6 +11,7 @@
 
 from framework import sentry
 from website import settings
+from website.util import web_url_for
 
 logger = logging.getLogger(__name__)
 
@@ -169,3 +170,9 @@ def generate_csl_given_name(given_name, middle_names='', suffix=''):
     if suffix:
         given = f'{given}, {suffix}'
     return given
+
+def get_default_osf_logout_url():
+    """Return the default OSF logout URL.
+    """
+    next_url = web_url_for(view_name='index', _absolute=True)
+    return web_url_for(view_name='auth_logout', _absolute=True, next=next_url)
diff --git a/framework/auth/views.py b/framework/auth/views.py
index 59b2a207af4..02fef28ab24 100644
--- a/framework/auth/views.py
+++ b/framework/auth/views.py
@@ -84,7 +84,7 @@ def _reset_password_get(auth, uid=None, token=None, institutional=False):
         raise HTTPError(http_status.HTTP_400_BAD_REQUEST, data=error_data)
 
     # override routes.py login_url to redirect to my-projects
-    service_url = web_url_for('my_projects', _absolute=True)
+    service_url = web_url_for('dashboard', _absolute=True)
 
     return {
         'uid': user_obj._id,
@@ -176,7 +176,7 @@ def forgot_password_get(auth):
 
     #overriding the routes.py sign in url to redirect to the my-projects after login
     context = {}
-    context['login_url'] = web_url_for('my_projects', _absolute=True)
+    context['login_url'] = web_url_for('dashboard', _absolute=True)
 
     return context
 
@@ -391,7 +391,7 @@ def login_and_register_handler(auth, login=True, campaign=None, next_url=None, l
         # `/login/` or `/register/` without any parameter
         if auth.logged_in:
             data['status_code'] = http_status.HTTP_302_FOUND
-        data['next_url'] = web_url_for('my_projects', _absolute=True)
+        data['next_url'] = web_url_for('index', _absolute=True)
 
     return data
 
diff --git a/website/routes.py b/website/routes.py
index 226f03fb1f1..ec7245fd00d 100644
--- a/website/routes.py
+++ b/website/routes.py
@@ -230,11 +230,10 @@ def sitemap_file(path):
 
 def goodbye():
     # Redirect to dashboard if logged in
-    redirect_url = util.web_url_for('auth_login')
     if _get_current_user():
-        return redirect(redirect_url)
+        return redirect(util.web_url_for('dashboard'))
     else:
-        return redirect(redirect_url + '?goodbye=true')
+        return redirect(util.web_url_for('index'))
 
 def make_url_map(app):
     """Set up all the routes for the OSF app.
@@ -294,12 +293,8 @@ def make_url_map(app):
 
     process_rules(app, [
         Rule('/', 'get', website_views.index, notemplate),
-        Rule(
-            '/dashboard/',
-            'get',
-            website_views.dashboard,
-            notemplate
-        ),
+        Rule('/dashboard/', 'get', website_views.dashboard, notemplate),
+        Rule('/my-projects/', 'get', website_views.my_projects, notemplate),
 
         Rule(
             '/metadata/<guid>/',
@@ -307,12 +302,6 @@ def make_url_map(app):
             website_views.metadata_download,
             notemplate
         ),
-        Rule(
-            '/my-projects/',
-            'get',
-            website_views.my_projects,
-            OsfWebRenderer('my_projects.mako', trust=False)
-        ),
 
         Rule(
             '/reproducibility/',
diff --git a/website/views.py b/website/views.py
index 1a4bf4942da..f9601fb0441 100644
--- a/website/views.py
+++ b/website/views.py
@@ -8,8 +8,10 @@
 from django.apps import apps
 from flask import request, Response
 
+from framework import sentry
 from framework.auth import Auth
-from framework.auth.decorators import must_be_logged_in, is_contributor_or_public_resource
+from framework.auth.utils import get_default_osf_logout_url
+from framework.auth.decorators import is_contributor_or_public_resource
 from framework.auth.forms import SignInForm, ForgotPasswordForm
 from framework.exceptions import HTTPError
 from framework.flask import redirect  # VOL-aware redirect
@@ -28,7 +30,6 @@
 from osf.utils import permissions
 from osf.metadata.tools import pls_gather_metadata_file
 
-from api.waffle.utils import storage_i18n_flag_active
 
 logger = logging.getLogger(__name__)
 
@@ -132,21 +133,6 @@ def find_bookmark_collection(user):
     return Collection.objects.get(creator=user, deleted__isnull=True, is_bookmark_collection=True)
 
 
-@must_be_logged_in
-def my_projects(auth):
-    user = auth.user
-
-    region_list = get_storage_region_list(user)
-
-    bookmark_collection = find_bookmark_collection(user)
-    my_projects_id = bookmark_collection._id
-    return {'addons_enabled': user.get_addon_names(),
-            'dashboard_id': my_projects_id,
-            'storage_regions': region_list,
-            'storage_flag_is_active': storage_i18n_flag_active(),
-            }
-
-
 def validate_page_num(page, pages):
     if page < 0 or (pages and page >= pages):
         raise HTTPError(http_status.HTTP_400_BAD_REQUEST, data=dict(
@@ -165,11 +151,30 @@ def paginate(items, total, page, size):
 
 
 def index():
-    return redirect('/my-projects/')
+    """This route is handled by Angular now and web flow should not reach it at all.
+    There is alo no direct call of this view other than via `website/routes`. However,
+    we kept this view to use `web_url_for()` to build correct URL to go to Angular.
+    """
+    sentry.log_message('View "index" should not have been directly called or reached')
+    return redirect(get_default_osf_logout_url())
 
 
 def dashboard():
-    return redirect('/my-projects/')
+    """ This route is handled by Angular now and web flow should not reach it at all.
+    There is alo no direct call of this view other than via `website/routes`. However,
+    we kept this view to use `web_url_for()` to build correct URL to go to Angular.
+    """
+    sentry.log_message('View "dashboard" should not have been directly called or reached')
+    return redirect(get_default_osf_logout_url())
+
+
+def my_projects():
+    """ This route is handled by Angular now and web flow should not reach it at all.
+    There is alo no direct call of this view other than via `website/routes`. However,
+    we kept this view to use `web_url_for()` to build correct URL to go to Angular.
+    """
+    sentry.log_message('View "my_projects" should not have been directly called or reached')
+    return redirect(get_default_osf_logout_url())
 
 
 def reproducibility():

From 208fbf5e867b0fc05c13e867fef57c9c7f55b24b Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Thu, 23 Apr 2026 15:40:55 -0400
Subject: [PATCH 34/43] Fix incorrect handling of invalid session/cookie

---
 framework/sessions/__init__.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/framework/sessions/__init__.py b/framework/sessions/__init__.py
index 5891cb6d69f..bc11b690b12 100644
--- a/framework/sessions/__init__.py
+++ b/framework/sessions/__init__.py
@@ -15,7 +15,6 @@
 from osf.utils.fields import ensure_str
 from osf.exceptions import InvalidCookieOrSessionError
 from website import settings
-from website.util import web_url_for
 
 SessionStore = import_module(django_conf_settings.SESSION_ENGINE).SessionStore
 
@@ -165,7 +164,7 @@ def create_session(response, data=None):
 def before_request():
     # TODO: Fix circular import
     from framework.auth.core import get_user
-    from framework.auth import cas
+    from framework.auth import cas, utils
     UserSessionMap = apps.get_model('osf.UserSessionMap')
 
     # Request Type 1: Service ticket validation during CAS login.
@@ -216,7 +215,8 @@ def before_request():
         try:
             user_session = flask_get_session_from_cookie(cookie)
         except InvalidCookieOrSessionError:
-            response = redirect(web_url_for('auth_login'))
+            # If invalid session/cookie happens, perform a full logout to clear both CAS and OSF Sessions
+            response = redirect(utils.get_default_osf_logout_url())
             response.delete_cookie(settings.COOKIE_NAME, domain=settings.OSF_COOKIE_DOMAIN)
             return response
         # Case 1: anonymous session that is used for first time external (e.g. ORCiD) login only

From 6c8ca7aa9cd77d83a41dbcef6b75900bfbf52218 Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Fri, 24 Apr 2026 14:30:30 -0400
Subject: [PATCH 35/43] Add local mode and update web_url_for to support
 angular domain

---
 website/settings/defaults.py   | 3 ++-
 website/settings/local-ci.py   | 2 ++
 website/settings/local-dist.py | 3 ++-
 website/util/__init__.py       | 7 ++++++-
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/website/settings/defaults.py b/website/settings/defaults.py
index 75edc0bd5a6..c2ad5bff701 100644
--- a/website/settings/defaults.py
+++ b/website/settings/defaults.py
@@ -84,13 +84,14 @@ def parent_dir(path):
 DEV_MODE = False
 DEBUG_MODE = False
 SECURE_MODE = not DEBUG_MODE  # Set secure cookie
+LOCAL_MODE = False  # handles angular and web with different domains in local env
 
 PROTOCOL = 'https://' if SECURE_MODE else 'http://'
 DOMAIN = PROTOCOL + 'localhost:5000/'
 INTERNAL_DOMAIN = DOMAIN
 API_DOMAIN = PROTOCOL + 'localhost:8000/'
 RESET_PASSWORD_URL = PROTOCOL + 'localhost:5000/resetpassword/' # TODO set angular reset password url
-LOCAL_ANGULAR_URL = 'localhost:4200'
+LOCAL_ANGULAR_DOMAIN = PROTOCOL + 'localhost:4200/'  # Only used when LOCAL_MODE is True
 
 PREPRINT_PROVIDER_DOMAINS = {
     'enabled': False,
diff --git a/website/settings/local-ci.py b/website/settings/local-ci.py
index a4d250a9792..eec0e7070e2 100644
--- a/website/settings/local-ci.py
+++ b/website/settings/local-ci.py
@@ -12,10 +12,12 @@
 DEV_MODE = True
 DEBUG_MODE = True  # Sets app to debug mode, turns off template caching, etc.
 SECURE_MODE = not DEBUG_MODE  # Disable osf secure cookie
+LOCAL_MODE = True  # handles angular and web with different domains in local env
 
 PROTOCOL = 'https://' if SECURE_MODE else 'http://'
 DOMAIN = PROTOCOL + 'localhost:5000/'
 API_DOMAIN = PROTOCOL + 'localhost:8000/'
+LOCAL_ANGULAR_DOMAIN = PROTOCOL + 'localhost:4200/'  # Only used when LOCAL_MODE is True
 ENABLE_INSTITUTIONS = True
 
 PREPRINT_PROVIDER_DOMAINS = {
diff --git a/website/settings/local-dist.py b/website/settings/local-dist.py
index 01d26b420c2..fbd7f4a451e 100644
--- a/website/settings/local-dist.py
+++ b/website/settings/local-dist.py
@@ -11,6 +11,7 @@
 DEV_MODE = True
 DEBUG_MODE = True  # Sets app to debug mode, turns off template caching, etc.
 SECURE_MODE = not DEBUG_MODE  # Disable osf cookie secure
+LOCAL_MODE = True  # handles angular and web with different domains in local env
 
 # NOTE: Internal Domains/URLs have been added to facilitate docker development environments
 #       when localhost inside a container != localhost on the client machine/docker host.
@@ -19,7 +20,7 @@
 DOMAIN = PROTOCOL + 'localhost:5000/'
 INTERNAL_DOMAIN = DOMAIN
 API_DOMAIN = PROTOCOL + 'localhost:8000/'
-LOCAL_ANGULAR_DOMAIN = PROTOCOL + 'localhost:4200/'
+LOCAL_ANGULAR_DOMAIN = PROTOCOL + 'localhost:4200/'  # Only used when LOCAL_MODE is True
 
 #WATERBUTLER_URL = 'http://localhost:7777'
 #WATERBUTLER_INTERNAL_URL = WATERBUTLER_URL
diff --git a/website/util/__init__.py b/website/util/__init__.py
index f74182300cf..70ae6644e90 100644
--- a/website/util/__init__.py
+++ b/website/util/__init__.py
@@ -88,7 +88,7 @@ def api_v2_url(path_str,
     return x
 
 # Move to api utils?
-def web_url_for(view_name, _absolute=False, _internal=False, _guid=False, *args, **kwargs):
+def web_url_for(view_name, _absolute=False, _internal=False, _guid=False, _angular_route=False, *args, **kwargs):
     """Reverse URL lookup for web routes (those that use the OsfWebRenderer).
     Takes the same arguments as Flask's url_for, with the addition of
     `_absolute`, which will make an absolute URL with the correct HTTP scheme
@@ -102,6 +102,11 @@ def web_url_for(view_name, _absolute=False, _internal=False, _guid=False, *args,
         # We do NOT use the url_for's _external kwarg because app.config['SERVER_NAME'] alters
         # behavior in an unknown way (currently breaks tests). /sloria /jspies
         domain = website_settings.INTERNAL_DOMAIN if _internal else website_settings.DOMAIN
+        if website_settings.LOCAL_MODE and _angular_route:
+            # We use `web_url_for()` to build URLs that actually goes to the angular
+            # container. It is not a problem for servers since web and angular shares
+            # the same domain. However, we need to handle this differently locally.
+            domain = website_settings.LOCAL_ANGULAR_DOMAIN
         return urljoin(domain, url)
     return url
 

From d14ee17792601e77f2d8246ca3b92d5be3c64d07 Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Fri, 24 Apr 2026 14:57:27 -0400
Subject: [PATCH 36/43] Update auth views to use updated web_url_for

---
 framework/auth/views.py | 21 ++++++++++-----------
 website/routes.py       |  4 ++--
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/framework/auth/views.py b/framework/auth/views.py
index 02fef28ab24..1b95bc3d6e7 100644
--- a/framework/auth/views.py
+++ b/framework/auth/views.py
@@ -84,7 +84,7 @@ def _reset_password_get(auth, uid=None, token=None, institutional=False):
         raise HTTPError(http_status.HTTP_400_BAD_REQUEST, data=error_data)
 
     # override routes.py login_url to redirect to my-projects
-    service_url = web_url_for('dashboard', _absolute=True)
+    service_url = web_url_for('dashboard', _absolute=True, _angular_route=True)
 
     return {
         'uid': user_obj._id,
@@ -142,7 +142,7 @@ def reset_password_post(uid=None, token=None):
             status.push_status_message('Password reset', kind='success', trust=False)
             # redirect to CAS and authenticate the user automatically with one-time verification key.
             return redirect(cas.get_login_url(
-                web_url_for('user_account', _absolute=True),
+                web_url_for('user_account', _absolute=True, _angular_route=True),
                 username=user_obj.username,
                 verification_key=user_obj.verification_key
             ))
@@ -176,7 +176,7 @@ def forgot_password_get(auth):
 
     #overriding the routes.py sign in url to redirect to the my-projects after login
     context = {}
-    context['login_url'] = web_url_for('dashboard', _absolute=True)
+    context['login_url'] = web_url_for('dashboard', _absolute=True, _angular_route=True)
 
     return context
 
@@ -324,7 +324,7 @@ def login_and_register_handler(auth, login=True, campaign=None, next_url=None, l
             # unlike other campaigns, institution login serves as an alternative for authentication
             if campaign == 'institution':
                 if next_url is None:
-                    next_url = web_url_for('my_projects', _absolute=True)
+                    next_url = web_url_for('dashboard', _absolute=True, _angular_route=True)
                 data['status_code'] = http_status.HTTP_302_FOUND
                 if auth.logged_in:
                     data['next_url'] = next_url
@@ -391,7 +391,7 @@ def login_and_register_handler(auth, login=True, campaign=None, next_url=None, l
         # `/login/` or `/register/` without any parameter
         if auth.logged_in:
             data['status_code'] = http_status.HTTP_302_FOUND
-        data['next_url'] = web_url_for('index', _absolute=True)
+        data['next_url'] = web_url_for('index', _absolute=True, _angular_route=True)
 
     return data
 
@@ -614,7 +614,7 @@ def external_login_confirm_email_get(auth, uid, token):
             return redirect(campaign_url)
         if new:
             status.push_status_message(language.WELCOME_MESSAGE, kind='default', jumbotron=True, trust=True, id='welcome_message')
-        return redirect(web_url_for('my_projects'))
+        return redirect(web_url_for('dashboard', _absolute=True, _angular_route=True))
 
     # token is invalid
     if token not in user.email_verifications:
@@ -712,10 +712,10 @@ def confirm_email_get(token, auth=None, **kwargs):
                 status.push_status_message(language.WELCOME_MESSAGE, kind='default', jumbotron=True, trust=True, id='welcome_message')
             if token in auth.user.email_verifications:
                 status.push_status_message(language.CONFIRM_ALTERNATE_EMAIL_ERROR, kind='danger', trust=True, id='alternate_email_error')
-            return redirect(web_url_for('my_projects'))
+            return redirect(web_url_for('dashboard', _absolute=True, _angular_route=True))
 
         status.push_status_message(language.MERGE_COMPLETE, kind='success', trust=False)
-        return redirect(web_url_for('user_account'))
+        return redirect(web_url_for('user_account', _absolute=True, _angular_route=True))
 
     try:
         user.confirm_email(token, merge=is_merge)
@@ -1053,8 +1053,7 @@ def external_login_email_post():
     fullname = session.get('auth_user_fullname', None) or form.name.data
     service_url = session.get('service_url', None)
 
-    # TODO: @cslzchen use user tags instead of destination
-    destination = 'my_projects'
+    destination = 'dashboard'
     for campaign in campaigns.get_campaigns():
         if campaign != 'institution':
             # Handle different url encoding schemes between `furl` and `urlparse/urllib`.
@@ -1203,7 +1202,7 @@ def validate_next_url(next_url):
     """
 
     # allow redirection to angular locally
-    if settings.LOCAL_ANGULAR_URL in next_url and settings.DEBUG_MODE:
+    if settings.LOCAL_MODE and next_url.startswith(settings.LOCAL_ANGULAR_DOMAIN):
         return True
 
     # disable external domain using `//`: the browser allows `//` as a shortcut for non-protocol specific requests
diff --git a/website/routes.py b/website/routes.py
index ec7245fd00d..7bc8d1cab19 100644
--- a/website/routes.py
+++ b/website/routes.py
@@ -231,9 +231,9 @@ def sitemap_file(path):
 def goodbye():
     # Redirect to dashboard if logged in
     if _get_current_user():
-        return redirect(util.web_url_for('dashboard'))
+        return redirect(util.web_url_for('dashboard', _absolute=True, _local_angular=True))
     else:
-        return redirect(util.web_url_for('index'))
+        return redirect(util.web_url_for('index', _absolute=True, _local_angular=True))
 
 def make_url_map(app):
     """Set up all the routes for the OSF app.

From bd582b3efa6fa770979b7f05cbf3676277da9c9e Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Fri, 24 Apr 2026 15:02:34 -0400
Subject: [PATCH 37/43] Update auth views tests

---
 tests/test_auth_views.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/tests/test_auth_views.py b/tests/test_auth_views.py
index 75ef5de497a..444f5788f80 100644
--- a/tests/test_auth_views.py
+++ b/tests/test_auth_views.py
@@ -585,13 +585,13 @@ def test_next_url_login_with_auth(self):
         assert data.get('next_url') == self.next_url
 
     def test_next_url_angular_login_with_auth(self):
-        data = login_and_register_handler(self.auth, next_url=settings.LOCAL_ANGULAR_URL)
+        data = login_and_register_handler(self.auth, next_url=settings.LOCAL_ANGULAR_DOMAIN)
         assert data.get('status_code') == http_status.HTTP_302_FOUND
-        assert data.get('next_url') == settings.LOCAL_ANGULAR_URL
+        assert data.get('next_url') == settings.LOCAL_ANGULAR_DOMAIN
 
     def test_next_url_angular_login_without_auth(self):
-        request.url = web_url_for('auth_login', next=settings.LOCAL_ANGULAR_URL, _absolute=True)
-        data = login_and_register_handler(self.no_auth, next_url=settings.LOCAL_ANGULAR_URL)
+        request.url = web_url_for('auth_login', next=settings.LOCAL_ANGULAR_DOMAIN, _absolute=True)
+        data = login_and_register_handler(self.no_auth, next_url=settings.LOCAL_ANGULAR_DOMAIN)
         assert data.get('status_code') == http_status.HTTP_302_FOUND
         assert data.get('next_url') == cas.get_login_url(request.url)
 
@@ -838,7 +838,6 @@ def test_logout_with_no_parameter(self):
         assert resp.status_code == http_status.HTTP_302_FOUND
         assert cas.get_logout_url(self.goodbye_url) == resp.headers['Location']
 
-    @mock.patch('framework.auth.views.settings.LOCAL_ANGULAR_URL', 'http://localhost:4200')
     def test_logout_with_angular_next_url_logged_in(self):
         angular_url = 'http://localhost:4200/'
         logout_url = web_url_for('auth_logout', _absolute=True, next=angular_url)
@@ -846,9 +845,8 @@ def test_logout_with_angular_next_url_logged_in(self):
         assert resp.status_code == http_status.HTTP_302_FOUND
         assert cas.get_logout_url(logout_url) == resp.headers['Location']
 
-    @mock.patch('framework.auth.views.settings.LOCAL_ANGULAR_URL', 'http://localhost:4200')
     def test_logout_with_angular_next_url_logged_out(self):
-        angular_url = 'http://localhost:4200/'
+        angular_url = 'http://localhost:4200/'q
         logout_url = web_url_for('auth_logout', _absolute=True, next=angular_url)
         resp = self.app.get(logout_url, auth=None)
         assert resp.status_code == http_status.HTTP_302_FOUND

From 8635f0728f1db0bc7adaf03115c9a90330216789 Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Fri, 24 Apr 2026 16:27:28 -0400
Subject: [PATCH 38/43] Add login url builder and update logout url builder

---
 framework/auth/utils.py | 9 ++++++++-
 framework/auth/views.py | 8 +++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/framework/auth/utils.py b/framework/auth/utils.py
index 8f5bbca97b9..53c7df21a70 100644
--- a/framework/auth/utils.py
+++ b/framework/auth/utils.py
@@ -171,8 +171,15 @@ def generate_csl_given_name(given_name, middle_names='', suffix=''):
         given = f'{given}, {suffix}'
     return given
 
+def get_default_osf_login_url():
+    """Return the default OSF login URL.
+    """
+    next_url = web_url_for(view_name='index', _absolute=True, _angular_route=True)
+    return web_url_for(view_name='auth_login', _absolute=True, next=next_url)
+
+
 def get_default_osf_logout_url():
     """Return the default OSF logout URL.
     """
-    next_url = web_url_for(view_name='index', _absolute=True)
+    next_url = web_url_for(view_name='index', _absolute=True, _angular_route=True)
     return web_url_for(view_name='auth_logout', _absolute=True, next=next_url)
diff --git a/framework/auth/views.py b/framework/auth/views.py
index 1b95bc3d6e7..0a345fe2bf5 100644
--- a/framework/auth/views.py
+++ b/framework/auth/views.py
@@ -18,7 +18,7 @@
 from framework.auth.core import generate_verification_key
 from framework.auth.decorators import block_bing_preview, collect_auth, must_be_logged_in
 from framework.auth.forms import ResendConfirmationForm, ForgotPasswordForm, ResetPasswordForm
-from framework.auth.utils import ensure_external_identity_uniqueness, validate_recaptcha
+from framework.auth.utils import ensure_external_identity_uniqueness, validate_recaptcha, get_default_osf_login_url
 from framework.celery_tasks.handlers import enqueue_task
 from framework.exceptions import HTTPError
 from framework.flask import redirect  # VOL-aware redirect
@@ -389,9 +389,11 @@ def login_and_register_handler(auth, login=True, campaign=None, next_url=None, l
             data['next_url'] = request.url
     else:
         # `/login/` or `/register/` without any parameter
+        data['status_code'] = http_status.HTTP_302_FOUND
         if auth.logged_in:
-            data['status_code'] = http_status.HTTP_302_FOUND
-        data['next_url'] = web_url_for('index', _absolute=True, _angular_route=True)
+            data['next_url'] = web_url_for('dashboard', _absolute=True, _angular_route=True)
+        else:
+            data['next_url'] = cas.get_login_url(get_default_osf_login_url())
 
     return data
 

From 7ff81c878b057690694fd3e01e8f011315249e9b Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Fri, 24 Apr 2026 16:31:05 -0400
Subject: [PATCH 39/43] Fix some tests

---
 tests/test_auth.py            |  2 +-
 tests/test_auth_basic_auth.py |  2 +-
 tests/test_auth_views.py      |  2 +-
 tests/test_campaigns.py       |  2 +-
 tests/test_webtests.py        | 22 ++++++++--------------
 5 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/tests/test_auth.py b/tests/test_auth.py
index 487759603c1..240a0cb317a 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -96,7 +96,7 @@ def test_confirm_email(self):
             res = self.app.resolve_redirect(res)
 
             assert res.status_code == 302
-            assert '/my-projects/' == urlparse(res.location).path
+            assert '/dashboard/' == urlparse(res.location).path
         # assert len(get_session()['status']) == 1
 
     def test_get_user_by_id(self):
diff --git a/tests/test_auth_basic_auth.py b/tests/test_auth_basic_auth.py
index e1b9d6e5b8d..86b1d5fbec1 100644
--- a/tests/test_auth_basic_auth.py
+++ b/tests/test_auth_basic_auth.py
@@ -99,4 +99,4 @@ def test_expired_cookie(self):
         self.app.set_cookie(settings.COOKIE_NAME, str(cookie))
         res = self.app.get(self.reachable_url)
         assert res.status_code == 302
-        assert '/login/' == res.location
+        assert 'http://localhost:5000/logout/?next=http://localhost:4200/' == res.location
diff --git a/tests/test_auth_views.py b/tests/test_auth_views.py
index 444f5788f80..2e1c87164d1 100644
--- a/tests/test_auth_views.py
+++ b/tests/test_auth_views.py
@@ -846,7 +846,7 @@ def test_logout_with_angular_next_url_logged_in(self):
         assert cas.get_logout_url(logout_url) == resp.headers['Location']
 
     def test_logout_with_angular_next_url_logged_out(self):
-        angular_url = 'http://localhost:4200/'q
+        angular_url = 'http://localhost:4200/'
         logout_url = web_url_for('auth_logout', _absolute=True, next=angular_url)
         resp = self.app.get(logout_url, auth=None)
         assert resp.status_code == http_status.HTTP_302_FOUND
diff --git a/tests/test_campaigns.py b/tests/test_campaigns.py
index 221ce03f8cf..315e4b7acbd 100644
--- a/tests/test_campaigns.py
+++ b/tests/test_campaigns.py
@@ -238,7 +238,7 @@ def setUp(self):
         super().setUp()
         self.url_login = web_url_for('auth_login', campaign='institution')
         self.url_register = web_url_for('auth_register', campaign='institution')
-        self.service_url = web_url_for('my_projects', _absolute=True)
+        self.service_url = web_url_for('dashboard', _absolute=True, _anchor=True)
 
     # go to CAS institution login page if not logged in
     def test_institution_not_logged_in(self):
diff --git a/tests/test_webtests.py b/tests/test_webtests.py
index 64c5669f3e9..3524aeb03fa 100644
--- a/tests/test_webtests.py
+++ b/tests/test_webtests.py
@@ -87,27 +87,23 @@ def test_is_redirected_to_cas_if_not_logged_in_at_login_page(self):
         location = res.headers.get('Location')
         assert 'login?service=' in location
 
-    def test_is_redirected_to_myprojects_if_already_logged_in_at_login_page(self):
+    def test_is_redirected_to_dashboard_if_already_logged_in_at_login_page(self):
         res = self.app.get('/login/', auth=self.user.auth)
         assert res.status_code == 302
-        assert 'my-projects' in res.headers.get('Location')
+        assert 'dashboard' in res.headers.get('Location')
 
     def test_register_page(self):
         res = self.app.get('/register/')
         assert res.status_code == 200
 
-    def test_is_redirected_to_myprojects_if_already_logged_in_at_register_page(self):
+    def test_is_redirected_to_dashboard_if_already_logged_in_at_register_page(self):
         res = self.app.get('/register/', auth=self.user.auth)
         assert res.status_code == 302
-        assert 'my-projects' in res.headers.get('Location')
+        assert 'dashboard' in res.headers.get('Location')
 
     def test_sees_projects_in_her_dashboard(self):
-        # the user already has a project
-        project = ProjectFactory(creator=self.user)
-        project.add_contributor(self.user)
-        project.save()
-        res = self.app.get('/my-projects/', auth=self.user.auth)
-        assert 'Projects' in res.text  # Projects heading
+        # Deprecated test, dashboard and my-projects are angular pages
+        pass
 
     def test_does_not_see_osffiles_in_user_addon_settings(self):
         res = self.app.get('/settings/addons/', auth=self.auth, follow_redirects=True)
@@ -123,10 +119,8 @@ def test_sees_osffiles_in_project_addon_settings(self):
         assert 'OSF Storage' in res.text
 
     def test_sees_correct_title_on_dashboard(self):
-        # User goes to dashboard
-        res = self.app.get('/my-projects/', auth=self.auth, follow_redirects=True)
-        title = res.html.title.string
-        assert 'OSF | My Projects' == title
+        # Deprecated test, dashboard and my-projects are angular pages
+        pass
 
     def test_can_see_make_public_button_if_admin(self):
         # User is a contributor on a project

From e2647451fd08e109c330279109745af5ebbb1bc6 Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Mon, 27 Apr 2026 13:30:13 -0400
Subject: [PATCH 40/43] Update institution's CAS login url in admin

---
 osf/models/institution.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/osf/models/institution.py b/osf/models/institution.py
index 379f301a966..87cb12eed05 100644
--- a/osf/models/institution.py
+++ b/osf/models/institution.py
@@ -216,12 +216,16 @@ def banner_path(self):
     def cas_login_url(self):
         if self.delegation_protocol == IntegrationType.NONE.value:
             return None
-        if 'localhost' in website_settings.DOMAIN:
-            next_param = quote(website_settings.PROTOCOL + website_settings.LOCAL_ANGULAR_URL, safe='')
-        else:
-            next_param = quote(website_settings.DOMAIN, safe='')
-        service_url = quote(f'{website_settings.DOMAIN}login?next={next_param}', safe='')
-        return f'{website_settings.CAS_SERVER_URL}/login?campaign=institution&institutionId={self._id}&service={service_url}'
+        # Note: admin app can't use `web_url_for()` due to out of context
+        next_url_param = quote(website_settings.DOMAIN, safe='')
+        service_url_param = quote(f'{website_settings.DOMAIN}login?next={next_url_param}', safe='')
+        institution_id_param = quote(self._id, safe='')
+        return (
+            f'{website_settings.CAS_SERVER_URL}/login'
+            f'?campaign=institution'
+            f'&institutionId={institution_id_param}'
+            f'&service={service_url_param}'
+        )
 
     def update_search(self):
         from website.search.search import update_institution

From 843d9a15498934ad9c664b27bb193c17970ad182 Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Mon, 27 Apr 2026 20:55:33 -0400
Subject: [PATCH 41/43] More auth view update and more tests fix

---
 framework/auth/views.py  |  8 +++-----
 tests/test_auth_views.py | 25 +++++++++++++++----------
 tests/test_campaigns.py  |  2 +-
 tests/test_webtests.py   |  5 ++---
 4 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/framework/auth/views.py b/framework/auth/views.py
index 0a345fe2bf5..debbedb0d55 100644
--- a/framework/auth/views.py
+++ b/framework/auth/views.py
@@ -18,7 +18,7 @@
 from framework.auth.core import generate_verification_key
 from framework.auth.decorators import block_bing_preview, collect_auth, must_be_logged_in
 from framework.auth.forms import ResendConfirmationForm, ForgotPasswordForm, ResetPasswordForm
-from framework.auth.utils import ensure_external_identity_uniqueness, validate_recaptcha, get_default_osf_login_url
+from framework.auth.utils import ensure_external_identity_uniqueness, validate_recaptcha
 from framework.celery_tasks.handlers import enqueue_task
 from framework.exceptions import HTTPError
 from framework.flask import redirect  # VOL-aware redirect
@@ -389,11 +389,9 @@ def login_and_register_handler(auth, login=True, campaign=None, next_url=None, l
             data['next_url'] = request.url
     else:
         # `/login/` or `/register/` without any parameter
-        data['status_code'] = http_status.HTTP_302_FOUND
         if auth.logged_in:
-            data['next_url'] = web_url_for('dashboard', _absolute=True, _angular_route=True)
-        else:
-            data['next_url'] = cas.get_login_url(get_default_osf_login_url())
+            data['status_code'] = http_status.HTTP_302_FOUND
+        data['next_url'] = web_url_for('dashboard', _absolute=True, _angular_route=True)
 
     return data
 
diff --git a/tests/test_auth_views.py b/tests/test_auth_views.py
index 2e1c87164d1..23376e65995 100644
--- a/tests/test_auth_views.py
+++ b/tests/test_auth_views.py
@@ -551,32 +551,32 @@ def setUp(self):
         self.no_auth = Auth()
         self.user_auth = AuthUserFactory()
         self.auth = Auth(user=self.user_auth)
-        self.next_url = web_url_for('my_projects', _absolute=True)
+        self.next_url = web_url_for('dashboard', _absolute=True, _angular_route=True)
         self.invalid_campaign = 'invalid_campaign'
 
     def test_osf_login_with_auth(self):
         # login: user with auth
         data = login_and_register_handler(self.auth)
         assert data.get('status_code') == http_status.HTTP_302_FOUND
-        assert data.get('next_url') == web_url_for('my_projects', _absolute=True)
+        assert data.get('next_url') == web_url_for('dashboard', _absolute=True, _angular_route=True)
 
     def test_osf_login_without_auth(self):
         # login: user without auth
         data = login_and_register_handler(self.no_auth)
         assert data.get('status_code') == http_status.HTTP_302_FOUND
-        assert data.get('next_url') == web_url_for('my_projects', _absolute=True)
+        assert data.get('next_url') == web_url_for('dashboard', _absolute=True, _angular_route=True)
 
     def test_osf_register_with_auth(self):
         # register: user with auth
         data = login_and_register_handler(self.auth, login=False)
         assert data.get('status_code') == http_status.HTTP_302_FOUND
-        assert data.get('next_url') == web_url_for('my_projects', _absolute=True)
+        assert data.get('next_url') == web_url_for('dashboard', _absolute=True, _angular_route=True)
 
     def test_osf_register_without_auth(self):
         # register: user without auth
         data = login_and_register_handler(self.no_auth, login=False)
         assert data.get('status_code') == http_status.HTTP_200_OK
-        assert data.get('next_url') == web_url_for('my_projects', _absolute=True)
+        assert data.get('next_url') == web_url_for('dashboard', _absolute=True, _angular_route=True)
 
     def test_next_url_login_with_auth(self):
         # next_url login: user with auth
@@ -621,14 +621,16 @@ def test_institution_login_with_auth(self):
         # institution login: user with auth
         data = login_and_register_handler(self.auth, campaign='institution')
         assert data.get('status_code') == http_status.HTTP_302_FOUND
-        assert data.get('next_url') == web_url_for('my_projects', _absolute=True)
+        assert data.get('next_url') == web_url_for('dashboard', _absolute=True, _angular_route=True)
 
     def test_institution_login_without_auth(self):
         # institution login: user without auth
         data = login_and_register_handler(self.no_auth, campaign='institution')
         assert data.get('status_code') == http_status.HTTP_302_FOUND
-        assert data.get('next_url') == cas.get_login_url(web_url_for('my_projects', _absolute=True),
-                                                         campaign='institution')
+        assert data.get('next_url') == cas.get_login_url(
+            web_url_for('my_projects', _absolute=True, _angular_route=True),
+            campaign='institution'
+        )
 
     def test_institution_login_next_url_with_auth(self):
         # institution login: user with auth and next url
@@ -646,13 +648,16 @@ def test_institution_register_with_auth(self):
         # institution register: user with auth
         data = login_and_register_handler(self.auth, login=False, campaign='institution')
         assert data.get('status_code') == http_status.HTTP_302_FOUND
-        assert data.get('next_url') == web_url_for('my_projects', _absolute=True)
+        assert data.get('next_url') == web_url_for('dashboard', _absolute=True, _angular_route=True)
 
     def test_institution_register_without_auth(self):
         # institution register: user without auth
         data = login_and_register_handler(self.no_auth, login=False, campaign='institution')
         assert data.get('status_code') == http_status.HTTP_302_FOUND
-        assert data.get('next_url') == cas.get_login_url(web_url_for('my_projects', _absolute=True), campaign='institution')
+        assert data.get('next_url') == cas.get_login_url(
+            web_url_for('dashboard', _absolute=True, _angular_route=True),
+            campaign='institution'
+        )
 
     def test_campaign_login_with_auth(self):
         for campaign in get_campaigns():
diff --git a/tests/test_campaigns.py b/tests/test_campaigns.py
index 315e4b7acbd..49838c6244e 100644
--- a/tests/test_campaigns.py
+++ b/tests/test_campaigns.py
@@ -238,7 +238,7 @@ def setUp(self):
         super().setUp()
         self.url_login = web_url_for('auth_login', campaign='institution')
         self.url_register = web_url_for('auth_register', campaign='institution')
-        self.service_url = web_url_for('dashboard', _absolute=True, _anchor=True)
+        self.service_url = web_url_for('dashboard', _absolute=True, _angular_route=True)
 
     # go to CAS institution login page if not logged in
     def test_institution_not_logged_in(self):
diff --git a/tests/test_webtests.py b/tests/test_webtests.py
index 3524aeb03fa..97efe3ca715 100644
--- a/tests/test_webtests.py
+++ b/tests/test_webtests.py
@@ -82,10 +82,9 @@ def test_can_see_profile_url(self):
     # `GET /login/` without parameters is redirected to `/my-projects/` page which has `@must_be_logged_in` decorator
     # if user is not logged in, she/he is further redirected to CAS login page
     def test_is_redirected_to_cas_if_not_logged_in_at_login_page(self):
-        res = self.app.resolve_redirect(self.app.get('/login/'))
+        res = self.app.get('/login/')
         assert res.status_code == 302
-        location = res.headers.get('Location')
-        assert 'login?service=' in location
+        assert 'login?service=' in res.headers.get('Location')
 
     def test_is_redirected_to_dashboard_if_already_logged_in_at_login_page(self):
         res = self.app.get('/login/', auth=self.user.auth)

From ef31d07318d86d141c75fc201c406e89db259a44 Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Mon, 27 Apr 2026 21:31:04 -0400
Subject: [PATCH 42/43] Fix the last couple of failures

---
 tests/test_auth_views.py | 2 +-
 tests/test_webtests.py   | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/test_auth_views.py b/tests/test_auth_views.py
index 23376e65995..965501d2e03 100644
--- a/tests/test_auth_views.py
+++ b/tests/test_auth_views.py
@@ -628,7 +628,7 @@ def test_institution_login_without_auth(self):
         data = login_and_register_handler(self.no_auth, campaign='institution')
         assert data.get('status_code') == http_status.HTTP_302_FOUND
         assert data.get('next_url') == cas.get_login_url(
-            web_url_for('my_projects', _absolute=True, _angular_route=True),
+            web_url_for('dashboard', _absolute=True, _angular_route=True),
             campaign='institution'
         )
 
diff --git a/tests/test_webtests.py b/tests/test_webtests.py
index 97efe3ca715..037aca0a137 100644
--- a/tests/test_webtests.py
+++ b/tests/test_webtests.py
@@ -79,12 +79,12 @@ def test_can_see_profile_url(self):
         res = self.app.get(self.user.url, follow_redirects=True)
         assert self.user.url in res.text
 
-    # `GET /login/` without parameters is redirected to `/my-projects/` page which has `@must_be_logged_in` decorator
-    # if user is not logged in, she/he is further redirected to CAS login page
+    # `GET /login/` (legacy BE endpoint) without parameters is redirected to `/dashboard/` (angular FE endpoint).
+    # It's impossible to test external redirects in tests, and it is angular's job to redirect correctly to CAS login.
     def test_is_redirected_to_cas_if_not_logged_in_at_login_page(self):
         res = self.app.get('/login/')
         assert res.status_code == 302
-        assert 'login?service=' in res.headers.get('Location')
+        assert 'dashboard' in res.headers.get('Location')
 
     def test_is_redirected_to_dashboard_if_already_logged_in_at_login_page(self):
         res = self.app.get('/login/', auth=self.user.auth)

From 88d452e7efc85a3005efc68e24b3c2a5aedf3618 Mon Sep 17 00:00:00 2001
From: Longze Chen <cslzchen@gmail.com>
Date: Tue, 28 Apr 2026 16:13:19 -0400
Subject: [PATCH 43/43] Fix goodbye route

---
 website/routes.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/website/routes.py b/website/routes.py
index 7bc8d1cab19..af14a916183 100644
--- a/website/routes.py
+++ b/website/routes.py
@@ -231,9 +231,9 @@ def sitemap_file(path):
 def goodbye():
     # Redirect to dashboard if logged in
     if _get_current_user():
-        return redirect(util.web_url_for('dashboard', _absolute=True, _local_angular=True))
+        return redirect(util.web_url_for('dashboard', _absolute=True, _angular_route=True))
     else:
-        return redirect(util.web_url_for('index', _absolute=True, _local_angular=True))
+        return redirect(util.web_url_for('index', _absolute=True, _angular_route=True))
 
 def make_url_map(app):
     """Set up all the routes for the OSF app.