[SG-147] Organization Domain Claiming Feature (#2704)

* [SG-696] Organization Domain Claiming DB Objects and Migrations (#2394)

* model organization domain claiming

* Added migration scripts and db objects for mssql

* create and implement sql repository abstraction

* Added ef migrations for mysql and postgres. Removed time without timezone in previous migration

* made update on sql migration to use create or alter statement

* removed active column from OrganizationDomain table and decided to go with the hard delete approach

* Ran dotnet restore evaluate

* created DNS service verification using DNSClient (#2401)

* [SG-678] Api Endpoints for Domain Claiming (#2430)

* Added stored procedure to read claimed domains

* Updated Organization Domain Repository to include method to get claimed domains

* Updated domain entity and added request model

* Implemented organization domain respository and regsitered it in the various extensions

* Added create endpoint, request, responses and command

* Added endpoint to get domain by domain entry id

* Ran lint fix

* Added new stored procedure to get domains by organizattion id

* Moved migration scripts to init migration and added new procedure

* Renamed from domainId to Id

* Added and implemented GetDomainByOrganizationId

* Completed GetDomainByOrgId endpoint and started work on verify domain endpoint

* Updated the OrganizationDomain update procedure

* Added delete command and include other endpoints in the controller

* Remove test item from controller

* Remove test item from controller

* Changed access to allow admin, owners and manage sso roles

* changed logic for setting the initial value for the NextRunCount

* Renamed NextRunCount to JobRunCount

* Renamed NextRunCount to JobRunCount on mysql

* Renamed NextRunCount to JobRunCount on postgres

* Removed chaining pattern and added logic to get next run date

* Lint fix

* Added stored procedure to get organization sso details by email address

* Added endpoint to get sso details of an organization with email

* Added organizationDomainRepository to OrganizationController test

* merged with master and fixed conflicts

* [SG-661] Background Domain Verification Service (#2455)

* Added stored procedure to read claimed domains

* Updated Organization Domain Repository to include method to get claimed domains

* Updated domain entity and added request model

* Implemented organization domain respository and regsitered it in the various extensions

* Added create endpoint, request, responses and command

* Added endpoint to get domain by domain entry id

* Ran lint fix

* Added new stored procedure to get domains by organizattion id

* Moved migration scripts to init migration and added new procedure

* Renamed from domainId to Id

* Added and implemented GetDomainByOrganizationId

* Completed GetDomainByOrgId endpoint and started work on verify domain endpoint

* Updated the OrganizationDomain update procedure

* Added delete command and include other endpoints in the controller

* Remove test item from controller

* Remove test item from controller

* Changed access to allow admin, owners and manage sso roles

* Added stored procedure to get unverified domains by nextrundate

* Renamed stored procedure name

* Added domain verification service interface

* Added GetManyByNextRunDate to repository

* Added verification domain service implementation

* changed logic for setting the initial value for the NextRunCount

* This commit should be signed using my SSH key

* Renamed NextRunCount to JobRunCount

* Renamed NextRunCount to JobRunCount on mysql

* Renamed NextRunCount to JobRunCount on postgres

* Removed chaining pattern and added logic to get next run date

* Lint fix

* Implemented EF core version on the repository

* Created background job implementation and logic

* popped stash

* Updated stored procedure and EF script

* Lint fix

* Added logic to set next job count and the next run date when a verification is false

* Added logic to set next job count and the next run date when a verification is false

* Updated stored procedure name on repository

* Removed test trigger

* Lint fix

* Added trigger for job

* Added job count update after successful domain verification

* Lint fix

* Lint fix

* [SG-682] Add Event Log Entries to Organization Domain (#2492)

* Added domain name property to Event related objects

* Added organization domain claiming event types

* Created migration script and updated related event scripts to include domanName

* Added EF Migrations

* Renamed postres script file extension

* Added DomainName property to response model

* Added abstraction to interface

* Added system name to enum

* dotnet formattinfg fix

* Added events to organization domain actions

* Added LastCheckedDate property to domain

* Migrations and stored procedure updates with new column

* Added new stored procedure to get domain by org id and domain name

* Log organization domain event abstract method

* Ef migrattion to add new LastCheckedDate column

* Added duplicate domain exception

* Modified create command to include domain verification and last checked date and renamed methods used

* removed variable

* changed service lifetime

* Renamed trigger

* Initialed property in constructor

* Ensured domain name is stored as lower case

* Fixed suggestions from review

* Fixed suggestions from review

* Return Conflict Status on Organization Domain APIs (#2498)

* Added conflict response to end point to help translate error message on the client better

* Added conflict response to end point to help translate error message on the client better

* Set message with exception message or generic message

* Added last check date to response model (#2499)

* Fix/Check to throw exception when domain is claimed by another organization (#2503)

* Added check to ensure domain claimed by another organization cannot be verified

* Made error message consistent

* [SG-660] Organization Domain Maintenance (#2502)

* Added email template

* Mail service abstraction and implementation

* Mail template model

* Initial delete job commit

* Added SPs to get all unverifed domains after 72 hours and another to delete unverified domains after 7 days

* Moved all organization domain scripts to single file

* Added new scripts implementation for sqlserver and EF core

* Renamed service

* Formatting fix

* Added background service to send warning email and delete expired domains

* Renamed variable

* Added implementation for email warning to organization admins and for deleting expired domains after 7 days

* Added formatting

* Modified read if expired script to limit result to 4 days

* Added send mail abstract method and implementation

* Model used in build mail body

* Completed maintenace service

* Added comment to make logic clear

* Fixed cron expression (#2505)

* Modified procedure and methods to handle flexible verification adn expiration period (#2517)

* Merged with master

* [SG-908] Unit Tests for Organization Domain Claiming Feature (#2522)

* added test controlleer class

* added unit test for create command

* Added query tests

* Added tests for delete and verify command

* Formated code and added some more unit tests

* Fixed lint

* Added log event assertion to create command tests

* Added log event assertion to delete command tests

* Added unit tests for organization domain controller

* Added unit tests for organization domain service

* Modified test after merge

* fixed comment

* fixed comment

* fixed lint

* Defect/SG-977 - Org domain event logs missing details (#2573)

* SG-977 - (1) Refactor EventSystemUser.SSO to be EventSystemUser.DomainVerification to better match SCIM property and for easier display and translation on web client (2) Add new DeviceType of Server to be used on SCIM and Domain Verification logs so event log will show Server as client.

* SG-977 - SCIM bugfix - Restoring / Revoking user access via Jumpcloud activation / suspension did not properly log the events as SCIM events so the client side showed Unknown for both Client and Member.

* Run autoformat to fix lint errors

* SG-977 - Fixed broken test due to new device type logic in event service

* SG-976 - Add admin log and clean up log verbiage for domain verification (#2574)

* SG-976 - Add admin log and clean up log verbiage for domain verification

* SG-976 - (1) Use logInformation extension without exception (2) Clarify verbiage of logs

* SG-955 - On domain verification error or failure, set last checked da… (#2541)

* SG-955 - On domain verification error or failure, set last checked date on the org domain.

* SG-955 - Refactoring VerifyOrganizationDomain event logging to avoid duplication and increase efficiency (based on Gbubemi's PR feedback)

* Org Domain Background Verification service - set last checked date (#2599)

* Refactored OrganizationDomain repository to work with latest changes on code base

* Fixed formatting

* [SG-957] Cannot Delete Organizations due to FK Constraint (#2602)

* Added stored procedure to fix FX contstraint issue when deleting an organization

* Update stored procedures related to organization delete with OrganizationDomain_OrganizationDelete SP

* Fixed formatting

* Updated SP

* SG-990 - Log expired domains that are going to be deleted.

* Fix lint errors with auto format

* /home/runner/work/server/server/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs(107,2): error FINALNEWLINE: Fix final newline. Insert '\n'.

* Added missing bracket to fix compile error.

* Added imports for Domain Claiming classes that were lost on merge.

* Fixing broken unit tests + adding proper behavior for newly added SCIM logic changing device type

* Fix lint errors again

* Included domain name set in constructor (#2618)

* [SG-1001] Error Thrown When Verifying Sub Domains (#2621)

* Renamed exception to a more generic name that receives error message from the dns client and also added updates to job count and next run date

* Improved error logs by adding dns client error message

* Fixed formatting

* [SG-1001] Added event logs when a domain is not verified due to thrown exception (#2623)

* Added eevent logs when a domain is not verified due to thrown exception

* Fixed formatting

* Org Domain Verification - Small refactor to improve method/model name… (#2641)

* Org Domain Verification - Small refactor to improve method/model names and method locations - required refactoring of controller routes (I confirmed all behavior still functional)

* Fixed organization test controller issue

* Fixed lint

* Autoformat org domain controller

* Removing whitespace for lint argh, why does Rider not do this.

---------

Co-authored-by: gbubemismith <gsmithwalter@gmail.com>

* Tweak name of Request model to match Response model for ClaimedOrgDomain call

* [SG-1009] Users with Custom Role and "Manage SSO" permission don't receive verification failed email (#2645)

* Modified condition to pick up unverified domains after said period

* Fix to get emails of custom users with manage sso rights

* Formatted code

* Removed return that made background job exit on successful validation (#2648)

* [SG-1014] Unit Tests for Get Organization Sso Details (#2655)

* Added unit tests for GetOrgDomainSsoDetails

* renamed variable

* Adjust OrganizationDomainSsoDetails_ReadByEmail to use outer join so … (#2657)

* Adjust OrganizationDomainSsoDetails_ReadByEmail to use outer join so that claimed domain results will come back if an org has not yet setup a policy

* Removed migration as not needed

* Updated OrganizationDomainSsoDetails_ReadByEmail from original creation migration to use outer join & handle null policy results (and still return results)

* Fixed lint formatting

---------

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
Co-authored-by: Jared Snider <jsnider@bitwarden.com>
Co-authored-by: Todd Martin <tmartin@bitwarden.com>

bitwarden_license/src/Commercial.Core/packages.lock.json

@@ -126,6 +126,14 @@
           "System.Xml.XPath.XmlDocument": "4.3.0"
         }
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2553,6 +2561,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

bitwarden_license/src/Commercial.Infrastructure.EntityFramework/packages.lock.json

@@ -144,6 +144,14 @@
           "System.Xml.XPath.XmlDocument": "4.3.0"
         }
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2726,6 +2734,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

bitwarden_license/src/Scim/Controllers/v2/UsersController.cs

@@ -97,11 +97,11 @@ public class UsersController : Controller
 
         if (model.Active && orgUser.Status == OrganizationUserStatusType.Revoked)
         {
-            await _organizationService.RestoreUserAsync(orgUser, null, _userService);
+            await _organizationService.RestoreUserAsync(orgUser, EventSystemUser.SCIM, _userService);
         }
         else if (!model.Active && orgUser.Status != OrganizationUserStatusType.Revoked)
         {
-            await _organizationService.RevokeUserAsync(orgUser, null);
+            await _organizationService.RevokeUserAsync(orgUser, EventSystemUser.SCIM);
         }
 
         // Have to get full details object for response model

bitwarden_license/src/Scim/packages.lock.json

@@ -157,6 +157,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -3002,6 +3010,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

bitwarden_license/src/Sso/packages.lock.json

@@ -160,6 +160,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2872,6 +2880,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

bitwarden_license/test/Commercial.Core.Test/packages.lock.json

@@ -203,6 +203,14 @@
           "System.Xml.XmlDocument": "4.3.0"
         }
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fare": {
         "type": "Transitive",
         "resolved": "2.1.1",
@@ -2822,6 +2830,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

bitwarden_license/test/Scim.IntegrationTest/packages.lock.json

@@ -246,6 +246,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fare": {
         "type": "Transitive",
         "resolved": "2.1.1",
@@ -3406,6 +3414,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

bitwarden_license/test/Scim.Test/packages.lock.json

@@ -234,6 +234,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fare": {
         "type": "Transitive",
         "resolved": "2.1.1",
@@ -3251,6 +3259,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

perf/MicroBenchmarks/packages.lock.json

@@ -156,6 +156,14 @@
         "resolved": "2.4.3",
         "contentHash": "U2FC9Y8NyIxxU6MpFFdWWu1xwiqz/61v/Doou7kmVjpeIEMLWyiNNkzNlSE84kyJ0O1LKApuEj5z48Ow0Hi4OQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2660,6 +2668,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/Admin/Jobs/DeleteUnverifiedOrganizationDomainsJob.cs

@@ -0,0 +1,31 @@
+using Bit.Core;
+using Bit.Core.Jobs;
+using Bit.Core.Services;
+using Quartz;
+
+namespace Bit.Admin.Jobs;
+
+public class DeleteUnverifiedOrganizationDomainsJob : BaseJob
+{
+    private readonly IServiceProvider _serviceProvider;
+
+    public DeleteUnverifiedOrganizationDomainsJob(
+        IServiceProvider serviceProvider,
+        ILogger<DeleteUnverifiedOrganizationDomainsJob> logger)
+        : base(logger)
+    {
+        _serviceProvider = serviceProvider;
+    }
+
+    protected override async Task ExecuteJobAsync(IJobExecutionContext context)
+    {
+        _logger.LogInformation(Constants.BypassFiltersEventId, "Execute job task: DeleteUnverifiedOrganizationDomainsJob: Start");
+        using (var serviceScope = _serviceProvider.CreateScope())
+        {
+            var organizationDomainService =
+                serviceScope.ServiceProvider.GetRequiredService<IOrganizationDomainService>();
+            await organizationDomainService.OrganizationDomainMaintenanceAsync();
+        }
+        _logger.LogInformation(Constants.BypassFiltersEventId, "Execute job task: DeleteUnverifiedOrganizationDomainsJob: End");
+    }
+}

src/Admin/Jobs/JobsHostedService.cs

@@ -64,6 +64,11 @@ public class JobsHostedService : BaseJobsHostedService
             .StartNow()
             .WithCronSchedule("0 */15 * ? * *")
             .Build();
+        var everyDayAtTwoAmUtcTrigger = TriggerBuilder.Create()
+            .WithIdentity("EveryDayAtTwoAmUtcTrigger")
+            .StartNow()
+            .WithCronSchedule("0 0 2 ? * * *")
+            .Build();
 
         var jobs = new List<Tuple<Type, ITrigger>>
         {
@@ -74,6 +79,7 @@ public class JobsHostedService : BaseJobsHostedService
             new Tuple<Type, ITrigger>(typeof(DeleteCiphersJob), everyDayAtMidnightUtc),
             new Tuple<Type, ITrigger>(typeof(DatabaseExpiredSponsorshipsJob), everyMondayAtMidnightTrigger),
             new Tuple<Type, ITrigger>(typeof(DeleteAuthRequestsJob), everyFifteenMinutesTrigger),
+            new Tuple<Type, ITrigger>(typeof(DeleteUnverifiedOrganizationDomainsJob), everyDayAtTwoAmUtcTrigger),
         };
 
         if (!_globalSettings.SelfHosted)
@@ -98,5 +104,6 @@ public class JobsHostedService : BaseJobsHostedService
         services.AddTransient<DeleteSendsJob>();
         services.AddTransient<DeleteCiphersJob>();
         services.AddTransient<DeleteAuthRequestsJob>();
+        services.AddTransient<DeleteUnverifiedOrganizationDomainsJob>();
     }
 }

src/Admin/packages.lock.json

@@ -199,6 +199,14 @@
           "dbup-core": "4.5.0"
         }
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -3314,6 +3322,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/Api/Controllers/OrganizationDomainController.cs

@@ -0,0 +1,143 @@
+using Bit.Api.Models.Request;
+using Bit.Api.Models.Request.Organizations;
+using Bit.Api.Models.Response;
+using Bit.Api.Models.Response.Organizations;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+using Bit.Core.Repositories;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Controllers;
+
+[Route("organizations")]
+[Authorize("Application")]
+public class OrganizationDomainController : Controller
+{
+    private readonly ICreateOrganizationDomainCommand _createOrganizationDomainCommand;
+    private readonly IVerifyOrganizationDomainCommand _verifyOrganizationDomainCommand;
+    private readonly IDeleteOrganizationDomainCommand _deleteOrganizationDomainCommand;
+    private readonly IGetOrganizationDomainByIdQuery _getOrganizationDomainByIdQuery;
+    private readonly IGetOrganizationDomainByOrganizationIdQuery _getOrganizationDomainByOrganizationIdQuery;
+    private readonly ICurrentContext _currentContext;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly IOrganizationDomainRepository _organizationDomainRepository;
+
+    public OrganizationDomainController(
+        ICreateOrganizationDomainCommand createOrganizationDomainCommand,
+        IVerifyOrganizationDomainCommand verifyOrganizationDomainCommand,
+        IDeleteOrganizationDomainCommand deleteOrganizationDomainCommand,
+        IGetOrganizationDomainByIdQuery getOrganizationDomainByIdQuery,
+        IGetOrganizationDomainByOrganizationIdQuery getOrganizationDomainByOrganizationIdQuery,
+        ICurrentContext currentContext,
+        IOrganizationRepository organizationRepository,
+        IOrganizationDomainRepository organizationDomainRepository)
+    {
+        _createOrganizationDomainCommand = createOrganizationDomainCommand;
+        _verifyOrganizationDomainCommand = verifyOrganizationDomainCommand;
+        _deleteOrganizationDomainCommand = deleteOrganizationDomainCommand;
+        _getOrganizationDomainByIdQuery = getOrganizationDomainByIdQuery;
+        _getOrganizationDomainByOrganizationIdQuery = getOrganizationDomainByOrganizationIdQuery;
+        _currentContext = currentContext;
+        _organizationRepository = organizationRepository;
+        _organizationDomainRepository = organizationDomainRepository;
+    }
+
+    [HttpGet("{orgId}/domain")]
+    public async Task<ListResponseModel<OrganizationDomainResponseModel>> Get(string orgId)
+    {
+        var orgIdGuid = new Guid(orgId);
+        await ValidateOrganizationAccessAsync(orgIdGuid);
+
+        var domains = await _getOrganizationDomainByOrganizationIdQuery
+            .GetDomainsByOrganizationId(orgIdGuid);
+        var response = domains.Select(x => new OrganizationDomainResponseModel(x)).ToList();
+        return new ListResponseModel<OrganizationDomainResponseModel>(response);
+    }
+
+    [HttpGet("{orgId}/domain/{id}")]
+    public async Task<OrganizationDomainResponseModel> Get(string orgId, string id)
+    {
+        var orgIdGuid = new Guid(orgId);
+        var IdGuid = new Guid(id);
+        await ValidateOrganizationAccessAsync(orgIdGuid);
+
+        var domain = await _getOrganizationDomainByIdQuery.GetOrganizationDomainById(IdGuid);
+        if (domain is null)
+        {
+            throw new NotFoundException();
+        }
+
+        return new OrganizationDomainResponseModel(domain);
+    }
+
+    [HttpPost("{orgId}/domain")]
+    public async Task<OrganizationDomainResponseModel> Post(string orgId,
+        [FromBody] OrganizationDomainRequestModel model)
+    {
+        var orgIdGuid = new Guid(orgId);
+        await ValidateOrganizationAccessAsync(orgIdGuid);
+
+        var organizationDomain = new OrganizationDomain
+        {
+            OrganizationId = orgIdGuid,
+            Txt = model.Txt,
+            DomainName = model.DomainName.ToLower()
+        };
+
+        var domain = await _createOrganizationDomainCommand.CreateAsync(organizationDomain);
+        return new OrganizationDomainResponseModel(domain);
+    }
+
+    [HttpPost("{orgId}/domain/{id}/verify")]
+    public async Task<OrganizationDomainResponseModel> Verify(string orgId, string id)
+    {
+        var orgIdGuid = new Guid(orgId);
+        var idGuid = new Guid(id);
+        await ValidateOrganizationAccessAsync(orgIdGuid);
+
+        var domain = await _verifyOrganizationDomainCommand.VerifyOrganizationDomain(idGuid);
+        return new OrganizationDomainResponseModel(domain);
+    }
+
+    [HttpDelete("{orgId}/domain/{id}")]
+    [HttpPost("{orgId}/domain/{id}/remove")]
+    public async Task RemoveDomain(string orgId, string id)
+    {
+        var orgIdGuid = new Guid(orgId);
+        var idGuid = new Guid(id);
+        await ValidateOrganizationAccessAsync(orgIdGuid);
+
+        await _deleteOrganizationDomainCommand.DeleteAsync(idGuid);
+    }
+
+    [AllowAnonymous]
+    [HttpPost("domain/sso/details")] // must be post to accept email cleanly
+    public async Task<OrganizationDomainSsoDetailsResponseModel> GetOrgDomainSsoDetails(
+        [FromBody] OrganizationDomainSsoDetailsRequestModel model)
+    {
+        var ssoResult = await _organizationDomainRepository.GetOrganizationDomainSsoDetailsAsync(model.Email);
+        if (ssoResult is null)
+        {
+            throw new NotFoundException("Claimed org domain not found");
+        }
+
+        return new OrganizationDomainSsoDetailsResponseModel(ssoResult);
+    }
+
+    private async Task ValidateOrganizationAccessAsync(Guid orgIdGuid)
+    {
+        if (!await _currentContext.ManageSso(orgIdGuid))
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+        if (organization == null)
+        {
+            throw new NotFoundException();
+        }
+    }
+}

src/Api/Controllers/OrganizationsController.cs

@@ -135,6 +135,7 @@ public class OrganizationsController : Controller
             {
                 throw new NotFoundException();
             }
+
             return new OrganizationSubscriptionResponseModel(organization, subscriptionInfo);
         }
         else
@@ -255,7 +256,7 @@ public class OrganizationsController : Controller
         }
 
         var updateBilling = !_globalSettings.SelfHosted && (model.BusinessName != organization.BusinessName ||
-            model.BillingEmail != organization.BillingEmail);
+                                                            model.BillingEmail != organization.BillingEmail);
 
         var hasRequiredPermissions = updateBilling
             ? await _currentContext.ManageBilling(orgIdGuid)
@@ -304,11 +305,7 @@ public class OrganizationsController : Controller
         }
 
         var result = await _organizationService.UpgradePlanAsync(orgIdGuid, model.ToOrganizationUpgrade());
-        return new PaymentResponseModel
-        {
-            Success = result.Item1,
-            PaymentIntentClientSecret = result.Item2
-        };
+        return new PaymentResponseModel { Success = result.Item1, PaymentIntentClientSecret = result.Item2 };
     }
 
     [HttpPost("{id}/subscription")]
@@ -335,11 +332,7 @@ public class OrganizationsController : Controller
         }
 
         var result = await _organizationService.AdjustSeatsAsync(orgIdGuid, model.SeatAdjustment.Value);
-        return new PaymentResponseModel
-        {
-            Success = true,
-            PaymentIntentClientSecret = result
-        };
+        return new PaymentResponseModel { Success = true, PaymentIntentClientSecret = result };
     }
 
     [HttpPost("{id}/storage")]
@@ -353,11 +346,7 @@ public class OrganizationsController : Controller
         }
 
         var result = await _organizationService.AdjustStorageAsync(orgIdGuid, model.StorageGbAdjustment.Value);
-        return new PaymentResponseModel
-        {
-            Success = true,
-            PaymentIntentClientSecret = result
-        };
+        return new PaymentResponseModel { Success = true, PaymentIntentClientSecret = result };
     }
 
     [HttpPost("{id}/verify-bank")]
@@ -548,7 +537,8 @@ public class OrganizationsController : Controller
     }
 
     [HttpGet("{id}/api-key-information/{type?}")]
-    public async Task<ListResponseModel<OrganizationApiKeyInformation>> ApiKeyInformation(Guid id, [FromRoute] OrganizationApiKeyType? type)
+    public async Task<ListResponseModel<OrganizationApiKeyInformation>> ApiKeyInformation(Guid id,
+        [FromRoute] OrganizationApiKeyType? type)
     {
         if (!await HasApiKeyAccessAsync(id, type))
         {
@@ -577,8 +567,8 @@ public class OrganizationsController : Controller
         }
 
         var organizationApiKey = await _getOrganizationApiKeyQuery
-                                    .GetOrganizationApiKeyAsync(organization.Id, model.Type) ??
-                                await _createOrganizationApiKeyCommand.CreateAsync(organization.Id, model.Type);
+                                     .GetOrganizationApiKeyAsync(organization.Id, model.Type) ??
+                                 await _createOrganizationApiKeyCommand.CreateAsync(organization.Id, model.Type);
 
         var user = await _userService.GetUserByPrincipalAsync(User);
         if (user == null)
@@ -679,7 +669,8 @@ public class OrganizationsController : Controller
             throw new UnauthorizedAccessException();
         }
 
-        var org = await _organizationService.UpdateOrganizationKeysAsync(new Guid(id), model.PublicKey, model.EncryptedPrivateKey);
+        var org = await _organizationService.UpdateOrganizationKeysAsync(new Guid(id), model.PublicKey,
+            model.EncryptedPrivateKey);
         return new OrganizationKeysResponseModel(org);
     }
 

src/Api/Jobs/JobsHostedService.cs

@@ -47,6 +47,12 @@ public class JobsHostedService : BaseJobsHostedService
                 .WithIntervalInHours(24)
                 .RepeatForever())
             .Build();
+        var validateOrganizationDomainTrigger = TriggerBuilder.Create()
+            .WithIdentity("ValidateOrganizationDomainTrigger")
+            .StartNow()
+            .WithCronSchedule("0 0 * * * ?")
+            .Build();
+
 
         var jobs = new List<Tuple<Type, ITrigger>>
         {
@@ -54,7 +60,8 @@ public class JobsHostedService : BaseJobsHostedService
             new Tuple<Type, ITrigger>(typeof(EmergencyAccessNotificationJob), emergencyAccessNotificationTrigger),
             new Tuple<Type, ITrigger>(typeof(EmergencyAccessTimeoutJob), emergencyAccessTimeoutTrigger),
             new Tuple<Type, ITrigger>(typeof(ValidateUsersJob), everyTopOfTheSixthHourTrigger),
-            new Tuple<Type, ITrigger>(typeof(ValidateOrganizationsJob), everyTwelfthHourAndThirtyMinutesTrigger)
+            new Tuple<Type, ITrigger>(typeof(ValidateOrganizationsJob), everyTwelfthHourAndThirtyMinutesTrigger),
+            new Tuple<Type, ITrigger>(typeof(ValidateOrganizationDomainJob), validateOrganizationDomainTrigger),
         };
 
         if (_globalSettings.SelfHosted && _globalSettings.EnableCloudCommunication)
@@ -78,5 +85,6 @@ public class JobsHostedService : BaseJobsHostedService
         services.AddTransient<EmergencyAccessTimeoutJob>();
         services.AddTransient<ValidateUsersJob>();
         services.AddTransient<ValidateOrganizationsJob>();
+        services.AddTransient<ValidateOrganizationDomainJob>();
     }
 }

src/Api/Jobs/ValidateOrganizationDomainJob.cs

@@ -0,0 +1,30 @@
+using Bit.Core;
+using Bit.Core.Jobs;
+using Bit.Core.Services;
+using Quartz;
+
+namespace Bit.Api.Jobs;
+
+public class ValidateOrganizationDomainJob : BaseJob
+{
+    private readonly IServiceProvider _serviceProvider;
+    public ValidateOrganizationDomainJob(
+        IServiceProvider serviceProvider,
+        ILogger<ValidateOrganizationDomainJob> logger)
+        : base(logger)
+    {
+        _serviceProvider = serviceProvider;
+    }
+
+    protected override async Task ExecuteJobAsync(IJobExecutionContext context)
+    {
+        _logger.LogInformation(Constants.BypassFiltersEventId, "Execute job task: ValidateOrganizationDomainJob: Start");
+        using (var serviceScope = _serviceProvider.CreateScope())
+        {
+            var organizationDomainService =
+                serviceScope.ServiceProvider.GetRequiredService<IOrganizationDomainService>();
+            await organizationDomainService.ValidateOrganizationsDomainAsync();
+        }
+        _logger.LogInformation(Constants.BypassFiltersEventId, "Execute job task: ValidateOrganizationDomainJob: End");
+    }
+}

src/Api/Models/Request/OrganizationDomainRequestModel.cs

@@ -0,0 +1,12 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Api.Models.Request;
+
+public class OrganizationDomainRequestModel
+{
+    [Required]
+    public string Txt { get; set; }
+
+    [Required]
+    public string DomainName { get; set; }
+}

src/Api/Models/Request/Organizations/OrganizationDomainSsoDetailsRequestModel.cs

@@ -0,0 +1,10 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Api.Models.Request.Organizations;
+
+public class OrganizationDomainSsoDetailsRequestModel
+{
+    [Required]
+    [EmailAddress]
+    public string Email { get; set; }
+}

src/Api/Models/Response/EventResponseModel.cs

@@ -31,6 +31,7 @@ public class EventResponseModel : ResponseModel
         IpAddress = ev.IpAddress;
         InstallationId = ev.InstallationId;
         SystemUser = ev.SystemUser;
+        DomainName = ev.DomainName;
     }
 
     public EventType Type { get; set; }
@@ -50,4 +51,5 @@ public class EventResponseModel : ResponseModel
     public DeviceType? DeviceType { get; set; }
     public string IpAddress { get; set; }
     public EventSystemUser? SystemUser { get; set; }
+    public string DomainName { get; set; }
 }

src/Api/Models/Response/Organizations/OrganizationDomainResponseModel.cs

@@ -0,0 +1,36 @@
+using Bit.Core.Entities;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.Models.Response.Organizations;
+
+public class OrganizationDomainResponseModel : ResponseModel
+{
+    public OrganizationDomainResponseModel(OrganizationDomain organizationDomain, string obj = "organizationDomain")
+        : base(obj)
+    {
+        if (organizationDomain == null)
+        {
+            throw new ArgumentNullException(nameof(organizationDomain));
+        }
+
+        Id = organizationDomain.Id.ToString();
+        OrganizationId = organizationDomain.OrganizationId.ToString();
+        Txt = organizationDomain.Txt;
+        DomainName = organizationDomain.DomainName;
+        CreationDate = organizationDomain.CreationDate;
+        NextRunDate = organizationDomain.NextRunDate;
+        JobRunCount = organizationDomain.JobRunCount;
+        VerifiedDate = organizationDomain.VerifiedDate;
+        LastCheckedDate = organizationDomain.LastCheckedDate;
+    }
+
+    public string Id { get; set; }
+    public string OrganizationId { get; set; }
+    public string Txt { get; set; }
+    public string DomainName { get; set; }
+    public DateTime CreationDate { get; set; }
+    public DateTime NextRunDate { get; set; }
+    public int JobRunCount { get; set; }
+    public DateTime? VerifiedDate { get; set; }
+    public DateTime? LastCheckedDate { get; set; }
+}

src/Api/Models/Response/Organizations/OrganizationDomainSsoDetailsResponseModel.cs

@@ -0,0 +1,28 @@
+using Bit.Core.Models.Api;
+using Bit.Core.Models.Data.Organizations;
+
+namespace Bit.Api.Models.Response.Organizations;
+
+public class OrganizationDomainSsoDetailsResponseModel : ResponseModel
+{
+    public OrganizationDomainSsoDetailsResponseModel(OrganizationDomainSsoDetailsData data, string obj = "organizationDomainSsoDetails")
+        : base(obj)
+    {
+        if (data == null)
+        {
+            throw new ArgumentNullException(nameof(data));
+        }
+
+        SsoAvailable = data.SsoAvailable;
+        DomainName = data.DomainName;
+        OrganizationIdentifier = data.OrganizationIdentifier;
+        SsoRequired = data.SsoRequired;
+        VerifiedDate = data.VerifiedDate;
+    }
+
+    public bool SsoAvailable { get; private set; }
+    public string DomainName { get; private set; }
+    public string OrganizationIdentifier { get; private set; }
+    public bool SsoRequired { get; private set; }
+    public DateTime? VerifiedDate { get; private set; }
+}

src/Api/Utilities/ExceptionHandlerFilterAttribute.cs

@@ -92,6 +92,11 @@ public class ExceptionHandlerFilterAttribute : ExceptionFilterAttribute
             errorMessage = "Unauthorized.";
             context.HttpContext.Response.StatusCode = 401;
         }
+        else if (exception is ConflictException)
+        {
+            errorMessage = exception.Message;
+            context.HttpContext.Response.StatusCode = 409;
+        }
         else if (exception is AggregateException aggregateException)
         {
             context.HttpContext.Response.StatusCode = 400;

src/Api/packages.lock.json

@@ -171,6 +171,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2798,6 +2806,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/Billing/packages.lock.json

@@ -160,6 +160,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -3249,6 +3257,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/Core/Core.csproj

@@ -27,6 +27,7 @@
     <PackageReference Include="Azure.Storage.Blobs" Version="12.14.1" />
     <PackageReference Include="Azure.Storage.Queues" Version="12.12.0" />
     <PackageReference Include="BitPay.Light" Version="1.0.1907" />
+    <PackageReference Include="DnsClient" Version="1.7.0" />
     <PackageReference Include="Fido2.AspNet" Version="3.0.1" />
     <PackageReference Include="Handlebars.Net" Version="2.1.2" />
     <PackageReference Include="IdentityServer4.AccessTokenValidation" Version="3.0.1" />

src/Core/Entities/Event.cs

@@ -28,6 +28,7 @@ public class Event : ITableObject<Guid>, IEvent
         IpAddress = e.IpAddress;
         ActingUserId = e.ActingUserId;
         SystemUser = e.SystemUser;
+        DomainName = e.DomainName;
     }
 
     public Guid Id { get; set; }
@@ -49,6 +50,8 @@ public class Event : ITableObject<Guid>, IEvent
     public string IpAddress { get; set; }
     public Guid? ActingUserId { get; set; }
     public EventSystemUser? SystemUser { get; set; }
+    public string DomainName { get; set; }
+
 
     public void SetNewId()
     {

src/Core/Entities/OrganizationDomain.cs

@@ -0,0 +1,48 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.Entities;
+
+public class OrganizationDomain : ITableObject<Guid>
+{
+    public Guid Id { get; set; }
+    public Guid OrganizationId { get; set; }
+    public string Txt { get; set; }
+    [MaxLength(255)]
+    public string DomainName { get; set; }
+    public DateTime CreationDate { get; set; } = DateTime.UtcNow;
+    public DateTime? VerifiedDate { get; private set; }
+    public DateTime NextRunDate { get; private set; }
+    public DateTime? LastCheckedDate { get; private set; }
+    public int JobRunCount { get; private set; }
+    public void SetNewId() => Id = CoreHelpers.GenerateComb();
+
+    public void SetNextRunDate(int interval)
+    {
+        //verification can take up to 72 hours
+        //1st job runs after 12hrs, 2nd after 24hrs and 3rd after 36hrs
+        NextRunDate = JobRunCount == 0
+            ? CreationDate.AddHours(interval)
+            : NextRunDate.AddHours((JobRunCount + 1) * interval);
+    }
+
+    public void SetJobRunCount()
+    {
+        if (JobRunCount == 3)
+        {
+            return;
+        }
+
+        JobRunCount++;
+    }
+
+    public void SetVerifiedDate()
+    {
+        VerifiedDate = DateTime.UtcNow;
+    }
+
+    public void SetLastCheckedDate()
+    {
+        LastCheckedDate = DateTime.UtcNow;
+    }
+}

src/Core/Enums/DeviceType.cs

@@ -48,4 +48,6 @@ public enum DeviceType : byte
     SafariExtension = 20,
     [Display(Name = "SDK")]
     SDK = 21,
+    [Display(Name = "Server")]
+    Server = 22
 }

src/Core/Enums/EventSystemUser.cs

@@ -2,5 +2,6 @@
 
 public enum EventSystemUser : byte
 {
-    SCIM = 1
+    SCIM = 1,
+    DomainVerification = 2
 }

src/Core/Enums/EventType.cs

@@ -75,4 +75,9 @@ public enum EventType : int
     ProviderOrganization_Added = 1901,
     ProviderOrganization_Removed = 1902,
     ProviderOrganization_VaultAccessed = 1903,
+
+    OrganizationDomain_Added = 1904,
+    OrganizationDomain_Removed = 1905,
+    OrganizationDomain_Verified = 1906,
+    OrganizationDomain_NotVerified = 1907
 }

src/Core/Exceptions/ConflictException.cs

@@ -1,3 +1,7 @@
 namespace Bit.Core.Exceptions;
 
-public class ConflictException : Exception { }
+public class ConflictException : Exception
+{
+    public ConflictException() : base("Conflict.") { }
+    public ConflictException(string message) : base(message) { }
+}

src/Core/Exceptions/DnsQueryException.cs

@@ -0,0 +1,7 @@
+namespace Bit.Core.Exceptions;
+
+public class DnsQueryException : Exception
+{
+    public DnsQueryException(string message)
+        : base(message) { }
+}

src/Core/Exceptions/DomainClaimedException.cs

@@ -0,0 +1,10 @@
+namespace Bit.Core.Exceptions;
+
+public class DomainClaimedException : Exception
+{
+    public DomainClaimedException()
+        : base("The domain is not available to be claimed.")
+    {
+
+    }
+}

src/Core/Exceptions/DomainVerifiedException.cs

@@ -0,0 +1,10 @@
+namespace Bit.Core.Exceptions;
+
+public class DomainVerifiedException : Exception
+{
+    public DomainVerifiedException()
+        : base("Domain has already been verified.")
+    {
+
+    }
+}

src/Core/Exceptions/DuplicateDomainException.cs

@@ -0,0 +1,10 @@
+namespace Bit.Core.Exceptions;
+
+public class DuplicateDomainException : Exception
+{
+    public DuplicateDomainException()
+        : base("A domain already exists for this organization.")
+    {
+
+    }
+}

src/Core/MailTemplates/Handlebars/OrganizationDomainUnverified.html.hbs

@@ -0,0 +1,27 @@
+{{#>FullHtmlLayout}}
+<table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+    <tr style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: left;" valign="top">
+            The domain {{DomainName}} in your Bitwarden organization could not be verified.
+        </td>
+    </tr>
+    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
+            Check the corresponding record in your domain host. Then reverify this domain in Bitwarden to use it for your organization.
+        </td>
+    </tr>
+    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
+            The domain will be removed from your organization in 7 days if it is not verified.
+        </td>
+    </tr>
+    <tr style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none; text-align: center;" valign="top" align="center">
+            <a href="{{{Url}}}" clicktracking=off target="_blank" style="color: #ffffff; text-decoration: none; text-align: center; cursor: pointer; display: inline-block; border-radius: 5px; background-color: #175DDC; border-color: #175DDC; border-style: solid; border-width: 10px 20px; margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
+                Manage Domains
+            </a>
+            <br style="margin: 0; box-sizing: border-box; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;" />
+        </td>
+    </tr>
+</table>
+{{/FullHtmlLayout}}

src/Core/MailTemplates/Handlebars/OrganizationDomainUnverified.text.hbs

@@ -0,0 +1,10 @@
+{{#>BasicTextLayout}}
+The domain {{DomainName}} in your Bitwarden organization could not be verified.
+
+Check the corresponding record in your domain host. Then reverify this domain in Bitwarden to use it for your organization.
+
+The domain will be removed from your organization in 7 days if it is not verified.
+
+{{Url}}
+
+{{/BasicTextLayout}}

src/Core/Models/Data/EventMessage.cs

@@ -32,4 +32,5 @@ public class EventMessage : IEvent
     public string IpAddress { get; set; }
     public Guid? IdempotencyId { get; private set; } = Guid.NewGuid();
     public EventSystemUser? SystemUser { get; set; }
+    public string DomainName { get; set; }
 }

src/Core/Models/Data/EventTableEntity.cs

@@ -27,6 +27,7 @@ public class EventTableEntity : TableEntity, IEvent
         IpAddress = e.IpAddress;
         ActingUserId = e.ActingUserId;
         SystemUser = e.SystemUser;
+        DomainName = e.DomainName;
     }
 
     public DateTime Date { get; set; }
@@ -46,6 +47,7 @@ public class EventTableEntity : TableEntity, IEvent
     public string IpAddress { get; set; }
     public Guid? ActingUserId { get; set; }
     public EventSystemUser? SystemUser { get; set; }
+    public string DomainName { get; set; }
 
     public override IDictionary<string, EntityProperty> WriteEntity(OperationContext operationContext)
     {

src/Core/Models/Data/IEvent.cs

@@ -21,4 +21,5 @@ public interface IEvent
     string IpAddress { get; set; }
     DateTime Date { get; set; }
     EventSystemUser? SystemUser { get; set; }
+    string DomainName { get; set; }
 }

src/Core/Models/Data/Organizations/OrganizationDomainSsoDetailsData.cs

@@ -0,0 +1,16 @@
+using Bit.Core.Enums;
+
+namespace Bit.Core.Models.Data.Organizations;
+
+public class OrganizationDomainSsoDetailsData
+{
+    public Guid OrganizationId { get; set; }
+    public string OrganizationName { get; set; }
+    public string DomainName { get; set; }
+    public bool SsoAvailable { get; set; }
+    public string OrganizationIdentifier { get; set; }
+    public bool SsoRequired { get; set; }
+    public PolicyType PolicyType { get; set; }
+    public DateTime? VerifiedDate { get; set; }
+    public bool OrganizationEnabled { get; set; }
+}

src/Core/Models/Data/Organizations/OrganizationUsers/OrganizationUserUserDetails.cs

@@ -68,4 +68,10 @@ public class OrganizationUserUserDetails : IExternal, ITwoFactorProvidersUser
             return Status != OrganizationUserStatusType.Revoked;
         }
     }
+
+    public Permissions GetPermissions()
+    {
+        return string.IsNullOrWhiteSpace(Permissions) ? null
+            : CoreHelpers.LoadClassFromJsonData<Permissions>(Permissions);
+    }
 }

src/Core/Models/Mail/OrganizationDomainUnverifiedViewModel.cs

@@ -0,0 +1,7 @@
+namespace Bit.Core.Models.Mail;
+
+public class OrganizationDomainUnverifiedViewModel
+{
+    public string Url { get; set; }
+    public string DomainName { get; set; }
+}

src/Core/OrganizationFeatures/OrganizationDomains/CreateOrganizationDomainCommand.cs

@@ -0,0 +1,76 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Settings;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains;
+
+public class CreateOrganizationDomainCommand : ICreateOrganizationDomainCommand
+{
+    private readonly IOrganizationDomainRepository _organizationDomainRepository;
+    private readonly IEventService _eventService;
+    private readonly IDnsResolverService _dnsResolverService;
+    private readonly ILogger<VerifyOrganizationDomainCommand> _logger;
+    private readonly IGlobalSettings _globalSettings;
+
+    public CreateOrganizationDomainCommand(
+        IOrganizationDomainRepository organizationDomainRepository,
+        IEventService eventService,
+        IDnsResolverService dnsResolverService,
+        ILogger<VerifyOrganizationDomainCommand> logger,
+        IGlobalSettings globalSettings)
+    {
+        _organizationDomainRepository = organizationDomainRepository;
+        _eventService = eventService;
+        _dnsResolverService = dnsResolverService;
+        _logger = logger;
+        _globalSettings = globalSettings;
+    }
+
+    public async Task<OrganizationDomain> CreateAsync(OrganizationDomain organizationDomain)
+    {
+        //Domains claimed and verified by an organization cannot be claimed
+        var claimedDomain =
+            await _organizationDomainRepository.GetClaimedDomainsByDomainNameAsync(organizationDomain.DomainName);
+        if (claimedDomain.Any())
+        {
+            throw new ConflictException("The domain is not available to be claimed.");
+        }
+
+        //check for duplicate domain entry for an organization
+        var duplicateOrgDomain =
+            await _organizationDomainRepository.GetDomainByOrgIdAndDomainNameAsync(organizationDomain.OrganizationId,
+                organizationDomain.DomainName);
+        if (duplicateOrgDomain is not null)
+        {
+            throw new ConflictException("A domain already exists for this organization.");
+        }
+
+        try
+        {
+            if (await _dnsResolverService.ResolveAsync(organizationDomain.DomainName, organizationDomain.Txt))
+            {
+                organizationDomain.SetVerifiedDate();
+            }
+        }
+        catch (Exception e)
+        {
+            _logger.LogError("Error verifying Organization domain.", e);
+        }
+
+        organizationDomain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
+        organizationDomain.SetLastCheckedDate();
+
+        var orgDomain = await _organizationDomainRepository.CreateAsync(organizationDomain);
+
+        await _eventService.LogOrganizationDomainEventAsync(orgDomain, EventType.OrganizationDomain_Added);
+        await _eventService.LogOrganizationDomainEventAsync(orgDomain,
+            orgDomain.VerifiedDate != null ? EventType.OrganizationDomain_Verified : EventType.OrganizationDomain_NotVerified);
+
+        return orgDomain;
+    }
+}

src/Core/OrganizationFeatures/OrganizationDomains/DeleteOrganizationDomainCommand.cs

@@ -0,0 +1,32 @@
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains;
+
+public class DeleteOrganizationDomainCommand : IDeleteOrganizationDomainCommand
+{
+    private readonly IOrganizationDomainRepository _organizationDomainRepository;
+    private readonly IEventService _eventService;
+
+    public DeleteOrganizationDomainCommand(IOrganizationDomainRepository organizationDomainRepository,
+        IEventService eventService)
+    {
+        _organizationDomainRepository = organizationDomainRepository;
+        _eventService = eventService;
+    }
+
+    public async Task DeleteAsync(Guid id)
+    {
+        var domain = await _organizationDomainRepository.GetByIdAsync(id);
+        if (domain is null)
+        {
+            throw new NotFoundException();
+        }
+
+        await _organizationDomainRepository.DeleteAsync(domain);
+        await _eventService.LogOrganizationDomainEventAsync(domain, EventType.OrganizationDomain_Removed);
+    }
+}

src/Core/OrganizationFeatures/OrganizationDomains/GetOrganizationDomainByIdQuery.cs

@@ -0,0 +1,18 @@
+using Bit.Core.Entities;
+using Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains;
+
+public class GetOrganizationDomainByIdQuery : IGetOrganizationDomainByIdQuery
+{
+    private readonly IOrganizationDomainRepository _organizationDomainRepository;
+
+    public GetOrganizationDomainByIdQuery(IOrganizationDomainRepository organizationDomainRepository)
+    {
+        _organizationDomainRepository = organizationDomainRepository;
+    }
+
+    public async Task<OrganizationDomain> GetOrganizationDomainById(Guid id)
+        => await _organizationDomainRepository.GetByIdAsync(id);
+}

src/Core/OrganizationFeatures/OrganizationDomains/GetOrganizationDomainByOrganizationIdQuery.cs

@@ -0,0 +1,18 @@
+using Bit.Core.Entities;
+using Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains;
+
+public class GetOrganizationDomainByOrganizationIdQuery : IGetOrganizationDomainByOrganizationIdQuery
+{
+    private readonly IOrganizationDomainRepository _organizationDomainRepository;
+
+    public GetOrganizationDomainByOrganizationIdQuery(IOrganizationDomainRepository organizationDomainRepository)
+    {
+        _organizationDomainRepository = organizationDomainRepository;
+    }
+
+    public async Task<ICollection<OrganizationDomain>> GetDomainsByOrganizationId(Guid orgId)
+        => await _organizationDomainRepository.GetDomainsByOrganizationIdAsync(orgId);
+}

src/Core/OrganizationFeatures/OrganizationDomains/Interfaces/ICreateOrganizationDomainCommand.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+
+public interface ICreateOrganizationDomainCommand
+{
+    Task<OrganizationDomain> CreateAsync(OrganizationDomain organizationDomain);
+}

src/Core/OrganizationFeatures/OrganizationDomains/Interfaces/IDeleteOrganizationDomainCommand.cs

@@ -0,0 +1,6 @@
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+
+public interface IDeleteOrganizationDomainCommand
+{
+    Task DeleteAsync(Guid id);
+}

src/Core/OrganizationFeatures/OrganizationDomains/Interfaces/IGetOrganizationDomainByIdQuery.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+
+public interface IGetOrganizationDomainByIdQuery
+{
+    Task<OrganizationDomain> GetOrganizationDomainById(Guid id);
+}

src/Core/OrganizationFeatures/OrganizationDomains/Interfaces/IGetOrganizationDomainByOrganizationIdQuery.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+
+public interface IGetOrganizationDomainByOrganizationIdQuery
+{
+    Task<ICollection<OrganizationDomain>> GetDomainsByOrganizationId(Guid orgId);
+}

src/Core/OrganizationFeatures/OrganizationDomains/Interfaces/IVerifyOrganizationDomainCommand.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+
+public interface IVerifyOrganizationDomainCommand
+{
+    Task<OrganizationDomain> VerifyOrganizationDomain(Guid id);
+}

src/Core/OrganizationFeatures/OrganizationDomains/VerifyOrganizationDomainCommand.cs

@@ -0,0 +1,73 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.OrganizationFeatures.OrganizationDomains;
+
+public class VerifyOrganizationDomainCommand : IVerifyOrganizationDomainCommand
+{
+    private readonly IOrganizationDomainRepository _organizationDomainRepository;
+    private readonly IDnsResolverService _dnsResolverService;
+    private readonly IEventService _eventService;
+    private readonly ILogger<VerifyOrganizationDomainCommand> _logger;
+
+    public VerifyOrganizationDomainCommand(
+        IOrganizationDomainRepository organizationDomainRepository,
+        IDnsResolverService dnsResolverService,
+        IEventService eventService,
+        ILogger<VerifyOrganizationDomainCommand> logger)
+    {
+        _organizationDomainRepository = organizationDomainRepository;
+        _dnsResolverService = dnsResolverService;
+        _eventService = eventService;
+        _logger = logger;
+    }
+
+    public async Task<OrganizationDomain> VerifyOrganizationDomain(Guid id)
+    {
+        var domain = await _organizationDomainRepository.GetByIdAsync(id);
+        if (domain is null)
+        {
+            throw new NotFoundException();
+        }
+
+        if (domain.VerifiedDate is not null)
+        {
+            domain.SetLastCheckedDate();
+            await _organizationDomainRepository.ReplaceAsync(domain);
+            throw new ConflictException("Domain has already been verified.");
+        }
+
+        var claimedDomain =
+            await _organizationDomainRepository.GetClaimedDomainsByDomainNameAsync(domain.DomainName);
+        if (claimedDomain.Any())
+        {
+            domain.SetLastCheckedDate();
+            await _organizationDomainRepository.ReplaceAsync(domain);
+            throw new ConflictException("The domain is not available to be claimed.");
+        }
+
+        try
+        {
+            if (await _dnsResolverService.ResolveAsync(domain.DomainName, domain.Txt))
+            {
+                domain.SetVerifiedDate();
+            }
+        }
+        catch (Exception e)
+        {
+            _logger.LogError("Error verifying Organization domain. {errorMessage}", e.Message);
+        }
+
+        domain.SetLastCheckedDate();
+        await _organizationDomainRepository.ReplaceAsync(domain);
+
+        await _eventService.LogOrganizationDomainEventAsync(domain,
+            domain.VerifiedDate != null ? EventType.OrganizationDomain_Verified : EventType.OrganizationDomain_NotVerified);
+        return domain;
+    }
+}

src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs

@@ -7,6 +7,8 @@ using Bit.Core.OrganizationFeatures.OrganizationCollections;
 using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
 using Bit.Core.OrganizationFeatures.OrganizationConnections;
 using Bit.Core.OrganizationFeatures.OrganizationConnections.Interfaces;
+using Bit.Core.OrganizationFeatures.OrganizationDomains;
+using Bit.Core.OrganizationFeatures.OrganizationDomains.Interfaces;
 using Bit.Core.OrganizationFeatures.OrganizationLicenses;
 using Bit.Core.OrganizationFeatures.OrganizationLicenses.Interfaces;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise;
@@ -35,6 +37,7 @@ public static class OrganizationServiceCollectionExtensions
         services.AddOrganizationCollectionCommands();
         services.AddOrganizationGroupCommands();
         services.AddOrganizationLicenseCommandQueries();
+        services.AddOrganizationDomainCommandsQueries();
     }
 
     private static void AddOrganizationConnectionCommands(this IServiceCollection services)
@@ -94,6 +97,15 @@ public static class OrganizationServiceCollectionExtensions
         services.AddScoped<ISelfHostedGetOrganizationLicenseQuery, SelfHostedGetOrganizationLicenseQuery>();
     }
 
+    private static void AddOrganizationDomainCommandsQueries(this IServiceCollection services)
+    {
+        services.AddScoped<ICreateOrganizationDomainCommand, CreateOrganizationDomainCommand>();
+        services.AddScoped<IVerifyOrganizationDomainCommand, VerifyOrganizationDomainCommand>();
+        services.AddScoped<IGetOrganizationDomainByIdQuery, GetOrganizationDomainByIdQuery>();
+        services.AddScoped<IGetOrganizationDomainByOrganizationIdQuery, GetOrganizationDomainByOrganizationIdQuery>();
+        services.AddScoped<IDeleteOrganizationDomainCommand, DeleteOrganizationDomainCommand>();
+    }
+
     private static void AddTokenizers(this IServiceCollection services)
     {
         services.AddSingleton<IDataProtectorTokenFactory<OrganizationSponsorshipOfferTokenable>>(serviceProvider =>

src/Core/Repositories/IOrganizationDomainRepository.cs

@@ -0,0 +1,15 @@
+using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations;
+
+namespace Bit.Core.Repositories;
+
+public interface IOrganizationDomainRepository : IRepository<OrganizationDomain, Guid>
+{
+    Task<ICollection<OrganizationDomain>> GetClaimedDomainsByDomainNameAsync(string domainName);
+    Task<ICollection<OrganizationDomain>> GetDomainsByOrganizationIdAsync(Guid orgId);
+    Task<ICollection<OrganizationDomain>> GetManyByNextRunDateAsync(DateTime date);
+    Task<OrganizationDomainSsoDetailsData> GetOrganizationDomainSsoDetailsAsync(string email);
+    Task<OrganizationDomain> GetDomainByOrgIdAndDomainNameAsync(Guid orgId, string domainName);
+    Task<ICollection<OrganizationDomain>> GetExpiredOrganizationDomainsAsync();
+    Task<bool> DeleteExpiredAsync(int expirationPeriod);
+}

src/Core/Services/IDnsResolverService.cs

@@ -0,0 +1,6 @@
+namespace Bit.Core.Services;
+
+public interface IDnsResolverService
+{
+    Task<bool> ResolveAsync(string domain, string txtRecord, CancellationToken cancellationToken = default);
+}

src/Core/Services/IEventService.cs

@@ -23,4 +23,6 @@ public interface IEventService
     Task LogProviderUserEventAsync(ProviderUser providerUser, EventType type, DateTime? date = null);
     Task LogProviderUsersEventAsync(IEnumerable<(ProviderUser, EventType, DateTime?)> events);
     Task LogProviderOrganizationEventAsync(ProviderOrganization providerOrganization, EventType type, DateTime? date = null);
+    Task LogOrganizationDomainEventAsync(OrganizationDomain organizationDomain, EventType type, DateTime? date = null);
+    Task LogOrganizationDomainEventAsync(OrganizationDomain organizationDomain, EventType type, EventSystemUser systemUser, DateTime? date = null);
 }

src/Core/Services/IMailService.cs

@@ -54,4 +54,5 @@ public interface IMailService
     Task SendOTPEmailAsync(string email, string token);
     Task SendFailedLoginAttemptsEmailAsync(string email, DateTime utcNow, string ip);
     Task SendFailedTwoFactorAttemptsEmailAsync(string email, DateTime utcNow, string ip);
+    Task SendUnverifiedOrganizationDomainEmailAsync(IEnumerable<string> adminEmails, string organizationId, string domainName);
 }

src/Core/Services/IOrganizationDomainService.cs

@@ -0,0 +1,7 @@
+namespace Bit.Core.Services;
+
+public interface IOrganizationDomainService
+{
+    Task ValidateOrganizationsDomainAsync();
+    Task OrganizationDomainMaintenanceAsync();
+}

src/Core/Services/Implementations/DnsResolverService.cs

@@ -0,0 +1,21 @@
+using Bit.Core.Exceptions;
+using DnsClient;
+
+namespace Bit.Core.Services;
+
+public class DnsResolverService : IDnsResolverService
+{
+    public async Task<bool> ResolveAsync(string domain, string txtRecord, CancellationToken cancellationToken = default)
+    {
+        var lookup = new LookupClient();
+        var result = await lookup.QueryAsync(new DnsQuestion(domain, QueryType.TXT), cancellationToken);
+        if (!result.HasError)
+        {
+            return result.Answers.TxtRecords()
+                .Select(t => t?.EscapedText?.FirstOrDefault())
+                .Any(t => t == txtRecord);
+        }
+
+        throw new DnsQueryException(result.ErrorMessage);
+    }
+}

src/Core/Services/Implementations/EventService.cs

@@ -181,7 +181,7 @@ public class EventService : IEventService
                 continue;
             }
 
-            eventMessages.Add(new EventMessage(_currentContext)
+            var e = new EventMessage(_currentContext)
             {
                 OrganizationId = group.OrganizationId,
                 GroupId = group.Id,
@@ -190,12 +190,20 @@ public class EventService : IEventService
                 ProviderId = await GetProviderIdAsync(group.OrganizationId),
                 SystemUser = systemUser,
                 Date = date.GetValueOrDefault(DateTime.UtcNow)
-            });
+            };
+
+            if (systemUser is EventSystemUser.SCIM)
+            {
+                // System user only used for SCIM logs in this method
+                // and we want event logs to report server instead of unknown
+                e.DeviceType = DeviceType.Server;
+            }
+
+            eventMessages.Add(e);
         }
         await _eventWriteService.CreateManyAsync(eventMessages);
     }
 
-
     public async Task LogPolicyEventAsync(Policy policy, EventType type, DateTime? date = null)
     {
         var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
@@ -247,7 +255,7 @@ public class EventService : IEventService
                 continue;
             }
 
-            eventMessages.Add(new EventMessage(_currentContext)
+            var e = new EventMessage(_currentContext)
             {
                 OrganizationId = organizationUser.OrganizationId,
                 UserId = organizationUser.UserId,
@@ -257,7 +265,16 @@ public class EventService : IEventService
                 ActingUserId = _currentContext?.UserId,
                 Date = date.GetValueOrDefault(DateTime.UtcNow),
                 SystemUser = systemUser
-            });
+            };
+
+            if (systemUser is EventSystemUser.SCIM)
+            {
+                // System user only used for SCIM logs in this method
+                // and we want event logs to report server instead of unknown
+                e.DeviceType = DeviceType.Server;
+            }
+
+            eventMessages.Add(e);
         }
 
         await _eventWriteService.CreateManyAsync(eventMessages);
@@ -331,6 +348,49 @@ public class EventService : IEventService
         await _eventWriteService.CreateAsync(e);
     }
 
+    public async Task LogOrganizationDomainEventAsync(OrganizationDomain organizationDomain, EventType type,
+        DateTime? date = null)
+    {
+        var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
+        if (!CanUseEvents(orgAbilities, organizationDomain.OrganizationId))
+        {
+            return;
+        }
+
+        var e = new EventMessage(_currentContext)
+        {
+            OrganizationId = organizationDomain.OrganizationId,
+            Type = type,
+            ActingUserId = _currentContext?.UserId,
+            DomainName = organizationDomain.DomainName,
+            Date = date.GetValueOrDefault(DateTime.UtcNow)
+        };
+        await _eventWriteService.CreateAsync(e);
+    }
+
+    public async Task LogOrganizationDomainEventAsync(OrganizationDomain organizationDomain, EventType type,
+        EventSystemUser systemUser,
+        DateTime? date = null)
+    {
+        var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync();
+        if (!CanUseEvents(orgAbilities, organizationDomain.OrganizationId))
+        {
+            return;
+        }
+
+        var e = new EventMessage(_currentContext)
+        {
+            OrganizationId = organizationDomain.OrganizationId,
+            Type = type,
+            ActingUserId = _currentContext?.UserId,
+            DomainName = organizationDomain.DomainName,
+            SystemUser = systemUser,
+            Date = date.GetValueOrDefault(DateTime.UtcNow),
+            DeviceType = DeviceType.Server
+        };
+        await _eventWriteService.CreateAsync(e);
+    }
+
     private async Task<Guid?> GetProviderIdAsync(Guid? orgId)
     {
         if (_currentContext == null || !orgId.HasValue)
@@ -360,6 +420,6 @@ public class EventService : IEventService
     private bool CanUseProviderEvents(IDictionary<Guid, ProviderAbility> providerAbilities, Guid providerId)
     {
         return providerAbilities != null && providerAbilities.ContainsKey(providerId) &&
-               providerAbilities[providerId].Enabled && providerAbilities[providerId].UseEvents;
+                providerAbilities[providerId].Enabled && providerAbilities[providerId].UseEvents;
     }
 }

src/Core/Services/Implementations/HandlebarsMailService.cs

@@ -881,6 +881,19 @@ public class HandlebarsMailService : IMailService
         await _mailDeliveryService.SendEmailAsync(message);
     }
 
+    public async Task SendUnverifiedOrganizationDomainEmailAsync(IEnumerable<string> adminEmails, string organizationId, string domainName)
+    {
+        var message = CreateDefaultMessage("Domain not verified", adminEmails);
+        var model = new OrganizationDomainUnverifiedViewModel
+        {
+            Url = $"{_globalSettings.BaseServiceUri.VaultWithHash}/organizations/{organizationId}/settings/domain-verification",
+            DomainName = domainName
+        };
+        await AddMessageContentAsync(message, "OrganizationDomainUnverified", model);
+        message.Category = "UnverifiedOrganizationDomain";
+        await _mailDeliveryService.SendEmailAsync(message);
+    }
+
     private static string GetUserIdentifier(string email, string userName)
     {
         return string.IsNullOrEmpty(userName) ? email : CoreHelpers.SanitizeForEmail(userName, false);

src/Core/Services/Implementations/OrganizationDomainService.cs

@@ -0,0 +1,139 @@
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Settings;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.Services;
+
+public class OrganizationDomainService : IOrganizationDomainService
+{
+    private readonly IOrganizationDomainRepository _domainRepository;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IDnsResolverService _dnsResolverService;
+    private readonly IEventService _eventService;
+    private readonly IMailService _mailService;
+    private readonly ILogger<OrganizationDomainService> _logger;
+    private readonly IGlobalSettings _globalSettings;
+
+    public OrganizationDomainService(
+        IOrganizationDomainRepository domainRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IDnsResolverService dnsResolverService,
+        IEventService eventService,
+        IMailService mailService,
+        ILogger<OrganizationDomainService> logger,
+        IGlobalSettings globalSettings)
+    {
+        _domainRepository = domainRepository;
+        _organizationUserRepository = organizationUserRepository;
+        _dnsResolverService = dnsResolverService;
+        _eventService = eventService;
+        _mailService = mailService;
+        _logger = logger;
+        _globalSettings = globalSettings;
+    }
+
+    public async Task ValidateOrganizationsDomainAsync()
+    {
+        //Date should be set 1 hour behind to ensure it selects all domains that should be verified
+        var runDate = DateTime.UtcNow.AddHours(-1);
+
+        var verifiableDomains = await _domainRepository.GetManyByNextRunDateAsync(runDate);
+
+        _logger.LogInformation(Constants.BypassFiltersEventId, "Validating {verifiableDomainsCount} domains.", verifiableDomains.Count);
+
+        foreach (var domain in verifiableDomains)
+        {
+            try
+            {
+                _logger.LogInformation(Constants.BypassFiltersEventId, "Attempting verification for organization {OrgId} with domain {Domain}", domain.OrganizationId, domain.DomainName);
+
+                var status = await _dnsResolverService.ResolveAsync(domain.DomainName, domain.Txt);
+                if (status)
+                {
+                    _logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");
+
+                    //update entry on OrganizationDomain table 
+                    domain.SetLastCheckedDate();
+                    domain.SetVerifiedDate();
+                    domain.SetJobRunCount();
+                    await _domainRepository.ReplaceAsync(domain);
+
+                    await _eventService.LogOrganizationDomainEventAsync(domain, EventType.OrganizationDomain_Verified,
+                        EventSystemUser.DomainVerification);
+                }
+                else
+                {
+                    //update entry on OrganizationDomain table 
+                    domain.SetLastCheckedDate();
+                    domain.SetJobRunCount();
+                    domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
+                    await _domainRepository.ReplaceAsync(domain);
+
+                    await _eventService.LogOrganizationDomainEventAsync(domain, EventType.OrganizationDomain_NotVerified,
+                        EventSystemUser.DomainVerification);
+                    _logger.LogInformation(Constants.BypassFiltersEventId, "Verification for organization {OrgId} with domain {Domain} failed",
+                        domain.OrganizationId, domain.DomainName);
+                }
+            }
+            catch (Exception ex)
+            {
+                //update entry on OrganizationDomain table 
+                domain.SetLastCheckedDate();
+                domain.SetJobRunCount();
+                domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
+                await _domainRepository.ReplaceAsync(domain);
+
+                await _eventService.LogOrganizationDomainEventAsync(domain, EventType.OrganizationDomain_NotVerified,
+                    EventSystemUser.DomainVerification);
+
+                _logger.LogError(ex, "Verification for organization {OrgId} with domain {Domain} threw an exception: {errorMessage}",
+                    domain.OrganizationId, domain.DomainName, ex.Message);
+            }
+        }
+    }
+
+    public async Task OrganizationDomainMaintenanceAsync()
+    {
+        try
+        {
+            //Get domains that have not been verified within 72 hours
+            var expiredDomains = await _domainRepository.GetExpiredOrganizationDomainsAsync();
+
+            _logger.LogInformation(Constants.BypassFiltersEventId,
+                "Attempting email reminder for {expiredDomainCount} expired domains.", expiredDomains.Count);
+
+            foreach (var domain in expiredDomains)
+            {
+                //get admin emails of organization
+                var adminEmails = await GetAdminEmailsAsync(domain.OrganizationId);
+
+                //Send email to administrators
+                if (adminEmails.Count > 0)
+                {
+                    await _mailService.SendUnverifiedOrganizationDomainEmailAsync(adminEmails,
+                        domain.OrganizationId.ToString(), domain.DomainName);
+                }
+
+                _logger.LogInformation(Constants.BypassFiltersEventId, "Expired domain: {domainName}", domain.DomainName);
+            }
+            //delete domains that have not been verified within 7 days 
+            var status = await _domainRepository.DeleteExpiredAsync(_globalSettings.DomainVerification.ExpirationPeriod);
+            _logger.LogInformation(Constants.BypassFiltersEventId, "Delete status {status}", status);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Organization domain maintenance failed");
+        }
+    }
+
+    private async Task<List<string>> GetAdminEmailsAsync(Guid organizationId)
+    {
+        var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
+        var emailList = orgUsers.Where(o => o.Type <= OrganizationUserType.Admin
+                                        || o.GetPermissions()?.ManageSso == true)
+            .Select(a => a.Email).Distinct().ToList();
+
+        return emailList;
+    }
+}

src/Core/Services/NoopImplementations/NoopEventService.cs

@@ -68,6 +68,19 @@ public class NoopEventService : IEventService
         return Task.FromResult(0);
     }
 
+    public Task LogOrganizationDomainEventAsync(OrganizationDomain organizationDomain, EventType type,
+        DateTime? date = null)
+    {
+        return Task.FromResult(0);
+    }
+
+    public Task LogOrganizationDomainEventAsync(OrganizationDomain organizationDomain, EventType type,
+        EventSystemUser systemUser,
+        DateTime? date = null)
+    {
+        return Task.FromResult(0);
+    }
+
     public Task LogOrganizationUserEventAsync(OrganizationUser organizationUser, EventType type, DateTime? date = null)
     {
         return Task.FromResult(0);

src/Core/Services/NoopImplementations/NoopMailService.cs

@@ -237,4 +237,9 @@ public class NoopMailService : IMailService
     {
         return Task.FromResult(0);
     }
+
+    public Task SendUnverifiedOrganizationDomainEmailAsync(IEnumerable<string> adminEmails, string organizationId, string domainName)
+    {
+        return Task.FromResult(0);
+    }
 }

src/Core/Settings/GlobalSettings.cs

@@ -77,6 +77,7 @@ public class GlobalSettings : IGlobalSettings
     public virtual DistributedIpRateLimitingSettings DistributedIpRateLimiting { get; set; } =
         new DistributedIpRateLimitingSettings();
     public virtual IPasswordlessAuthSettings PasswordlessAuth { get; set; } = new PasswordlessAuthSettings();
+    public virtual IDomainVerificationSettings DomainVerification { get; set; } = new DomainVerificationSettings();
 
     public string BuildExternalUri(string explicitValue, string name)
     {
@@ -537,4 +538,10 @@ public class GlobalSettings : IGlobalSettings
     {
         public bool KnownDevicesOnly { get; set; } = true;
     }
+
+    public class DomainVerificationSettings : IDomainVerificationSettings
+    {
+        public int VerificationInterval { get; set; } = 12;
+        public int ExpirationPeriod { get; set; } = 7;
+    }
 }

src/Core/Settings/IDomainVerificationSettings.cs

@@ -0,0 +1,7 @@
+namespace Bit.Core.Settings;
+
+public interface IDomainVerificationSettings
+{
+    public int VerificationInterval { get; set; }
+    public int ExpirationPeriod { get; set; }
+}

src/Core/Settings/IGlobalSettings.cs

@@ -17,4 +17,5 @@ public interface IGlobalSettings
     ISsoSettings Sso { get; set; }
     ILogLevelSettings MinLogLevel { get; set; }
     IPasswordlessAuthSettings PasswordlessAuth { get; set; }
+    IDomainVerificationSettings DomainVerification { get; set; }
 }

src/Core/packages.lock.json

@@ -93,6 +93,15 @@
           "System.Xml.XPath.XmlDocument": "4.3.0"
         }
       },
+      "DnsClient": {
+        "type": "Direct",
+        "requested": "[1.7.0, )",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2.AspNet": {
         "type": "Direct",
         "requested": "[3.0.1, )",

src/Events/packages.lock.json

@@ -148,6 +148,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2730,6 +2738,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/EventsProcessor/packages.lock.json

@@ -148,6 +148,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2730,6 +2738,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/Icons/packages.lock.json

@@ -158,6 +158,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2740,6 +2748,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/Identity/packages.lock.json

@@ -157,6 +157,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2752,6 +2760,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/Infrastructure.Dapper/DapperServiceCollectionExtensions.cs

@@ -38,6 +38,7 @@ public static class DapperServiceCollectionExtensions
         services.AddSingleton<ITaxRateRepository, TaxRateRepository>();
         services.AddSingleton<ITransactionRepository, TransactionRepository>();
         services.AddSingleton<IUserRepository, UserRepository>();
+        services.AddSingleton<IOrganizationDomainRepository, OrganizationDomainRepository>();
 
         if (selfHosted)
         {

src/Infrastructure.Dapper/Repositories/OrganizationDomainRepository.cs

@@ -0,0 +1,110 @@
+using System.Data;
+using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Repositories;
+using Bit.Core.Settings;
+using Dapper;
+using Microsoft.Data.SqlClient;
+
+namespace Bit.Infrastructure.Dapper.Repositories;
+
+public class OrganizationDomainRepository : Repository<OrganizationDomain, Guid>, IOrganizationDomainRepository
+{
+    public OrganizationDomainRepository(GlobalSettings globalSettings)
+        : this(globalSettings.SqlServer.ConnectionString, globalSettings.SqlServer.ReadOnlyConnectionString)
+    { }
+
+    public OrganizationDomainRepository(string connectionString, string readOnlyConnectionString)
+        : base(connectionString, readOnlyConnectionString)
+    { }
+
+    public async Task<ICollection<OrganizationDomain>> GetClaimedDomainsByDomainNameAsync(string domainName)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationDomain>(
+                $"[{Schema}].[OrganizationDomain_ReadByClaimedDomain]",
+                new { DomainName = domainName },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
+
+    public async Task<ICollection<OrganizationDomain>> GetDomainsByOrganizationIdAsync(Guid orgId)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationDomain>(
+                $"[{Schema}].[OrganizationDomain_ReadByOrganizationId]",
+                new { OrganizationId = orgId },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
+
+    public async Task<ICollection<OrganizationDomain>> GetManyByNextRunDateAsync(DateTime date)
+    {
+        using var connection = new SqlConnection(ConnectionString);
+        var results = await connection.QueryAsync<OrganizationDomain>(
+            $"[{Schema}].[OrganizationDomain_ReadByNextRunDate]",
+            new { Date = date }, commandType: CommandType.StoredProcedure
+        );
+
+        return results.ToList();
+    }
+
+    public async Task<OrganizationDomainSsoDetailsData> GetOrganizationDomainSsoDetailsAsync(string email)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection
+                .QueryAsync<OrganizationDomainSsoDetailsData>(
+                    $"[{Schema}].[OrganizationDomainSsoDetails_ReadByEmail]",
+                    new { Email = email },
+                    commandType: CommandType.StoredProcedure);
+
+            return results.SingleOrDefault();
+        }
+    }
+
+    public async Task<OrganizationDomain> GetDomainByOrgIdAndDomainNameAsync(Guid orgId, string domainName)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection
+                .QueryAsync<OrganizationDomain>(
+                    $"[{Schema}].[OrganizationDomain_ReadDomainByOrgIdAndDomainName]",
+                    new { OrganizationId = orgId, DomainName = domainName },
+                    commandType: CommandType.StoredProcedure);
+
+            return results.SingleOrDefault();
+        }
+    }
+
+    public async Task<ICollection<OrganizationDomain>> GetExpiredOrganizationDomainsAsync()
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection
+                .QueryAsync<OrganizationDomain>(
+                    $"[{Schema}].[OrganizationDomain_ReadIfExpired]",
+                    null,
+                    commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
+
+    public async Task<bool> DeleteExpiredAsync(int expirationPeriod)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            return await connection.ExecuteAsync(
+                $"[{Schema}].[OrganizationDomain_DeleteIfExpired]",
+                new { ExpirationPeriod = expirationPeriod },
+                commandType: CommandType.StoredProcedure) > 0;
+        }
+    }
+}

src/Infrastructure.Dapper/packages.lock.json

@@ -132,6 +132,14 @@
           "System.Xml.XPath.XmlDocument": "4.3.0"
         }
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2559,6 +2567,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/Infrastructure.EntityFramework/EntityFrameworkServiceCollectionExtensions.cs

@@ -73,6 +73,7 @@ public static class EntityFrameworkServiceCollectionExtensions
         services.AddSingleton<ITaxRateRepository, TaxRateRepository>();
         services.AddSingleton<ITransactionRepository, TransactionRepository>();
         services.AddSingleton<IUserRepository, UserRepository>();
+        services.AddSingleton<IOrganizationDomainRepository, OrganizationDomainRepository>();
 
         if (selfHosted)
         {

src/Infrastructure.EntityFramework/Models/Organization.cs

@@ -13,6 +13,7 @@ public class Organization : Core.Entities.Organization
     public virtual ICollection<Transaction> Transactions { get; set; }
     public virtual ICollection<OrganizationApiKey> ApiKeys { get; set; }
     public virtual ICollection<OrganizationConnection> Connections { get; set; }
+    public virtual ICollection<OrganizationDomain> Domains { get; set; }
 }
 
 public class OrganizationMapperProfile : Profile

src/Infrastructure.EntityFramework/Models/OrganizationDomain.cs

@@ -0,0 +1,16 @@
+using AutoMapper;
+
+namespace Bit.Infrastructure.EntityFramework.Models;
+
+public class OrganizationDomain : Core.Entities.OrganizationDomain
+{
+    public virtual Organization Organization { get; set; }
+}
+
+public class OrganizationDomainMapperProfile : Profile
+{
+    public OrganizationDomainMapperProfile()
+    {
+        CreateMap<Core.Entities.OrganizationDomain, OrganizationDomain>().ReverseMap();
+    }
+}

src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs

@@ -56,6 +56,7 @@ public class DatabaseContext : DbContext
     public DbSet<Transaction> Transactions { get; set; }
     public DbSet<User> Users { get; set; }
     public DbSet<AuthRequest> AuthRequests { get; set; }
+    public DbSet<OrganizationDomain> OrganizationDomains { get; set; }
 
     protected override void OnModelCreating(ModelBuilder builder)
     {
@@ -95,6 +96,7 @@ public class DatabaseContext : DbContext
         var eOrganizationApiKey = builder.Entity<OrganizationApiKey>();
         var eOrganizationConnection = builder.Entity<OrganizationConnection>();
         var eAuthRequest = builder.Entity<AuthRequest>();
+        var eOrganizationDomain = builder.Entity<OrganizationDomain>();
 
         eCipher.Property(c => c.Id).ValueGeneratedNever();
         eCollection.Property(c => c.Id).ValueGeneratedNever();
@@ -116,6 +118,7 @@ public class DatabaseContext : DbContext
         eOrganizationApiKey.Property(c => c.Id).ValueGeneratedNever();
         eOrganizationConnection.Property(c => c.Id).ValueGeneratedNever();
         eAuthRequest.Property(ar => ar.Id).ValueGeneratedNever();
+        eOrganizationDomain.Property(ar => ar.Id).ValueGeneratedNever();
 
         eCollectionCipher.HasKey(cc => new { cc.CollectionId, cc.CipherId });
         eCollectionUser.HasKey(cu => new { cu.CollectionId, cu.OrganizationUserId });
@@ -167,6 +170,7 @@ public class DatabaseContext : DbContext
         eOrganizationApiKey.ToTable(nameof(OrganizationApiKey));
         eOrganizationConnection.ToTable(nameof(OrganizationConnection));
         eAuthRequest.ToTable(nameof(AuthRequest));
+        eOrganizationDomain.ToTable(nameof(OrganizationDomain));
 
         ConfigureDateTimeUtcQueries(builder);
     }

src/Infrastructure.EntityFramework/Repositories/OrganizationDomainRepository.cs

@@ -0,0 +1,147 @@
+using System.Net.Mail;
+using AutoMapper;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Repositories;
+using Bit.Infrastructure.EntityFramework.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Infrastructure.EntityFramework.Repositories;
+
+public class OrganizationDomainRepository : Repository<Core.Entities.OrganizationDomain, OrganizationDomain, Guid>, IOrganizationDomainRepository
+{
+    public OrganizationDomainRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
+        : base(serviceScopeFactory, mapper, (DatabaseContext context) => context.OrganizationDomains)
+    {
+    }
+
+    public async Task<ICollection<Core.Entities.OrganizationDomain>> GetClaimedDomainsByDomainNameAsync(
+        string domainName)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var claimedDomains = await dbContext.OrganizationDomains
+            .Where(x => x.DomainName == domainName
+                        && x.VerifiedDate != null)
+            .AsNoTracking()
+            .ToListAsync();
+        return Mapper.Map<List<Core.Entities.OrganizationDomain>>(claimedDomains);
+    }
+
+    public async Task<ICollection<Core.Entities.OrganizationDomain>> GetDomainsByOrganizationIdAsync(Guid orgId)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var domains = await dbContext.OrganizationDomains
+            .Where(x => x.OrganizationId == orgId)
+            .AsNoTracking()
+            .ToListAsync();
+        return Mapper.Map<List<Core.Entities.OrganizationDomain>>(domains);
+    }
+
+    public async Task<ICollection<Core.Entities.OrganizationDomain>> GetManyByNextRunDateAsync(DateTime date)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        var domains = await dbContext.OrganizationDomains
+            .Where(x => x.VerifiedDate == null
+                        && x.JobRunCount != 3
+                        && x.NextRunDate.Year == date.Year
+                        && x.NextRunDate.Month == date.Month
+                        && x.NextRunDate.Day == date.Day
+                        && x.NextRunDate.Hour == date.Hour)
+            .AsNoTracking()
+            .ToListAsync();
+
+        //Get records that have ignored/failed by the background service
+        var pastDomains = dbContext.OrganizationDomains
+            .AsEnumerable()
+            .Where(x => (date - x.NextRunDate).TotalHours > 36
+                        && x.VerifiedDate == null
+                        && x.JobRunCount != 3)
+            .ToList();
+
+        var results = domains.Union(pastDomains);
+
+        return Mapper.Map<List<Core.Entities.OrganizationDomain>>(results);
+    }
+
+    public async Task<OrganizationDomainSsoDetailsData> GetOrganizationDomainSsoDetailsAsync(string email)
+    {
+        var domainName = new MailAddress(email).Host;
+
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var ssoDetails = await dbContext.Organizations
+            .Join(dbContext.OrganizationDomains, o => o.Id, od => od.OrganizationId,
+                (organization, domain) => new { resOrganization = organization, resDomain = domain })
+            .Join(dbContext.Policies, o => o.resOrganization.Id, p => p.OrganizationId,
+                (combinedOrgDomain, policy)
+                    => new
+                    {
+                        Organization = combinedOrgDomain.resOrganization,
+                        Domain = combinedOrgDomain.resDomain,
+                        Policy = policy
+                    })
+            .Select(x => new OrganizationDomainSsoDetailsData
+            {
+                OrganizationId = x.Organization.Id,
+                OrganizationName = x.Organization.Name,
+                SsoAvailable = x.Organization.UseSso,
+                OrganizationIdentifier = x.Organization.Identifier,
+                SsoRequired = x.Policy.Enabled,
+                VerifiedDate = x.Domain.VerifiedDate,
+                PolicyType = x.Policy.Type,
+                DomainName = x.Domain.DomainName,
+                OrganizationEnabled = x.Organization.Enabled
+            })
+            .Where(y => y.DomainName == domainName
+                        && y.OrganizationEnabled == true
+                        && y.PolicyType.Equals(PolicyType.RequireSso))
+            .AsNoTracking()
+            .SingleOrDefaultAsync();
+
+        return ssoDetails;
+    }
+
+    public async Task<Core.Entities.OrganizationDomain> GetDomainByOrgIdAndDomainNameAsync(Guid orgId, string domainName)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var domain = await dbContext.OrganizationDomains
+            .Where(x => x.OrganizationId == orgId && x.DomainName == domainName)
+            .AsNoTracking()
+            .FirstOrDefaultAsync();
+
+        return Mapper.Map<Core.Entities.OrganizationDomain>(domain);
+    }
+
+    public async Task<ICollection<Core.Entities.OrganizationDomain>> GetExpiredOrganizationDomainsAsync()
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        //Get domains that have not been verified after 72 hours
+        var domains = dbContext.OrganizationDomains
+            .AsEnumerable()
+            .Where(x => (DateTime.UtcNow - x.CreationDate).Days >= 4
+                        && x.VerifiedDate == null)
+            .ToList();
+
+        return Mapper.Map<List<Core.Entities.OrganizationDomain>>(domains);
+    }
+
+    public async Task<bool> DeleteExpiredAsync(int expirationPeriod)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        var expiredDomains = await dbContext.OrganizationDomains
+            .Where(x => x.LastCheckedDate < DateTime.UtcNow.AddDays(-expirationPeriod))
+            .ToListAsync();
+        dbContext.OrganizationDomains.RemoveRange(expiredDomains);
+        return await dbContext.SaveChangesAsync() > 0;
+    }
+}

src/Infrastructure.EntityFramework/packages.lock.json

@@ -207,6 +207,14 @@
           "System.Xml.XPath.XmlDocument": "4.3.0"
         }
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2732,6 +2740,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/Notifications/packages.lock.json

@@ -169,6 +169,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2780,6 +2788,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/SharedWeb/Utilities/ServiceCollectionExtensions.cs

@@ -124,6 +124,7 @@ public static class ServiceCollectionExtensions
         services.AddScoped<ISsoConfigService, SsoConfigService>();
         services.AddScoped<ISendService, SendService>();
         services.AddLoginServices();
+        services.AddScoped<IOrganizationDomainService, OrganizationDomainService>();
     }
 
     public static void AddTokenizers(this IServiceCollection services)
@@ -173,6 +174,7 @@ public static class ServiceCollectionExtensions
         services.AddSingleton<IStripeSyncService, StripeSyncService>();
         services.AddSingleton<IMailService, HandlebarsMailService>();
         services.AddSingleton<ILicensingService, LicensingService>();
+        services.AddSingleton<IDnsResolverService, DnsResolverService>();
         services.AddTokenizers();
 
         if (CoreHelpers.SettingHasValue(globalSettings.ServiceBus.ConnectionString) &&

src/SharedWeb/packages.lock.json

@@ -148,6 +148,14 @@
         "resolved": "2.0.123",
         "contentHash": "RDFF4rBLLmbpi6pwkY7q/M6UXHRJEOerplDGE5jwEkP/JGJnBauAClYavNKJPW1yOTWRPIyfj4is3EaJxQXILQ=="
       },
+      "DnsClient": {
+        "type": "Transitive",
+        "resolved": "1.7.0",
+        "contentHash": "2hrXR83b5g6/ZMJOA36hXp4t56yb7G1mF3Hg6IkrHxvtyaoXRn2WVdgDPN3V8+GugOlUBbTWXgPaka4dXw1QIg==",
+        "dependencies": {
+          "Microsoft.Win32.Registry": "5.0.0"
+        }
+      },
       "Fido2": {
         "type": "Transitive",
         "resolved": "3.0.1",
@@ -2730,6 +2738,7 @@
           "Azure.Storage.Queues": "[12.12.0, )",
           "BitPay.Light": "[1.0.1907, )",
           "Braintree": "[5.12.0, )",
+          "DnsClient": "[1.7.0, )",
           "Fido2.AspNet": "[3.0.1, )",
           "Handlebars.Net": "[2.1.2, )",
           "IdentityServer4": "[4.1.2, )",

src/Sql/Sql.sqlproj

@@ -454,4 +454,20 @@
     <Build Include="SecretsManager\dbo\Views\ApiKeyDetailsView.sql" />
     <Build Include="SecretsManager\dbo\Views\ApiKeyView.sql" />
   </ItemGroup>
+  <ItemGroup>
+    <Content Include="dbo\Stored Procedures\OrganizationDomain_Create.sql" />
+    <Content Include="dbo\Stored Procedures\OrganizationDomain_DeleteById.sql" />
+    <Content Include="dbo\Stored Procedures\OrganizationDomain_DeleteIfExpired.sql" />
+    <Content Include="dbo\Stored Procedures\OrganizationDomain_OrganizationDeleted.sql" />
+    <Content Include="dbo\Stored Procedures\OrganizationDomain_ReadByClaimedDomain.sql" />
+    <Content Include="dbo\Stored Procedures\OrganizationDomain_ReadByNextRunDate.sql" />
+    <Content Include="dbo\Stored Procedures\OrganizationDomain_ReadById.sql" />
+    <Content Include="dbo\Stored Procedures\OrganizationDomain_ReadByOrganizationId.sql" />
+    <Content Include="dbo\Stored Procedures\OrganizationDomain_ReadDomainByOrgIdAndDomainName.sql" />
+    <Content Include="dbo\Stored Procedures\OrganizationDomain_ReadIfExpired.sql" />
+    <Content Include="dbo\Stored Procedures\OrganizationDomain_Update.sql" />
+    <Content Include="dbo\Stored Procedures\OrganizationDomainSsoDetails_ReadByEmail.sql" />
+    <Content Include="dbo\Tables\OrganizationDomain.sql" />
+    <Content Include="dbo\Views\OrganizationDomainView.sql" />
+  </ItemGroup>
 </Project>

src/Sql/dbo/Stored Procedures/Event_Create.sql

@@ -16,7 +16,8 @@
     @DeviceType SMALLINT,
     @IpAddress VARCHAR(50),
     @Date DATETIME2(7),
-    @SystemUser TINYINT = null
+    @SystemUser TINYINT = null,
+    @DomainName VARCHAR(256)
 AS
 BEGIN
     SET NOCOUNT ON
@@ -40,7 +41,8 @@ BEGIN
         [DeviceType],
         [IpAddress],
         [Date],
-        [SystemUser]
+        [SystemUser],
+        [DomainName]
     )
     VALUES
     (
@@ -61,6 +63,7 @@ BEGIN
         @DeviceType,
         @IpAddress,
         @Date,
-        @SystemUser
+        @SystemUser,
+        @DomainName
     )
 END

src/Sql/dbo/Stored Procedures/OrganizationDomainSsoDetails_ReadByEmail.sql

@@ -0,0 +1,29 @@
+CREATE PROCEDURE [dbo].[OrganizationDomainSsoDetails_ReadByEmail]
+    @Email NVARCHAR(256)
+AS
+BEGIN
+    SET NOCOUNT ON
+        
+    DECLARE @Domain NVARCHAR(256)
+        
+    SELECT @Domain = SUBSTRING(@Email, CHARINDEX( '@', @Email) + 1, LEN(@Email))
+
+    SELECT
+        O.Id AS OrganizationId,
+        O.[Name] AS OrganizationName,
+        O.UseSso AS SsoAvailable,
+        P.Enabled AS SsoRequired,
+        O.Identifier AS OrganizationIdentifier,
+        OD.VerifiedDate,
+        P.[Type] AS PolicyType,
+        OD.DomainName
+    FROM
+        [dbo].[OrganizationView] O
+    INNER JOIN [dbo].[OrganizationDomainView] OD
+        ON O.Id = OD.OrganizationId
+    LEFT JOIN [dbo].[PolicyView] P
+        ON O.Id = P.OrganizationId
+    WHERE OD.DomainName = @Domain
+    AND O.Enabled = 1
+    AND (P.Id is NULL OR (P.Id IS NOT NULL AND P.[Type] = 4)) -- SSO Type
+END    

src/Sql/dbo/Stored Procedures/OrganizationDomain_Create.sql

@@ -0,0 +1,39 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Txt    VARCHAR(MAX),
+    @DomainName NVARCHAR(255),
+    @CreationDate   DATETIME2(7),
+    @VerifiedDate   DATETIME2(7),
+    @LastCheckedDate DATETIME2(7),
+    @NextRunDate    DATETIME2(7),
+    @JobRunCount   TINYINT
+AS
+BEGIN
+    SET NOCOUNT ON
+        
+    INSERT INTO [dbo].[OrganizationDomain]
+    (
+        [Id],
+        [OrganizationId],
+        [Txt],
+        [DomainName],
+        [CreationDate],
+        [VerifiedDate],
+        [LastCheckedDate],
+        [NextRunDate],
+        [JobRunCount]
+    )
+    VALUES
+    (
+        @Id,
+        @OrganizationId,
+        @Txt,
+        @DomainName,
+        @CreationDate,
+        @VerifiedDate,
+        @LastCheckedDate,
+        @NextRunDate,
+        @JobRunCount
+    )
+END

src/Sql/dbo/Stored Procedures/OrganizationDomain_DeleteById.sql

@@ -0,0 +1,12 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_DeleteById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+        
+    DELETE      
+    FROM
+        [dbo].[OrganizationDomain]
+    WHERE
+        [Id] = @Id
+END

src/Sql/dbo/Stored Procedures/OrganizationDomain_DeleteIfExpired.sql

@@ -0,0 +1,10 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_DeleteIfExpired]
+    @ExpirationPeriod TINYINT
+AS
+BEGIN
+    SET NOCOUNT OFF
+        
+    DELETE FROM [dbo].[OrganizationDomain]
+    WHERE DATEDIFF(DAY, [LastCheckedDate], GETUTCDATE()) >= @ExpirationPeriod
+    AND [VerifiedDate] IS NULL
+END

src/Sql/dbo/Stored Procedures/OrganizationDomain_OrganizationDeleted.sql

@@ -0,0 +1,12 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_OrganizationDeleted]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+        
+    DELETE 
+    FROM
+        [dbo].[OrganizationDomain]
+    WHERE
+        [OrganizationId] = @OrganizationId
+END

src/Sql/dbo/Stored Procedures/OrganizationDomain_ReadByClaimedDomain.sql

@@ -0,0 +1,15 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_ReadByClaimedDomain]
+    @DomainName NVARCHAR(255)
+AS
+BEGIN
+    SET NOCOUNT ON
+        
+    SELECT 
+        *
+    FROM
+        [dbo].[OrganizationDomain]
+    WHERE
+        [DomainName] = @DomainName
+    AND
+        [VerifiedDate] IS NOT NULL
+END

src/Sql/dbo/Stored Procedures/OrganizationDomain_ReadById.sql

@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_ReadById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+        
+    SELECT 
+        *
+    FROM
+        [dbo].[OrganizationDomain]
+    WHERE
+        [Id] = @Id
+END

src/Sql/dbo/Stored Procedures/OrganizationDomain_ReadByNextRunDate.sql

@@ -0,0 +1,25 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_ReadByNextRunDate]
+    @Date DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+        
+    SELECT
+        *
+    FROM
+        [dbo].[OrganizationDomain]
+    WHERE [VerifiedDate] IS NULL
+    AND [JobRunCount] != 3
+    AND DATEPART(year, [NextRunDate]) = DATEPART(year, @Date)
+    AND DATEPART(month, [NextRunDate]) = DATEPART(month, @Date)
+    AND DATEPART(day, [NextRunDate]) = DATEPART(day, @Date)
+    AND DATEPART(hour, [NextRunDate]) = DATEPART(hour, @Date)
+    UNION
+    SELECT 
+        *
+    FROM
+        [dbo].[OrganizationDomain]
+    WHERE DATEDIFF(hour, [NextRunDate], @Date) > 36
+    AND [VerifiedDate] IS NULL
+    AND [JobRunCount] != 3
+END

src/Sql/dbo/Stored Procedures/OrganizationDomain_ReadByOrganizationId.sql

@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_ReadByOrganizationId]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+        
+    SELECT 
+        *
+    FROM
+        [dbo].[OrganizationDomain]
+    WHERE
+        [OrganizationId] = @OrganizationId
+END

src/Sql/dbo/Stored Procedures/OrganizationDomain_ReadDomainByOrgIdAndDomainName.sql

@@ -0,0 +1,16 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_ReadDomainByOrgIdAndDomainName]
+    @OrganizationId UNIQUEIDENTIFIER,
+    @DomainName NVARCHAR(255)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+SELECT
+    *
+FROM
+    [dbo].[OrganizationDomain]
+WHERE
+    [OrganizationId] = @OrganizationId
+  AND
+    [DomainName] = @DomainName
+END

src/Sql/dbo/Stored Procedures/OrganizationDomain_ReadIfExpired.sql

@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_ReadIfExpired]
+AS
+BEGIN
+    SET NOCOUNT OFF
+        
+    SELECT 
+        *
+    FROM
+        [dbo].[OrganizationDomain]
+    WHERE
+        DATEDIFF(DAY, [CreationDate], GETUTCDATE()) >= 4 --Get domains that have not been verified after 3 days (72 hours)
+    AND
+        [VerifiedDate] IS NULL

src/Sql/dbo/Stored Procedures/OrganizationDomain_Update.sql

@@ -0,0 +1,28 @@
+CREATE PROCEDURE [dbo].[OrganizationDomain_Update]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @OrganizationId UNIQUEIDENTIFIER,
+    @Txt VARCHAR(MAX),
+    @DomainName NVARCHAR(255),
+    @CreationDate   DATETIME2(7),
+    @VerifiedDate   DATETIME2(7),
+    @LastCheckedDate DATETIME2(7),
+    @NextRunDate    DATETIME2(7),
+    @JobRunCount   TINYINT
+AS
+BEGIN
+    SET NOCOUNT ON
+    
+    UPDATE
+        [dbo].[OrganizationDomain]
+    SET
+        [OrganizationId] = @OrganizationId,
+        [Txt] = @Txt,
+        [DomainName] = @DomainName,
+        [CreationDate] = @CreationDate,
+        [VerifiedDate] = @VerifiedDate,
+        [LastCheckedDate] = @LastCheckedDate
+        [NextRunDate] = @NextRunDate,
+        [JobRunCount] = @JobRunCount
+    WHERE
+        [Id] = @Id
+END

src/Sql/dbo/Stored Procedures/Organization_DeleteById.sql

@@ -60,6 +60,7 @@ BEGIN
     EXEC [dbo].[OrganizationApiKey_OrganizationDeleted] @Id
     EXEC [dbo].[OrganizationConnection_OrganizationDeleted] @Id
     EXEC [dbo].[OrganizationSponsorship_OrganizationDeleted] @Id
+    EXEC [dbo].[OrganizationDomain_OrganizationDeleted] @Id
 
     DELETE
     FROM