[Grammarly] Ability to DOS any organization's SSO and open up the door to account takeovers
Original Post:
We discussed this vulnerability during Episode 73 on 20 April 2021
TL;DR: Grammarly will add users to the wrong organization if an attacker creates an org with an entityId that matches the victim’s but with extra whitespace at the end.
If an attacker creates a SAML organization with an entityId that is the same as another entityId but with extra whitespace, Grammarly will get confused when trying to log people into the original organization. It’ll log them in against the right SAML endpoint but then add them to the organization with whitespace in the ID. It seems that it’ll trim the org for lookup and then, when it gets multiple responses, just take the first.
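The lookup behaviour the report describes (store the entityId verbatim, trim it at lookup time, take the first of several matches) is the whole bug, so here is a small Python model of it next to a hardened version. This is an added example written for this page, not Grammarly's code or anything from the original report: the org IDs and the entityId are constructed, and the assumption that the backing store happens to return the newer row first is just one ordering that reproduces what the report observed (the report only says the whitespace org won, not why it sorted first).

```python
# Added example: models the trim-on-lookup / first-match-wins org resolution
# described in the report, beside a store that normalizes entityId on write
# and enforces uniqueness there. Not Grammarly's code; all identifiers are
# constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Org:
    org_id: str
    entity_id: str  # SAML IdP entityID exactly as stored


class VulnerableOrgStore:
    """Keeps entityId verbatim, trims only at lookup, returns the first hit."""

    def __init__(self):
        self.orgs = []

    def create(self, org_id, entity_id):
        # No normalization and no uniqueness check on the stored value, so
        # "https://idp/x" and "https://idp/x " are two distinct, valid orgs.
        self.orgs.append(Org(org_id, entity_id))

    def find_by_entity_id(self, entity_id):
        wanted = entity_id.strip()
        # Assumption: the backing store hands rows back newest-first. Nothing in
        # this lookup pins the order, which is exactly the problem: with two
        # matches, whichever row the store returns first "wins".
        matches = [o for o in reversed(self.orgs) if o.entity_id.strip() == wanted]
        return matches[0] if matches else None


def normalize_entity_id(entity_id):
    """Canonicalize once, at the boundary, and reject anything still odd.

    A SAML entityID is a URI; surrounding whitespace is noise, and embedded
    whitespace or control characters are never legitimate, so refuse them
    rather than silently mapping several inputs onto one value.
    """
    canon = entity_id.strip()
    if not canon or any(c.isspace() or ord(c) < 0x20 for c in canon):
        raise ValueError("invalid entityID")
    return canon


class HardenedOrgStore:
    """Normalizes on write, enforces uniqueness on the normalized key."""

    def __init__(self):
        self.by_entity_id = {}  # canonical entityID -> Org

    def create(self, org_id, entity_id):
        canon = normalize_entity_id(entity_id)
        if canon in self.by_entity_id:
            raise ValueError("entityID already registered")
        self.by_entity_id[canon] = Org(org_id, canon)

    def find_by_entity_id(self, entity_id):
        # Exact match on the canonical form: at most one org can ever match.
        return self.by_entity_id.get(normalize_entity_id(entity_id))


# Constructed sample data for the two scenarios below.
VICTIM_ENTITY_ID = "https://idp.victim.example/saml/metadata"


def vulnerable_demo():
    """Returns the org a victim user is bound to after a correct IdP login."""
    store = VulnerableOrgStore()
    store.create("victim-org", VICTIM_ENTITY_ID)
    store.create("attacker-org", VICTIM_ENTITY_ID + " ")  # same ID, trailing space
    # The user authenticates at the real IdP; the app then maps the assertion's
    # issuer back to an org and, with two rows matching, picks the wrong one.
    return store.find_by_entity_id(VICTIM_ENTITY_ID).org_id


def hardened_demo():
    """Returns (org the victim is bound to, whether the duplicate was rejected)."""
    store = HardenedOrgStore()
    store.create("victim-org", VICTIM_ENTITY_ID)
    try:
        store.create("attacker-org", VICTIM_ENTITY_ID + " ")
        rejected = False
    except ValueError:
        rejected = True  # duplicate refused at creation, never reaches lookup
    return store.find_by_entity_id(VICTIM_ENTITY_ID).org_id, rejected


if __name__ == "__main__":
    print("vulnerable:", vulnerable_demo())  # attacker-org
    print("hardened:", hardened_demo())      # ('victim-org', True)
```

The point of the hardened store is that normalization happens on the write path and uniqueness is enforced on the normalized value, so the read path never has to disambiguate. In a real deployment that means a unique index on the canonical entityId column (or a canonical copy of it) rather than a `strip()` in the query; and if an ambiguous match can still occur for legacy rows, the safe behaviour is to fail the login, not to take the first row.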