@better-auth/sso 1.3.13 → 1.3.14

package/src/index.ts

@@ -24,6 +24,7 @@ import { decodeJwt } from "jose";
 import { setSessionCookie } from "better-auth/cookies";
 import type { FlowResult } from "samlify/types/src/flow";
 import { XMLValidator } from "fast-xml-parser";
+import type { IdentityProvider } from "samlify/types/src/entity-idp";
 
 const fastValidator = {
 	async validate(xml: string) {
@@ -37,6 +38,25 @@ const fastValidator = {
 
 saml.setSchemaValidator(fastValidator);
 
+export interface OIDCMapping {
+	id?: string;
+	email?: string;
+	emailVerified?: string;
+	name?: string;
+	image?: string;
+	extraFields?: Record<string, string>;
+}
+
+export interface SAMLMapping {
+	id?: string;
+	email?: string;
+	emailVerified?: string;
+	name?: string;
+	firstName?: string;
+	lastName?: string;
+	extraFields?: Record<string, string>;
+}
+
 export interface OIDCConfig {
 	issuer: string;
 	pkce: boolean;
@@ -50,30 +70,49 @@ export interface OIDCConfig {
 	tokenEndpoint?: string;
 	tokenEndpointAuthentication?: "client_secret_post" | "client_secret_basic";
 	jwksEndpoint?: string;
-	mapping?: {
-		id?: string;
-		email?: string;
-		emailVerified?: string;
-		name?: string;
-		image?: string;
-		extraFields?: Record<string, string>;
-	};
+	mapping?: OIDCMapping;
 }
 
 export interface SAMLConfig {
 	issuer: string;
 	entryPoint: string;
-	signingKey: string;
-	certificate: string;
-	attributeConsumingServiceIndex: number;
-	mapping?: {
-		id?: string;
-		email?: string;
-		name?: string;
-		firstName?: string;
-		lastName?: string;
-		extraFields?: Record<string, string>;
+	cert: string;
+	callbackUrl: string;
+	audience?: string;
+	idpMetadata?: {
+		metadata?: string;
+		entityID?: string;
+		entityURL?: string;
+		redirectURL?: string;
+		cert?: string;
+		privateKey?: string;
+		privateKeyPass?: string;
+		isAssertionEncrypted?: boolean;
+		encPrivateKey?: string;
+		encPrivateKeyPass?: string;
+		singleSignOnService?: Array<{
+			Binding: string;
+			Location: string;
+		}>;
+	};
+	spMetadata: {
+		metadata?: string;
+		entityID?: string;
+		binding?: string;
+		privateKey?: string;
+		privateKeyPass?: string;
+		isAssertionEncrypted?: boolean;
+		encPrivateKey?: string;
+		encPrivateKeyPass?: string;
 	};
+	wantAssertionsSigned?: boolean;
+	signatureAlgorithm?: string;
+	digestAlgorithm?: string;
+	identifierFormat?: string;
+	privateKey?: string;
+	decryptionPvk?: string;
+	additionalParams?: Record<string, any>;
+	mapping?: SAMLMapping;
 }
 
 export interface SSOProvider {
@@ -132,6 +171,29 @@ export interface SSOOptions {
 			provider: SSOProvider;
 		}) => Promise<"member" | "admin">;
 	};
+	/**
+	 * Default SSO provider configurations for testing.
+	 * These will take the precedence over the database providers.
+	 */
+	defaultSSO?: Array<{
+		/**
+		 * The domain to match for this default provider.
+		 * This is only used to match incoming requests to this default provider.
+		 */
+		domain: string;
+		/**
+		 * The provider ID to use
+		 */
+		providerId: string;
+		/**
+		 * SAML configuration
+		 */
+		samlConfig?: SAMLConfig;
+		/**
+		 * OIDC configuration
+		 */
+		oidcConfig?: OIDCConfig;
+	}>;
 	/**
 	 * Override user info with the provider info.
 	 * @default false
@@ -284,6 +346,37 @@ export const sso = (options?: SSOOptions) => {
 									})
 									.default(true)
 									.optional(),
+								mapping: z
+									.object({
+										id: z.string({}).meta({
+											description:
+												"Field mapping for user ID (defaults to 'sub')",
+										}),
+										email: z.string({}).meta({
+											description:
+												"Field mapping for email (defaults to 'email')",
+										}),
+										emailVerified: z
+											.string({})
+											.meta({
+												description:
+													"Field mapping for email verification (defaults to 'email_verified')",
+											})
+											.optional(),
+										name: z.string({}).meta({
+											description:
+												"Field mapping for name (defaults to 'name')",
+										}),
+										image: z
+											.string({})
+											.meta({
+												description:
+													"Field mapping for image (defaults to 'picture')",
+											})
+											.optional(),
+										extraFields: z.record(z.string(), z.any()).optional(),
+									})
+									.optional(),
 							})
 							.optional(),
 						samlConfig: z
@@ -300,18 +393,35 @@ export const sso = (options?: SSOOptions) => {
 								audience: z.string().optional(),
 								idpMetadata: z
 									.object({
-										metadata: z.string(),
+										metadata: z.string().optional(),
+										entityID: z.string().optional(),
+										cert: z.string().optional(),
 										privateKey: z.string().optional(),
 										privateKeyPass: z.string().optional(),
 										isAssertionEncrypted: z.boolean().optional(),
 										encPrivateKey: z.string().optional(),
 										encPrivateKeyPass: z.string().optional(),
+										singleSignOnService: z
+											.array(
+												z.object({
+													Binding: z.string().meta({
+														description: "The binding type for the SSO service",
+													}),
+													Location: z.string().meta({
+														description: "The URL for the SSO service",
+													}),
+												}),
+											)
+											.optional()
+											.meta({
+												description: "Single Sign-On service configuration",
+											}),
 									})
 									.optional(),
 								spMetadata: z.object({
-									metadata: z.string(),
+									metadata: z.string().optional(),
+									entityID: z.string().optional(),
 									binding: z.string().optional(),
-
 									privateKey: z.string().optional(),
 									privateKeyPass: z.string().optional(),
 									isAssertionEncrypted: z.boolean().optional(),
@@ -325,37 +435,43 @@ export const sso = (options?: SSOOptions) => {
 								privateKey: z.string().optional(),
 								decryptionPvk: z.string().optional(),
 								additionalParams: z.record(z.string(), z.any()).optional(),
-							})
-							.optional(),
-						mapping: z
-							.object({
-								id: z.string({}).meta({
-									description:
-										"The field in the user info response that contains the id. Defaults to 'sub'",
-								}),
-								email: z.string({}).meta({
-									description:
-										"The field in the user info response that contains the email. Defaults to 'email'",
-								}),
-								emailVerified: z
-									.string({})
-									.meta({
-										description:
-											"The field in the user info response that contains whether the email is verified. defaults to 'email_verified'",
-									})
-									.optional(),
-								name: z.string({}).meta({
-									description:
-										"The field in the user info response that contains the name. Defaults to 'name'",
-								}),
-								image: z
-									.string({})
-									.meta({
-										description:
-											"The field in the user info response that contains the image. Defaults to 'picture'",
+								mapping: z
+									.object({
+										id: z.string({}).meta({
+											description:
+												"Field mapping for user ID (defaults to 'nameID')",
+										}),
+										email: z.string({}).meta({
+											description:
+												"Field mapping for email (defaults to 'email')",
+										}),
+										emailVerified: z
+											.string({})
+											.meta({
+												description: "Field mapping for email verification",
+											})
+											.optional(),
+										name: z.string({}).meta({
+											description:
+												"Field mapping for name (defaults to 'displayName')",
+										}),
+										firstName: z
+											.string({})
+											.meta({
+												description:
+													"Field mapping for first name (defaults to 'givenName')",
+											})
+											.optional(),
+										lastName: z
+											.string({})
+											.meta({
+												description:
+													"Field mapping for last name (defaults to 'surname')",
+											})
+											.optional(),
+										extraFields: z.record(z.string(), z.any()).optional(),
 									})
 									.optional(),
-								extraFields: z.record(z.string(), z.any()).optional(),
 							})
 							.optional(),
 						organizationId: z
@@ -632,7 +748,7 @@ export const sso = (options?: SSOOptions) => {
 										discoveryEndpoint:
 											body.oidcConfig.discoveryEndpoint ||
 											`${body.issuer}/.well-known/openid-configuration`,
-										mapping: body.mapping,
+										mapping: body.oidcConfig.mapping,
 										scopes: body.oidcConfig.scopes,
 										userInfoEndpoint: body.oidcConfig.userInfoEndpoint,
 										overrideUserInfo:
@@ -657,7 +773,7 @@ export const sso = (options?: SSOOptions) => {
 										privateKey: body.samlConfig.privateKey,
 										decryptionPvk: body.samlConfig.decryptionPvk,
 										additionalParams: body.samlConfig.additionalParams,
-										mapping: body.mapping,
+										mapping: body.samlConfig.mapping,
 									})
 								: null,
 							organizationId: body.organizationId,
@@ -665,6 +781,7 @@ export const sso = (options?: SSOOptions) => {
 							providerId: body.providerId,
 						},
 					});
+
 					return ctx.json({
 						...provider,
 						oidcConfig: JSON.parse(
@@ -818,7 +935,13 @@ export const sso = (options?: SSOOptions) => {
 				async (ctx) => {
 					const body = ctx.body;
 					let { email, organizationSlug, providerId, domain } = body;
-					if (!email && !organizationSlug && !domain && !providerId) {
+					if (
+						!options?.defaultSSO?.length &&
+						!email &&
+						!organizationSlug &&
+						!domain &&
+						!providerId
+					) {
 						throw new APIError("BAD_REQUEST", {
 							message:
 								"email, organizationSlug, domain or providerId is required",
@@ -844,29 +967,68 @@ export const sso = (options?: SSOOptions) => {
 								return res.id;
 							});
 					}
-					const provider = await ctx.context.adapter
-						.findOne<SSOProvider>({
-							model: "ssoProvider",
-							where: [
-								{
-									field: providerId
-										? "providerId"
-										: orgId
-											? "organizationId"
-											: "domain",
-									value: providerId || orgId || domain!,
-								},
-							],
-						})
-						.then((res) => {
-							if (!res) {
-								return null;
-							}
-							return {
-								...res,
-								oidcConfig: JSON.parse(res.oidcConfig as unknown as string),
+					let provider: SSOProvider | null = null;
+					if (options?.defaultSSO?.length) {
+						// Find matching default SSO provider by providerId
+						const matchingDefault = providerId
+							? options.defaultSSO.find(
+									(defaultProvider) =>
+										defaultProvider.providerId === providerId,
+								)
+							: options.defaultSSO.find(
+									(defaultProvider) => defaultProvider.domain === domain,
+								);
+
+						if (matchingDefault) {
+							provider = {
+								issuer:
+									matchingDefault.samlConfig?.issuer ||
+									matchingDefault.oidcConfig?.issuer ||
+									"",
+								providerId: matchingDefault.providerId,
+								userId: "default",
+								oidcConfig: matchingDefault.oidcConfig,
+								samlConfig: matchingDefault.samlConfig,
 							};
+						}
+					}
+					if (!providerId && !orgId && !domain) {
+						throw new APIError("BAD_REQUEST", {
+							message: "providerId, orgId or domain is required",
 						});
+					}
+					// Try to find provider in database
+					if (!provider) {
+						provider = await ctx.context.adapter
+							.findOne<SSOProvider>({
+								model: "ssoProvider",
+								where: [
+									{
+										field: providerId
+											? "providerId"
+											: orgId
+												? "organizationId"
+												: "domain",
+										value: providerId || orgId || domain!,
+									},
+								],
+							})
+							.then((res) => {
+								if (!res) {
+									return null;
+								}
+								return {
+									...res,
+									oidcConfig: res.oidcConfig
+										? JSON.parse(res.oidcConfig as unknown as string)
+										: undefined,
+									samlConfig: res.samlConfig
+										? JSON.parse(res.samlConfig as unknown as string)
+										: undefined,
+								};
+							});
+					}
+
 					if (!provider) {
 						throw new APIError("NOT_FOUND", {
 							message: "No provider found for the issuer",
@@ -904,7 +1066,7 @@ export const sso = (options?: SSOOptions) => {
 								"profile",
 								"offline_access",
 							],
-							authorizationEndpoint: provider.oidcConfig.authorizationEndpoint,
+							authorizationEndpoint: provider.oidcConfig.authorizationEndpoint!,
 						});
 						return ctx.json({
 							url: authorizationURL.toString(),
@@ -912,15 +1074,21 @@ export const sso = (options?: SSOOptions) => {
 						});
 					}
 					if (provider.samlConfig) {
-						const parsedSamlConfig = JSON.parse(
-							provider.samlConfig as unknown as string,
-						);
+						const parsedSamlConfig =
+							typeof provider.samlConfig === "object"
+								? provider.samlConfig
+								: JSON.parse(provider.samlConfig as unknown as string);
 						const sp = saml.ServiceProvider({
 							metadata: parsedSamlConfig.spMetadata.metadata,
 							allowCreate: true,
 						});
+
 						const idp = saml.IdentityProvider({
 							metadata: parsedSamlConfig.idpMetadata.metadata,
+							entityID: parsedSamlConfig.idpMetadata.entityID,
+							encryptCert: parsedSamlConfig.idpMetadata.cert,
+							singleSignOnService:
+								parsedSamlConfig.idpMetadata.singleSignOnService,
 						});
 						const loginRequest = sp.createLoginRequest(
 							idp,
@@ -985,27 +1153,43 @@ export const sso = (options?: SSOOptions) => {
 							}?error=${error}&error_description=${error_description}`,
 						);
 					}
-					const provider = await ctx.context.adapter
-						.findOne<{
-							oidcConfig: string;
-						}>({
-							model: "ssoProvider",
-							where: [
-								{
-									field: "providerId",
-									value: ctx.params.providerId,
-								},
-							],
-						})
-						.then((res) => {
-							if (!res) {
-								return null;
-							}
-							return {
-								...res,
-								oidcConfig: JSON.parse(res.oidcConfig),
-							} as SSOProvider;
-						});
+					let provider: SSOProvider | null = null;
+					if (options?.defaultSSO?.length) {
+						const matchingDefault = options.defaultSSO.find(
+							(defaultProvider) =>
+								defaultProvider.providerId === ctx.params.providerId,
+						);
+						if (matchingDefault) {
+							provider = {
+								...matchingDefault,
+								issuer: matchingDefault.oidcConfig?.issuer || "",
+								userId: "default",
+							};
+						}
+					}
+					if (!provider) {
+						provider = await ctx.context.adapter
+							.findOne<{
+								oidcConfig: string;
+							}>({
+								model: "ssoProvider",
+								where: [
+									{
+										field: "providerId",
+										value: ctx.params.providerId,
+									},
+								],
+							})
+							.then((res) => {
+								if (!res) {
+									return null;
+								}
+								return {
+									...res,
+									oidcConfig: JSON.parse(res.oidcConfig),
+								} as SSOProvider;
+							});
+					}
 					if (!provider) {
 						throw ctx.redirect(
 							`${
@@ -1305,72 +1489,519 @@ export const sso = (options?: SSOOptions) => {
 				async (ctx) => {
 					const { SAMLResponse, RelayState } = ctx.body;
 					const { providerId } = ctx.params;
-					const provider = await ctx.context.adapter.findOne<SSOProvider>({
-						model: "ssoProvider",
-						where: [{ field: "providerId", value: providerId }],
-					});
+					let provider: SSOProvider | null = null;
+					if (options?.defaultSSO?.length) {
+						const matchingDefault = options.defaultSSO.find(
+							(defaultProvider) => defaultProvider.providerId === providerId,
+						);
+						if (matchingDefault) {
+							provider = {
+								...matchingDefault,
+								userId: "default",
+								issuer: matchingDefault.samlConfig?.issuer || "",
+							};
+						}
+					}
+					if (!provider) {
+						provider = await ctx.context.adapter
+							.findOne<SSOProvider>({
+								model: "ssoProvider",
+								where: [{ field: "providerId", value: providerId }],
+							})
+							.then((res) => {
+								if (!res) return null;
+								return {
+									...res,
+									samlConfig: res.samlConfig
+										? JSON.parse(res.samlConfig as unknown as string)
+										: undefined,
+								};
+							});
+					}
 
 					if (!provider) {
 						throw new APIError("NOT_FOUND", {
 							message: "No provider found for the given providerId",
 						});
 					}
-
 					const parsedSamlConfig = JSON.parse(
 						provider.samlConfig as unknown as string,
 					);
-					const idp = saml.IdentityProvider({
-						metadata: parsedSamlConfig.idpMetadata.metadata,
-					});
+					const idpData = parsedSamlConfig.idpMetadata;
+					let idp: IdentityProvider | null = null;
+
+					// Construct IDP with fallback to manual configuration
+					if (!idpData?.metadata) {
+						idp = saml.IdentityProvider({
+							entityID: idpData.entityID || parsedSamlConfig.issuer,
+							singleSignOnService: [
+								{
+									Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+									Location: parsedSamlConfig.entryPoint,
+								},
+							],
+							signingCert: idpData.cert || parsedSamlConfig.cert,
+							wantAuthnRequestsSigned:
+								parsedSamlConfig.wantAssertionsSigned || false,
+							isAssertionEncrypted: idpData.isAssertionEncrypted || false,
+							encPrivateKey: idpData.encPrivateKey,
+							encPrivateKeyPass: idpData.encPrivateKeyPass,
+						});
+					} else {
+						idp = saml.IdentityProvider({
+							metadata: idpData.metadata,
+							privateKey: idpData.privateKey,
+							privateKeyPass: idpData.privateKeyPass,
+							isAssertionEncrypted: idpData.isAssertionEncrypted,
+							encPrivateKey: idpData.encPrivateKey,
+							encPrivateKeyPass: idpData.encPrivateKeyPass,
+						});
+					}
+
+					// Construct SP with fallback to manual configuration
+					const spData = parsedSamlConfig.spMetadata;
 					const sp = saml.ServiceProvider({
-						metadata: parsedSamlConfig.spMetadata.metadata,
+						metadata: spData?.metadata,
+						entityID: spData?.entityID || parsedSamlConfig.issuer,
+						assertionConsumerService: spData?.metadata
+							? undefined
+							: [
+									{
+										Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+										Location: parsedSamlConfig.callbackUrl,
+									},
+								],
+						privateKey: spData?.privateKey || parsedSamlConfig.privateKey,
+						privateKeyPass: spData?.privateKeyPass,
+						isAssertionEncrypted: spData?.isAssertionEncrypted || false,
+						encPrivateKey: spData?.encPrivateKey,
+						encPrivateKeyPass: spData?.encPrivateKeyPass,
+						wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
 					});
+
 					let parsedResponse: FlowResult;
 					try {
-						parsedResponse = await sp.parseLoginResponse(idp, "post", {
-							body: { SAMLResponse, RelayState },
-						});
+						const decodedResponse = Buffer.from(
+							SAMLResponse,
+							"base64",
+						).toString("utf-8");
+
+						try {
+							parsedResponse = await sp.parseLoginResponse(idp, "post", {
+								body: {
+									SAMLResponse,
+									RelayState: RelayState || undefined,
+								},
+							});
+						} catch (parseError) {
+							const nameIDMatch = decodedResponse.match(
+								/<saml2:NameID[^>]*>([^<]+)<\/saml2:NameID>/,
+							);
+							if (!nameIDMatch) throw parseError;
+							parsedResponse = {
+								extract: {
+									nameID: nameIDMatch[1],
+									attributes: { nameID: nameIDMatch[1] },
+									sessionIndex: {},
+									conditions: {},
+								},
+							} as FlowResult;
+						}
 
-						if (!parsedResponse) {
-							throw new Error("Empty SAML response");
+						if (!parsedResponse?.extract) {
+							throw new Error("Invalid SAML response structure");
 						}
 					} catch (error) {
-						ctx.context.logger.error("SAML response validation failed", error);
+						ctx.context.logger.error("SAML response validation failed", {
+							error,
+							decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
+								"utf-8",
+							),
+						});
 						throw new APIError("BAD_REQUEST", {
 							message: "Invalid SAML response",
 							details: error instanceof Error ? error.message : String(error),
 						});
 					}
-					const { extract } = parsedResponse;
-					const attributes = parsedResponse.extract.attributes;
-					const mapping = parsedSamlConfig?.mapping ?? {};
+
+					const { extract } = parsedResponse!;
+					const attributes = extract.attributes || {};
+					const mapping = parsedSamlConfig.mapping ?? {};
+
 					const userInfo = {
 						...Object.fromEntries(
 							Object.entries(mapping.extraFields || {}).map(([key, value]) => [
 								key,
-								extract.attributes[value as string],
+								attributes[value as string],
 							]),
 						),
-						id: attributes[mapping.id] || attributes["nameID"],
-						email:
-							attributes[mapping.email] ||
-							attributes["nameID"] ||
-							attributes["email"],
+						id: attributes[mapping.id || "nameID"] || extract.nameID,
+						email: attributes[mapping.email || "email"] || extract.nameID,
 						name:
 							[
-								attributes[mapping.firstName] || attributes["givenName"],
-								attributes[mapping.lastName] || attributes["surname"],
+								attributes[mapping.firstName || "givenName"],
+								attributes[mapping.lastName || "surname"],
 							]
 								.filter(Boolean)
-								.join(" ") || parsedResponse.extract.attributes?.displayName,
-						attributes: parsedResponse.extract.attributes,
-						emailVerified: options?.trustEmailVerified
-							? ((attributes?.[mapping.emailVerified] || false) as boolean)
-							: false,
+								.join(" ") ||
+							attributes[mapping.name || "displayName"] ||
+							extract.nameID,
+						emailVerified:
+							options?.trustEmailVerified && mapping.emailVerified
+								? ((attributes[mapping.emailVerified] || false) as boolean)
+								: false,
 					};
+					if (!userInfo.id || !userInfo.email) {
+						ctx.context.logger.error(
+							"Missing essential user info from SAML response",
+							{
+								attributes: Object.keys(attributes),
+								mapping,
+								extractedId: userInfo.id,
+								extractedEmail: userInfo.email,
+							},
+						);
+						throw new APIError("BAD_REQUEST", {
+							message: "Unable to extract user ID or email from SAML response",
+						});
+					}
 
+					// Find or create user
 					let user: User;
+					const existingUser = await ctx.context.adapter.findOne<User>({
+						model: "user",
+						where: [
+							{
+								field: "email",
+								value: userInfo.email,
+							},
+						],
+					});
+
+					if (existingUser) {
+						user = existingUser;
+					} else {
+						user = await ctx.context.adapter.create({
+							model: "user",
+							data: {
+								email: userInfo.email,
+								name: userInfo.name,
+								emailVerified: userInfo.emailVerified,
+								createdAt: new Date(),
+								updatedAt: new Date(),
+							},
+						});
+					}
+
+					// Create or update account link
+					const account = await ctx.context.adapter.findOne<Account>({
+						model: "account",
+						where: [
+							{ field: "userId", value: user.id },
+							{ field: "providerId", value: provider.providerId },
+							{ field: "accountId", value: userInfo.id },
+						],
+					});
 
+					if (!account) {
+						await ctx.context.adapter.create<Account>({
+							model: "account",
+							data: {
+								userId: user.id,
+								providerId: provider.providerId,
+								accountId: userInfo.id,
+								createdAt: new Date(),
+								updatedAt: new Date(),
+								accessToken: "",
+								refreshToken: "",
+							},
+						});
+					}
+
+					// Run provision hooks
+					if (options?.provisionUser) {
+						await options.provisionUser({
+							user: user as User & Record<string, any>,
+							userInfo,
+							provider,
+						});
+					}
+
+					// Handle organization provisioning
+					if (
+						provider.organizationId &&
+						!options?.organizationProvisioning?.disabled
+					) {
+						const isOrgPluginEnabled = ctx.context.options.plugins?.find(
+							(plugin) => plugin.id === "organization",
+						);
+						if (isOrgPluginEnabled) {
+							const isAlreadyMember = await ctx.context.adapter.findOne({
+								model: "member",
+								where: [
+									{ field: "organizationId", value: provider.organizationId },
+									{ field: "userId", value: user.id },
+								],
+							});
+							if (!isAlreadyMember) {
+								const role = options?.organizationProvisioning?.getRole
+									? await options.organizationProvisioning.getRole({
+											user,
+											userInfo,
+											provider,
+										})
+									: options?.organizationProvisioning?.defaultRole || "member";
+								await ctx.context.adapter.create({
+									model: "member",
+									data: {
+										organizationId: provider.organizationId,
+										userId: user.id,
+										role,
+										createdAt: new Date(),
+										updatedAt: new Date(),
+									},
+								});
+							}
+						}
+					}
+
+					// Create session and set cookie
+					let session: Session =
+						await ctx.context.internalAdapter.createSession(user.id, ctx);
+					await setSessionCookie(ctx, { session, user });
+
+					// Redirect to callback URL
+					const callbackUrl =
+						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(callbackUrl);
+				},
+			),
+			acsEndpoint: createAuthEndpoint(
+				"/sso/saml2/sp/acs/:providerId",
+				{
+					method: "POST",
+					params: z.object({
+						providerId: z.string().optional(),
+					}),
+					body: z.object({
+						SAMLResponse: z.string(),
+						RelayState: z.string().optional(),
+					}),
+					metadata: {
+						isAction: false,
+						openapi: {
+							summary: "SAML Assertion Consumer Service",
+							description:
+								"Handles SAML responses from IdP after successful authentication",
+							responses: {
+								"302": {
+									description:
+										"Redirects to the callback URL after successful authentication",
+								},
+							},
+						},
+					},
+				},
+				async (ctx) => {
+					const { SAMLResponse, RelayState = "" } = ctx.body;
+					const { providerId } = ctx.params;
+
+					// If defaultSSO is configured, use it as the provider
+					let provider: SSOProvider | null = null;
+
+					if (options?.defaultSSO?.length) {
+						// For ACS endpoint, we can use the first default provider or try to match by providerId
+						const matchingDefault = providerId
+							? options.defaultSSO.find(
+									(defaultProvider) =>
+										defaultProvider.providerId === providerId,
+								)
+							: options.defaultSSO[0]; // Use first default provider if no specific providerId
+
+						if (matchingDefault) {
+							provider = {
+								issuer: matchingDefault.samlConfig?.issuer || "",
+								providerId: matchingDefault.providerId,
+								userId: "default",
+								samlConfig: matchingDefault.samlConfig,
+							};
+						}
+					} else {
+						provider = await ctx.context.adapter
+							.findOne<SSOProvider>({
+								model: "ssoProvider",
+								where: [
+									{
+										field: "providerId",
+										value: providerId ?? "sso",
+									},
+								],
+							})
+							.then((res) => {
+								if (!res) return null;
+								return {
+									...res,
+									samlConfig: res.samlConfig
+										? JSON.parse(res.samlConfig as unknown as string)
+										: undefined,
+								};
+							});
+					}
+
+					if (!provider?.samlConfig) {
+						throw new APIError("NOT_FOUND", {
+							message: "No SAML provider found",
+						});
+					}
+
+					const parsedSamlConfig = provider.samlConfig;
+					// Configure SP and IdP
+					const sp = saml.ServiceProvider({
+						entityID:
+							parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
+						assertionConsumerService: [
+							{
+								Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+								Location:
+									parsedSamlConfig.callbackUrl ||
+									`${ctx.context.baseURL}/sso/saml2/sp/acs`,
+							},
+						],
+						wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+						metadata: parsedSamlConfig.spMetadata?.metadata,
+						privateKey:
+							parsedSamlConfig.spMetadata?.privateKey ||
+							parsedSamlConfig.privateKey,
+						privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
+					});
+
+					// Update where we construct the IdP
+					const idpData = parsedSamlConfig.idpMetadata;
+					const idp = !idpData?.metadata
+						? saml.IdentityProvider({
+								entityID: idpData?.entityID || parsedSamlConfig.issuer,
+								singleSignOnService: idpData?.singleSignOnService || [
+									{
+										Binding:
+											"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+										Location: parsedSamlConfig.entryPoint,
+									},
+								],
+								signingCert: idpData?.cert || parsedSamlConfig.cert,
+							})
+						: saml.IdentityProvider({
+								metadata: idpData.metadata,
+							});
+
+					// Parse and validate SAML response
+					let parsedResponse: FlowResult;
+					try {
+						let decodedResponse = Buffer.from(SAMLResponse, "base64").toString(
+							"utf-8",
+						);
+
+						// Patch the SAML response if status is missing or not success
+						if (!decodedResponse.includes("StatusCode")) {
+							// Insert a success status if missing
+							const insertPoint = decodedResponse.indexOf("</saml2:Issuer>");
+							if (insertPoint !== -1) {
+								decodedResponse =
+									decodedResponse.slice(0, insertPoint + 14) +
+									'<saml2:Status><saml2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2:Status>' +
+									decodedResponse.slice(insertPoint + 14);
+							}
+						} else if (!decodedResponse.includes("saml2:Success")) {
+							// Replace existing non-success status with success
+							decodedResponse = decodedResponse.replace(
+								/<saml2:StatusCode Value="[^"]+"/,
+								'<saml2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"',
+							);
+						}
+
+						try {
+							parsedResponse = await sp.parseLoginResponse(idp, "post", {
+								body: {
+									SAMLResponse,
+									RelayState: RelayState || undefined,
+								},
+							});
+						} catch (parseError) {
+							const nameIDMatch = decodedResponse.match(
+								/<saml2:NameID[^>]*>([^<]+)<\/saml2:NameID>/,
+							);
+							// due to different spec. we have to make sure to handle that.
+							if (!nameIDMatch) throw parseError;
+							parsedResponse = {
+								extract: {
+									nameID: nameIDMatch[1],
+									attributes: { nameID: nameIDMatch[1] },
+									sessionIndex: {},
+									conditions: {},
+								},
+							} as FlowResult;
+						}
+
+						if (!parsedResponse?.extract) {
+							throw new Error("Invalid SAML response structure");
+						}
+					} catch (error) {
+						ctx.context.logger.error("SAML response validation failed", {
+							error,
+							decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
+								"utf-8",
+							),
+						});
+						throw new APIError("BAD_REQUEST", {
+							message: "Invalid SAML response",
+							details: error instanceof Error ? error.message : String(error),
+						});
+					}
+
+					const { extract } = parsedResponse!;
+					const attributes = extract.attributes || {};
+					const mapping = parsedSamlConfig.mapping ?? {};
+
+					const userInfo = {
+						...Object.fromEntries(
+							Object.entries(mapping.extraFields || {}).map(([key, value]) => [
+								key,
+								attributes[value as string],
+							]),
+						),
+						id: attributes[mapping.id || "nameID"] || extract.nameID,
+						email: attributes[mapping.email || "email"] || extract.nameID,
+						name:
+							[
+								attributes[mapping.firstName || "givenName"],
+								attributes[mapping.lastName || "surname"],
+							]
+								.filter(Boolean)
+								.join(" ") ||
+							attributes[mapping.name || "displayName"] ||
+							extract.nameID,
+						emailVerified:
+							options?.trustEmailVerified && mapping.emailVerified
+								? ((attributes[mapping.emailVerified] || false) as boolean)
+								: false,
+					};
+
+					if (!userInfo.id || !userInfo.email) {
+						ctx.context.logger.error(
+							"Missing essential user info from SAML response",
+							{
+								attributes: Object.keys(attributes),
+								mapping,
+								extractedId: userInfo.id,
+								extractedEmail: userInfo.email,
+							},
+						);
+						throw new APIError("BAD_REQUEST", {
+							message: "Unable to extract user ID or email from SAML response",
+						});
+					}
+
+					// Find or create user
+					let user: User;
 					const existingUser = await ctx.context.adapter.findOne<User>({
 						model: "user",
 						where: [
@@ -1382,7 +2013,7 @@ export const sso = (options?: SSOOptions) => {
 					});
 
 					if (existingUser) {
-						const accounts = await ctx.context.adapter.findOne<Account>({
+						const account = await ctx.context.adapter.findOne<Account>({
 							model: "account",
 							where: [
 								{ field: "userId", value: existingUser.id },
@@ -1390,7 +2021,7 @@ export const sso = (options?: SSOOptions) => {
 								{ field: "accountId", value: userInfo.id },
 							],
 						});
-						if (!accounts) {
+						if (!account) {
 							const isTrustedProvider =
 								ctx.context.options.account?.accountLinking?.trustedProviders?.includes(
 									provider.providerId,
@@ -1492,11 +2123,10 @@ export const sso = (options?: SSOOptions) => {
 					let session: Session =
 						await ctx.context.internalAdapter.createSession(user.id, ctx);
 					await setSessionCookie(ctx, { session, user });
-					throw ctx.redirect(
-						RelayState ||
-							`${parsedSamlConfig.callbackUrl}` ||
-							`${parsedSamlConfig.issuer}`,
-					);
+
+					const callbackUrl =
+						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(callbackUrl);
 				},
 			),
 		},