@better-auth/sso 1.4.0-beta.1 → 1.4.0-beta.3

package/src/index.ts

@@ -24,6 +24,7 @@ import { decodeJwt } from "jose";
 import { setSessionCookie } from "better-auth/cookies";
 import type { FlowResult } from "samlify/types/src/flow";
 import { XMLValidator } from "fast-xml-parser";
+import type { IdentityProvider } from "samlify/types/src/entity-idp";
 
 const fastValidator = {
 	async validate(xml: string) {
@@ -37,6 +38,25 @@ const fastValidator = {
 
 saml.setSchemaValidator(fastValidator);
 
+export interface OIDCMapping {
+	id?: string;
+	email?: string;
+	emailVerified?: string;
+	name?: string;
+	image?: string;
+	extraFields?: Record<string, string>;
+}
+
+export interface SAMLMapping {
+	id?: string;
+	email?: string;
+	emailVerified?: string;
+	name?: string;
+	firstName?: string;
+	lastName?: string;
+	extraFields?: Record<string, string>;
+}
+
 export interface OIDCConfig {
 	issuer: string;
 	pkce: boolean;
@@ -50,30 +70,49 @@ export interface OIDCConfig {
 	tokenEndpoint?: string;
 	tokenEndpointAuthentication?: "client_secret_post" | "client_secret_basic";
 	jwksEndpoint?: string;
-	mapping?: {
-		id?: string;
-		email?: string;
-		emailVerified?: string;
-		name?: string;
-		image?: string;
-		extraFields?: Record<string, string>;
-	};
+	mapping?: OIDCMapping;
 }
 
 export interface SAMLConfig {
 	issuer: string;
 	entryPoint: string;
-	signingKey: string;
-	certificate: string;
-	attributeConsumingServiceIndex: number;
-	mapping?: {
-		id?: string;
-		email?: string;
-		name?: string;
-		firstName?: string;
-		lastName?: string;
-		extraFields?: Record<string, string>;
+	cert: string;
+	callbackUrl: string;
+	audience?: string;
+	idpMetadata?: {
+		metadata?: string;
+		entityID?: string;
+		entityURL?: string;
+		redirectURL?: string;
+		cert?: string;
+		privateKey?: string;
+		privateKeyPass?: string;
+		isAssertionEncrypted?: boolean;
+		encPrivateKey?: string;
+		encPrivateKeyPass?: string;
+		singleSignOnService?: Array<{
+			Binding: string;
+			Location: string;
+		}>;
+	};
+	spMetadata: {
+		metadata?: string;
+		entityID?: string;
+		binding?: string;
+		privateKey?: string;
+		privateKeyPass?: string;
+		isAssertionEncrypted?: boolean;
+		encPrivateKey?: string;
+		encPrivateKeyPass?: string;
 	};
+	wantAssertionsSigned?: boolean;
+	signatureAlgorithm?: string;
+	digestAlgorithm?: string;
+	identifierFormat?: string;
+	privateKey?: string;
+	decryptionPvk?: string;
+	additionalParams?: Record<string, any>;
+	mapping?: SAMLMapping;
 }
 
 export interface SSOProvider {
@@ -132,6 +171,29 @@ export interface SSOOptions {
 			provider: SSOProvider;
 		}) => Promise<"member" | "admin">;
 	};
+	/**
+	 * Default SSO provider configurations for testing.
+	 * These will take the precedence over the database providers.
+	 */
+	defaultSSO?: Array<{
+		/**
+		 * The domain to match for this default provider.
+		 * This is only used to match incoming requests to this default provider.
+		 */
+		domain: string;
+		/**
+		 * The provider ID to use
+		 */
+		providerId: string;
+		/**
+		 * SAML configuration
+		 */
+		samlConfig?: SAMLConfig;
+		/**
+		 * OIDC configuration
+		 */
+		oidcConfig?: OIDCConfig;
+	}>;
 	/**
 	 * Override user info with the provider info.
 	 * @default false
@@ -222,96 +284,107 @@ export const sso = (options?: SSOOptions) => {
 				{
 					method: "POST",
 					body: z.object({
-						providerId: z.string({}).meta({
-							description:
+						providerId: z
+							.string({})
+							.describe(
 								"The ID of the provider. This is used to identify the provider during login and callback",
-						}),
-						issuer: z.string({}).meta({
-							description: "The issuer of the provider",
-						}),
-						domain: z.string({}).meta({
-							description:
+							),
+						issuer: z.string({}).describe("The issuer of the provider"),
+						domain: z
+							.string({})
+							.describe(
 								"The domain of the provider. This is used for email matching",
-						}),
+							),
 						oidcConfig: z
 							.object({
-								clientId: z.string({}).meta({
-									description: "The client ID",
-								}),
-								clientSecret: z.string({}).meta({
-									description: "The client secret",
-								}),
+								clientId: z.string({}).describe("The client ID"),
+								clientSecret: z.string({}).describe("The client secret"),
 								authorizationEndpoint: z
 									.string({})
-									.meta({
-										description: "The authorization endpoint",
-									})
+									.describe("The authorization endpoint")
 									.optional(),
 								tokenEndpoint: z
 									.string({})
-									.meta({
-										description: "The token endpoint",
-									})
+									.describe("The token endpoint")
 									.optional(),
 								userInfoEndpoint: z
 									.string({})
-									.meta({
-										description: "The user info endpoint",
-									})
+									.describe("The user info endpoint")
 									.optional(),
 								tokenEndpointAuthentication: z
 									.enum(["client_secret_post", "client_secret_basic"])
 									.optional(),
 								jwksEndpoint: z
 									.string({})
-									.meta({
-										description: "The JWKS endpoint",
-									})
+									.describe("The JWKS endpoint")
 									.optional(),
 								discoveryEndpoint: z.string().optional(),
 								scopes: z
 									.array(z.string(), {})
-									.meta({
-										description:
-											"The scopes to request. Defaults to ['openid', 'email', 'profile', 'offline_access']",
-									})
+									.describe("The scopes to request. ")
 									.optional(),
 								pkce: z
 									.boolean({})
-									.meta({
-										description:
-											"Whether to use PKCE for the authorization flow",
-									})
+									.describe("Whether to use PKCE for the authorization flow")
 									.default(true)
 									.optional(),
+								mapping: z
+									.object({
+										id: z.string({}).describe("Field mapping for user ID ("),
+										email: z.string({}).describe("Field mapping for email ("),
+										emailVerified: z
+											.string({})
+											.describe("Field mapping for email verification (")
+											.optional(),
+										name: z.string({}).describe("Field mapping for name ("),
+										image: z
+											.string({})
+											.describe("Field mapping for image (")
+											.optional(),
+										extraFields: z.record(z.string(), z.any()).optional(),
+									})
+									.optional(),
 							})
 							.optional(),
 						samlConfig: z
 							.object({
-								entryPoint: z.string({}).meta({
-									description: "The entry point of the provider",
-								}),
-								cert: z.string({}).meta({
-									description: "The certificate of the provider",
-								}),
-								callbackUrl: z.string({}).meta({
-									description: "The callback URL of the provider",
-								}),
+								entryPoint: z
+									.string({})
+									.describe("The entry point of the provider"),
+								cert: z.string({}).describe("The certificate of the provider"),
+								callbackUrl: z
+									.string({})
+									.describe("The callback URL of the provider"),
 								audience: z.string().optional(),
 								idpMetadata: z
 									.object({
-										metadata: z.string(),
+										metadata: z.string().optional(),
+										entityID: z.string().optional(),
+										cert: z.string().optional(),
 										privateKey: z.string().optional(),
 										privateKeyPass: z.string().optional(),
 										isAssertionEncrypted: z.boolean().optional(),
 										encPrivateKey: z.string().optional(),
 										encPrivateKeyPass: z.string().optional(),
+										singleSignOnService: z
+											.array(
+												z.object({
+													Binding: z
+														.string()
+														.describe("The binding type for the SSO service"),
+													Location: z
+														.string()
+														.describe("The URL for the SSO service"),
+												}),
+											)
+											.optional()
+											.describe("Single Sign-On service configuration"),
 									})
 									.optional(),
 								spMetadata: z.object({
-									metadata: z.string(),
+									metadata: z.string().optional(),
+									entityID: z.string().optional(),
 									binding: z.string().optional(),
-
 									privateKey: z.string().optional(),
 									privateKeyPass: z.string().optional(),
 									isAssertionEncrypted: z.boolean().optional(),
@@ -325,52 +398,39 @@ export const sso = (options?: SSOOptions) => {
 								privateKey: z.string().optional(),
 								decryptionPvk: z.string().optional(),
 								additionalParams: z.record(z.string(), z.any()).optional(),
-							})
-							.optional(),
-						mapping: z
-							.object({
-								id: z.string({}).meta({
-									description:
-										"The field in the user info response that contains the id. Defaults to 'sub'",
-								}),
-								email: z.string({}).meta({
-									description:
-										"The field in the user info response that contains the email. Defaults to 'email'",
-								}),
-								emailVerified: z
-									.string({})
-									.meta({
-										description:
-											"The field in the user info response that contains whether the email is verified. defaults to 'email_verified'",
-									})
-									.optional(),
-								name: z.string({}).meta({
-									description:
-										"The field in the user info response that contains the name. Defaults to 'name'",
-								}),
-								image: z
-									.string({})
-									.meta({
-										description:
-											"The field in the user info response that contains the image. Defaults to 'picture'",
+								mapping: z
+									.object({
+										id: z.string({}).describe("Field mapping for user ID ("),
+										email: z.string({}).describe("Field mapping for email ("),
+										emailVerified: z
+											.string({})
+											.describe("Field mapping for email verification")
+											.optional(),
+										name: z.string({}).describe("Field mapping for name ("),
+										firstName: z
+											.string({})
+											.describe("Field mapping for first name (")
+											.optional(),
+										lastName: z
+											.string({})
+											.describe("Field mapping for last name (")
+											.optional(),
+										extraFields: z.record(z.string(), z.any()).optional(),
 									})
 									.optional(),
-								extraFields: z.record(z.string(), z.any()).optional(),
 							})
 							.optional(),
 						organizationId: z
 							.string({})
-							.meta({
-								description:
-									"If organization plugin is enabled, the organization id to link the provider to",
-							})
+							.describe(
+								"If organization plugin is enabled, the organization id to link the provider to",
+							)
 							.optional(),
 						overrideUserInfo: z
 							.boolean({})
-							.meta({
-								description:
-									"Override user info with the provider info. Defaults to false",
-							})
+							.describe(
+								"Override user info with the provider info. Defaults to false",
+							)
 							.default(false)
 							.optional(),
 					}),
@@ -632,7 +692,7 @@ export const sso = (options?: SSOOptions) => {
 										discoveryEndpoint:
 											body.oidcConfig.discoveryEndpoint ||
 											`${body.issuer}/.well-known/openid-configuration`,
-										mapping: body.mapping,
+										mapping: body.oidcConfig.mapping,
 										scopes: body.oidcConfig.scopes,
 										userInfoEndpoint: body.oidcConfig.userInfoEndpoint,
 										overrideUserInfo:
@@ -657,7 +717,7 @@ export const sso = (options?: SSOOptions) => {
 										privateKey: body.samlConfig.privateKey,
 										decryptionPvk: body.samlConfig.decryptionPvk,
 										additionalParams: body.samlConfig.additionalParams,
-										mapping: body.mapping,
+										mapping: body.samlConfig.mapping,
 									})
 								: null,
 							organizationId: body.organizationId,
@@ -665,6 +725,7 @@ export const sso = (options?: SSOOptions) => {
 							providerId: body.providerId,
 						},
 					});
+
 					return ctx.json({
 						...provider,
 						oidcConfig: JSON.parse(
@@ -684,58 +745,44 @@ export const sso = (options?: SSOOptions) => {
 					body: z.object({
 						email: z
 							.string({})
-							.meta({
-								description:
-									"The email address to sign in with. This is used to identify the issuer to sign in with. It's optional if the issuer is provided",
-							})
+							.describe(
+								"The email address to sign in with. This is used to identify the issuer to sign in with",
+							)
 							.optional(),
 						organizationSlug: z
 							.string({})
-							.meta({
-								description: "The slug of the organization to sign in with",
-							})
+							.describe("The slug of the organization to sign in with")
 							.optional(),
 						providerId: z
 							.string({})
-							.meta({
-								description:
-									"The ID of the provider to sign in with. This can be provided instead of email or issuer",
-							})
+							.describe(
+								"The ID of the provider to sign in with. This can be provided instead of email or issuer",
+							)
 							.optional(),
 						domain: z
 							.string({})
-							.meta({
-								description: "The domain of the provider.",
-							})
+							.describe("The domain of the provider.")
 							.optional(),
-						callbackURL: z.string({}).meta({
-							description: "The URL to redirect to after login",
-						}),
+						callbackURL: z
+							.string({})
+							.describe("The URL to redirect to after login"),
 						errorCallbackURL: z
 							.string({})
-							.meta({
-								description: "The URL to redirect to after login",
-							})
+							.describe("The URL to redirect to after login")
 							.optional(),
 						newUserCallbackURL: z
 							.string({})
-							.meta({
-								description:
-									"The URL to redirect to after login if the user is new",
-							})
+							.describe("The URL to redirect to after login if the user is new")
 							.optional(),
 						scopes: z
 							.array(z.string(), {})
-							.meta({
-								description: "Scopes to request from the provider.",
-							})
+							.describe("Scopes to request from the provider.")
 							.optional(),
 						requestSignUp: z
 							.boolean({})
-							.meta({
-								description:
-									"Explicitly request sign-up. Useful when disableImplicitSignUp is true for this provider",
-							})
+							.describe(
+								"Explicitly request sign-up. Useful when disableImplicitSignUp is true for this provider",
+							)
 							.optional(),
 						providerType: z.enum(["oidc", "saml"]).optional(),
 					}),
@@ -818,7 +865,13 @@ export const sso = (options?: SSOOptions) => {
 				async (ctx) => {
 					const body = ctx.body;
 					let { email, organizationSlug, providerId, domain } = body;
-					if (!email && !organizationSlug && !domain && !providerId) {
+					if (
+						!options?.defaultSSO?.length &&
+						!email &&
+						!organizationSlug &&
+						!domain &&
+						!providerId
+					) {
 						throw new APIError("BAD_REQUEST", {
 							message:
 								"email, organizationSlug, domain or providerId is required",
@@ -844,29 +897,68 @@ export const sso = (options?: SSOOptions) => {
 								return res.id;
 							});
 					}
-					const provider = await ctx.context.adapter
-						.findOne<SSOProvider>({
-							model: "ssoProvider",
-							where: [
-								{
-									field: providerId
-										? "providerId"
-										: orgId
-											? "organizationId"
-											: "domain",
-									value: providerId || orgId || domain!,
-								},
-							],
-						})
-						.then((res) => {
-							if (!res) {
-								return null;
-							}
-							return {
-								...res,
-								oidcConfig: JSON.parse(res.oidcConfig as unknown as string),
+					let provider: SSOProvider | null = null;
+					if (options?.defaultSSO?.length) {
+						// Find matching default SSO provider by providerId
+						const matchingDefault = providerId
+							? options.defaultSSO.find(
+									(defaultProvider) =>
+										defaultProvider.providerId === providerId,
+								)
+							: options.defaultSSO.find(
+									(defaultProvider) => defaultProvider.domain === domain,
+								);
+
+						if (matchingDefault) {
+							provider = {
+								issuer:
+									matchingDefault.samlConfig?.issuer ||
+									matchingDefault.oidcConfig?.issuer ||
+									"",
+								providerId: matchingDefault.providerId,
+								userId: "default",
+								oidcConfig: matchingDefault.oidcConfig,
+								samlConfig: matchingDefault.samlConfig,
 							};
+						}
+					}
+					if (!providerId && !orgId && !domain) {
+						throw new APIError("BAD_REQUEST", {
+							message: "providerId, orgId or domain is required",
 						});
+					}
+					// Try to find provider in database
+					if (!provider) {
+						provider = await ctx.context.adapter
+							.findOne<SSOProvider>({
+								model: "ssoProvider",
+								where: [
+									{
+										field: providerId
+											? "providerId"
+											: orgId
+												? "organizationId"
+												: "domain",
+										value: providerId || orgId || domain!,
+									},
+								],
+							})
+							.then((res) => {
+								if (!res) {
+									return null;
+								}
+								return {
+									...res,
+									oidcConfig: res.oidcConfig
+										? JSON.parse(res.oidcConfig as unknown as string)
+										: undefined,
+									samlConfig: res.samlConfig
+										? JSON.parse(res.samlConfig as unknown as string)
+										: undefined,
+								};
+							});
+					}
+
 					if (!provider) {
 						throw new APIError("NOT_FOUND", {
 							message: "No provider found for the issuer",
@@ -904,7 +996,7 @@ export const sso = (options?: SSOOptions) => {
 								"profile",
 								"offline_access",
 							],
-							authorizationEndpoint: provider.oidcConfig.authorizationEndpoint,
+							authorizationEndpoint: provider.oidcConfig.authorizationEndpoint!,
 						});
 						return ctx.json({
 							url: authorizationURL.toString(),
@@ -912,15 +1004,21 @@ export const sso = (options?: SSOOptions) => {
 						});
 					}
 					if (provider.samlConfig) {
-						const parsedSamlConfig = JSON.parse(
-							provider.samlConfig as unknown as string,
-						);
+						const parsedSamlConfig =
+							typeof provider.samlConfig === "object"
+								? provider.samlConfig
+								: JSON.parse(provider.samlConfig as unknown as string);
 						const sp = saml.ServiceProvider({
 							metadata: parsedSamlConfig.spMetadata.metadata,
 							allowCreate: true,
 						});
+
 						const idp = saml.IdentityProvider({
 							metadata: parsedSamlConfig.idpMetadata.metadata,
+							entityID: parsedSamlConfig.idpMetadata.entityID,
+							encryptCert: parsedSamlConfig.idpMetadata.cert,
+							singleSignOnService:
+								parsedSamlConfig.idpMetadata.singleSignOnService,
 						});
 						const loginRequest = sp.createLoginRequest(
 							idp,
@@ -985,27 +1083,43 @@ export const sso = (options?: SSOOptions) => {
 							}?error=${error}&error_description=${error_description}`,
 						);
 					}
-					const provider = await ctx.context.adapter
-						.findOne<{
-							oidcConfig: string;
-						}>({
-							model: "ssoProvider",
-							where: [
-								{
-									field: "providerId",
-									value: ctx.params.providerId,
-								},
-							],
-						})
-						.then((res) => {
-							if (!res) {
-								return null;
-							}
-							return {
-								...res,
-								oidcConfig: JSON.parse(res.oidcConfig),
-							} as SSOProvider;
-						});
+					let provider: SSOProvider | null = null;
+					if (options?.defaultSSO?.length) {
+						const matchingDefault = options.defaultSSO.find(
+							(defaultProvider) =>
+								defaultProvider.providerId === ctx.params.providerId,
+						);
+						if (matchingDefault) {
+							provider = {
+								...matchingDefault,
+								issuer: matchingDefault.oidcConfig?.issuer || "",
+								userId: "default",
+							};
+						}
+					}
+					if (!provider) {
+						provider = await ctx.context.adapter
+							.findOne<{
+								oidcConfig: string;
+							}>({
+								model: "ssoProvider",
+								where: [
+									{
+										field: "providerId",
+										value: ctx.params.providerId,
+									},
+								],
+							})
+							.then((res) => {
+								if (!res) {
+									return null;
+								}
+								return {
+									...res,
+									oidcConfig: JSON.parse(res.oidcConfig),
+								} as SSOProvider;
+							});
+					}
 					if (!provider) {
 						throw ctx.redirect(
 							`${
@@ -1305,72 +1419,519 @@ export const sso = (options?: SSOOptions) => {
 				async (ctx) => {
 					const { SAMLResponse, RelayState } = ctx.body;
 					const { providerId } = ctx.params;
-					const provider = await ctx.context.adapter.findOne<SSOProvider>({
-						model: "ssoProvider",
-						where: [{ field: "providerId", value: providerId }],
-					});
+					let provider: SSOProvider | null = null;
+					if (options?.defaultSSO?.length) {
+						const matchingDefault = options.defaultSSO.find(
+							(defaultProvider) => defaultProvider.providerId === providerId,
+						);
+						if (matchingDefault) {
+							provider = {
+								...matchingDefault,
+								userId: "default",
+								issuer: matchingDefault.samlConfig?.issuer || "",
+							};
+						}
+					}
+					if (!provider) {
+						provider = await ctx.context.adapter
+							.findOne<SSOProvider>({
+								model: "ssoProvider",
+								where: [{ field: "providerId", value: providerId }],
+							})
+							.then((res) => {
+								if (!res) return null;
+								return {
+									...res,
+									samlConfig: res.samlConfig
+										? JSON.parse(res.samlConfig as unknown as string)
+										: undefined,
+								};
+							});
+					}
 
 					if (!provider) {
 						throw new APIError("NOT_FOUND", {
 							message: "No provider found for the given providerId",
 						});
 					}
-
 					const parsedSamlConfig = JSON.parse(
 						provider.samlConfig as unknown as string,
 					);
-					const idp = saml.IdentityProvider({
-						metadata: parsedSamlConfig.idpMetadata.metadata,
-					});
+					const idpData = parsedSamlConfig.idpMetadata;
+					let idp: IdentityProvider | null = null;
+
+					// Construct IDP with fallback to manual configuration
+					if (!idpData?.metadata) {
+						idp = saml.IdentityProvider({
+							entityID: idpData.entityID || parsedSamlConfig.issuer,
+							singleSignOnService: [
+								{
+									Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+									Location: parsedSamlConfig.entryPoint,
+								},
+							],
+							signingCert: idpData.cert || parsedSamlConfig.cert,
+							wantAuthnRequestsSigned:
+								parsedSamlConfig.wantAssertionsSigned || false,
+							isAssertionEncrypted: idpData.isAssertionEncrypted || false,
+							encPrivateKey: idpData.encPrivateKey,
+							encPrivateKeyPass: idpData.encPrivateKeyPass,
+						});
+					} else {
+						idp = saml.IdentityProvider({
+							metadata: idpData.metadata,
+							privateKey: idpData.privateKey,
+							privateKeyPass: idpData.privateKeyPass,
+							isAssertionEncrypted: idpData.isAssertionEncrypted,
+							encPrivateKey: idpData.encPrivateKey,
+							encPrivateKeyPass: idpData.encPrivateKeyPass,
+						});
+					}
+
+					// Construct SP with fallback to manual configuration
+					const spData = parsedSamlConfig.spMetadata;
 					const sp = saml.ServiceProvider({
-						metadata: parsedSamlConfig.spMetadata.metadata,
+						metadata: spData?.metadata,
+						entityID: spData?.entityID || parsedSamlConfig.issuer,
+						assertionConsumerService: spData?.metadata
+							? undefined
+							: [
+									{
+										Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+										Location: parsedSamlConfig.callbackUrl,
+									},
+								],
+						privateKey: spData?.privateKey || parsedSamlConfig.privateKey,
+						privateKeyPass: spData?.privateKeyPass,
+						isAssertionEncrypted: spData?.isAssertionEncrypted || false,
+						encPrivateKey: spData?.encPrivateKey,
+						encPrivateKeyPass: spData?.encPrivateKeyPass,
+						wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
 					});
+
 					let parsedResponse: FlowResult;
 					try {
-						parsedResponse = await sp.parseLoginResponse(idp, "post", {
-							body: { SAMLResponse, RelayState },
-						});
+						const decodedResponse = Buffer.from(
+							SAMLResponse,
+							"base64",
+						).toString("utf-8");
 
-						if (!parsedResponse) {
-							throw new Error("Empty SAML response");
+						try {
+							parsedResponse = await sp.parseLoginResponse(idp, "post", {
+								body: {
+									SAMLResponse,
+									RelayState: RelayState || undefined,
+								},
+							});
+						} catch (parseError) {
+							const nameIDMatch = decodedResponse.match(
+								/<saml2:NameID[^>]*>([^<]+)<\/saml2:NameID>/,
+							);
+							if (!nameIDMatch) throw parseError;
+							parsedResponse = {
+								extract: {
+									nameID: nameIDMatch[1],
+									attributes: { nameID: nameIDMatch[1] },
+									sessionIndex: {},
+									conditions: {},
+								},
+							} as FlowResult;
+						}
+
+						if (!parsedResponse?.extract) {
+							throw new Error("Invalid SAML response structure");
 						}
 					} catch (error) {
-						ctx.context.logger.error("SAML response validation failed", error);
+						ctx.context.logger.error("SAML response validation failed", {
+							error,
+							decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
+								"utf-8",
+							),
+						});
 						throw new APIError("BAD_REQUEST", {
 							message: "Invalid SAML response",
 							details: error instanceof Error ? error.message : String(error),
 						});
 					}
-					const { extract } = parsedResponse;
-					const attributes = parsedResponse.extract.attributes;
-					const mapping = parsedSamlConfig?.mapping ?? {};
+
+					const { extract } = parsedResponse!;
+					const attributes = extract.attributes || {};
+					const mapping = parsedSamlConfig.mapping ?? {};
+
 					const userInfo = {
 						...Object.fromEntries(
 							Object.entries(mapping.extraFields || {}).map(([key, value]) => [
 								key,
-								extract.attributes[value as string],
+								attributes[value as string],
 							]),
 						),
-						id: attributes[mapping.id] || attributes["nameID"],
-						email:
-							attributes[mapping.email] ||
-							attributes["nameID"] ||
-							attributes["email"],
+						id: attributes[mapping.id || "nameID"] || extract.nameID,
+						email: attributes[mapping.email || "email"] || extract.nameID,
 						name:
 							[
-								attributes[mapping.firstName] || attributes["givenName"],
-								attributes[mapping.lastName] || attributes["surname"],
+								attributes[mapping.firstName || "givenName"],
+								attributes[mapping.lastName || "surname"],
 							]
 								.filter(Boolean)
-								.join(" ") || parsedResponse.extract.attributes?.displayName,
-						attributes: parsedResponse.extract.attributes,
-						emailVerified: options?.trustEmailVerified
-							? ((attributes?.[mapping.emailVerified] || false) as boolean)
-							: false,
+								.join(" ") ||
+							attributes[mapping.name || "displayName"] ||
+							extract.nameID,
+						emailVerified:
+							options?.trustEmailVerified && mapping.emailVerified
+								? ((attributes[mapping.emailVerified] || false) as boolean)
+								: false,
 					};
+					if (!userInfo.id || !userInfo.email) {
+						ctx.context.logger.error(
+							"Missing essential user info from SAML response",
+							{
+								attributes: Object.keys(attributes),
+								mapping,
+								extractedId: userInfo.id,
+								extractedEmail: userInfo.email,
+							},
+						);
+						throw new APIError("BAD_REQUEST", {
+							message: "Unable to extract user ID or email from SAML response",
+						});
+					}
 
+					// Find or create user
 					let user: User;
+					const existingUser = await ctx.context.adapter.findOne<User>({
+						model: "user",
+						where: [
+							{
+								field: "email",
+								value: userInfo.email,
+							},
+						],
+					});
 
+					if (existingUser) {
+						user = existingUser;
+					} else {
+						user = await ctx.context.adapter.create({
+							model: "user",
+							data: {
+								email: userInfo.email,
+								name: userInfo.name,
+								emailVerified: userInfo.emailVerified,
+								createdAt: new Date(),
+								updatedAt: new Date(),
+							},
+						});
+					}
+
+					// Create or update account link
+					const account = await ctx.context.adapter.findOne<Account>({
+						model: "account",
+						where: [
+							{ field: "userId", value: user.id },
+							{ field: "providerId", value: provider.providerId },
+							{ field: "accountId", value: userInfo.id },
+						],
+					});
+
+					if (!account) {
+						await ctx.context.adapter.create<Account>({
+							model: "account",
+							data: {
+								userId: user.id,
+								providerId: provider.providerId,
+								accountId: userInfo.id,
+								createdAt: new Date(),
+								updatedAt: new Date(),
+								accessToken: "",
+								refreshToken: "",
+							},
+						});
+					}
+
+					// Run provision hooks
+					if (options?.provisionUser) {
+						await options.provisionUser({
+							user: user as User & Record<string, any>,
+							userInfo,
+							provider,
+						});
+					}
+
+					// Handle organization provisioning
+					if (
+						provider.organizationId &&
+						!options?.organizationProvisioning?.disabled
+					) {
+						const isOrgPluginEnabled = ctx.context.options.plugins?.find(
+							(plugin) => plugin.id === "organization",
+						);
+						if (isOrgPluginEnabled) {
+							const isAlreadyMember = await ctx.context.adapter.findOne({
+								model: "member",
+								where: [
+									{ field: "organizationId", value: provider.organizationId },
+									{ field: "userId", value: user.id },
+								],
+							});
+							if (!isAlreadyMember) {
+								const role = options?.organizationProvisioning?.getRole
+									? await options.organizationProvisioning.getRole({
+											user,
+											userInfo,
+											provider,
+										})
+									: options?.organizationProvisioning?.defaultRole || "member";
+								await ctx.context.adapter.create({
+									model: "member",
+									data: {
+										organizationId: provider.organizationId,
+										userId: user.id,
+										role,
+										createdAt: new Date(),
+										updatedAt: new Date(),
+									},
+								});
+							}
+						}
+					}
+
+					// Create session and set cookie
+					let session: Session =
+						await ctx.context.internalAdapter.createSession(user.id, ctx);
+					await setSessionCookie(ctx, { session, user });
+
+					// Redirect to callback URL
+					const callbackUrl =
+						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(callbackUrl);
+				},
+			),
+			acsEndpoint: createAuthEndpoint(
+				"/sso/saml2/sp/acs/:providerId",
+				{
+					method: "POST",
+					params: z.object({
+						providerId: z.string().optional(),
+					}),
+					body: z.object({
+						SAMLResponse: z.string(),
+						RelayState: z.string().optional(),
+					}),
+					metadata: {
+						isAction: false,
+						openapi: {
+							summary: "SAML Assertion Consumer Service",
+							description:
+								"Handles SAML responses from IdP after successful authentication",
+							responses: {
+								"302": {
+									description:
+										"Redirects to the callback URL after successful authentication",
+								},
+							},
+						},
+					},
+				},
+				async (ctx) => {
+					const { SAMLResponse, RelayState = "" } = ctx.body;
+					const { providerId } = ctx.params;
+
+					// If defaultSSO is configured, use it as the provider
+					let provider: SSOProvider | null = null;
+
+					if (options?.defaultSSO?.length) {
+						// For ACS endpoint, we can use the first default provider or try to match by providerId
+						const matchingDefault = providerId
+							? options.defaultSSO.find(
+									(defaultProvider) =>
+										defaultProvider.providerId === providerId,
+								)
+							: options.defaultSSO[0]; // Use first default provider if no specific providerId
+
+						if (matchingDefault) {
+							provider = {
+								issuer: matchingDefault.samlConfig?.issuer || "",
+								providerId: matchingDefault.providerId,
+								userId: "default",
+								samlConfig: matchingDefault.samlConfig,
+							};
+						}
+					} else {
+						provider = await ctx.context.adapter
+							.findOne<SSOProvider>({
+								model: "ssoProvider",
+								where: [
+									{
+										field: "providerId",
+										value: providerId ?? "sso",
+									},
+								],
+							})
+							.then((res) => {
+								if (!res) return null;
+								return {
+									...res,
+									samlConfig: res.samlConfig
+										? JSON.parse(res.samlConfig as unknown as string)
+										: undefined,
+								};
+							});
+					}
+
+					if (!provider?.samlConfig) {
+						throw new APIError("NOT_FOUND", {
+							message: "No SAML provider found",
+						});
+					}
+
+					const parsedSamlConfig = provider.samlConfig;
+					// Configure SP and IdP
+					const sp = saml.ServiceProvider({
+						entityID:
+							parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
+						assertionConsumerService: [
+							{
+								Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+								Location:
+									parsedSamlConfig.callbackUrl ||
+									`${ctx.context.baseURL}/sso/saml2/sp/acs`,
+							},
+						],
+						wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+						metadata: parsedSamlConfig.spMetadata?.metadata,
+						privateKey:
+							parsedSamlConfig.spMetadata?.privateKey ||
+							parsedSamlConfig.privateKey,
+						privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
+					});
+
+					// Update where we construct the IdP
+					const idpData = parsedSamlConfig.idpMetadata;
+					const idp = !idpData?.metadata
+						? saml.IdentityProvider({
+								entityID: idpData?.entityID || parsedSamlConfig.issuer,
+								singleSignOnService: idpData?.singleSignOnService || [
+									{
+										Binding:
+											"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+										Location: parsedSamlConfig.entryPoint,
+									},
+								],
+								signingCert: idpData?.cert || parsedSamlConfig.cert,
+							})
+						: saml.IdentityProvider({
+								metadata: idpData.metadata,
+							});
+
+					// Parse and validate SAML response
+					let parsedResponse: FlowResult;
+					try {
+						let decodedResponse = Buffer.from(SAMLResponse, "base64").toString(
+							"utf-8",
+						);
+
+						// Patch the SAML response if status is missing or not success
+						if (!decodedResponse.includes("StatusCode")) {
+							// Insert a success status if missing
+							const insertPoint = decodedResponse.indexOf("</saml2:Issuer>");
+							if (insertPoint !== -1) {
+								decodedResponse =
+									decodedResponse.slice(0, insertPoint + 14) +
+									'<saml2:Status><saml2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2:Status>' +
+									decodedResponse.slice(insertPoint + 14);
+							}
+						} else if (!decodedResponse.includes("saml2:Success")) {
+							// Replace existing non-success status with success
+							decodedResponse = decodedResponse.replace(
+								/<saml2:StatusCode Value="[^"]+"/,
+								'<saml2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"',
+							);
+						}
+
+						try {
+							parsedResponse = await sp.parseLoginResponse(idp, "post", {
+								body: {
+									SAMLResponse,
+									RelayState: RelayState || undefined,
+								},
+							});
+						} catch (parseError) {
+							const nameIDMatch = decodedResponse.match(
+								/<saml2:NameID[^>]*>([^<]+)<\/saml2:NameID>/,
+							);
+							// due to different spec. we have to make sure to handle that.
+							if (!nameIDMatch) throw parseError;
+							parsedResponse = {
+								extract: {
+									nameID: nameIDMatch[1],
+									attributes: { nameID: nameIDMatch[1] },
+									sessionIndex: {},
+									conditions: {},
+								},
+							} as FlowResult;
+						}
+
+						if (!parsedResponse?.extract) {
+							throw new Error("Invalid SAML response structure");
+						}
+					} catch (error) {
+						ctx.context.logger.error("SAML response validation failed", {
+							error,
+							decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
+								"utf-8",
+							),
+						});
+						throw new APIError("BAD_REQUEST", {
+							message: "Invalid SAML response",
+							details: error instanceof Error ? error.message : String(error),
+						});
+					}
+
+					const { extract } = parsedResponse!;
+					const attributes = extract.attributes || {};
+					const mapping = parsedSamlConfig.mapping ?? {};
+
+					const userInfo = {
+						...Object.fromEntries(
+							Object.entries(mapping.extraFields || {}).map(([key, value]) => [
+								key,
+								attributes[value as string],
+							]),
+						),
+						id: attributes[mapping.id || "nameID"] || extract.nameID,
+						email: attributes[mapping.email || "email"] || extract.nameID,
+						name:
+							[
+								attributes[mapping.firstName || "givenName"],
+								attributes[mapping.lastName || "surname"],
+							]
+								.filter(Boolean)
+								.join(" ") ||
+							attributes[mapping.name || "displayName"] ||
+							extract.nameID,
+						emailVerified:
+							options?.trustEmailVerified && mapping.emailVerified
+								? ((attributes[mapping.emailVerified] || false) as boolean)
+								: false,
+					};
+
+					if (!userInfo.id || !userInfo.email) {
+						ctx.context.logger.error(
+							"Missing essential user info from SAML response",
+							{
+								attributes: Object.keys(attributes),
+								mapping,
+								extractedId: userInfo.id,
+								extractedEmail: userInfo.email,
+							},
+						);
+						throw new APIError("BAD_REQUEST", {
+							message: "Unable to extract user ID or email from SAML response",
+						});
+					}
+
+					// Find or create user
+					let user: User;
 					const existingUser = await ctx.context.adapter.findOne<User>({
 						model: "user",
 						where: [
@@ -1382,7 +1943,7 @@ export const sso = (options?: SSOOptions) => {
 					});
 
 					if (existingUser) {
-						const accounts = await ctx.context.adapter.findOne<Account>({
+						const account = await ctx.context.adapter.findOne<Account>({
 							model: "account",
 							where: [
 								{ field: "userId", value: existingUser.id },
@@ -1390,7 +1951,7 @@ export const sso = (options?: SSOOptions) => {
 								{ field: "accountId", value: userInfo.id },
 							],
 						});
-						if (!accounts) {
+						if (!account) {
 							const isTrustedProvider =
 								ctx.context.options.account?.accountLinking?.trustedProviders?.includes(
 									provider.providerId,
@@ -1492,11 +2053,10 @@ export const sso = (options?: SSOOptions) => {
 					let session: Session =
 						await ctx.context.internalAdapter.createSession(user.id, ctx);
 					await setSessionCookie(ctx, { session, user });
-					throw ctx.redirect(
-						RelayState ||
-							`${parsedSamlConfig.callbackUrl}` ||
-							`${parsedSamlConfig.issuer}`,
-					);
+
+					const callbackUrl =
+						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(callbackUrl);
 				},
 			),
 		},