@better-auth/sso 1.4.17 → 1.4.19

package/dist/index.mjs

@@ -1,16 +1,68 @@
-import { APIError, createAuthEndpoint, createAuthMiddleware, sessionMiddleware } from "better-auth/api";
+import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import * as saml from "samlify";
+import { X509Certificate } from "node:crypto";
 import { generateRandomString } from "better-auth/crypto";
 import * as z$1 from "zod/v4";
 import z from "zod/v4";
+import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
-import { HIDE_METADATA, createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
+import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
-import { base64 } from "@better-auth/utils/base64";
 
+//#region src/utils.ts
+/**
+* Safely parses a value that might be a JSON string or already a parsed object.
+* This handles cases where ORMs like Drizzle might return already parsed objects
+* instead of JSON strings from TEXT/JSON columns.
+*
+* @param value - The value to parse (string, object, null, or undefined)
+* @returns The parsed object or null
+* @throws Error if string parsing fails
+*/
+function safeJsonParse(value) {
+	if (!value) return null;
+	if (typeof value === "object") return value;
+	if (typeof value === "string") try {
+		return JSON.parse(value);
+	} catch (error) {
+		throw new Error(`Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
+	return null;
+}
+/**
+* Checks if a domain matches any domain in a comma-separated list.
+*/
+const domainMatches = (searchDomain, domainList) => {
+	const search = searchDomain.toLowerCase();
+	return domainList.split(",").map((d) => d.trim().toLowerCase()).filter(Boolean).some((d) => search === d || search.endsWith(`.${d}`));
+};
+/**
+* Validates email domain against allowed domain(s).
+* Supports comma-separated domains for multi-domain SSO.
+*/
+const validateEmailDomain = (email, domain) => {
+	const emailDomain = email.split("@")[1]?.toLowerCase();
+	if (!emailDomain || !domain) return false;
+	return domainMatches(emailDomain, domain);
+};
+function parseCertificate(certPem) {
+	const cert = new X509Certificate(certPem.includes("-----BEGIN") ? certPem : `-----BEGIN CERTIFICATE-----\n${certPem}\n-----END CERTIFICATE-----`);
+	return {
+		fingerprintSha256: cert.fingerprint256,
+		notBefore: cert.validFrom,
+		notAfter: cert.validTo,
+		publicKeyAlgorithm: cert.publicKey.asymmetricKeyType?.toUpperCase() || "UNKNOWN"
+	};
+}
+function maskClientId(clientId) {
+	if (clientId.length <= 4) return "****";
+	return `****${clientId.slice(-4)}`;
+}
+
+//#endregion
 //#region src/linking/org-assignment.ts
 /**
 * Assigns a user to an organization based on the SSO provider's organizationId.
@@ -20,7 +72,7 @@ async function assignOrganizationFromProvider(ctx, options) {
 	const { user, profile, provider, token, provisioningOptions } = options;
 	if (!provider.organizationId) return;
 	if (provisioningOptions?.disabled) return;
-	if (!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) return;
+	if (!(ctx.context.options.plugins?.some((plugin) => plugin.id === "organization") ?? false)) return;
 	if (await ctx.context.adapter.findOne({
 		model: "member",
 		where: [{
@@ -58,7 +110,7 @@ async function assignOrganizationFromProvider(ctx, options) {
 async function assignOrganizationByDomain(ctx, options) {
 	const { user, provisioningOptions, domainVerification } = options;
 	if (provisioningOptions?.disabled) return;
-	if (!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) return;
+	if (!(ctx.context.options.plugins?.some((plugin) => plugin.id === "organization") ?? false)) return;
 	const domain = user.email.split("@")[1];
 	if (!domain) return;
 	const whereClause = [{
@@ -69,10 +121,17 @@ async function assignOrganizationByDomain(ctx, options) {
 		field: "domainVerified",
 		value: true
 	});
-	const ssoProvider = await ctx.context.adapter.findOne({
+	let ssoProvider = await ctx.context.adapter.findOne({
 		model: "ssoProvider",
 		where: whereClause
 	});
+	if (!ssoProvider) ssoProvider = (await ctx.context.adapter.findMany({
+		model: "ssoProvider",
+		where: domainVerification?.enabled ? [{
+			field: "domainVerified",
+			value: true
+		}] : []
+	})).find((p) => domainMatches(domain, p.domain)) ?? null;
 	if (!ssoProvider || !ssoProvider.organizationId) return;
 	if (await ctx.context.adapter.findOne({
 		model: "member",
@@ -102,7 +161,12 @@ async function assignOrganizationByDomain(ctx, options) {
 
 //#endregion
 //#region src/routes/domain-verification.ts
+const DNS_LABEL_MAX_LENGTH = 63;
+const DEFAULT_TOKEN_PREFIX = "better-auth-token";
 const domainVerificationBodySchema = z$1.object({ providerId: z$1.string() });
+function getVerificationIdentifier(options, providerId) {
+	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
+}
 const requestDomainVerification = (options) => {
 	return createAuthEndpoint("/sso/request-domain-verification", {
 		method: "POST",
@@ -150,11 +214,12 @@ const requestDomainVerification = (options) => {
 			message: "Domain has already been verified",
 			code: "DOMAIN_VERIFIED"
 		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
 		const activeVerification = await ctx.context.adapter.findOne({
 			model: "verification",
 			where: [{
 				field: "identifier",
-				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+				value: identifier
 			}, {
 				field: "expiresAt",
 				value: /* @__PURE__ */ new Date(),
@@ -169,7 +234,7 @@ const requestDomainVerification = (options) => {
 		await ctx.context.adapter.create({
 			model: "verification",
 			data: {
-				identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+				identifier,
 				createdAt: /* @__PURE__ */ new Date(),
 				updatedAt: /* @__PURE__ */ new Date(),
 				value: domainVerificationToken,
@@ -228,11 +293,16 @@ const verifyDomain = (options) => {
 			message: "Domain has already been verified",
 			code: "DOMAIN_VERIFIED"
 		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
+		if (identifier.length > DNS_LABEL_MAX_LENGTH) throw new APIError("BAD_REQUEST", {
+			message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
+			code: "IDENTIFIER_TOO_LONG"
+		});
 		const activeVerification = await ctx.context.adapter.findOne({
 			model: "verification",
 			where: [{
 				field: "identifier",
-				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+				value: identifier
 			}, {
 				field: "expiresAt",
 				value: /* @__PURE__ */ new Date(),
@@ -255,7 +325,8 @@ const verifyDomain = (options) => {
 			});
 		}
 		try {
-			records = (await dns.resolveTxt(new URL(provider.domain).hostname)).flat();
+			const hostname = new URL(provider.domain).hostname;
+			records = (await dns.resolveTxt(`${identifier}.${hostname}`)).flat();
 		} catch (error) {
 			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
 		}
@@ -318,637 +389,1023 @@ const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
 const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
 
 //#endregion
-//#region src/oidc/types.ts
-/**
-* Custom error class for OIDC discovery failures.
-* Can be caught and mapped to APIError at the edge.
-*/
-var DiscoveryError = class DiscoveryError extends Error {
-	code;
-	details;
-	constructor(code, message, details, options) {
-		super(message, options);
-		this.name = "DiscoveryError";
-		this.code = code;
-		this.details = details;
-		if (Error.captureStackTrace) Error.captureStackTrace(this, DiscoveryError);
+//#region src/saml/parser.ts
+const xmlParser = new XMLParser({
+	ignoreAttributes: false,
+	attributeNamePrefix: "@_",
+	removeNSPrefix: true,
+	processEntities: false
+});
+function findNode(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return null;
+	const record = obj;
+	if (nodeName in record) return record[nodeName];
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
+		const found = findNode(item, nodeName);
+		if (found) return found;
 	}
-};
-/**
-* Required fields that must be present in a valid discovery document.
-*/
-const REQUIRED_DISCOVERY_FIELDS = [
-	"issuer",
-	"authorization_endpoint",
-	"token_endpoint",
-	"jwks_uri"
-];
+	else if (typeof value === "object" && value !== null) {
+		const found = findNode(value, nodeName);
+		if (found) return found;
+	}
+	return null;
+}
+function countAllNodes(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return 0;
+	let count = 0;
+	const record = obj;
+	if (nodeName in record) {
+		const node = record[nodeName];
+		count += Array.isArray(node) ? node.length : 1;
+	}
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
+	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
+	return count;
+}
 
 //#endregion
-//#region src/oidc/discovery.ts
-/**
-* OIDC Discovery Pipeline
-*
-* Implements OIDC discovery document fetching, validation, and hydration.
-* This module is used both at provider registration time (to persist validated config)
-* and at runtime (to hydrate legacy providers that are missing metadata).
-*
-* @see https://openid.net/specs/openid-connect-discovery-1_0.html
-*/
-/** Default timeout for discovery requests (10 seconds) */
-const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
-/**
-* Main entry point: Discover and hydrate OIDC configuration from an issuer.
-*
-* This function:
-* 1. Computes the discovery URL from the issuer
-* 2. Validates the discovery URL
-* 3. Fetches the discovery document
-* 4. Validates the discovery document (issuer match + required fields)
-* 5. Normalizes URLs
-* 6. Selects token endpoint auth method
-* 7. Merges with existing config (existing values take precedence)
-*
-* @param params - Discovery parameters
-* @param isTrustedOrigin - Origin verification tester function
-* @returns Hydrated OIDC configuration ready for persistence
-* @throws DiscoveryError on any failure
-*/
-async function discoverOIDCConfig(params) {
-	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
-	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
-	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
-	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
-	validateDiscoveryDocument(discoveryDoc, issuer);
-	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
-	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
-	return {
-		issuer: existingConfig?.issuer ?? normalizedDoc.issuer,
-		discoveryEndpoint: existingConfig?.discoveryEndpoint ?? discoveryUrl,
-		authorizationEndpoint: existingConfig?.authorizationEndpoint ?? normalizedDoc.authorization_endpoint,
-		tokenEndpoint: existingConfig?.tokenEndpoint ?? normalizedDoc.token_endpoint,
-		jwksEndpoint: existingConfig?.jwksEndpoint ?? normalizedDoc.jwks_uri,
-		userInfoEndpoint: existingConfig?.userInfoEndpoint ?? normalizedDoc.userinfo_endpoint,
-		tokenEndpointAuthentication: existingConfig?.tokenEndpointAuthentication ?? tokenEndpointAuth,
-		scopesSupported: existingConfig?.scopesSupported ?? normalizedDoc.scopes_supported
-	};
-}
-/**
-* Compute the discovery URL from an issuer URL.
-*
-* Per OIDC Discovery spec, the discovery document is located at:
-* <issuer>/.well-known/openid-configuration
-*
-* Handles trailing slashes correctly.
-*/
-function computeDiscoveryUrl(issuer) {
-	return `${issuer.endsWith("/") ? issuer.slice(0, -1) : issuer}/.well-known/openid-configuration`;
+//#region src/saml/algorithms.ts
+const SignatureAlgorithm = {
+	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
+	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
+	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
+};
+const DigestAlgorithm = {
+	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
+	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
+	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
+};
+const KeyEncryptionAlgorithm = {
+	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
+	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
+};
+const DataEncryptionAlgorithm = {
+	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
+	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
+	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
+	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
+	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
+	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
+};
+const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
+const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
+const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
+const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
+const SECURE_SIGNATURE_ALGORITHMS = [
+	SignatureAlgorithm.RSA_SHA256,
+	SignatureAlgorithm.RSA_SHA384,
+	SignatureAlgorithm.RSA_SHA512,
+	SignatureAlgorithm.ECDSA_SHA256,
+	SignatureAlgorithm.ECDSA_SHA384,
+	SignatureAlgorithm.ECDSA_SHA512
+];
+const SECURE_DIGEST_ALGORITHMS = [
+	DigestAlgorithm.SHA256,
+	DigestAlgorithm.SHA384,
+	DigestAlgorithm.SHA512
+];
+const SHORT_FORM_SIGNATURE_TO_URI = {
+	sha1: SignatureAlgorithm.RSA_SHA1,
+	sha256: SignatureAlgorithm.RSA_SHA256,
+	sha384: SignatureAlgorithm.RSA_SHA384,
+	sha512: SignatureAlgorithm.RSA_SHA512,
+	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
+	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
+	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
+	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
+	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
+	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
+	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
+};
+const SHORT_FORM_DIGEST_TO_URI = {
+	sha1: DigestAlgorithm.SHA1,
+	sha256: DigestAlgorithm.SHA256,
+	sha384: DigestAlgorithm.SHA384,
+	sha512: DigestAlgorithm.SHA512
+};
+function normalizeSignatureAlgorithm(alg) {
+	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
 }
-/**
-* Validate a discovery URL before fetching.
-*
-* @param url - The discovery URL to validate
-* @param isTrustedOrigin - Origin verification tester function
-* @throws DiscoveryError if URL is invalid
-*/
-function validateDiscoveryUrl(url, isTrustedOrigin) {
-	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
-	if (!isTrustedOrigin(discoveryEndpoint)) throw new DiscoveryError("discovery_untrusted_origin", `The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`, { url: discoveryEndpoint });
+function normalizeDigestAlgorithm(alg) {
+	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
 }
-/**
-* Fetch the OIDC discovery document from the IdP.
-*
-* @param url - The discovery endpoint URL
-* @param timeout - Request timeout in milliseconds
-* @returns The parsed discovery document
-* @throws DiscoveryError on network errors, timeouts, or invalid responses
-*/
-async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT) {
+function extractEncryptionAlgorithms(xml) {
 	try {
-		const response = await betterFetch(url, {
-			method: "GET",
-			timeout
-		});
-		if (response.error) {
-			const { status } = response.error;
-			if (status === 404) throw new DiscoveryError("discovery_not_found", "Discovery endpoint not found", {
-				url,
-				status
-			});
-			if (status === 408) throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
-				url,
-				timeout
-			});
-			throw new DiscoveryError("discovery_unexpected_error", `Unexpected discovery error: ${response.error.statusText}`, {
-				url,
-				...response.error
-			});
-		}
-		if (!response.data) throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned an empty response", { url });
-		const data = response.data;
-		if (typeof data === "string") throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned invalid JSON", {
-			url,
-			bodyPreview: data.slice(0, 200)
-		});
-		return data;
-	} catch (error) {
-		if (error instanceof DiscoveryError) throw error;
-		if (error instanceof Error && error.name === "AbortError") throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
-			url,
-			timeout
+		const parsed = xmlParser.parse(xml);
+		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
+		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
+		return {
+			keyEncryption: keyAlg || null,
+			dataEncryption: dataAlg || null
+		};
+	} catch {
+		return {
+			keyEncryption: null,
+			dataEncryption: null
+		};
+	}
+}
+function hasEncryptedAssertion(xml) {
+	try {
+		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
+	} catch {
+		return false;
+	}
+}
+function handleDeprecatedAlgorithm(message, behavior, errorCode) {
+	switch (behavior) {
+		case "reject": throw new APIError("BAD_REQUEST", {
+			message,
+			code: errorCode
 		});
-		throw new DiscoveryError("discovery_unexpected_error", `Unexpected error during discovery: ${error instanceof Error ? error.message : String(error)}`, { url }, { cause: error });
+		case "warn":
+			console.warn(`[SAML Security Warning] ${message}`);
+			break;
+		case "allow": break;
 	}
 }
-/**
-* Validate a discovery document.
-*
-* Checks:
-* 1. All required fields are present
-* 2. Issuer matches the configured issuer (case-sensitive, exact match)
-*
-* Invariant: If this function returns without throwing, the document is safe
-* to use for hydrating OIDC config (required fields present, issuer matches
-* configured value, basic structural sanity verified).
-*
-* @param doc - The discovery document to validate
-* @param configuredIssuer - The expected issuer value
-* @throws DiscoveryError if validation fails
-*/
-function validateDiscoveryDocument(doc, configuredIssuer) {
-	const missingFields = [];
-	for (const field of REQUIRED_DISCOVERY_FIELDS) if (!doc[field]) missingFields.push(field);
-	if (missingFields.length > 0) throw new DiscoveryError("discovery_incomplete", `Discovery document is missing required fields: ${missingFields.join(", ")}`, { missingFields });
-	if ((doc.issuer.endsWith("/") ? doc.issuer.slice(0, -1) : doc.issuer) !== (configuredIssuer.endsWith("/") ? configuredIssuer.slice(0, -1) : configuredIssuer)) throw new DiscoveryError("issuer_mismatch", `Discovered issuer "${doc.issuer}" does not match configured issuer "${configuredIssuer}"`, {
-		discovered: doc.issuer,
-		configured: configuredIssuer
+function validateSignatureAlgorithm(algorithm, options = {}) {
+	if (!algorithm) return;
+	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
+	if (allowedSignatureAlgorithms) {
+		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
+			code: "SAML_ALGORITHM_NOT_ALLOWED"
+		});
+		return;
+	}
+	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
+		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+		return;
+	}
+	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+		message: `SAML signature algorithm not recognized: ${algorithm}`,
+		code: "SAML_UNKNOWN_ALGORITHM"
 	});
 }
-/**
-* Normalize URLs in the discovery document.
-*
-* @param document - The discovery document
-* @param issuer - The base issuer URL
-* @param isTrustedOrigin - Origin verification tester function
-* @returns The normalized discovery document
-*/
-function normalizeDiscoveryUrls(document, issuer, isTrustedOrigin) {
-	const doc = { ...document };
-	doc.token_endpoint = normalizeAndValidateUrl("token_endpoint", doc.token_endpoint, issuer, isTrustedOrigin);
-	doc.authorization_endpoint = normalizeAndValidateUrl("authorization_endpoint", doc.authorization_endpoint, issuer, isTrustedOrigin);
-	doc.jwks_uri = normalizeAndValidateUrl("jwks_uri", doc.jwks_uri, issuer, isTrustedOrigin);
-	if (doc.userinfo_endpoint) doc.userinfo_endpoint = normalizeAndValidateUrl("userinfo_endpoint", doc.userinfo_endpoint, issuer, isTrustedOrigin);
-	if (doc.revocation_endpoint) doc.revocation_endpoint = normalizeAndValidateUrl("revocation_endpoint", doc.revocation_endpoint, issuer, isTrustedOrigin);
-	if (doc.end_session_endpoint) doc.end_session_endpoint = normalizeAndValidateUrl("end_session_endpoint", doc.end_session_endpoint, issuer, isTrustedOrigin);
-	if (doc.introspection_endpoint) doc.introspection_endpoint = normalizeAndValidateUrl("introspection_endpoint", doc.introspection_endpoint, issuer, isTrustedOrigin);
-	return doc;
+function validateEncryptionAlgorithms(algorithms, options = {}) {
+	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
+	const { keyEncryption, dataEncryption } = algorithms;
+	if (keyEncryption) {
+		if (allowedKeyEncryptionAlgorithms) {
+			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+	if (dataEncryption) {
+		if (allowedDataEncryptionAlgorithms) {
+			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
 }
-/**
-* Normalizes and validates a single URL endpoint
-* @param name The url name
-* @param endpoint The url to validate
-* @param issuer The issuer base url
-* @param isTrustedOrigin - Origin verification tester function
-* @returns
-*/
-function normalizeAndValidateUrl(name, endpoint, issuer, isTrustedOrigin) {
-	const url = normalizeUrl(name, endpoint, issuer);
-	if (!isTrustedOrigin(url)) throw new DiscoveryError("discovery_untrusted_origin", `The ${name} "${url}" is not trusted by your trusted origins configuration.`, {
-		endpoint: name,
-		url
-	});
-	return url;
+function validateSAMLAlgorithms(response, options) {
+	validateSignatureAlgorithm(response.sigAlg, options);
+	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
 }
-/**
-* Normalize a single URL endpoint.
-*
-* @param name - The endpoint name (e.g token_endpoint)
-* @param endpoint - The endpoint URL to normalize
-* @param issuer - The base issuer URL
-* @returns The normalized endpoint URL
-*/
-function normalizeUrl(name, endpoint, issuer) {
+function validateConfigAlgorithms(config, options = {}) {
+	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
+	if (config.signatureAlgorithm) {
+		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
+		if (allowedSignatureAlgorithms) {
+			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
+		});
+	}
+	if (config.digestAlgorithm) {
+		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
+		if (allowedDigestAlgorithms) {
+			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
+		});
+	}
+}
+
+//#endregion
+//#region src/saml/assertions.ts
+/** @lintignore used in tests */
+function countAssertions(xml) {
+	let parsed;
 	try {
-		return parseURL(name, endpoint).toString();
+		parsed = xmlParser.parse(xml);
 	} catch {
-		const issuerURL = parseURL(name, issuer);
-		const basePath = issuerURL.pathname.replace(/\/+$/, "");
-		const endpointPath = endpoint.replace(/^\/+/, "");
-		return parseURL(name, basePath + "/" + endpointPath, issuerURL.origin).toString();
+		throw new APIError("BAD_REQUEST", {
+			message: "Failed to parse SAML response XML",
+			code: "SAML_INVALID_XML"
+		});
 	}
+	const assertions = countAllNodes(parsed, "Assertion");
+	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
+	return {
+		assertions,
+		encryptedAssertions,
+		total: assertions + encryptedAssertions
+	};
 }
-/**
-* Parses the given URL or throws in case of invalid or unsupported protocols
-*
-* @param name the url name
-* @param endpoint the endpoint url
-* @param [base] optional base path
-* @returns
-*/
-function parseURL(name, endpoint, base) {
-	let endpointURL;
+function validateSingleAssertion(samlResponse) {
+	let xml;
 	try {
-		endpointURL = new URL(endpoint, base);
-		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") return endpointURL;
-	} catch (error) {
-		throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must be valid: ${endpoint}`, { url: endpoint }, { cause: error });
+		xml = new TextDecoder().decode(base64.decode(samlResponse));
+		if (!xml.includes("<")) throw new Error("Not XML");
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Invalid base64-encoded SAML response",
+			code: "SAML_INVALID_ENCODING"
+		});
 	}
-	throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must use the http or https supported protocols: ${endpoint}`, {
-		url: endpoint,
-		protocol: endpointURL.protocol
+	const counts = countAssertions(xml);
+	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
+		message: "SAML response contains no assertions",
+		code: "SAML_NO_ASSERTION"
+	});
+	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
+		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
+		code: "SAML_MULTIPLE_ASSERTIONS"
 	});
-}
-/**
-* Select the token endpoint authentication method.
-*
-* @param doc - The discovery document
-* @param existing - Existing authentication method from config
-* @returns The selected authentication method
-*/
-function selectTokenEndpointAuthMethod(doc, existing) {
-	if (existing) return existing;
-	const supported = doc.token_endpoint_auth_methods_supported;
-	if (!supported || supported.length === 0) return "client_secret_basic";
-	if (supported.includes("client_secret_basic")) return "client_secret_basic";
-	if (supported.includes("client_secret_post")) return "client_secret_post";
-	return "client_secret_basic";
-}
-/**
-* Check if a provider configuration needs runtime discovery.
-*
-* Returns true if we need discovery at runtime to complete the token exchange
-* and validation. Specifically checks for:
-* - `tokenEndpoint` - required for exchanging authorization code for tokens
-* - `jwksEndpoint` - required for validating ID token signatures
-*
-* Note: `authorizationEndpoint` is handled separately in the sign-in flow,
-* so it's not checked here.
-*
-* @param config - Partial OIDC config from the provider
-* @returns true if runtime discovery should be performed
-*/
-function needsRuntimeDiscovery(config) {
-	if (!config) return true;
-	return !config.tokenEndpoint || !config.jwksEndpoint;
-}
-
-//#endregion
-//#region src/oidc/errors.ts
-/**
-* OIDC Discovery Error Mapping
-*
-* Maps DiscoveryError codes to appropriate APIError responses.
-* Used at the boundary between the discovery pipeline and HTTP handlers.
-*/
-/**
-* Maps a DiscoveryError to an appropriate APIError for HTTP responses.
-*
-* Error code mapping:
-* - discovery_invalid_url       → 400 BAD_REQUEST
-* - discovery_not_found         → 400 BAD_REQUEST
-* - discovery_invalid_json      → 400 BAD_REQUEST
-* - discovery_incomplete        → 400 BAD_REQUEST
-* - issuer_mismatch             → 400 BAD_REQUEST
-* - unsupported_token_auth_method → 400 BAD_REQUEST
-* - discovery_timeout           → 502 BAD_GATEWAY
-* - discovery_unexpected_error  → 502 BAD_GATEWAY
-*
-* @param error - The DiscoveryError to map
-* @returns An APIError with appropriate status and message
-*/
-function mapDiscoveryErrorToAPIError(error) {
-	switch (error.code) {
-		case "discovery_timeout": return new APIError("BAD_GATEWAY", {
-			message: `OIDC discovery timed out: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_unexpected_error": return new APIError("BAD_GATEWAY", {
-			message: `OIDC discovery failed: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_not_found": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery endpoint not found. The issuer may not support OIDC discovery, or the URL is incorrect. ${error.message}`,
-			code: error.code
-		});
-		case "discovery_invalid_url": return new APIError("BAD_REQUEST", {
-			message: `Invalid OIDC discovery URL: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_untrusted_origin": return new APIError("BAD_REQUEST", {
-			message: `Untrusted OIDC discovery URL: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery returned invalid data: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_incomplete": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery document is missing required fields: ${error.message}`,
-			code: error.code
-		});
-		case "issuer_mismatch": return new APIError("BAD_REQUEST", {
-			message: `OIDC issuer mismatch: ${error.message}`,
-			code: error.code
-		});
-		case "unsupported_token_auth_method": return new APIError("BAD_REQUEST", {
-			message: `Incompatible OIDC provider: ${error.message}`,
-			code: error.code
-		});
-		default:
-			error.code;
-			return new APIError("INTERNAL_SERVER_ERROR", {
-				message: `Unexpected discovery error: ${error.message}`,
-				code: "discovery_unexpected_error"
-			});
-	}
 }
 
 //#endregion
-//#region src/saml/parser.ts
-const xmlParser = new XMLParser({
-	ignoreAttributes: false,
-	attributeNamePrefix: "@_",
-	removeNSPrefix: true,
-	processEntities: false
+//#region src/routes/schemas.ts
+const oidcMappingSchema = z.object({
+	id: z.string().optional(),
+	email: z.string().optional(),
+	emailVerified: z.string().optional(),
+	name: z.string().optional(),
+	image: z.string().optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const samlMappingSchema = z.object({
+	id: z.string().optional(),
+	email: z.string().optional(),
+	emailVerified: z.string().optional(),
+	name: z.string().optional(),
+	firstName: z.string().optional(),
+	lastName: z.string().optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const oidcConfigSchema = z.object({
+	clientId: z.string().optional(),
+	clientSecret: z.string().optional(),
+	authorizationEndpoint: z.string().url().optional(),
+	tokenEndpoint: z.string().url().optional(),
+	userInfoEndpoint: z.string().url().optional(),
+	tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
+	jwksEndpoint: z.string().url().optional(),
+	discoveryEndpoint: z.string().url().optional(),
+	scopes: z.array(z.string()).optional(),
+	pkce: z.boolean().optional(),
+	overrideUserInfo: z.boolean().optional(),
+	mapping: oidcMappingSchema
+});
+const samlConfigSchema = z.object({
+	entryPoint: z.string().url().optional(),
+	cert: z.string().optional(),
+	callbackUrl: z.string().url().optional(),
+	audience: z.string().optional(),
+	idpMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		cert: z.string().optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional(),
+		singleSignOnService: z.array(z.object({
+			Binding: z.string(),
+			Location: z.string().url()
+		})).optional()
+	}).optional(),
+	spMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		binding: z.string().optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional()
+	}).optional(),
+	wantAssertionsSigned: z.boolean().optional(),
+	signatureAlgorithm: z.string().optional(),
+	digestAlgorithm: z.string().optional(),
+	identifierFormat: z.string().optional(),
+	privateKey: z.string().optional(),
+	decryptionPvk: z.string().optional(),
+	additionalParams: z.record(z.string(), z.any()).optional(),
+	mapping: samlMappingSchema
+});
+const updateSSOProviderBodySchema = z.object({
+	issuer: z.string().url().optional(),
+	domain: z.string().optional(),
+	oidcConfig: oidcConfigSchema.optional(),
+	samlConfig: samlConfigSchema.optional()
 });
-function findNode(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return null;
-	const record = obj;
-	if (nodeName in record) return record[nodeName];
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
-		const found = findNode(item, nodeName);
-		if (found) return found;
-	}
-	else if (typeof value === "object" && value !== null) {
-		const found = findNode(value, nodeName);
-		if (found) return found;
-	}
-	return null;
-}
-function countAllNodes(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return 0;
-	let count = 0;
-	const record = obj;
-	if (nodeName in record) {
-		const node = record[nodeName];
-		count += Array.isArray(node) ? node.length : 1;
-	}
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
-	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
-	return count;
-}
 
 //#endregion
-//#region src/saml/algorithms.ts
-const SignatureAlgorithm = {
-	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
-	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
-	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
-	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
-	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
-	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
-};
-const DigestAlgorithm = {
-	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
-	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
-	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
-	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
-};
-const KeyEncryptionAlgorithm = {
-	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
-	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
-	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
-};
-const DataEncryptionAlgorithm = {
-	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
-	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
-	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
-	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
-	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
-	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
-	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
-};
-const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
-const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
-const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
-const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
-const SECURE_SIGNATURE_ALGORITHMS = [
-	SignatureAlgorithm.RSA_SHA256,
-	SignatureAlgorithm.RSA_SHA384,
-	SignatureAlgorithm.RSA_SHA512,
-	SignatureAlgorithm.ECDSA_SHA256,
-	SignatureAlgorithm.ECDSA_SHA384,
-	SignatureAlgorithm.ECDSA_SHA512
-];
-const SECURE_DIGEST_ALGORITHMS = [
-	DigestAlgorithm.SHA256,
-	DigestAlgorithm.SHA384,
-	DigestAlgorithm.SHA512
-];
-const SHORT_FORM_SIGNATURE_TO_URI = {
-	sha1: SignatureAlgorithm.RSA_SHA1,
-	sha256: SignatureAlgorithm.RSA_SHA256,
-	sha384: SignatureAlgorithm.RSA_SHA384,
-	sha512: SignatureAlgorithm.RSA_SHA512,
-	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
-	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
-	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
-	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
-	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
-	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
-	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
-};
-const SHORT_FORM_DIGEST_TO_URI = {
-	sha1: DigestAlgorithm.SHA1,
-	sha256: DigestAlgorithm.SHA256,
-	sha384: DigestAlgorithm.SHA384,
-	sha512: DigestAlgorithm.SHA512
-};
-function normalizeSignatureAlgorithm(alg) {
-	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
+//#region src/routes/providers.ts
+const ADMIN_ROLES = ["owner", "admin"];
+async function isOrgAdmin(ctx, userId, organizationId) {
+	const member = await ctx.context.adapter.findOne({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationId
+		}]
+	});
+	if (!member) return false;
+	return member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()));
 }
-function normalizeDigestAlgorithm(alg) {
-	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
+async function batchCheckOrgAdmin(ctx, userId, organizationIds) {
+	if (organizationIds.length === 0) return /* @__PURE__ */ new Set();
+	const members = await ctx.context.adapter.findMany({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationIds,
+			operator: "in"
+		}]
+	});
+	const adminOrgIds = /* @__PURE__ */ new Set();
+	for (const member of members) if (member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()))) adminOrgIds.add(member.organizationId);
+	return adminOrgIds;
 }
-function extractEncryptionAlgorithms(xml) {
+function sanitizeProvider(provider, baseURL) {
+	let oidcConfig = null;
+	let samlConfig = null;
 	try {
-		const parsed = xmlParser.parse(xml);
-		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
-		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
-		return {
-			keyEncryption: keyAlg || null,
-			dataEncryption: dataAlg || null
-		};
+		oidcConfig = safeJsonParse(provider.oidcConfig);
 	} catch {
-		return {
-			keyEncryption: null,
-			dataEncryption: null
-		};
+		oidcConfig = null;
 	}
-}
-function hasEncryptedAssertion(xml) {
 	try {
-		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
+		samlConfig = safeJsonParse(provider.samlConfig);
 	} catch {
-		return false;
+		samlConfig = null;
 	}
+	const type = samlConfig ? "saml" : "oidc";
+	return {
+		providerId: provider.providerId,
+		type,
+		issuer: provider.issuer,
+		domain: provider.domain,
+		organizationId: provider.organizationId || null,
+		domainVerified: provider.domainVerified ?? false,
+		oidcConfig: oidcConfig ? {
+			discoveryEndpoint: oidcConfig.discoveryEndpoint,
+			clientIdLastFour: maskClientId(oidcConfig.clientId),
+			pkce: oidcConfig.pkce,
+			authorizationEndpoint: oidcConfig.authorizationEndpoint,
+			tokenEndpoint: oidcConfig.tokenEndpoint,
+			userInfoEndpoint: oidcConfig.userInfoEndpoint,
+			jwksEndpoint: oidcConfig.jwksEndpoint,
+			scopes: oidcConfig.scopes,
+			tokenEndpointAuthentication: oidcConfig.tokenEndpointAuthentication
+		} : void 0,
+		samlConfig: samlConfig ? {
+			entryPoint: samlConfig.entryPoint,
+			callbackUrl: samlConfig.callbackUrl,
+			audience: samlConfig.audience,
+			wantAssertionsSigned: samlConfig.wantAssertionsSigned,
+			identifierFormat: samlConfig.identifierFormat,
+			signatureAlgorithm: samlConfig.signatureAlgorithm,
+			digestAlgorithm: samlConfig.digestAlgorithm,
+			certificate: (() => {
+				try {
+					return parseCertificate(samlConfig.cert);
+				} catch {
+					return { error: "Failed to parse certificate" };
+				}
+			})()
+		} : void 0,
+		spMetadataUrl: `${baseURL}/sso/saml2/sp/metadata?providerId=${encodeURIComponent(provider.providerId)}`
+	};
 }
-function handleDeprecatedAlgorithm(message, behavior, errorCode) {
-	switch (behavior) {
-		case "reject": throw new APIError("BAD_REQUEST", {
-			message,
-			code: errorCode
-		});
-		case "warn":
-			console.warn(`[SAML Security Warning] ${message}`);
-			break;
-		case "allow": break;
-	}
+const listSSOProviders = () => {
+	return createAuthEndpoint("/sso/providers", {
+		method: "GET",
+		use: [sessionMiddleware],
+		metadata: { openapi: {
+			operationId: "listSSOProviders",
+			summary: "List SSO providers",
+			description: "Returns a list of SSO providers the user has access to",
+			responses: { "200": { description: "List of SSO providers" } }
+		} }
+	}, async (ctx) => {
+		const userId = ctx.context.session.user.id;
+		const allProviders = await ctx.context.adapter.findMany({ model: "ssoProvider" });
+		const userOwnedProviders = allProviders.filter((p) => p.userId === userId && !p.organizationId);
+		const orgProviders = allProviders.filter((p) => p.organizationId !== null && p.organizationId !== void 0);
+		const orgPluginEnabled = ctx.context.options.plugins?.some(({ id }) => id === "organization") ?? false;
+		let accessibleProviders = [...userOwnedProviders];
+		if (orgPluginEnabled && orgProviders.length > 0) {
+			const adminOrgIds = await batchCheckOrgAdmin(ctx, userId, [...new Set(orgProviders.map((p) => p.organizationId).filter((id) => id !== null && id !== void 0))]);
+			const orgAccessibleProviders = orgProviders.filter((provider) => provider.organizationId && adminOrgIds.has(provider.organizationId));
+			accessibleProviders = [...accessibleProviders, ...orgAccessibleProviders];
+		} else if (!orgPluginEnabled) {
+			const userOwnedOrgProviders = orgProviders.filter((p) => p.userId === userId);
+			accessibleProviders = [...accessibleProviders, ...userOwnedOrgProviders];
+		}
+		const providers = accessibleProviders.map((p) => sanitizeProvider(p, ctx.context.baseURL));
+		return ctx.json({ providers });
+	});
+};
+const getSSOProviderParamsSchema = z.object({ providerId: z.string() });
+async function checkProviderAccess(ctx, providerId) {
+	const userId = ctx.context.session.user.id;
+	const provider = await ctx.context.adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	});
+	if (!provider) throw new APIError("NOT_FOUND", { message: "Provider not found" });
+	let hasAccess = false;
+	if (provider.organizationId) if (ctx.context.options.plugins?.some(({ id }) => id === "organization") ?? false) hasAccess = await isOrgAdmin(ctx, userId, provider.organizationId);
+	else hasAccess = provider.userId === userId;
+	else hasAccess = provider.userId === userId;
+	if (!hasAccess) throw new APIError("FORBIDDEN", { message: "You don't have access to this provider" });
+	return provider;
 }
-function validateSignatureAlgorithm(algorithm, options = {}) {
-	if (!algorithm) return;
-	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
-	if (allowedSignatureAlgorithms) {
-		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
-			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
-			code: "SAML_ALGORITHM_NOT_ALLOWED"
+const getSSOProvider = () => {
+	return createAuthEndpoint("/sso/providers/:providerId", {
+		method: "GET",
+		use: [sessionMiddleware],
+		params: getSSOProviderParamsSchema,
+		metadata: { openapi: {
+			operationId: "getSSOProvider",
+			summary: "Get SSO provider details",
+			description: "Returns sanitized details for a specific SSO provider",
+			responses: {
+				"200": { description: "SSO provider details" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.params;
+		const provider = await checkProviderAccess(ctx, providerId);
+		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL));
+	});
+};
+function parseAndValidateConfig(configString, configType) {
+	let config = null;
+	try {
+		config = safeJsonParse(configString);
+	} catch {
+		config = null;
+	}
+	if (!config) throw new APIError("BAD_REQUEST", { message: `Cannot update ${configType} config for a provider that doesn't have ${configType} configured` });
+	return config;
+}
+function mergeSAMLConfig(current, updates, issuer) {
+	return {
+		...current,
+		...updates,
+		issuer,
+		entryPoint: updates.entryPoint ?? current.entryPoint,
+		cert: updates.cert ?? current.cert,
+		callbackUrl: updates.callbackUrl ?? current.callbackUrl,
+		spMetadata: updates.spMetadata ?? current.spMetadata,
+		idpMetadata: updates.idpMetadata ?? current.idpMetadata,
+		mapping: updates.mapping ?? current.mapping,
+		audience: updates.audience ?? current.audience,
+		wantAssertionsSigned: updates.wantAssertionsSigned ?? current.wantAssertionsSigned,
+		identifierFormat: updates.identifierFormat ?? current.identifierFormat,
+		signatureAlgorithm: updates.signatureAlgorithm ?? current.signatureAlgorithm,
+		digestAlgorithm: updates.digestAlgorithm ?? current.digestAlgorithm
+	};
+}
+function mergeOIDCConfig(current, updates, issuer) {
+	return {
+		...current,
+		...updates,
+		issuer,
+		pkce: updates.pkce ?? current.pkce ?? true,
+		clientId: updates.clientId ?? current.clientId,
+		clientSecret: updates.clientSecret ?? current.clientSecret,
+		discoveryEndpoint: updates.discoveryEndpoint ?? current.discoveryEndpoint,
+		mapping: updates.mapping ?? current.mapping,
+		scopes: updates.scopes ?? current.scopes,
+		authorizationEndpoint: updates.authorizationEndpoint ?? current.authorizationEndpoint,
+		tokenEndpoint: updates.tokenEndpoint ?? current.tokenEndpoint,
+		userInfoEndpoint: updates.userInfoEndpoint ?? current.userInfoEndpoint,
+		jwksEndpoint: updates.jwksEndpoint ?? current.jwksEndpoint,
+		tokenEndpointAuthentication: updates.tokenEndpointAuthentication ?? current.tokenEndpointAuthentication
+	};
+}
+const updateSSOProvider = (options) => {
+	return createAuthEndpoint("/sso/providers/:providerId", {
+		method: "PATCH",
+		use: [sessionMiddleware],
+		params: getSSOProviderParamsSchema,
+		body: updateSSOProviderBodySchema,
+		metadata: { openapi: {
+			operationId: "updateSSOProvider",
+			summary: "Update SSO provider",
+			description: "Partially update an SSO provider. Only provided fields are updated. If domain changes, domainVerified is reset to false.",
+			responses: {
+				"200": { description: "SSO provider updated successfully" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.params;
+		const body = ctx.body;
+		const { issuer, domain, samlConfig, oidcConfig } = body;
+		if (!issuer && !domain && !samlConfig && !oidcConfig) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
+		const existingProvider = await checkProviderAccess(ctx, providerId);
+		const updateData = {};
+		if (body.issuer !== void 0) updateData.issuer = body.issuer;
+		if (body.domain !== void 0) {
+			updateData.domain = body.domain;
+			if (body.domain !== existingProvider.domain) updateData.domainVerified = false;
+		}
+		if (body.samlConfig) {
+			if (body.samlConfig.idpMetadata?.metadata) {
+				const maxMetadataSize = options?.saml?.maxMetadataSize ?? DEFAULT_MAX_SAML_METADATA_SIZE;
+				if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
+			}
+			if (body.samlConfig.signatureAlgorithm !== void 0 || body.samlConfig.digestAlgorithm !== void 0) validateConfigAlgorithms({
+				signatureAlgorithm: body.samlConfig.signatureAlgorithm,
+				digestAlgorithm: body.samlConfig.digestAlgorithm
+			}, options?.saml?.algorithms);
+			const currentSamlConfig = parseAndValidateConfig(existingProvider.samlConfig, "SAML");
+			const updatedSamlConfig = mergeSAMLConfig(currentSamlConfig, body.samlConfig, updateData.issuer || currentSamlConfig.issuer || existingProvider.issuer);
+			updateData.samlConfig = JSON.stringify(updatedSamlConfig);
+		}
+		if (body.oidcConfig) {
+			const currentOidcConfig = parseAndValidateConfig(existingProvider.oidcConfig, "OIDC");
+			const updatedOidcConfig = mergeOIDCConfig(currentOidcConfig, body.oidcConfig, updateData.issuer || currentOidcConfig.issuer || existingProvider.issuer);
+			updateData.oidcConfig = JSON.stringify(updatedOidcConfig);
+		}
+		await ctx.context.adapter.update({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}],
+			update: updateData
 		});
-		return;
+		const fullProvider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
+		});
+		if (!fullProvider) throw new APIError("NOT_FOUND", { message: "Provider not found after update" });
+		return ctx.json(sanitizeProvider(fullProvider, ctx.context.baseURL));
+	});
+};
+const deleteSSOProvider = () => {
+	return createAuthEndpoint("/sso/providers/:providerId", {
+		method: "DELETE",
+		use: [sessionMiddleware],
+		params: getSSOProviderParamsSchema,
+		metadata: { openapi: {
+			operationId: "deleteSSOProvider",
+			summary: "Delete SSO provider",
+			description: "Deletes an SSO provider",
+			responses: {
+				"200": { description: "SSO provider deleted successfully" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.params;
+		await checkProviderAccess(ctx, providerId);
+		await ctx.context.adapter.delete({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
+		});
+		return ctx.json({ success: true });
+	});
+};
+
+//#endregion
+//#region src/oidc/types.ts
+/**
+* Custom error class for OIDC discovery failures.
+* Can be caught and mapped to APIError at the edge.
+*/
+var DiscoveryError = class DiscoveryError extends Error {
+	code;
+	details;
+	constructor(code, message, details, options) {
+		super(message, options);
+		this.name = "DiscoveryError";
+		this.code = code;
+		this.details = details;
+		if (Error.captureStackTrace) Error.captureStackTrace(this, DiscoveryError);
 	}
-	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
-		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-		return;
+};
+/**
+* Required fields that must be present in a valid discovery document.
+*/
+const REQUIRED_DISCOVERY_FIELDS = [
+	"issuer",
+	"authorization_endpoint",
+	"token_endpoint",
+	"jwks_uri"
+];
+
+//#endregion
+//#region src/oidc/discovery.ts
+/**
+* OIDC Discovery Pipeline
+*
+* Implements OIDC discovery document fetching, validation, and hydration.
+* This module is used both at provider registration time (to persist validated config)
+* and at runtime (to hydrate legacy providers that are missing metadata).
+*
+* @see https://openid.net/specs/openid-connect-discovery-1_0.html
+*/
+/** Default timeout for discovery requests (10 seconds) */
+const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
+/**
+* Main entry point: Discover and hydrate OIDC configuration from an issuer.
+*
+* This function:
+* 1. Computes the discovery URL from the issuer
+* 2. Validates the discovery URL
+* 3. Fetches the discovery document
+* 4. Validates the discovery document (issuer match + required fields)
+* 5. Normalizes URLs
+* 6. Selects token endpoint auth method
+* 7. Merges with existing config (existing values take precedence)
+*
+* @param params - Discovery parameters
+* @param isTrustedOrigin - Origin verification tester function
+* @returns Hydrated OIDC configuration ready for persistence
+* @throws DiscoveryError on any failure
+*/
+async function discoverOIDCConfig(params) {
+	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
+	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
+	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
+	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
+	validateDiscoveryDocument(discoveryDoc, issuer);
+	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
+	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
+	return {
+		issuer: existingConfig?.issuer ?? normalizedDoc.issuer,
+		discoveryEndpoint: existingConfig?.discoveryEndpoint ?? discoveryUrl,
+		authorizationEndpoint: existingConfig?.authorizationEndpoint ?? normalizedDoc.authorization_endpoint,
+		tokenEndpoint: existingConfig?.tokenEndpoint ?? normalizedDoc.token_endpoint,
+		jwksEndpoint: existingConfig?.jwksEndpoint ?? normalizedDoc.jwks_uri,
+		userInfoEndpoint: existingConfig?.userInfoEndpoint ?? normalizedDoc.userinfo_endpoint,
+		tokenEndpointAuthentication: existingConfig?.tokenEndpointAuthentication ?? tokenEndpointAuth,
+		scopesSupported: existingConfig?.scopesSupported ?? normalizedDoc.scopes_supported
+	};
+}
+/**
+* Compute the discovery URL from an issuer URL.
+*
+* Per OIDC Discovery spec, the discovery document is located at:
+* <issuer>/.well-known/openid-configuration
+*
+* Handles trailing slashes correctly.
+*/
+function computeDiscoveryUrl(issuer) {
+	return `${issuer.endsWith("/") ? issuer.slice(0, -1) : issuer}/.well-known/openid-configuration`;
+}
+/**
+* Validate a discovery URL before fetching.
+*
+* @param url - The discovery URL to validate
+* @param isTrustedOrigin - Origin verification tester function
+* @throws DiscoveryError if URL is invalid
+*/
+function validateDiscoveryUrl(url, isTrustedOrigin) {
+	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
+	if (!isTrustedOrigin(discoveryEndpoint)) throw new DiscoveryError("discovery_untrusted_origin", `The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`, { url: discoveryEndpoint });
+}
+/**
+* Fetch the OIDC discovery document from the IdP.
+*
+* @param url - The discovery endpoint URL
+* @param timeout - Request timeout in milliseconds
+* @returns The parsed discovery document
+* @throws DiscoveryError on network errors, timeouts, or invalid responses
+*/
+async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT) {
+	try {
+		const response = await betterFetch(url, {
+			method: "GET",
+			timeout
+		});
+		if (response.error) {
+			const { status } = response.error;
+			if (status === 404) throw new DiscoveryError("discovery_not_found", "Discovery endpoint not found", {
+				url,
+				status
+			});
+			if (status === 408) throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
+				url,
+				timeout
+			});
+			throw new DiscoveryError("discovery_unexpected_error", `Unexpected discovery error: ${response.error.statusText}`, {
+				url,
+				...response.error
+			});
+		}
+		if (!response.data) throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned an empty response", { url });
+		const data = response.data;
+		if (typeof data === "string") throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned invalid JSON", {
+			url,
+			bodyPreview: data.slice(0, 200)
+		});
+		return data;
+	} catch (error) {
+		if (error instanceof DiscoveryError) throw error;
+		if (error instanceof Error && error.name === "AbortError") throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
+			url,
+			timeout
+		});
+		throw new DiscoveryError("discovery_unexpected_error", `Unexpected error during discovery: ${error instanceof Error ? error.message : String(error)}`, { url }, { cause: error });
+	}
+}
+/**
+* Validate a discovery document.
+*
+* Checks:
+* 1. All required fields are present
+* 2. Issuer matches the configured issuer (case-sensitive, exact match)
+*
+* Invariant: If this function returns without throwing, the document is safe
+* to use for hydrating OIDC config (required fields present, issuer matches
+* configured value, basic structural sanity verified).
+*
+* @param doc - The discovery document to validate
+* @param configuredIssuer - The expected issuer value
+* @throws DiscoveryError if validation fails
+*/
+function validateDiscoveryDocument(doc, configuredIssuer) {
+	const missingFields = [];
+	for (const field of REQUIRED_DISCOVERY_FIELDS) if (!doc[field]) missingFields.push(field);
+	if (missingFields.length > 0) throw new DiscoveryError("discovery_incomplete", `Discovery document is missing required fields: ${missingFields.join(", ")}`, { missingFields });
+	if ((doc.issuer.endsWith("/") ? doc.issuer.slice(0, -1) : doc.issuer) !== (configuredIssuer.endsWith("/") ? configuredIssuer.slice(0, -1) : configuredIssuer)) throw new DiscoveryError("issuer_mismatch", `Discovered issuer "${doc.issuer}" does not match configured issuer "${configuredIssuer}"`, {
+		discovered: doc.issuer,
+		configured: configuredIssuer
+	});
+}
+/**
+* Normalize URLs in the discovery document.
+*
+* @param document - The discovery document
+* @param issuer - The base issuer URL
+* @param isTrustedOrigin - Origin verification tester function
+* @returns The normalized discovery document
+*/
+function normalizeDiscoveryUrls(document, issuer, isTrustedOrigin) {
+	const doc = { ...document };
+	doc.token_endpoint = normalizeAndValidateUrl("token_endpoint", doc.token_endpoint, issuer, isTrustedOrigin);
+	doc.authorization_endpoint = normalizeAndValidateUrl("authorization_endpoint", doc.authorization_endpoint, issuer, isTrustedOrigin);
+	doc.jwks_uri = normalizeAndValidateUrl("jwks_uri", doc.jwks_uri, issuer, isTrustedOrigin);
+	if (doc.userinfo_endpoint) doc.userinfo_endpoint = normalizeAndValidateUrl("userinfo_endpoint", doc.userinfo_endpoint, issuer, isTrustedOrigin);
+	if (doc.revocation_endpoint) doc.revocation_endpoint = normalizeAndValidateUrl("revocation_endpoint", doc.revocation_endpoint, issuer, isTrustedOrigin);
+	if (doc.end_session_endpoint) doc.end_session_endpoint = normalizeAndValidateUrl("end_session_endpoint", doc.end_session_endpoint, issuer, isTrustedOrigin);
+	if (doc.introspection_endpoint) doc.introspection_endpoint = normalizeAndValidateUrl("introspection_endpoint", doc.introspection_endpoint, issuer, isTrustedOrigin);
+	return doc;
+}
+/**
+* Normalizes and validates a single URL endpoint
+* @param name The url name
+* @param endpoint The url to validate
+* @param issuer The issuer base url
+* @param isTrustedOrigin - Origin verification tester function
+* @returns
+*/
+function normalizeAndValidateUrl(name, endpoint, issuer, isTrustedOrigin) {
+	const url = normalizeUrl(name, endpoint, issuer);
+	if (!isTrustedOrigin(url)) throw new DiscoveryError("discovery_untrusted_origin", `The ${name} "${url}" is not trusted by your trusted origins configuration.`, {
+		endpoint: name,
+		url
+	});
+	return url;
+}
+/**
+* Normalize a single URL endpoint.
+*
+* @param name - The endpoint name (e.g token_endpoint)
+* @param endpoint - The endpoint URL to normalize
+* @param issuer - The base issuer URL
+* @returns The normalized endpoint URL
+*/
+function normalizeUrl(name, endpoint, issuer) {
+	try {
+		return parseURL(name, endpoint).toString();
+	} catch {
+		const issuerURL = parseURL(name, issuer);
+		const basePath = issuerURL.pathname.replace(/\/+$/, "");
+		const endpointPath = endpoint.replace(/^\/+/, "");
+		return parseURL(name, basePath + "/" + endpointPath, issuerURL.origin).toString();
+	}
+}
+/**
+* Parses the given URL or throws in case of invalid or unsupported protocols
+*
+* @param name the url name
+* @param endpoint the endpoint url
+* @param [base] optional base path
+* @returns
+*/
+function parseURL(name, endpoint, base) {
+	let endpointURL;
+	try {
+		endpointURL = new URL(endpoint, base);
+		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") return endpointURL;
+	} catch (error) {
+		throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must be valid: ${endpoint}`, { url: endpoint }, { cause: error });
 	}
-	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
-		message: `SAML signature algorithm not recognized: ${algorithm}`,
-		code: "SAML_UNKNOWN_ALGORITHM"
+	throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must use the http or https supported protocols: ${endpoint}`, {
+		url: endpoint,
+		protocol: endpointURL.protocol
 	});
 }
-function validateEncryptionAlgorithms(algorithms, options = {}) {
-	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
-	const { keyEncryption, dataEncryption } = algorithms;
-	if (keyEncryption) {
-		if (allowedKeyEncryptionAlgorithms) {
-			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
-				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
-			});
-		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-	}
-	if (dataEncryption) {
-		if (allowedDataEncryptionAlgorithms) {
-			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
-				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
-			});
-		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-	}
+/**
+* Select the token endpoint authentication method.
+*
+* @param doc - The discovery document
+* @param existing - Existing authentication method from config
+* @returns The selected authentication method
+*/
+function selectTokenEndpointAuthMethod(doc, existing) {
+	if (existing) return existing;
+	const supported = doc.token_endpoint_auth_methods_supported;
+	if (!supported || supported.length === 0) return "client_secret_basic";
+	if (supported.includes("client_secret_basic")) return "client_secret_basic";
+	if (supported.includes("client_secret_post")) return "client_secret_post";
+	return "client_secret_basic";
 }
-function validateSAMLAlgorithms(response, options) {
-	validateSignatureAlgorithm(response.sigAlg, options);
-	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
+/**
+* Check if a provider configuration needs runtime discovery.
+*
+* Returns true if we need discovery at runtime to complete the token exchange
+* and validation. Specifically checks for:
+* - `tokenEndpoint` - required for exchanging authorization code for tokens
+* - `jwksEndpoint` - required for validating ID token signatures
+*
+* Note: `authorizationEndpoint` is handled separately in the sign-in flow,
+* so it's not checked here.
+*
+* @param config - Partial OIDC config from the provider
+* @returns true if runtime discovery should be performed
+*/
+function needsRuntimeDiscovery(config) {
+	if (!config) return true;
+	return !config.tokenEndpoint || !config.jwksEndpoint;
 }
-function validateConfigAlgorithms(config, options = {}) {
-	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
-	if (config.signatureAlgorithm) {
-		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
-		if (allowedSignatureAlgorithms) {
-			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
-				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
-			});
-		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
-		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
-			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
-			code: "SAML_UNKNOWN_ALGORITHM"
+
+//#endregion
+//#region src/oidc/errors.ts
+/**
+* OIDC Discovery Error Mapping
+*
+* Maps DiscoveryError codes to appropriate APIError responses.
+* Used at the boundary between the discovery pipeline and HTTP handlers.
+*/
+/**
+* Maps a DiscoveryError to an appropriate APIError for HTTP responses.
+*
+* Error code mapping:
+* - discovery_invalid_url       → 400 BAD_REQUEST
+* - discovery_not_found         → 400 BAD_REQUEST
+* - discovery_invalid_json      → 400 BAD_REQUEST
+* - discovery_incomplete        → 400 BAD_REQUEST
+* - issuer_mismatch             → 400 BAD_REQUEST
+* - unsupported_token_auth_method → 400 BAD_REQUEST
+* - discovery_timeout           → 502 BAD_GATEWAY
+* - discovery_unexpected_error  → 502 BAD_GATEWAY
+*
+* @param error - The DiscoveryError to map
+* @returns An APIError with appropriate status and message
+*/
+function mapDiscoveryErrorToAPIError(error) {
+	switch (error.code) {
+		case "discovery_timeout": return new APIError("BAD_GATEWAY", {
+			message: `OIDC discovery timed out: ${error.message}`,
+			code: error.code
 		});
-	}
-	if (config.digestAlgorithm) {
-		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
-		if (allowedDigestAlgorithms) {
-			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
-				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
-			});
-		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
-		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
-			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
-			code: "SAML_UNKNOWN_ALGORITHM"
+		case "discovery_unexpected_error": return new APIError("BAD_GATEWAY", {
+			message: `OIDC discovery failed: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_not_found": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery endpoint not found. The issuer may not support OIDC discovery, or the URL is incorrect. ${error.message}`,
+			code: error.code
+		});
+		case "discovery_invalid_url": return new APIError("BAD_REQUEST", {
+			message: `Invalid OIDC discovery URL: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_untrusted_origin": return new APIError("BAD_REQUEST", {
+			message: `Untrusted OIDC discovery URL: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery returned invalid data: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_incomplete": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery document is missing required fields: ${error.message}`,
+			code: error.code
+		});
+		case "issuer_mismatch": return new APIError("BAD_REQUEST", {
+			message: `OIDC issuer mismatch: ${error.message}`,
+			code: error.code
+		});
+		case "unsupported_token_auth_method": return new APIError("BAD_REQUEST", {
+			message: `Incompatible OIDC provider: ${error.message}`,
+			code: error.code
 		});
+		default:
+			error.code;
+			return new APIError("INTERNAL_SERVER_ERROR", {
+				message: `Unexpected discovery error: ${error.message}`,
+				code: "discovery_unexpected_error"
+			});
 	}
 }
 
 //#endregion
-//#region src/saml/assertions.ts
-/** @lintignore used in tests */
-function countAssertions(xml) {
-	let parsed;
+//#region src/saml-state.ts
+async function generateRelayState(c, link, additionalData) {
+	const callbackURL = c.body.callbackURL;
+	if (!callbackURL) throw new APIError("BAD_REQUEST", { message: "callbackURL is required" });
+	const codeVerifier = generateRandomString(128);
+	const stateData = {
+		...additionalData ? additionalData : {},
+		callbackURL,
+		codeVerifier,
+		errorURL: c.body.errorCallbackURL,
+		newUserURL: c.body.newUserCallbackURL,
+		link,
+		expiresAt: Date.now() + 600 * 1e3,
+		requestSignUp: c.body.requestSignUp
+	};
 	try {
-		parsed = xmlParser.parse(xml);
-	} catch {
-		throw new APIError("BAD_REQUEST", {
-			message: "Failed to parse SAML response XML",
-			code: "SAML_INVALID_XML"
+		return generateGenericState(c, stateData, { cookieName: "relay_state" });
+	} catch (error) {
+		c.context.logger.error("Failed to create verification for relay state", error);
+		throw new APIError("INTERNAL_SERVER_ERROR", {
+			message: "State error: Unable to create verification for relay state",
+			cause: error
 		});
 	}
-	const assertions = countAllNodes(parsed, "Assertion");
-	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
-	return {
-		assertions,
-		encryptedAssertions,
-		total: assertions + encryptedAssertions
-	};
 }
-function validateSingleAssertion(samlResponse) {
-	let xml;
+async function parseRelayState(c) {
+	const state = c.body.RelayState;
+	const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+	let parsedData;
 	try {
-		xml = new TextDecoder().decode(base64.decode(samlResponse));
-		if (!xml.includes("<")) throw new Error("Not XML");
-	} catch {
+		parsedData = await parseGenericState(c, state, { cookieName: "relay_state" });
+	} catch (error) {
+		c.context.logger.error("Failed to parse relay state", error);
 		throw new APIError("BAD_REQUEST", {
-			message: "Invalid base64-encoded SAML response",
-			code: "SAML_INVALID_ENCODING"
+			message: "State error: failed to validate relay state",
+			cause: error
 		});
 	}
-	const counts = countAssertions(xml);
-	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
-		message: "SAML response contains no assertions",
-		code: "SAML_NO_ASSERTION"
-	});
-	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
-		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
-		code: "SAML_MULTIPLE_ASSERTIONS"
-	});
-}
-
-//#endregion
-//#region src/utils.ts
-/**
-* Safely parses a value that might be a JSON string or already a parsed object.
-* This handles cases where ORMs like Drizzle might return already parsed objects
-* instead of JSON strings from TEXT/JSON columns.
-*
-* @param value - The value to parse (string, object, null, or undefined)
-* @returns The parsed object or null
-* @throws Error if string parsing fails
-*/
-function safeJsonParse(value) {
-	if (!value) return null;
-	if (typeof value === "object") return value;
-	if (typeof value === "string") try {
-		return JSON.parse(value);
-	} catch (error) {
-		throw new Error(`Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`);
-	}
-	return null;
+	if (!parsedData.errorURL) parsedData.errorURL = errorURL;
+	return parsedData;
 }
-const validateEmailDomain = (email, domain) => {
-	const emailDomain = email.split("@")[1]?.toLowerCase();
-	const providerDomain = domain.toLowerCase();
-	if (!emailDomain || !providerDomain) return false;
-	return emailDomain === providerDomain || emailDomain.endsWith(`.${providerDomain}`);
-};
 
 //#endregion
 //#region src/routes/sso.ts
@@ -1043,6 +1500,7 @@ const spMetadata = () => {
 				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 				Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`
 			}],
+			authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 			wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
 			nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
 		});
@@ -1052,7 +1510,7 @@ const spMetadata = () => {
 const ssoProviderBodySchema = z.object({
 	providerId: z.string({}).meta({ description: "The ID of the provider. This is used to identify the provider during login and callback" }),
 	issuer: z.string({}).meta({ description: "The issuer of the provider" }),
-	domain: z.string({}).meta({ description: "The domain of the provider. This is used for email matching" }),
+	domain: z.string({}).meta({ description: "The domain(s) of the provider. For enterprise multi-domain SSO where a single IdP serves multiple email domains, use comma-separated values (e.g., 'company.com,subsidiary.com,acquired-company.com')" }),
 	oidcConfig: z.object({
 		clientId: z.string({}).meta({ description: "The client ID" }),
 		clientSecret: z.string({}).meta({ description: "The client secret" }),
@@ -1427,7 +1885,7 @@ const registerSSOProvider = (options) => {
 			await ctx.context.adapter.create({
 				model: "verification",
 				data: {
-					identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+					identifier: getVerificationIdentifier(options, provider.providerId),
 					createdAt: /* @__PURE__ */ new Date(),
 					updatedAt: /* @__PURE__ */ new Date(),
 					value: domainVerificationToken,
@@ -1551,20 +2009,33 @@ const signInSSO = (options) => {
 			};
 		}
 		if (!providerId && !orgId && !domain) throw new APIError("BAD_REQUEST", { message: "providerId, orgId or domain is required" });
-		if (!provider) provider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: providerId ? "providerId" : orgId ? "organizationId" : "domain",
-				value: providerId || orgId || domain
-			}]
-		}).then((res) => {
-			if (!res) return null;
-			return {
-				...res,
-				oidcConfig: res.oidcConfig ? safeJsonParse(res.oidcConfig) || void 0 : void 0,
-				samlConfig: res.samlConfig ? safeJsonParse(res.samlConfig) || void 0 : void 0
+		if (!provider) {
+			const parseProvider = (res) => {
+				if (!res) return null;
+				return {
+					...res,
+					oidcConfig: res.oidcConfig ? safeJsonParse(res.oidcConfig) || void 0 : void 0,
+					samlConfig: res.samlConfig ? safeJsonParse(res.samlConfig) || void 0 : void 0
+				};
 			};
-		});
+			if (providerId || orgId) provider = parseProvider(await ctx.context.adapter.findOne({
+				model: "ssoProvider",
+				where: [{
+					field: providerId ? "providerId" : "organizationId",
+					value: providerId || orgId
+				}]
+			}));
+			else if (domain) {
+				provider = parseProvider(await ctx.context.adapter.findOne({
+					model: "ssoProvider",
+					where: [{
+						field: "domain",
+						value: domain
+					}]
+				}));
+				if (!provider) provider = parseProvider((await ctx.context.adapter.findMany({ model: "ssoProvider" })).find((p) => domainMatches(domain, p.domain)) ?? null);
+			}
+		}
 		if (!provider) throw new APIError("NOT_FOUND", { message: "No provider found for the issuer" });
 		if (body.providerType) {
 			if (body.providerType === "oidc" && !provider.oidcConfig) throw new APIError("BAD_REQUEST", { message: "OIDC provider is not configured" });
@@ -1613,21 +2084,41 @@ const signInSSO = (options) => {
 					Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 					Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.providerId}`
 				}],
+				authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 				wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
 				nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
 			}).getMetadata() || "";
 			const sp = saml.ServiceProvider({
 				metadata,
+				privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
+				privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
 				allowCreate: true
 			});
-			const idp = saml.IdentityProvider({
-				metadata: parsedSamlConfig.idpMetadata?.metadata,
-				entityID: parsedSamlConfig.idpMetadata?.entityID,
-				encryptCert: parsedSamlConfig.idpMetadata?.cert,
-				singleSignOnService: parsedSamlConfig.idpMetadata?.singleSignOnService
+			const idpData = parsedSamlConfig.idpMetadata;
+			let idp;
+			if (!idpData?.metadata) idp = saml.IdentityProvider({
+				entityID: idpData?.entityID || parsedSamlConfig.issuer,
+				singleSignOnService: idpData?.singleSignOnService || [{
+					Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+					Location: parsedSamlConfig.entryPoint
+				}],
+				signingCert: idpData?.cert || parsedSamlConfig.cert,
+				wantAuthnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
+				isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
+				encPrivateKey: idpData?.encPrivateKey,
+				encPrivateKeyPass: idpData?.encPrivateKeyPass
+			});
+			else idp = saml.IdentityProvider({
+				metadata: idpData.metadata,
+				privateKey: idpData.privateKey,
+				privateKeyPass: idpData.privateKeyPass,
+				isAssertionEncrypted: idpData.isAssertionEncrypted,
+				encPrivateKey: idpData.encPrivateKey,
+				encPrivateKeyPass: idpData.encPrivateKeyPass
 			});
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
 			if (!loginRequest) throw new APIError("BAD_REQUEST", { message: "Invalid SAML request" });
+			const { state: relayState } = await generateRelayState(ctx, void 0, false);
 			if (loginRequest.id && options?.saml?.enableInResponseToValidation) {
 				const ttl = options?.saml?.requestTTL ?? DEFAULT_AUTHN_REQUEST_TTL_MS;
 				const record = {
@@ -1643,7 +2134,7 @@ const signInSSO = (options) => {
 				});
 			}
 			return ctx.json({
-				url: `${loginRequest.context}&RelayState=${encodeURIComponent(body.callbackURL)}`,
+				url: `${loginRequest.context}&RelayState=${encodeURIComponent(relayState)}`,
 				redirect: true
 			});
 		}
@@ -1702,10 +2193,10 @@ const callbackSSO = (options) => {
 				oidcConfig: safeJsonParse(res.oidcConfig) || void 0
 			};
 		});
-		if (!provider) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=provider not found`);
+		if (!provider) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
 		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 		let config = provider.oidcConfig;
-		if (!config) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=provider not found`);
+		if (!config) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
 		const discovery = await betterFetch(config.discoveryEndpoint);
 		if (discovery.data) config = {
 			tokenEndpoint: discovery.data.token_endpoint,
@@ -1719,7 +2210,7 @@ const callbackSSO = (options) => {
 			],
 			...config
 		};
-		if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_endpoint_not_found`);
+		if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_endpoint_not_found`);
 		const tokenResponse = await validateAuthorizationCode({
 			code,
 			codeVerifier: config.pkce ? stateData.codeVerifier : void 0,
@@ -1734,17 +2225,19 @@ const callbackSSO = (options) => {
 			if (e instanceof BetterFetchError) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${e.message}`);
 			return null;
 		});
-		if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_response_not_found`);
+		if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_response_not_found`);
 		let userInfo = null;
 		if (tokenResponse.idToken) {
 			const idToken = decodeJwt(tokenResponse.idToken);
-			if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=jwks_endpoint_not_found`);
-			const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint).catch((e) => {
+			if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=jwks_endpoint_not_found`);
+			const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint, {
+				audience: config.clientId,
+				issuer: provider.issuer
+			}).catch((e) => {
 				ctx.context.logger.error(e);
 				return null;
 			});
-			if (!verified) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_not_verified`);
-			if (verified.payload.iss !== provider.issuer) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=issuer_mismatch`);
+			if (!verified) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_not_verified`);
 			const mapping = config.mapping || {};
 			userInfo = {
 				...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
@@ -1756,12 +2249,12 @@ const callbackSSO = (options) => {
 			};
 		}
 		if (!userInfo) {
-			if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=user_info_endpoint_not_found`);
+			if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
 			const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
-			if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
+			if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
 			userInfo = userInfoResponse.data;
 		}
-		if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=missing_user_info`);
+		if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=missing_user_info`);
 		const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
 		const linked = await handleOAuthUserInfo(ctx, {
 			userInfo: {
@@ -1786,7 +2279,7 @@ const callbackSSO = (options) => {
 			overrideUserInfo: config.overrideUserInfo,
 			isTrustedProvider
 		});
-		if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}/error?error=${linked.error}`);
+		if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}?error=${linked.error}`);
 		const { session, user } = linked.data;
 		if (options?.provisionUser) await options.provisionUser({
 			user,
@@ -1825,17 +2318,46 @@ const callbackSSOSAMLBodySchema = z.object({
 	SAMLResponse: z.string(),
 	RelayState: z.string().optional()
 });
+/**
+* Validates and returns a safe redirect URL.
+* - Prevents open redirect attacks by validating against trusted origins
+* - Prevents redirect loops by checking if URL points to callback route
+* - Falls back to appOrigin if URL is invalid or unsafe
+*/
+const getSafeRedirectUrl = (url, callbackPath, appOrigin, isTrustedOrigin) => {
+	if (!url) return appOrigin;
+	if (url.startsWith("/") && !url.startsWith("//")) {
+		try {
+			const absoluteUrl = new URL(url, appOrigin);
+			if (absoluteUrl.origin !== appOrigin) return appOrigin;
+			const callbackPathname = new URL(callbackPath).pathname;
+			if (absoluteUrl.pathname === callbackPathname) return appOrigin;
+		} catch {
+			return appOrigin;
+		}
+		return url;
+	}
+	if (!isTrustedOrigin(url, { allowRelativePaths: false })) return appOrigin;
+	try {
+		const callbackPathname = new URL(callbackPath).pathname;
+		if (new URL(url).pathname === callbackPathname) return appOrigin;
+	} catch {
+		if (url === callbackPath || url.startsWith(`${callbackPath}?`)) return appOrigin;
+	}
+	return url;
+};
 const callbackSSOSAML = (options) => {
 	return createAuthEndpoint("/sso/saml2/callback/:providerId", {
-		method: "POST",
-		body: callbackSSOSAMLBodySchema,
+		method: ["GET", "POST"],
+		body: callbackSSOSAMLBodySchema.optional(),
+		query: z.object({ RelayState: z.string().optional() }).optional(),
 		metadata: {
 			...HIDE_METADATA,
 			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 			openapi: {
 				operationId: "handleSAMLCallback",
 				summary: "Callback URL for SAML provider",
-				description: "This endpoint is used as the callback URL for SAML providers.",
+				description: "This endpoint is used as the callback URL for SAML providers. Supports both GET and POST methods for IdP-initiated and SP-initiated flows.",
 				responses: {
 					"302": { description: "Redirects to the callback URL" },
 					"400": { description: "Invalid SAML response" },
@@ -1844,10 +2366,26 @@ const callbackSSOSAML = (options) => {
 			}
 		}
 	}, async (ctx) => {
-		const { SAMLResponse, RelayState } = ctx.body;
 		const { providerId } = ctx.params;
+		const appOrigin = new URL(ctx.context.baseURL).origin;
+		const errorURL = ctx.context.options.onAPIError?.errorURL || `${appOrigin}/error`;
+		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/callback/${providerId}`;
+		if (ctx.method === "GET" && !ctx.body?.SAMLResponse) {
+			if (!(await getSessionFromCtx(ctx))?.session) throw ctx.redirect(`${errorURL}?error=invalid_request`);
+			const relayState$1 = ctx.query?.RelayState;
+			const safeRedirectUrl = getSafeRedirectUrl(relayState$1, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+			throw ctx.redirect(safeRedirectUrl);
+		}
+		if (!ctx.body?.SAMLResponse) throw new APIError("BAD_REQUEST", { message: "SAMLResponse is required for POST requests" });
+		const { SAMLResponse } = ctx.body;
 		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
 		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
+		let relayState = null;
+		if (ctx.body.RelayState) try {
+			relayState = await parseRelayState(ctx);
+		} catch {
+			relayState = null;
+		}
 		let provider = null;
 		if (options?.defaultSSO?.length) {
 			const matchingDefault = options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId);
@@ -1875,16 +2413,18 @@ const callbackSSOSAML = (options) => {
 		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 		const parsedSamlConfig = safeJsonParse(provider.samlConfig);
 		if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
+		const isTrusted = (url, settings) => ctx.context.isTrustedOrigin(url, settings);
+		const safeErrorUrl = getSafeRedirectUrl(relayState?.errorURL || relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, isTrusted);
 		const idpData = parsedSamlConfig.idpMetadata;
 		let idp = null;
 		if (!idpData?.metadata) idp = saml.IdentityProvider({
 			entityID: idpData?.entityID || parsedSamlConfig.issuer,
-			singleSignOnService: [{
+			singleSignOnService: idpData?.singleSignOnService || [{
 				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 				Location: parsedSamlConfig.entryPoint
 			}],
 			signingCert: idpData?.cert || parsedSamlConfig.cert,
-			wantAuthnRequestsSigned: parsedSamlConfig.wantAssertionsSigned || false,
+			wantAuthnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 			isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
 			encPrivateKey: idpData?.encPrivateKey,
 			encPrivateKeyPass: idpData?.encPrivateKeyPass
@@ -1918,13 +2458,13 @@ const callbackSSOSAML = (options) => {
 		try {
 			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
 				SAMLResponse,
-				RelayState: RelayState || void 0
+				RelayState: ctx.body.RelayState || void 0
 			} });
 			if (!parsedResponse?.extract) throw new Error("Invalid SAML response structure");
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
+				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -1955,8 +2495,7 @@ const callbackSSOSAML = (options) => {
 						inResponseTo,
 						providerId: provider.providerId
 					});
-					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
+					throw ctx.redirect(`${safeErrorUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
 				}
 				if (storedRequest.providerId !== provider.providerId) {
 					ctx.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
@@ -1965,14 +2504,12 @@ const callbackSSOSAML = (options) => {
 						actualProvider: provider.providerId
 					});
 					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
+					throw ctx.redirect(`${safeErrorUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
 				}
 				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 			} else if (!allowIdpInitiated) {
 				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId: provider.providerId });
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
+				throw ctx.redirect(`${safeErrorUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
 		const samlContent = parsedResponse.samlContent;
@@ -1998,8 +2535,7 @@ const callbackSSOSAML = (options) => {
 					issuer,
 					providerId: provider.providerId
 				});
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-				throw ctx.redirect(`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
+				throw ctx.redirect(`${safeErrorUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
 			}
 			await ctx.context.internalAdapter.createVerificationValue({
 				identifier: `${USED_ASSERTION_KEY_PREFIX}${assertionId}`,
@@ -2032,7 +2568,7 @@ const callbackSSOSAML = (options) => {
 			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 		}
 		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
-		const callbackUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+		const safeCallbackUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, isTrusted);
 		const result = await handleOAuthUserInfo(ctx, {
 			userInfo: {
 				email: userInfo.email,
@@ -2046,11 +2582,11 @@ const callbackSSOSAML = (options) => {
 				accessToken: "",
 				refreshToken: ""
 			},
-			callbackURL: callbackUrl,
+			callbackURL: safeCallbackUrl,
 			disableSignUp: options?.disableImplicitSignUp,
 			isTrustedProvider
 		});
-		if (result.error) throw ctx.redirect(`${callbackUrl}?error=${result.error.split(" ").join("_")}`);
+		if (result.error) throw ctx.redirect(`${safeCallbackUrl}?error=${result.error.split(" ").join("_")}`);
 		const { session, user } = result.data;
 		if (options?.provisionUser) await options.provisionUser({
 			user,
@@ -2074,7 +2610,7 @@ const callbackSSOSAML = (options) => {
 			session,
 			user
 		});
-		throw ctx.redirect(callbackUrl);
+		throw ctx.redirect(safeCallbackUrl);
 	});
 };
 const acsEndpointBodySchema = z.object({
@@ -2096,10 +2632,18 @@ const acsEndpoint = (options) => {
 			}
 		}
 	}, async (ctx) => {
-		const { SAMLResponse, RelayState = "" } = ctx.body;
+		const { SAMLResponse } = ctx.body;
 		const { providerId } = ctx.params;
+		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`;
+		const appOrigin = new URL(ctx.context.baseURL).origin;
 		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
 		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
+		let relayState = null;
+		if (ctx.body.RelayState) try {
+			relayState = await parseRelayState(ctx);
+		} catch {
+			relayState = null;
+		}
 		let provider = null;
 		if (options?.defaultSSO?.length) {
 			const matchingDefault = providerId ? options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId) : options.defaultSSO[0];
@@ -2127,6 +2671,8 @@ const acsEndpoint = (options) => {
 		if (!provider?.samlConfig) throw new APIError("NOT_FOUND", { message: "No SAML provider found" });
 		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 		const parsedSamlConfig = provider.samlConfig;
+		const isTrusted = (url, settings) => ctx.context.isTrustedOrigin(url, settings);
+		const safeErrorUrl = getSafeRedirectUrl(relayState?.errorURL || relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, isTrusted);
 		const sp = saml.ServiceProvider({
 			entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
 			assertionConsumerService: [{
@@ -2152,9 +2698,8 @@ const acsEndpoint = (options) => {
 			validateSingleAssertion(SAMLResponse);
 		} catch (error) {
 			if (error instanceof APIError) {
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 				const errorCode = error.body?.code === "SAML_MULTIPLE_ASSERTIONS" ? "multiple_assertions" : "no_assertion";
-				throw ctx.redirect(`${redirectUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`);
+				throw ctx.redirect(`${safeErrorUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`);
 			}
 			throw error;
 		}
@@ -2162,13 +2707,13 @@ const acsEndpoint = (options) => {
 		try {
 			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
 				SAMLResponse,
-				RelayState: RelayState || void 0
+				RelayState: ctx.body.RelayState || void 0
 			} });
 			if (!parsedResponse?.extract) throw new Error("Invalid SAML response structure");
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
+				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -2199,8 +2744,7 @@ const acsEndpoint = (options) => {
 						inResponseTo: inResponseToAcs,
 						providerId
 					});
-					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
+					throw ctx.redirect(`${safeErrorUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
 				}
 				if (storedRequest.providerId !== providerId) {
 					ctx.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
@@ -2209,17 +2753,15 @@ const acsEndpoint = (options) => {
 						actualProvider: providerId
 					});
 					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
-					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
+					throw ctx.redirect(`${safeErrorUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
 				}
 				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
 			} else if (!allowIdpInitiated) {
 				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId });
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
+				throw ctx.redirect(`${safeErrorUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
-		const assertionIdAcs = extractAssertionId(Buffer.from(SAMLResponse, "base64").toString("utf-8"));
+		const assertionIdAcs = extractAssertionId(new TextDecoder().decode(base64.decode(SAMLResponse)));
 		if (assertionIdAcs) {
 			const issuer = idp.entityMeta.getEntityID();
 			const conditions = extract.conditions;
@@ -2241,8 +2783,7 @@ const acsEndpoint = (options) => {
 					issuer,
 					providerId
 				});
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-				throw ctx.redirect(`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
+				throw ctx.redirect(`${safeErrorUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
 			}
 			await ctx.context.internalAdapter.createVerificationValue({
 				identifier: `${USED_ASSERTION_KEY_PREFIX}${assertionIdAcs}`,
@@ -2275,7 +2816,7 @@ const acsEndpoint = (options) => {
 			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 		}
 		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
-		const callbackUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+		const safeCallbackUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, isTrusted);
 		const result = await handleOAuthUserInfo(ctx, {
 			userInfo: {
 				email: userInfo.email,
@@ -2289,11 +2830,11 @@ const acsEndpoint = (options) => {
 				accessToken: "",
 				refreshToken: ""
 			},
-			callbackURL: callbackUrl,
+			callbackURL: safeCallbackUrl,
 			disableSignUp: options?.disableImplicitSignUp,
 			isTrustedProvider
 		});
-		if (result.error) throw ctx.redirect(`${callbackUrl}?error=${result.error.split(" ").join("_")}`);
+		if (result.error) throw ctx.redirect(`${safeCallbackUrl}?error=${result.error.split(" ").join("_")}`);
 		const { session, user } = result.data;
 		if (options?.provisionUser) await options.provisionUser({
 			user,
@@ -2317,7 +2858,7 @@ const acsEndpoint = (options) => {
 			session,
 			user
 		});
-		throw ctx.redirect(callbackUrl);
+		throw ctx.redirect(safeCallbackUrl);
 	});
 };
 
@@ -2327,6 +2868,12 @@ saml.setSchemaValidator({ async validate(xml) {
 	if (XMLValidator.validate(xml, { allowBooleanAttributes: true }) === true) return "SUCCESS_VALIDATE_XML";
 	throw "ERR_INVALID_XML";
 } });
+/**
+* SAML endpoint paths that should skip origin check validation.
+* These endpoints receive POST requests from external Identity Providers,
+* which won't have a matching Origin header.
+*/
+const SAML_SKIP_ORIGIN_CHECK_PATHS = ["/sso/saml2/callback", "/sso/saml2/sp/acs"];
 function sso(options) {
 	const optionsWithStore = options;
 	let endpoints = {
@@ -2335,7 +2882,11 @@ function sso(options) {
 		signInSSO: signInSSO(optionsWithStore),
 		callbackSSO: callbackSSO(optionsWithStore),
 		callbackSSOSAML: callbackSSOSAML(optionsWithStore),
-		acsEndpoint: acsEndpoint(optionsWithStore)
+		acsEndpoint: acsEndpoint(optionsWithStore),
+		listSSOProviders: listSSOProviders(),
+		getSSOProvider: getSSOProvider(),
+		updateSSOProvider: updateSSOProvider(optionsWithStore),
+		deleteSSOProvider: deleteSSOProvider()
 	};
 	if (options?.domainVerification?.enabled) {
 		const domainVerificationEndpoints = {
@@ -2349,6 +2900,11 @@ function sso(options) {
 	}
 	return {
 		id: "sso",
+		init(ctx) {
+			const existing = ctx.skipOriginCheck;
+			if (existing === true) return {};
+			return { context: { skipOriginCheck: [...Array.isArray(existing) ? existing : [], ...SAML_SKIP_ORIGIN_CHECK_PATHS] } };
+		},
 		endpoints,
 		hooks: { after: [{
 			matcher(context) {
@@ -2357,7 +2913,7 @@ function sso(options) {
 			handler: createAuthMiddleware(async (ctx) => {
 				const newSession = ctx.context.newSession;
 				if (!newSession?.user) return;
-				if (!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) return;
+				if (!(ctx.context.options.plugins?.some((plugin) => plugin.id === "organization") ?? false)) return;
 				await assignOrganizationByDomain(ctx, {
 					user: newSession.user,
 					provisioningOptions: options?.organizationProvisioning,
@@ -2418,4 +2974,5 @@ function sso(options) {
 }
 
 //#endregion
-export { DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DigestAlgorithm, DiscoveryError, KeyEncryptionAlgorithm, REQUIRED_DISCOVERY_FIELDS, SignatureAlgorithm, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+export { DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DigestAlgorithm, DiscoveryError, KeyEncryptionAlgorithm, REQUIRED_DISCOVERY_FIELDS, SignatureAlgorithm, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+//# sourceMappingURL=index.mjs.map