npm - @better-auth/sso - Versions diffs - 1.4.18 → 1.4.20 - Mend

@better-auth/sso 1.4.18 → 1.4.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/.turbo/turbo-build.log +7 -7
package/dist/client.d.mts +1 -1
package/dist/{index-C4nbdf2g.d.mts → index-D-VInsst.d.mts} +7 -3
package/dist/index.d.mts +1 -1
package/dist/index.mjs +97 -62
package/dist/index.mjs.map +1 -1
package/package.json +4 -3
package/src/domain-verification.test.ts +46 -4
package/src/linking/org-assignment.ts +2 -2
package/src/oidc.test.ts +1 -3
package/src/routes/domain-verification.ts +34 -12
package/src/routes/sso.ts +131 -93
package/src/saml-state.ts +1 -1
package/src/saml.test.ts +392 -0
package/src/types.ts +6 -2

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,5 +1,5 @@
-> @better-auth/sso@1.4.18 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.20 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 [34mℹ[39m tsdown [2mv0.17.2[22m powered by rolldown [2mv1.0.0-beta.53[22m
@@ -7,12 +7,12 @@
 [34mℹ[39m entry: [34msrc/index.ts, src/client.ts[39m
 [34mℹ[39m tsconfig: [34mtsconfig.json[39m
 [34mℹ[39m Build start
-[34mℹ[39m [2mdist/[22m[1mindex.mjs[22m             [2m120.19 kB[22m [2m│ gzip: 23.98 kB[22m
+[34mℹ[39m [2mdist/[22m[1mindex.mjs[22m             [2m120.93 kB[22m [2m│ gzip: 24.08 kB[22m
 [34mℹ[39m [2mdist/[22m[1mclient.mjs[22m            [2m  0.28 kB[22m [2m│ gzip:  0.21 kB[22m
-[34mℹ[39m [2mdist/[22mindex.mjs.map         [2m244.62 kB[22m [2m│ gzip: 47.01 kB[22m
+[34mℹ[39m [2mdist/[22mindex.mjs.map         [2m246.56 kB[22m [2m│ gzip: 47.33 kB[22m
 [34mℹ[39m [2mdist/[22mclient.mjs.map        [2m  0.94 kB[22m [2m│ gzip:  0.50 kB[22m
 [34mℹ[39m [2mdist/[22m[32m[1mindex.d.mts[22m[39m           [2m  1.67 kB[22m [2m│ gzip:  0.57 kB[22m
-[34mℹ[39m [2mdist/[22m[32m[1mclient.d.mts[22m[39m          [2m  0.62 kB[22m [2m│ gzip:  0.36 kB[22m
-[34mℹ[39m [2mdist/[22m[32mindex-C4nbdf2g.d.mts[39m  [2m 55.71 kB[22m [2m│ gzip:  9.86 kB[22m
-[34mℹ[39m 7 files, total: 424.03 kB
-[32m✔[39m Build complete in [32m18417ms[39m
+[34mℹ[39m [2mdist/[22m[32m[1mclient.d.mts[22m[39m          [2m  0.62 kB[22m [2m│ gzip:  0.35 kB[22m
+[34mℹ[39m [2mdist/[22m[32mindex-D-VInsst.d.mts[39m  [2m 55.92 kB[22m [2m│ gzip:  9.95 kB[22m
+[34mℹ[39m 7 files, total: 426.92 kB
+[32m✔[39m Build complete in [32m19437ms[39m

package/dist/client.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-C4nbdf2g.mjs";
+import { t as SSOPlugin } from "./index-D-VInsst.mjs";
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-C4nbdf2g.d.mts → index-D-VInsst.d.mts} RENAMED Viewed

@@ -109,6 +109,7 @@ interface SAMLConfig {
     encPrivateKeyPass?: string | undefined;
   };
   wantAssertionsSigned?: boolean | undefined;
+  authnRequestsSigned?: boolean | undefined;
   signatureAlgorithm?: string | undefined;
   digestAlgorithm?: string | undefined;
   identifierFormat?: string | undefined;
@@ -278,9 +279,12 @@ interface SSOOptions {
      */
     enabled?: boolean;
     /**
-     * Prefix used to generate the domain verification token
+     * Prefix used to generate the domain verification token.
+     * An underscore is automatically prepended to follow DNS
+     * infrastructure subdomain conventions (RFC 8552), so do
+     * not include a leading underscore.
      *
-     * @default "better-auth-token-"
+     * @default "better-auth-token"
      */
     tokenPrefix?: string;
   };
@@ -1656,4 +1660,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
 };
 //#endregion
 export { DataEncryptionAlgorithm as A, TimestampValidationOptions as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, SAMLConditions as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, DEFAULT_MAX_SAML_METADATA_SIZE as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, validateSAMLTimestamp as w, DEFAULT_MAX_SAML_RESPONSE_SIZE as x, DEFAULT_CLOCK_SKEW_MS as y };
-//# sourceMappingURL=index-C4nbdf2g.d.mts.map
+//# sourceMappingURL=index-D-VInsst.d.mts.map

package/dist/index.d.mts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-C4nbdf2g.mjs";
+import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-D-VInsst.mjs";
 export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs CHANGED Viewed

@@ -11,7 +11,6 @@ import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateSt
 import { setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
-import { APIError as APIError$1 } from "better-call";
 //#region src/utils.ts
 /**
@@ -162,7 +161,12 @@ async function assignOrganizationByDomain(ctx, options) {
 //#endregion
 //#region src/routes/domain-verification.ts
+const DNS_LABEL_MAX_LENGTH = 63;
+const DEFAULT_TOKEN_PREFIX = "better-auth-token";
 const domainVerificationBodySchema = z$1.object({ providerId: z$1.string() });
+function getVerificationIdentifier(options, providerId) {
+	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
+}
 const requestDomainVerification = (options) => {
 	return createAuthEndpoint("/sso/request-domain-verification", {
 		method: "POST",
@@ -210,11 +214,12 @@ const requestDomainVerification = (options) => {
 			message: "Domain has already been verified",
 			code: "DOMAIN_VERIFIED"
 		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
 		const activeVerification = await ctx.context.adapter.findOne({
 			model: "verification",
 			where: [{
 				field: "identifier",
-				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+				value: identifier
 			}, {
 				field: "expiresAt",
 				value: /* @__PURE__ */ new Date(),
@@ -229,7 +234,7 @@ const requestDomainVerification = (options) => {
 		await ctx.context.adapter.create({
 			model: "verification",
 			data: {
-				identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+				identifier,
 				createdAt: /* @__PURE__ */ new Date(),
 				updatedAt: /* @__PURE__ */ new Date(),
 				value: domainVerificationToken,
@@ -288,11 +293,16 @@ const verifyDomain = (options) => {
 			message: "Domain has already been verified",
 			code: "DOMAIN_VERIFIED"
 		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
+		if (identifier.length > DNS_LABEL_MAX_LENGTH) throw new APIError("BAD_REQUEST", {
+			message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
+			code: "IDENTIFIER_TOO_LONG"
+		});
 		const activeVerification = await ctx.context.adapter.findOne({
 			model: "verification",
 			where: [{
 				field: "identifier",
-				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+				value: identifier
 			}, {
 				field: "expiresAt",
 				value: /* @__PURE__ */ new Date(),
@@ -315,7 +325,8 @@ const verifyDomain = (options) => {
 			});
 		}
 		try {
-			records = (await dns.resolveTxt(new URL(provider.domain).hostname)).flat();
+			const hostname = new URL(provider.domain).hostname;
+			records = (await dns.resolveTxt(`${identifier}.${hostname}`)).flat();
 		} catch (error) {
 			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
 		}
@@ -1357,7 +1368,7 @@ function mapDiscoveryErrorToAPIError(error) {
 //#region src/saml-state.ts
 async function generateRelayState(c, link, additionalData) {
 	const callbackURL = c.body.callbackURL;
-	if (!callbackURL) throw new APIError$1("BAD_REQUEST", { message: "callbackURL is required" });
+	if (!callbackURL) throw new APIError("BAD_REQUEST", { message: "callbackURL is required" });
 	const codeVerifier = generateRandomString(128);
 	const stateData = {
 		...additionalData ? additionalData : {},
@@ -1373,7 +1384,7 @@ async function generateRelayState(c, link, additionalData) {
 		return generateGenericState(c, stateData, { cookieName: "relay_state" });
 	} catch (error) {
 		c.context.logger.error("Failed to create verification for relay state", error);
-		throw new APIError$1("INTERNAL_SERVER_ERROR", {
+		throw new APIError("INTERNAL_SERVER_ERROR", {
 			message: "State error: Unable to create verification for relay state",
 			cause: error
 		});
@@ -1387,7 +1398,7 @@ async function parseRelayState(c) {
 		parsedData = await parseGenericState(c, state, { cookieName: "relay_state" });
 	} catch (error) {
 		c.context.logger.error("Failed to parse relay state", error);
-		throw new APIError$1("BAD_REQUEST", {
+		throw new APIError("BAD_REQUEST", {
 			message: "State error: failed to validate relay state",
 			cause: error
 		});
@@ -1489,6 +1500,7 @@ const spMetadata = () => {
 				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 				Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`
 			}],
+			authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 			wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
 			nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
 		});
@@ -1873,7 +1885,7 @@ const registerSSOProvider = (options) => {
 			await ctx.context.adapter.create({
 				model: "verification",
 				data: {
-					identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+					identifier: getVerificationIdentifier(options, provider.providerId),
 					createdAt: /* @__PURE__ */ new Date(),
 					updatedAt: /* @__PURE__ */ new Date(),
 					value: domainVerificationToken,
@@ -2072,18 +2084,37 @@ const signInSSO = (options) => {
 					Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 					Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.providerId}`
 				}],
+				authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 				wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
 				nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
 			}).getMetadata() || "";
 			const sp = saml.ServiceProvider({
 				metadata,
+				privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
+				privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
 				allowCreate: true
 			});
-			const idp = saml.IdentityProvider({
-				metadata: parsedSamlConfig.idpMetadata?.metadata,
-				entityID: parsedSamlConfig.idpMetadata?.entityID,
-				encryptCert: parsedSamlConfig.idpMetadata?.cert,
-				singleSignOnService: parsedSamlConfig.idpMetadata?.singleSignOnService
+			const idpData = parsedSamlConfig.idpMetadata;
+			let idp;
+			if (!idpData?.metadata) idp = saml.IdentityProvider({
+				entityID: idpData?.entityID || parsedSamlConfig.issuer,
+				singleSignOnService: idpData?.singleSignOnService || [{
+					Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+					Location: parsedSamlConfig.entryPoint
+				}],
+				signingCert: idpData?.cert || parsedSamlConfig.cert,
+				wantAuthnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
+				isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
+				encPrivateKey: idpData?.encPrivateKey,
+				encPrivateKeyPass: idpData?.encPrivateKeyPass
+			});
+			else idp = saml.IdentityProvider({
+				metadata: idpData.metadata,
+				privateKey: idpData.privateKey,
+				privateKeyPass: idpData.privateKeyPass,
+				isAssertionEncrypted: idpData.isAssertionEncrypted,
+				encPrivateKey: idpData.encPrivateKey,
+				encPrivateKeyPass: idpData.encPrivateKeyPass
 			});
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
 			if (!loginRequest) throw new APIError("BAD_REQUEST", { message: "Invalid SAML request" });
@@ -2162,10 +2193,10 @@ const callbackSSO = (options) => {
 				oidcConfig: safeJsonParse(res.oidcConfig) || void 0
 			};
 		});
-		if (!provider) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=provider not found`);
+		if (!provider) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
 		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 		let config = provider.oidcConfig;
-		if (!config) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=provider not found`);
+		if (!config) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
 		const discovery = await betterFetch(config.discoveryEndpoint);
 		if (discovery.data) config = {
 			tokenEndpoint: discovery.data.token_endpoint,
@@ -2179,7 +2210,7 @@ const callbackSSO = (options) => {
 			],
 			...config
 		};
-		if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_endpoint_not_found`);
+		if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_endpoint_not_found`);
 		const tokenResponse = await validateAuthorizationCode({
 			code,
 			codeVerifier: config.pkce ? stateData.codeVerifier : void 0,
@@ -2194,17 +2225,19 @@ const callbackSSO = (options) => {
 			if (e instanceof BetterFetchError) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${e.message}`);
 			return null;
 		});
-		if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_response_not_found`);
+		if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_response_not_found`);
 		let userInfo = null;
 		if (tokenResponse.idToken) {
 			const idToken = decodeJwt(tokenResponse.idToken);
-			if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=jwks_endpoint_not_found`);
-			const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint).catch((e) => {
+			if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=jwks_endpoint_not_found`);
+			const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint, {
+				audience: config.clientId,
+				issuer: provider.issuer
+			}).catch((e) => {
 				ctx.context.logger.error(e);
 				return null;
 			});
-			if (!verified) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_not_verified`);
-			if (verified.payload.iss !== provider.issuer) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=issuer_mismatch`);
+			if (!verified) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_not_verified`);
 			const mapping = config.mapping || {};
 			userInfo = {
 				...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
@@ -2216,12 +2249,12 @@ const callbackSSO = (options) => {
 			};
 		}
 		if (!userInfo) {
-			if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=user_info_endpoint_not_found`);
+			if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
 			const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
-			if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
+			if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
 			userInfo = userInfoResponse.data;
 		}
-		if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=missing_user_info`);
+		if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=missing_user_info`);
 		const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
 		const linked = await handleOAuthUserInfo(ctx, {
 			userInfo: {
@@ -2246,7 +2279,7 @@ const callbackSSO = (options) => {
 			overrideUserInfo: config.overrideUserInfo,
 			isTrustedProvider
 		});
-		if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}/error?error=${linked.error}`);
+		if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}?error=${linked.error}`);
 		const { session, user } = linked.data;
 		if (options?.provisionUser) await options.provisionUser({
 			user,
@@ -2340,8 +2373,8 @@ const callbackSSOSAML = (options) => {
 		if (ctx.method === "GET" && !ctx.body?.SAMLResponse) {
 			if (!(await getSessionFromCtx(ctx))?.session) throw ctx.redirect(`${errorURL}?error=invalid_request`);
 			const relayState$1 = ctx.query?.RelayState;
-			const safeRedirectUrl$1 = getSafeRedirectUrl(relayState$1, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
-			throw ctx.redirect(safeRedirectUrl$1);
+			const safeRedirectUrl = getSafeRedirectUrl(relayState$1, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+			throw ctx.redirect(safeRedirectUrl);
 		}
 		if (!ctx.body?.SAMLResponse) throw new APIError("BAD_REQUEST", { message: "SAMLResponse is required for POST requests" });
 		const { SAMLResponse } = ctx.body;
@@ -2380,16 +2413,18 @@ const callbackSSOSAML = (options) => {
 		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 		const parsedSamlConfig = safeJsonParse(provider.samlConfig);
 		if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
+		const isTrusted = (url, settings) => ctx.context.isTrustedOrigin(url, settings);
+		const safeErrorUrl = getSafeRedirectUrl(relayState?.errorURL || relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, isTrusted);
 		const idpData = parsedSamlConfig.idpMetadata;
 		let idp = null;
 		if (!idpData?.metadata) idp = saml.IdentityProvider({
 			entityID: idpData?.entityID || parsedSamlConfig.issuer,
-			singleSignOnService: [{
+			singleSignOnService: idpData?.singleSignOnService || [{
 				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 				Location: parsedSamlConfig.entryPoint
 			}],
 			signingCert: idpData?.cert || parsedSamlConfig.cert,
-			wantAuthnRequestsSigned: parsedSamlConfig.wantAssertionsSigned || false,
+			wantAuthnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 			isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
 			encPrivateKey: idpData?.encPrivateKey,
 			encPrivateKeyPass: idpData?.encPrivateKeyPass
@@ -2429,7 +2464,7 @@ const callbackSSOSAML = (options) => {
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
+				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -2460,8 +2495,7 @@ const callbackSSOSAML = (options) => {
 						inResponseTo,
 						providerId: provider.providerId
 					});
-					const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
+					throw ctx.redirect(`${safeErrorUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
 				}
 				if (storedRequest.providerId !== provider.providerId) {
 					ctx.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
@@ -2470,14 +2504,12 @@ const callbackSSOSAML = (options) => {
 						actualProvider: provider.providerId
 					});
 					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-					const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
+					throw ctx.redirect(`${safeErrorUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
 				}
 				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 			} else if (!allowIdpInitiated) {
 				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId: provider.providerId });
-				const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
+				throw ctx.redirect(`${safeErrorUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
 		const samlContent = parsedResponse.samlContent;
@@ -2503,8 +2535,7 @@ const callbackSSOSAML = (options) => {
 					issuer,
 					providerId: provider.providerId
 				});
-				const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-				throw ctx.redirect(`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
+				throw ctx.redirect(`${safeErrorUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
 			}
 			await ctx.context.internalAdapter.createVerificationValue({
 				identifier: `${USED_ASSERTION_KEY_PREFIX}${assertionId}`,
@@ -2537,7 +2568,7 @@ const callbackSSOSAML = (options) => {
 			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 		}
 		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
-		const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+		const safeCallbackUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, isTrusted);
 		const result = await handleOAuthUserInfo(ctx, {
 			userInfo: {
 				email: userInfo.email,
@@ -2551,11 +2582,11 @@ const callbackSSOSAML = (options) => {
 				accessToken: "",
 				refreshToken: ""
 			},
-			callbackURL: callbackUrl,
+			callbackURL: safeCallbackUrl,
 			disableSignUp: options?.disableImplicitSignUp,
 			isTrustedProvider
 		});
-		if (result.error) throw ctx.redirect(`${callbackUrl}?error=${result.error.split(" ").join("_")}`);
+		if (result.error) throw ctx.redirect(`${safeCallbackUrl}?error=${result.error.split(" ").join("_")}`);
 		const { session, user } = result.data;
 		if (options?.provisionUser) await options.provisionUser({
 			user,
@@ -2579,8 +2610,7 @@ const callbackSSOSAML = (options) => {
 			session,
 			user
 		});
-		const safeRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
-		throw ctx.redirect(safeRedirectUrl);
+		throw ctx.redirect(safeCallbackUrl);
 	});
 };
 const acsEndpointBodySchema = z.object({
@@ -2602,10 +2632,18 @@ const acsEndpoint = (options) => {
 			}
 		}
 	}, async (ctx) => {
-		const { SAMLResponse, RelayState = "" } = ctx.body;
+		const { SAMLResponse } = ctx.body;
 		const { providerId } = ctx.params;
+		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`;
+		const appOrigin = new URL(ctx.context.baseURL).origin;
 		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
 		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
+		let relayState = null;
+		if (ctx.body.RelayState) try {
+			relayState = await parseRelayState(ctx);
+		} catch {
+			relayState = null;
+		}
 		let provider = null;
 		if (options?.defaultSSO?.length) {
 			const matchingDefault = providerId ? options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId) : options.defaultSSO[0];
@@ -2633,6 +2671,8 @@ const acsEndpoint = (options) => {
 		if (!provider?.samlConfig) throw new APIError("NOT_FOUND", { message: "No SAML provider found" });
 		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 		const parsedSamlConfig = provider.samlConfig;
+		const isTrusted = (url, settings) => ctx.context.isTrustedOrigin(url, settings);
+		const safeErrorUrl = getSafeRedirectUrl(relayState?.errorURL || relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, isTrusted);
 		const sp = saml.ServiceProvider({
 			entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
 			assertionConsumerService: [{
@@ -2658,9 +2698,8 @@ const acsEndpoint = (options) => {
 			validateSingleAssertion(SAMLResponse);
 		} catch (error) {
 			if (error instanceof APIError) {
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 				const errorCode = error.body?.code === "SAML_MULTIPLE_ASSERTIONS" ? "multiple_assertions" : "no_assertion";
-				throw ctx.redirect(`${redirectUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`);
+				throw ctx.redirect(`${safeErrorUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`);
 			}
 			throw error;
 		}
@@ -2668,13 +2707,13 @@ const acsEndpoint = (options) => {
 		try {
 			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
 				SAMLResponse,
-				RelayState: RelayState || void 0
+				RelayState: ctx.body.RelayState || void 0
 			} });
 			if (!parsedResponse?.extract) throw new Error("Invalid SAML response structure");
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
+				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -2705,8 +2744,7 @@ const acsEndpoint = (options) => {
 						inResponseTo: inResponseToAcs,
 						providerId
 					});
-					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
+					throw ctx.redirect(`${safeErrorUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
 				}
 				if (storedRequest.providerId !== providerId) {
 					ctx.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
@@ -2715,17 +2753,15 @@ const acsEndpoint = (options) => {
 						actualProvider: providerId
 					});
 					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
-					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
+					throw ctx.redirect(`${safeErrorUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
 				}
 				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
 			} else if (!allowIdpInitiated) {
 				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId });
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
+				throw ctx.redirect(`${safeErrorUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
-		const assertionIdAcs = extractAssertionId(Buffer.from(SAMLResponse, "base64").toString("utf-8"));
+		const assertionIdAcs = extractAssertionId(new TextDecoder().decode(base64.decode(SAMLResponse)));
 		if (assertionIdAcs) {
 			const issuer = idp.entityMeta.getEntityID();
 			const conditions = extract.conditions;
@@ -2747,8 +2783,7 @@ const acsEndpoint = (options) => {
 					issuer,
 					providerId
 				});
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-				throw ctx.redirect(`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
+				throw ctx.redirect(`${safeErrorUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
 			}
 			await ctx.context.internalAdapter.createVerificationValue({
 				identifier: `${USED_ASSERTION_KEY_PREFIX}${assertionIdAcs}`,
@@ -2781,7 +2816,7 @@ const acsEndpoint = (options) => {
 			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 		}
 		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
-		const callbackUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+		const safeCallbackUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, isTrusted);
 		const result = await handleOAuthUserInfo(ctx, {
 			userInfo: {
 				email: userInfo.email,
@@ -2795,11 +2830,11 @@ const acsEndpoint = (options) => {
 				accessToken: "",
 				refreshToken: ""
 			},
-			callbackURL: callbackUrl,
+			callbackURL: safeCallbackUrl,
 			disableSignUp: options?.disableImplicitSignUp,
 			isTrustedProvider
 		});
-		if (result.error) throw ctx.redirect(`${callbackUrl}?error=${result.error.split(" ").join("_")}`);
+		if (result.error) throw ctx.redirect(`${safeCallbackUrl}?error=${result.error.split(" ").join("_")}`);
 		const { session, user } = result.data;
 		if (options?.provisionUser) await options.provisionUser({
 			user,
@@ -2823,7 +2858,7 @@ const acsEndpoint = (options) => {
 			session,
 			user
 		});
-		throw ctx.redirect(callbackUrl);
+		throw ctx.redirect(safeCallbackUrl);
 	});
 };