@better-auth/sso 1.4.7-beta.4 → 1.4.8-beta.1

package/dist/index.mjs

@@ -1,56 +1,102 @@
-import { XMLValidator } from "fast-xml-parser";
+import { APIError, createAuthEndpoint, createAuthMiddleware, sessionMiddleware } from "better-auth/api";
+import { XMLParser, XMLValidator } from "fast-xml-parser";
 import * as saml from "samlify";
-import { APIError, createAuthEndpoint, sessionMiddleware } from "better-auth/api";
 import { generateRandomString } from "better-auth/crypto";
-import * as z from "zod/v4";
+import * as z$1 from "zod/v4";
+import z from "zod/v4";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { HIDE_METADATA, createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
 
-//#region src/authn-request-store.ts
+//#region src/linking/org-assignment.ts
 /**
-* Default TTL for AuthnRequest records (5 minutes).
-* This should be sufficient for most IdPs while protecting against stale requests.
+* Assigns a user to an organization based on the SSO provider's organizationId.
+* Used in SSO flows (OIDC, SAML) where the provider is already linked to an org.
 */
-const DEFAULT_AUTHN_REQUEST_TTL_MS = 300 * 1e3;
+async function assignOrganizationFromProvider(ctx, options) {
+	const { user, profile, provider, token, provisioningOptions } = options;
+	if (!provider.organizationId) return;
+	if (provisioningOptions?.disabled) return;
+	if (!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) return;
+	if (await ctx.context.adapter.findOne({
+		model: "member",
+		where: [{
+			field: "organizationId",
+			value: provider.organizationId
+		}, {
+			field: "userId",
+			value: user.id
+		}]
+	})) return;
+	const role = provisioningOptions?.getRole ? await provisioningOptions.getRole({
+		user,
+		userInfo: profile.rawAttributes || {},
+		token,
+		provider
+	}) : provisioningOptions?.defaultRole || "member";
+	await ctx.context.adapter.create({
+		model: "member",
+		data: {
+			organizationId: provider.organizationId,
+			userId: user.id,
+			role,
+			createdAt: /* @__PURE__ */ new Date()
+		}
+	});
+}
 /**
-* In-memory implementation of AuthnRequestStore.
-* ⚠️ Only suitable for testing or single-instance non-serverless deployments.
-* For production, rely on the default behavior (uses verification table)
-* or provide a custom Redis-backed store.
+* Assigns a user to an organization based on their email domain.
+* Looks up SSO providers that match the user's email domain and assigns
+* the user to the associated organization.
+*
+* This enables domain-based org assignment for non-SSO sign-in methods
+* (e.g., Google OAuth with @acme.com email gets added to Acme's org).
 */
-function createInMemoryAuthnRequestStore() {
-	const store = /* @__PURE__ */ new Map();
-	const cleanup = () => {
-		const now = Date.now();
-		for (const [id, record] of store.entries()) if (record.expiresAt < now) store.delete(id);
-	};
-	const cleanupInterval = setInterval(cleanup, 60 * 1e3);
-	if (typeof cleanupInterval.unref === "function") cleanupInterval.unref();
-	return {
-		async save(record) {
-			store.set(record.id, record);
-		},
-		async get(id) {
-			const record = store.get(id);
-			if (!record) return null;
-			if (record.expiresAt < Date.now()) {
-				store.delete(id);
-				return null;
-			}
-			return record;
-		},
-		async delete(id) {
-			store.delete(id);
+async function assignOrganizationByDomain(ctx, options) {
+	const { user, provisioningOptions } = options;
+	if (provisioningOptions?.disabled) return;
+	if (!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) return;
+	const domain = user.email.split("@")[1];
+	if (!domain) return;
+	const ssoProvider = await ctx.context.adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "domain",
+			value: domain
+		}]
+	});
+	if (!ssoProvider || !ssoProvider.organizationId) return;
+	if (await ctx.context.adapter.findOne({
+		model: "member",
+		where: [{
+			field: "organizationId",
+			value: ssoProvider.organizationId
+		}, {
+			field: "userId",
+			value: user.id
+		}]
+	})) return;
+	const role = provisioningOptions?.getRole ? await provisioningOptions.getRole({
+		user,
+		userInfo: {},
+		provider: ssoProvider
+	}) : provisioningOptions?.defaultRole || "member";
+	await ctx.context.adapter.create({
+		model: "member",
+		data: {
+			organizationId: ssoProvider.organizationId,
+			userId: user.id,
+			role,
+			createdAt: /* @__PURE__ */ new Date()
 		}
-	};
+	});
 }
 
 //#endregion
 //#region src/routes/domain-verification.ts
-const domainVerificationBodySchema = z.object({ providerId: z.string() });
+const domainVerificationBodySchema = z$1.object({ providerId: z$1.string() });
 const requestDomainVerification = (options) => {
 	return createAuthEndpoint("/sso/request-domain-verification", {
 		method: "POST",
@@ -223,6 +269,38 @@ const verifyDomain = (options) => {
 	});
 };
 
+//#endregion
+//#region src/constants.ts
+/**
+* SAML Constants
+*
+* Centralized constants for SAML SSO functionality.
+*/
+/** Prefix for AuthnRequest IDs used in InResponseTo validation */
+const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
+/** Prefix for used Assertion IDs used in replay protection */
+const USED_ASSERTION_KEY_PREFIX = "saml-used-assertion:";
+/**
+* Default TTL for AuthnRequest records (5 minutes).
+* This should be sufficient for most IdPs while protecting against stale requests.
+*/
+const DEFAULT_AUTHN_REQUEST_TTL_MS = 300 * 1e3;
+/**
+* Default TTL for used assertion records (15 minutes).
+* This should match the maximum expected NotOnOrAfter window plus clock skew.
+*/
+const DEFAULT_ASSERTION_TTL_MS = 900 * 1e3;
+/**
+* Default clock skew tolerance (5 minutes).
+* Allows for minor time differences between IdP and SP servers.
+*
+* Accommodates:
+* - Network latency and processing time
+* - Clock synchronization differences (NTP drift)
+* - Distributed systems across timezones
+*/
+const DEFAULT_CLOCK_SKEW_MS = 300 * 1e3;
+
 //#endregion
 //#region src/oidc/types.ts
 /**
@@ -268,24 +346,25 @@ const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
 *
 * This function:
 * 1. Computes the discovery URL from the issuer
-* 2. Validates the discovery URL (stub for now)
+* 2. Validates the discovery URL
 * 3. Fetches the discovery document
 * 4. Validates the discovery document (issuer match + required fields)
-* 5. Normalizes URLs (stub for now)
+* 5. Normalizes URLs
 * 6. Selects token endpoint auth method
 * 7. Merges with existing config (existing values take precedence)
 *
 * @param params - Discovery parameters
+* @param isTrustedOrigin - Origin verification tester function
 * @returns Hydrated OIDC configuration ready for persistence
 * @throws DiscoveryError on any failure
 */
 async function discoverOIDCConfig(params) {
 	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
 	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
-	validateDiscoveryUrl(discoveryUrl);
+	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
 	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
 	validateDiscoveryDocument(discoveryDoc, issuer);
-	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer);
+	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
 	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
 	return {
 		issuer: existingConfig?.issuer ?? normalizedDoc.issuer,
@@ -313,19 +392,12 @@ function computeDiscoveryUrl(issuer) {
 * Validate a discovery URL before fetching.
 *
 * @param url - The discovery URL to validate
+* @param isTrustedOrigin - Origin verification tester function
 * @throws DiscoveryError if URL is invalid
 */
-function validateDiscoveryUrl(url) {
-	try {
-		const parsed = new URL(url);
-		if (parsed.protocol !== "https:" && parsed.protocol !== "http:") throw new DiscoveryError("discovery_invalid_url", `Discovery URL must use HTTP or HTTPS protocol: ${url}`, {
-			url,
-			protocol: parsed.protocol
-		});
-	} catch (error) {
-		if (error instanceof DiscoveryError) throw error;
-		throw new DiscoveryError("discovery_invalid_url", `Invalid discovery URL: ${url}`, { url }, { cause: error });
-	}
+function validateDiscoveryUrl(url, isTrustedOrigin) {
+	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
+	if (!isTrustedOrigin(discoveryEndpoint)) throw new DiscoveryError("discovery_untrusted_origin", `The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`, { url: discoveryEndpoint });
 }
 /**
 * Fetch the OIDC discovery document from the IdP.
@@ -399,22 +471,76 @@ function validateDiscoveryDocument(doc, configuredIssuer) {
 /**
 * Normalize URLs in the discovery document.
 *
-* @param doc - The discovery document
-* @param _issuerBase - The base issuer URL
+* @param document - The discovery document
+* @param issuer - The base issuer URL
+* @param isTrustedOrigin - Origin verification tester function
 * @returns The normalized discovery document
 */
-function normalizeDiscoveryUrls(doc, _issuerBase) {
+function normalizeDiscoveryUrls(document, issuer, isTrustedOrigin) {
+	const doc = { ...document };
+	doc.token_endpoint = normalizeAndValidateUrl("token_endpoint", doc.token_endpoint, issuer, isTrustedOrigin);
+	doc.authorization_endpoint = normalizeAndValidateUrl("authorization_endpoint", doc.authorization_endpoint, issuer, isTrustedOrigin);
+	doc.jwks_uri = normalizeAndValidateUrl("jwks_uri", doc.jwks_uri, issuer, isTrustedOrigin);
+	if (doc.userinfo_endpoint) doc.userinfo_endpoint = normalizeAndValidateUrl("userinfo_endpoint", doc.userinfo_endpoint, issuer, isTrustedOrigin);
+	if (doc.revocation_endpoint) doc.revocation_endpoint = normalizeAndValidateUrl("revocation_endpoint", doc.revocation_endpoint, issuer, isTrustedOrigin);
+	if (doc.end_session_endpoint) doc.end_session_endpoint = normalizeAndValidateUrl("end_session_endpoint", doc.end_session_endpoint, issuer, isTrustedOrigin);
+	if (doc.introspection_endpoint) doc.introspection_endpoint = normalizeAndValidateUrl("introspection_endpoint", doc.introspection_endpoint, issuer, isTrustedOrigin);
 	return doc;
 }
 /**
+* Normalizes and validates a single URL endpoint
+* @param name The url name
+* @param endpoint The url to validate
+* @param issuer The issuer base url
+* @param isTrustedOrigin - Origin verification tester function
+* @returns
+*/
+function normalizeAndValidateUrl(name, endpoint, issuer, isTrustedOrigin) {
+	const url = normalizeUrl(name, endpoint, issuer);
+	if (!isTrustedOrigin(url)) throw new DiscoveryError("discovery_untrusted_origin", `The ${name} "${url}" is not trusted by your trusted origins configuration.`, {
+		endpoint: name,
+		url
+	});
+	return url;
+}
+/**
 * Normalize a single URL endpoint.
 *
+* @param name - The endpoint name (e.g token_endpoint)
 * @param endpoint - The endpoint URL to normalize
-* @param _issuerBase - The base issuer URL
+* @param issuer - The base issuer URL
 * @returns The normalized endpoint URL
 */
-function normalizeUrl(endpoint, _issuerBase) {
-	return endpoint;
+function normalizeUrl(name, endpoint, issuer) {
+	try {
+		return parseURL(name, endpoint).toString();
+	} catch {
+		const issuerURL = parseURL(name, issuer);
+		const basePath = issuerURL.pathname.replace(/\/+$/, "");
+		const endpointPath = endpoint.replace(/^\/+/, "");
+		return parseURL(name, basePath + "/" + endpointPath, issuerURL.origin).toString();
+	}
+}
+/**
+* Parses the given URL or throws in case of invalid or unsupported protocols
+*
+* @param name the url name
+* @param endpoint the endpoint url
+* @param [base] optional base path
+* @returns
+*/
+function parseURL(name, endpoint, base) {
+	let endpointURL;
+	try {
+		endpointURL = new URL(endpoint, base);
+		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") return endpointURL;
+	} catch (error) {
+		throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must be valid: ${endpoint}`, { url: endpoint }, { cause: error });
+	}
+	throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must use the http or https supported protocols: ${endpoint}`, {
+		url: endpoint,
+		protocol: endpointURL.protocol
+	});
 }
 /**
 * Select the token endpoint authentication method.
@@ -492,6 +618,10 @@ function mapDiscoveryErrorToAPIError(error) {
 			message: `Invalid OIDC discovery URL: ${error.message}`,
 			code: error.code
 		});
+		case "discovery_untrusted_origin": return new APIError("BAD_REQUEST", {
+			message: `Untrusted OIDC discovery URL: ${error.message}`,
+			code: error.code
+		});
 		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
 			message: `OIDC discovery returned invalid data: ${error.message}`,
 			code: error.code
@@ -517,6 +647,146 @@ function mapDiscoveryErrorToAPIError(error) {
 	}
 }
 
+//#endregion
+//#region src/saml/algorithms.ts
+const SignatureAlgorithm = {
+	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
+	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
+	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
+};
+const DigestAlgorithm = {
+	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
+	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
+	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
+};
+const KeyEncryptionAlgorithm = {
+	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
+	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
+};
+const DataEncryptionAlgorithm = {
+	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
+	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
+	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
+	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
+	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
+	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
+};
+const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
+const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
+const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
+const SECURE_SIGNATURE_ALGORITHMS = [
+	SignatureAlgorithm.RSA_SHA256,
+	SignatureAlgorithm.RSA_SHA384,
+	SignatureAlgorithm.RSA_SHA512,
+	SignatureAlgorithm.ECDSA_SHA256,
+	SignatureAlgorithm.ECDSA_SHA384,
+	SignatureAlgorithm.ECDSA_SHA512
+];
+const xmlParser = new XMLParser({
+	ignoreAttributes: false,
+	attributeNamePrefix: "@_",
+	removeNSPrefix: true
+});
+function findNode(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return null;
+	const record = obj;
+	if (nodeName in record) return record[nodeName];
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
+		const found = findNode(item, nodeName);
+		if (found) return found;
+	}
+	else if (typeof value === "object" && value !== null) {
+		const found = findNode(value, nodeName);
+		if (found) return found;
+	}
+	return null;
+}
+function extractEncryptionAlgorithms(xml) {
+	try {
+		const parsed = xmlParser.parse(xml);
+		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
+		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
+		return {
+			keyEncryption: keyAlg || null,
+			dataEncryption: dataAlg || null
+		};
+	} catch {
+		return {
+			keyEncryption: null,
+			dataEncryption: null
+		};
+	}
+}
+function hasEncryptedAssertion(xml) {
+	try {
+		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
+	} catch {
+		return false;
+	}
+}
+function handleDeprecatedAlgorithm(message, behavior, errorCode) {
+	switch (behavior) {
+		case "reject": throw new APIError("BAD_REQUEST", {
+			message,
+			code: errorCode
+		});
+		case "warn":
+			console.warn(`[SAML Security Warning] ${message}`);
+			break;
+		case "allow": break;
+	}
+}
+function validateSignatureAlgorithm(algorithm, options = {}) {
+	if (!algorithm) return;
+	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
+	if (allowedSignatureAlgorithms) {
+		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
+			code: "SAML_ALGORITHM_NOT_ALLOWED"
+		});
+		return;
+	}
+	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
+		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+		return;
+	}
+	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+		message: `SAML signature algorithm not recognized: ${algorithm}`,
+		code: "SAML_UNKNOWN_ALGORITHM"
+	});
+}
+function validateEncryptionAlgorithms(algorithms, options = {}) {
+	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
+	const { keyEncryption, dataEncryption } = algorithms;
+	if (keyEncryption) {
+		if (allowedKeyEncryptionAlgorithms) {
+			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+	if (dataEncryption) {
+		if (allowedDataEncryptionAlgorithms) {
+			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+}
+function validateSAMLAlgorithms(response, options) {
+	validateSignatureAlgorithm(response.sigAlg, options);
+	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
+}
+
 //#endregion
 //#region src/utils.ts
 /**
@@ -547,9 +817,6 @@ const validateEmailDomain = (email, domain) => {
 
 //#endregion
 //#region src/routes/sso.ts
-const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
-/** Default clock skew tolerance: 5 minutes */
-const DEFAULT_CLOCK_SKEW_MS = 300 * 1e3;
 /**
 * Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
 * Prevents acceptance of expired or future-dated assertions.
@@ -589,6 +856,27 @@ function validateSAMLTimestamp(conditions, options = {}) {
 		});
 	}
 }
+/**
+* Extracts the Assertion ID from a SAML response XML.
+* Returns null if the assertion ID cannot be found.
+*/
+function extractAssertionId(samlContent) {
+	try {
+		const parsed = new XMLParser({
+			ignoreAttributes: false,
+			attributeNamePrefix: "@_",
+			removeNSPrefix: true
+		}).parse(samlContent);
+		const response = parsed.Response || parsed["samlp:Response"];
+		if (!response) return null;
+		const rawAssertion = response.Assertion || response["saml:Assertion"];
+		const assertion = Array.isArray(rawAssertion) ? rawAssertion[0] : rawAssertion;
+		if (!assertion) return null;
+		return assertion["@_ID"] || null;
+	} catch {
+		return null;
+	}
+}
 const spMetadataQuerySchema = z.object({
 	providerId: z.string(),
 	format: z.enum(["xml", "json"]).default("xml")
@@ -918,7 +1206,8 @@ const registerSSOProvider = (options) => {
 					jwksEndpoint: body.oidcConfig.jwksEndpoint,
 					userInfoEndpoint: body.oidcConfig.userInfoEndpoint,
 					tokenEndpointAuthentication: body.oidcConfig.tokenEndpointAuthentication
-				}
+				},
+				isTrustedOrigin: ctx.context.isTrustedOrigin
 			});
 		} catch (error) {
 			if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
@@ -1195,7 +1484,7 @@ const signInSSO = (options) => {
 			});
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
 			if (!loginRequest) throw new APIError("BAD_REQUEST", { message: "Invalid SAML request" });
-			if (loginRequest.id && (options?.saml?.authnRequestStore || options?.saml?.enableInResponseToValidation)) {
+			if (loginRequest.id && options?.saml?.enableInResponseToValidation) {
 				const ttl = options?.saml?.requestTTL ?? DEFAULT_AUTHN_REQUEST_TTL_MS;
 				const record = {
 					id: loginRequest.id,
@@ -1203,8 +1492,7 @@ const signInSSO = (options) => {
 					createdAt: Date.now(),
 					expiresAt: Date.now() + ttl
 				};
-				if (options?.saml?.authnRequestStore) await options.saml.authnRequestStore.save(record);
-				else await ctx.context.internalAdapter.createVerificationValue({
+				await ctx.context.internalAdapter.createVerificationValue({
 					identifier: `${AUTHN_REQUEST_KEY_PREFIX}${record.id}`,
 					value: JSON.stringify(record),
 					expiresAt: new Date(record.expiresAt)
@@ -1362,37 +1650,20 @@ const callbackSSO = (options) => {
 			token: tokenResponse,
 			provider
 		});
-		if (provider.organizationId && !options?.organizationProvisioning?.disabled) {
-			if (ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) {
-				if (!await ctx.context.adapter.findOne({
-					model: "member",
-					where: [{
-						field: "organizationId",
-						value: provider.organizationId
-					}, {
-						field: "userId",
-						value: user.id
-					}]
-				})) {
-					const role = options?.organizationProvisioning?.getRole ? await options.organizationProvisioning.getRole({
-						user,
-						userInfo,
-						token: tokenResponse,
-						provider
-					}) : options?.organizationProvisioning?.defaultRole || "member";
-					await ctx.context.adapter.create({
-						model: "member",
-						data: {
-							organizationId: provider.organizationId,
-							userId: user.id,
-							role,
-							createdAt: /* @__PURE__ */ new Date(),
-							updatedAt: /* @__PURE__ */ new Date()
-						}
-					});
-				}
-			}
-		}
+		await assignOrganizationFromProvider(ctx, {
+			user,
+			profile: {
+				providerType: "oidc",
+				providerId: provider.providerId,
+				accountId: userInfo.id,
+				email: userInfo.email,
+				emailVerified: Boolean(userInfo.emailVerified),
+				rawAttributes: userInfo
+			},
+			provider,
+			token: tokenResponse,
+			provisioningOptions: options?.organizationProvisioning
+		});
 		await setSessionCookie(ctx, {
 			session,
 			user
@@ -1514,25 +1785,23 @@ const callbackSSOSAML = (options) => {
 			});
 		}
 		const { extract } = parsedResponse;
+		validateSAMLAlgorithms(parsedResponse, options?.saml?.algorithms);
 		validateSAMLTimestamp(extract.conditions, {
 			clockSkew: options?.saml?.clockSkew,
 			requireTimestamps: options?.saml?.requireTimestamps,
 			logger: ctx.context.logger
 		});
 		const inResponseTo = extract.inResponseTo;
-		if (options?.saml?.authnRequestStore || options?.saml?.enableInResponseToValidation) {
+		if (options?.saml?.enableInResponseToValidation) {
 			const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
 			if (inResponseTo) {
 				let storedRequest = null;
-				if (options?.saml?.authnRequestStore) storedRequest = await options.saml.authnRequestStore.get(inResponseTo);
-				else {
-					const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-					if (verification) try {
-						storedRequest = JSON.parse(verification.value);
-						if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
-					} catch {
-						storedRequest = null;
-					}
+				const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+				if (verification) try {
+					storedRequest = JSON.parse(verification.value);
+					if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
+				} catch {
+					storedRequest = null;
 				}
 				if (!storedRequest) {
 					ctx.context.logger.error("SAML InResponseTo validation failed: unknown or expired request ID", {
@@ -1548,19 +1817,55 @@ const callbackSSOSAML = (options) => {
 						expectedProvider: storedRequest.providerId,
 						actualProvider: provider.providerId
 					});
-					if (options?.saml?.authnRequestStore) await options.saml.authnRequestStore.delete(inResponseTo);
-					else await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
 				}
-				if (options?.saml?.authnRequestStore) await options.saml.authnRequestStore.delete(inResponseTo);
-				else await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 			} else if (!allowIdpInitiated) {
 				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId: provider.providerId });
 				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
+		const samlContent = parsedResponse.samlContent;
+		const assertionId = samlContent ? extractAssertionId(samlContent) : null;
+		if (assertionId) {
+			const issuer = idp.entityMeta.getEntityID();
+			const conditions = extract.conditions;
+			const clockSkew = options?.saml?.clockSkew ?? DEFAULT_CLOCK_SKEW_MS;
+			const expiresAt = conditions?.notOnOrAfter ? new Date(conditions.notOnOrAfter).getTime() + clockSkew : Date.now() + DEFAULT_ASSERTION_TTL_MS;
+			const existingAssertion = await ctx.context.internalAdapter.findVerificationValue(`${USED_ASSERTION_KEY_PREFIX}${assertionId}`);
+			let isReplay = false;
+			if (existingAssertion) try {
+				if (JSON.parse(existingAssertion.value).expiresAt >= Date.now()) isReplay = true;
+			} catch (error) {
+				ctx.context.logger.warn("Failed to parse stored assertion record", {
+					assertionId,
+					error
+				});
+			}
+			if (isReplay) {
+				ctx.context.logger.error("SAML assertion replay detected: assertion ID already used", {
+					assertionId,
+					issuer,
+					providerId: provider.providerId
+				});
+				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				throw ctx.redirect(`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
+			}
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: `${USED_ASSERTION_KEY_PREFIX}${assertionId}`,
+				value: JSON.stringify({
+					assertionId,
+					issuer,
+					providerId: provider.providerId,
+					usedAt: Date.now(),
+					expiresAt
+				}),
+				expiresAt: new Date(expiresAt)
+			});
+		} else ctx.context.logger.warn("Could not extract assertion ID for replay protection", { providerId: provider.providerId });
 		const attributes = extract.attributes || {};
 		const mapping = parsedSamlConfig.mapping ?? {};
 		const userInfo = {
@@ -1579,100 +1884,49 @@ const callbackSSOSAML = (options) => {
 			});
 			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 		}
-		let user;
-		const existingUser = await ctx.context.adapter.findOne({
-			model: "user",
-			where: [{
-				field: "email",
-				value: userInfo.email
-			}]
-		});
-		if (existingUser) {
-			if (!await ctx.context.adapter.findOne({
-				model: "account",
-				where: [
-					{
-						field: "userId",
-						value: existingUser.id
-					},
-					{
-						field: "providerId",
-						value: provider.providerId
-					},
-					{
-						field: "accountId",
-						value: userInfo.id
-					}
-				]
-			})) {
-				if (!(ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain))) {
-					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-					throw ctx.redirect(`${redirectUrl}?error=account_not_linked`);
-				}
-				await ctx.context.internalAdapter.createAccount({
-					userId: existingUser.id,
-					providerId: provider.providerId,
-					accountId: userInfo.id,
-					accessToken: "",
-					refreshToken: ""
-				});
-			}
-			user = existingUser;
-		} else {
-			if (options?.disableImplicitSignUp) throw new APIError("UNAUTHORIZED", { message: "User not found and implicit sign up is disabled for this provider" });
-			user = await ctx.context.internalAdapter.createUser({
+		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+		const callbackUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+		const result = await handleOAuthUserInfo(ctx, {
+			userInfo: {
 				email: userInfo.email,
-				name: userInfo.name,
-				emailVerified: userInfo.emailVerified
-			});
-			await ctx.context.internalAdapter.createAccount({
-				userId: user.id,
+				name: userInfo.name || userInfo.email,
+				id: userInfo.id,
+				emailVerified: Boolean(userInfo.emailVerified)
+			},
+			account: {
 				providerId: provider.providerId,
 				accountId: userInfo.id,
 				accessToken: "",
 				refreshToken: ""
-			});
-		}
+			},
+			callbackURL: callbackUrl,
+			disableSignUp: options?.disableImplicitSignUp,
+			isTrustedProvider
+		});
+		if (result.error) throw ctx.redirect(`${callbackUrl}?error=${result.error.split(" ").join("_")}`);
+		const { session, user } = result.data;
 		if (options?.provisionUser) await options.provisionUser({
 			user,
 			userInfo,
 			provider
 		});
-		if (provider.organizationId && !options?.organizationProvisioning?.disabled) {
-			if (ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) {
-				if (!await ctx.context.adapter.findOne({
-					model: "member",
-					where: [{
-						field: "organizationId",
-						value: provider.organizationId
-					}, {
-						field: "userId",
-						value: user.id
-					}]
-				})) {
-					const role = options?.organizationProvisioning?.getRole ? await options.organizationProvisioning.getRole({
-						user,
-						userInfo,
-						provider
-					}) : options?.organizationProvisioning?.defaultRole || "member";
-					await ctx.context.adapter.create({
-						model: "member",
-						data: {
-							organizationId: provider.organizationId,
-							userId: user.id,
-							role,
-							createdAt: /* @__PURE__ */ new Date(),
-							updatedAt: /* @__PURE__ */ new Date()
-						}
-					});
-				}
-			}
-		}
+		await assignOrganizationFromProvider(ctx, {
+			user,
+			profile: {
+				providerType: "saml",
+				providerId: provider.providerId,
+				accountId: userInfo.id,
+				email: userInfo.email,
+				emailVerified: Boolean(userInfo.emailVerified),
+				rawAttributes: attributes
+			},
+			provider,
+			provisioningOptions: options?.organizationProvisioning
+		});
 		await setSessionCookie(ctx, {
-			session: await ctx.context.internalAdapter.createSession(user.id),
+			session,
 			user
 		});
-		const callbackUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 		throw ctx.redirect(callbackUrl);
 	});
 };
@@ -1765,25 +2019,23 @@ const acsEndpoint = (options) => {
 			});
 		}
 		const { extract } = parsedResponse;
+		validateSAMLAlgorithms(parsedResponse, options?.saml?.algorithms);
 		validateSAMLTimestamp(extract.conditions, {
 			clockSkew: options?.saml?.clockSkew,
 			requireTimestamps: options?.saml?.requireTimestamps,
 			logger: ctx.context.logger
 		});
 		const inResponseToAcs = extract.inResponseTo;
-		if (options?.saml?.authnRequestStore || options?.saml?.enableInResponseToValidation) {
+		if (options?.saml?.enableInResponseToValidation) {
 			const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
 			if (inResponseToAcs) {
 				let storedRequest = null;
-				if (options?.saml?.authnRequestStore) storedRequest = await options.saml.authnRequestStore.get(inResponseToAcs);
-				else {
-					const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
-					if (verification) try {
-						storedRequest = JSON.parse(verification.value);
-						if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
-					} catch {
-						storedRequest = null;
-					}
+				const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
+				if (verification) try {
+					storedRequest = JSON.parse(verification.value);
+					if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
+				} catch {
+					storedRequest = null;
 				}
 				if (!storedRequest) {
 					ctx.context.logger.error("SAML InResponseTo validation failed: unknown or expired request ID", {
@@ -1799,19 +2051,54 @@ const acsEndpoint = (options) => {
 						expectedProvider: storedRequest.providerId,
 						actualProvider: providerId
 					});
-					if (options?.saml?.authnRequestStore) await options.saml.authnRequestStore.delete(inResponseToAcs);
-					else await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
+					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
 					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
 				}
-				if (options?.saml?.authnRequestStore) await options.saml.authnRequestStore.delete(inResponseToAcs);
-				else await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
+				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
 			} else if (!allowIdpInitiated) {
 				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId });
 				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
+		const assertionIdAcs = extractAssertionId(Buffer.from(SAMLResponse, "base64").toString("utf-8"));
+		if (assertionIdAcs) {
+			const issuer = idp.entityMeta.getEntityID();
+			const conditions = extract.conditions;
+			const clockSkew = options?.saml?.clockSkew ?? DEFAULT_CLOCK_SKEW_MS;
+			const expiresAt = conditions?.notOnOrAfter ? new Date(conditions.notOnOrAfter).getTime() + clockSkew : Date.now() + DEFAULT_ASSERTION_TTL_MS;
+			const existingAssertion = await ctx.context.internalAdapter.findVerificationValue(`${USED_ASSERTION_KEY_PREFIX}${assertionIdAcs}`);
+			let isReplay = false;
+			if (existingAssertion) try {
+				if (JSON.parse(existingAssertion.value).expiresAt >= Date.now()) isReplay = true;
+			} catch (error) {
+				ctx.context.logger.warn("Failed to parse stored assertion record", {
+					assertionId: assertionIdAcs,
+					error
+				});
+			}
+			if (isReplay) {
+				ctx.context.logger.error("SAML assertion replay detected: assertion ID already used", {
+					assertionId: assertionIdAcs,
+					issuer,
+					providerId
+				});
+				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				throw ctx.redirect(`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
+			}
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: `${USED_ASSERTION_KEY_PREFIX}${assertionIdAcs}`,
+				value: JSON.stringify({
+					assertionId: assertionIdAcs,
+					issuer,
+					providerId,
+					usedAt: Date.now(),
+					expiresAt
+				}),
+				expiresAt: new Date(expiresAt)
+			});
+		} else ctx.context.logger.warn("Could not extract assertion ID for replay protection", { providerId });
 		const attributes = extract.attributes || {};
 		const mapping = parsedSamlConfig.mapping ?? {};
 		const userInfo = {
@@ -1830,99 +2117,49 @@ const acsEndpoint = (options) => {
 			});
 			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 		}
-		let user;
-		const existingUser = await ctx.context.adapter.findOne({
-			model: "user",
-			where: [{
-				field: "email",
-				value: userInfo.email
-			}]
-		});
-		if (existingUser) {
-			if (!await ctx.context.adapter.findOne({
-				model: "account",
-				where: [
-					{
-						field: "userId",
-						value: existingUser.id
-					},
-					{
-						field: "providerId",
-						value: provider.providerId
-					},
-					{
-						field: "accountId",
-						value: userInfo.id
-					}
-				]
-			})) {
-				if (!(ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain))) throw ctx.redirect(`${parsedSamlConfig.callbackUrl}?error=account_not_found`);
-				await ctx.context.internalAdapter.createAccount({
-					userId: existingUser.id,
-					providerId: provider.providerId,
-					accountId: userInfo.id,
-					accessToken: "",
-					refreshToken: ""
-				});
-			}
-			user = existingUser;
-		} else {
-			user = await ctx.context.internalAdapter.createUser({
+		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+		const callbackUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+		const result = await handleOAuthUserInfo(ctx, {
+			userInfo: {
 				email: userInfo.email,
-				name: userInfo.name,
-				emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
-			});
-			await ctx.context.internalAdapter.createAccount({
-				userId: user.id,
+				name: userInfo.name || userInfo.email,
+				id: userInfo.id,
+				emailVerified: Boolean(userInfo.emailVerified)
+			},
+			account: {
 				providerId: provider.providerId,
 				accountId: userInfo.id,
 				accessToken: "",
-				refreshToken: "",
-				accessTokenExpiresAt: /* @__PURE__ */ new Date(),
-				refreshTokenExpiresAt: /* @__PURE__ */ new Date(),
-				scope: ""
-			});
-		}
+				refreshToken: ""
+			},
+			callbackURL: callbackUrl,
+			disableSignUp: options?.disableImplicitSignUp,
+			isTrustedProvider
+		});
+		if (result.error) throw ctx.redirect(`${callbackUrl}?error=${result.error.split(" ").join("_")}`);
+		const { session, user } = result.data;
 		if (options?.provisionUser) await options.provisionUser({
 			user,
 			userInfo,
 			provider
 		});
-		if (provider.organizationId && !options?.organizationProvisioning?.disabled) {
-			if (ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) {
-				if (!await ctx.context.adapter.findOne({
-					model: "member",
-					where: [{
-						field: "organizationId",
-						value: provider.organizationId
-					}, {
-						field: "userId",
-						value: user.id
-					}]
-				})) {
-					const role = options?.organizationProvisioning?.getRole ? await options.organizationProvisioning.getRole({
-						user,
-						userInfo,
-						provider
-					}) : options?.organizationProvisioning?.defaultRole || "member";
-					await ctx.context.adapter.create({
-						model: "member",
-						data: {
-							organizationId: provider.organizationId,
-							userId: user.id,
-							role,
-							createdAt: /* @__PURE__ */ new Date(),
-							updatedAt: /* @__PURE__ */ new Date()
-						}
-					});
-				}
-			}
-		}
+		await assignOrganizationFromProvider(ctx, {
+			user,
+			profile: {
+				providerType: "saml",
+				providerId: provider.providerId,
+				accountId: userInfo.id,
+				email: userInfo.email,
+				emailVerified: Boolean(userInfo.emailVerified),
+				rawAttributes: attributes
+			},
+			provider,
+			provisioningOptions: options?.organizationProvisioning
+		});
 		await setSessionCookie(ctx, {
-			session: await ctx.context.internalAdapter.createSession(user.id),
+			session,
 			user
 		});
-		const callbackUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 		throw ctx.redirect(callbackUrl);
 	});
 };
@@ -1956,6 +2193,20 @@ function sso(options) {
 	return {
 		id: "sso",
 		endpoints,
+		hooks: { after: [{
+			matcher(context) {
+				return context.path?.startsWith("/callback/") ?? false;
+			},
+			handler: createAuthMiddleware(async (ctx) => {
+				const newSession = ctx.context.newSession;
+				if (!newSession?.user) return;
+				if (!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) return;
+				await assignOrganizationByDomain(ctx, {
+					user: newSession.user,
+					provisioningOptions: options?.organizationProvisioning
+				});
+			})
+		}] },
 		schema: { ssoProvider: {
 			modelName: options?.modelName ?? "ssoProvider",
 			fields: {
@@ -2008,4 +2259,4 @@ function sso(options) {
 }
 
 //#endregion
-export { DEFAULT_AUTHN_REQUEST_TTL_MS, DEFAULT_CLOCK_SKEW_MS, DiscoveryError, REQUIRED_DISCOVERY_FIELDS, computeDiscoveryUrl, createInMemoryAuthnRequestStore, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+export { DataEncryptionAlgorithm, DigestAlgorithm, DiscoveryError, KeyEncryptionAlgorithm, REQUIRED_DISCOVERY_FIELDS, SignatureAlgorithm, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };