@better-auth/sso 1.4.8-beta.7 → 1.4.9

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/sso@1.4.8-beta.7 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.9 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -7,10 +7,10 @@
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             92.65 kB │ gzip: 18.13 kB
+ℹ dist/index.mjs             95.91 kB │ gzip: 18.60 kB
 ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
 ℹ dist/index.d.mts            1.48 kB │ gzip:  0.51 kB
-ℹ dist/client.d.mts           0.49 kB │ gzip:  0.30 kB
-ℹ dist/index-DNWhGQW-.d.mts  42.86 kB │ gzip:  8.79 kB
-ℹ 5 files, total: 137.63 kB
-✔ Build complete in 16370ms
+ℹ dist/client.d.mts           0.49 kB │ gzip:  0.29 kB
+ℹ dist/index-CvpS40sl.d.mts  43.12 kB │ gzip:  8.83 kB
+ℹ 5 files, total: 141.14 kB
+✔ Build complete in 22963ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-DNWhGQW-.mjs";
+import { t as SSOPlugin } from "./index-CvpS40sl.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-DNWhGQW-.d.mts → index-CvpS40sl.d.mts}

@@ -776,9 +776,17 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
 }, O["domainVerification"] extends {
   enabled: true;
 } ? {
+  redirectURI: string;
+  oidcConfig: OIDCConfig | null;
+  samlConfig: SAMLConfig | null;
+} & Omit<SSOProvider<O>, "oidcConfig" | "samlConfig"> & {
   domainVerified: boolean;
   domainVerificationToken: string;
-} & SSOProvider<O> : SSOProvider<O>>;
+} : {
+  redirectURI: string;
+  oidcConfig: OIDCConfig | null;
+  samlConfig: SAMLConfig | null;
+} & Omit<SSOProvider<O>, "oidcConfig" | "samlConfig">>;
 declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
   method: "POST";
   body: z.ZodObject<{

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as KeyEncryptionAlgorithm, C as SAMLConfig, D as DataEncryptionAlgorithm, E as AlgorithmValidationOptions, O as DeprecatedAlgorithmBehavior, S as OIDCConfig, T as SSOProvider, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as SignatureAlgorithm, k as DigestAlgorithm, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SSOOptions, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-DNWhGQW-.mjs";
+import { A as KeyEncryptionAlgorithm, C as SAMLConfig, D as DataEncryptionAlgorithm, E as AlgorithmValidationOptions, O as DeprecatedAlgorithmBehavior, S as OIDCConfig, T as SSOProvider, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as SignatureAlgorithm, k as DigestAlgorithm, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SSOOptions, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-CvpS40sl.mjs";
 export { AlgorithmValidationOptions, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs

@@ -4,6 +4,7 @@ import * as saml from "samlify";
 import { generateRandomString } from "better-auth/crypto";
 import * as z$1 from "zod/v4";
 import z from "zod/v4";
+import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { HIDE_METADATA, createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { setSessionCookie } from "better-auth/cookies";
@@ -686,6 +687,7 @@ const DataEncryptionAlgorithm = {
 const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
 const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
 const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
+const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
 const SECURE_SIGNATURE_ALGORITHMS = [
 	SignatureAlgorithm.RSA_SHA256,
 	SignatureAlgorithm.RSA_SHA384,
@@ -694,6 +696,36 @@ const SECURE_SIGNATURE_ALGORITHMS = [
 	SignatureAlgorithm.ECDSA_SHA384,
 	SignatureAlgorithm.ECDSA_SHA512
 ];
+const SECURE_DIGEST_ALGORITHMS = [
+	DigestAlgorithm.SHA256,
+	DigestAlgorithm.SHA384,
+	DigestAlgorithm.SHA512
+];
+const SHORT_FORM_SIGNATURE_TO_URI = {
+	sha1: SignatureAlgorithm.RSA_SHA1,
+	sha256: SignatureAlgorithm.RSA_SHA256,
+	sha384: SignatureAlgorithm.RSA_SHA384,
+	sha512: SignatureAlgorithm.RSA_SHA512,
+	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
+	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
+	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
+	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
+	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
+	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
+	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
+};
+const SHORT_FORM_DIGEST_TO_URI = {
+	sha1: DigestAlgorithm.SHA1,
+	sha256: DigestAlgorithm.SHA256,
+	sha384: DigestAlgorithm.SHA384,
+	sha512: DigestAlgorithm.SHA512
+};
+function normalizeSignatureAlgorithm(alg) {
+	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
+}
+function normalizeDigestAlgorithm(alg) {
+	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
+}
 const xmlParser = new XMLParser({
 	ignoreAttributes: false,
 	attributeNamePrefix: "@_",
@@ -791,6 +823,35 @@ function validateSAMLAlgorithms(response, options) {
 	validateSignatureAlgorithm(response.sigAlg, options);
 	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
 }
+function validateConfigAlgorithms(config, options = {}) {
+	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
+	if (config.signatureAlgorithm) {
+		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
+		if (allowedSignatureAlgorithms) {
+			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
+		});
+	}
+	if (config.digestAlgorithm) {
+		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
+		if (allowedDigestAlgorithms) {
+			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
+		});
+	}
+}
 
 //#endregion
 //#region src/utils.ts
@@ -1252,6 +1313,10 @@ const registerSSOProvider = (options) => {
 				overrideUserInfo: ctx.body.overrideUserInfo || options?.defaultOverrideUserInfo || false
 			});
 		};
+		if (body.samlConfig) validateConfigAlgorithms({
+			signatureAlgorithm: body.samlConfig.signatureAlgorithm,
+			digestAlgorithm: body.samlConfig.digestAlgorithm
+		}, options?.saml?.algorithms);
 		const provider = await ctx.context.adapter.create({
 			model: "ssoProvider",
 			data: {
@@ -1297,14 +1362,15 @@ const registerSSOProvider = (options) => {
 				}
 			});
 		}
-		return ctx.json({
+		const result = {
 			...provider,
 			oidcConfig: safeJsonParse(provider.oidcConfig),
 			samlConfig: safeJsonParse(provider.samlConfig),
 			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
 			...options?.domainVerification?.enabled ? { domainVerified } : {},
 			...options?.domainVerification?.enabled ? { domainVerificationToken } : {}
-		});
+		};
+		return ctx.json(result);
 	});
 };
 const signInSSOBodySchema = z.object({
@@ -1782,7 +1848,7 @@ const callbackSSOSAML = (options) => {
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
+				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -2016,7 +2082,7 @@ const acsEndpoint = (options) => {
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
+				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -2067,7 +2133,7 @@ const acsEndpoint = (options) => {
 				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
-		const assertionIdAcs = extractAssertionId(Buffer.from(SAMLResponse, "base64").toString("utf-8"));
+		const assertionIdAcs = extractAssertionId(new TextDecoder().decode(base64.decode(SAMLResponse)));
 		if (assertionIdAcs) {
 			const issuer = idp.entityMeta.getEntityID();
 			const conditions = extract.conditions;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.8-beta.7",
+  "version": "1.4.9",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -52,6 +52,7 @@
     }
   },
   "dependencies": {
+    "@better-auth/utils": "0.3.0",
     "@better-fetch/fetch": "1.1.21",
     "fast-xml-parser": "^5.2.5",
     "jose": "^6.1.0",
@@ -66,10 +67,10 @@
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.17.2",
-    "better-auth": "1.4.8-beta.7"
+    "better-auth": "1.4.9"
   },
   "peerDependencies": {
-    "better-auth": "1.4.8-beta.7"
+    "better-auth": "1.4.9"
   },
   "scripts": {
     "test": "vitest",

package/src/routes/sso.ts

@@ -1,3 +1,4 @@
+import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import type { User, Verification } from "better-auth";
 import {
@@ -45,7 +46,7 @@ import {
 	discoverOIDCConfig,
 	mapDiscoveryErrorToAPIError,
 } from "../oidc";
-import { validateSAMLAlgorithms } from "../saml";
+import { validateConfigAlgorithms, validateSAMLAlgorithms } from "../saml";
 import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "../types";
 import { safeJsonParse, validateEmailDomain } from "../utils";
 
@@ -780,6 +781,16 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 				});
 			};
 
+			if (body.samlConfig) {
+				validateConfigAlgorithms(
+					{
+						signatureAlgorithm: body.samlConfig.signatureAlgorithm,
+						digestAlgorithm: body.samlConfig.digestAlgorithm,
+					},
+					options?.saml?.algorithms,
+				);
+			}
+
 			const provider = await ctx.context.adapter.create<
 				Record<string, any>,
 				SSOProvider<O>
@@ -836,14 +847,20 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 				});
 			}
 
+			type SSOProviderResponse = {
+				redirectURI: string;
+				oidcConfig: OIDCConfig | null;
+				samlConfig: SAMLConfig | null;
+			} & Omit<SSOProvider<O>, "oidcConfig" | "samlConfig">;
+
 			type SSOProviderReturn = O["domainVerification"] extends { enabled: true }
-				? {
+				? SSOProviderResponse & {
 						domainVerified: boolean;
 						domainVerificationToken: string;
-					} & SSOProvider<O>
-				: SSOProvider<O>;
+					}
+				: SSOProviderResponse;
 
-			return ctx.json({
+			const result = {
 				...provider,
 				oidcConfig: safeJsonParse<OIDCConfig>(
 					provider.oidcConfig as unknown as string,
@@ -856,7 +873,9 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 				...(options?.domainVerification?.enabled
 					? { domainVerificationToken }
 					: {}),
-			} as unknown as SSOProviderReturn);
+			};
+
+			return ctx.json(result as SSOProviderReturn);
 		},
 	);
 };
@@ -1807,8 +1826,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
-						"utf-8",
+					decodedResponse: new TextDecoder().decode(
+						base64.decode(SAMLResponse),
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -2237,8 +2256,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
-						"utf-8",
+					decodedResponse: new TextDecoder().decode(
+						base64.decode(SAMLResponse),
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -2334,8 +2353,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			}
 
 			// Assertion Replay Protection
-			const samlContentAcs = Buffer.from(SAMLResponse, "base64").toString(
-				"utf-8",
+			const samlContentAcs = new TextDecoder().decode(
+				base64.decode(SAMLResponse),
 			);
 			const assertionIdAcs = extractAssertionId(samlContentAcs);
 

package/src/saml/algorithms.test.ts

@@ -203,3 +203,247 @@ describe("algorithm constants", () => {
 		);
 	});
 });
+
+describe("validateConfigAlgorithms", () => {
+	afterEach(() => {
+		vi.restoreAllMocks();
+	});
+
+	describe("signature algorithm validation", () => {
+		it("should accept secure signature algorithms", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					signatureAlgorithm: alg.SignatureAlgorithm.RSA_SHA256,
+				}),
+			).not.toThrow();
+		});
+
+		it("should warn by default for deprecated signature algorithms", () => {
+			const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					signatureAlgorithm: alg.SignatureAlgorithm.RSA_SHA1,
+				}),
+			).not.toThrow();
+
+			expect(warnSpy).toHaveBeenCalledWith(
+				expect.stringContaining("SAML Security Warning"),
+			);
+		});
+
+		it("should reject deprecated signature with onDeprecated: reject", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms(
+					{ signatureAlgorithm: alg.SignatureAlgorithm.RSA_SHA1 },
+					{ onDeprecated: "reject" },
+				),
+			).toThrow(/deprecated/i);
+		});
+
+		it("should silently allow deprecated with onDeprecated: allow", () => {
+			const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+			expect(() =>
+				alg.validateConfigAlgorithms(
+					{ signatureAlgorithm: alg.SignatureAlgorithm.RSA_SHA1 },
+					{ onDeprecated: "allow" },
+				),
+			).not.toThrow();
+
+			expect(warnSpy).not.toHaveBeenCalled();
+		});
+
+		it("should enforce custom signature allow-list", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms(
+					{ signatureAlgorithm: alg.SignatureAlgorithm.RSA_SHA256 },
+					{ allowedSignatureAlgorithms: [alg.SignatureAlgorithm.RSA_SHA512] },
+				),
+			).toThrow(/not in allow-list/i);
+		});
+
+		it("should reject unknown signature algorithms", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					signatureAlgorithm: "http://example.com/unknown-algo",
+				}),
+			).toThrow(/not recognized/i);
+		});
+
+		it("should pass undefined signatureAlgorithm without error", () => {
+			expect(() => alg.validateConfigAlgorithms({})).not.toThrow();
+		});
+
+		it("should accept short-form signature algorithm names", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					signatureAlgorithm: "rsa-sha256",
+				}),
+			).not.toThrow();
+		});
+
+		it("should accept digest-style short-form for signature (backward compat)", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					signatureAlgorithm: "sha256",
+				}),
+			).not.toThrow();
+		});
+
+		it("should reject typos in short-form signature algorithm names", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					signatureAlgorithm: "rsa-sha257",
+				}),
+			).toThrow(/not recognized/i);
+		});
+
+		it("should warn for deprecated short-form signature algorithms", () => {
+			const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					signatureAlgorithm: "rsa-sha1",
+				}),
+			).not.toThrow();
+
+			expect(warnSpy).toHaveBeenCalledWith(
+				expect.stringContaining("SAML Security Warning"),
+			);
+		});
+
+		it("should support short-form names in signature allow-list", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms(
+					{ signatureAlgorithm: "rsa-sha256" },
+					{ allowedSignatureAlgorithms: ["rsa-sha256", "rsa-sha512"] },
+				),
+			).not.toThrow();
+		});
+	});
+
+	describe("digest algorithm validation", () => {
+		it("should accept secure digest algorithms", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					digestAlgorithm: alg.DigestAlgorithm.SHA256,
+				}),
+			).not.toThrow();
+		});
+
+		it("should warn by default for deprecated digest algorithms", () => {
+			const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					digestAlgorithm: alg.DigestAlgorithm.SHA1,
+				}),
+			).not.toThrow();
+
+			expect(warnSpy).toHaveBeenCalledWith(
+				expect.stringContaining("SAML Security Warning"),
+			);
+		});
+
+		it("should reject deprecated digest with onDeprecated: reject", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms(
+					{ digestAlgorithm: alg.DigestAlgorithm.SHA1 },
+					{ onDeprecated: "reject" },
+				),
+			).toThrow(/deprecated/i);
+		});
+
+		it("should enforce custom digest allow-list", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms(
+					{ digestAlgorithm: alg.DigestAlgorithm.SHA256 },
+					{ allowedDigestAlgorithms: [alg.DigestAlgorithm.SHA512] },
+				),
+			).toThrow(/not in allow-list/i);
+		});
+
+		it("should reject unknown digest algorithms", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					digestAlgorithm: "http://example.com/unknown-digest",
+				}),
+			).toThrow(/not recognized/i);
+		});
+
+		it("should accept short-form digest algorithm names", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					digestAlgorithm: "sha256",
+				}),
+			).not.toThrow();
+		});
+
+		it("should reject typos in short-form digest algorithm names", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					digestAlgorithm: "sha257",
+				}),
+			).toThrow(/not recognized/i);
+		});
+
+		it("should warn for deprecated short-form digest algorithms", () => {
+			const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					digestAlgorithm: "sha1",
+				}),
+			).not.toThrow();
+
+			expect(warnSpy).toHaveBeenCalledWith(
+				expect.stringContaining("SAML Security Warning"),
+			);
+		});
+
+		it("should support short-form names in digest allow-list", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms(
+					{ digestAlgorithm: "sha256" },
+					{ allowedDigestAlgorithms: ["sha256", "sha512"] },
+				),
+			).not.toThrow();
+		});
+	});
+
+	describe("combined validation", () => {
+		it("should validate both signature and digest algorithms", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms({
+					signatureAlgorithm: alg.SignatureAlgorithm.RSA_SHA256,
+					digestAlgorithm: alg.DigestAlgorithm.SHA256,
+				}),
+			).not.toThrow();
+		});
+
+		it("should reject if signature is deprecated even if digest is secure", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms(
+					{
+						signatureAlgorithm: alg.SignatureAlgorithm.RSA_SHA1,
+						digestAlgorithm: alg.DigestAlgorithm.SHA256,
+					},
+					{ onDeprecated: "reject" },
+				),
+			).toThrow(/deprecated/i);
+		});
+
+		it("should reject if digest is deprecated even if signature is secure", () => {
+			expect(() =>
+				alg.validateConfigAlgorithms(
+					{
+						signatureAlgorithm: alg.SignatureAlgorithm.RSA_SHA256,
+						digestAlgorithm: alg.DigestAlgorithm.SHA1,
+					},
+					{ onDeprecated: "reject" },
+				),
+			).toThrow(/deprecated/i);
+		});
+	});
+});

package/src/saml/algorithms.ts

@@ -46,6 +46,8 @@ const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS: readonly string[] = [
 	DataEncryptionAlgorithm.TRIPLEDES_CBC,
 ];
 
+const DEPRECATED_DIGEST_ALGORITHMS: readonly string[] = [DigestAlgorithm.SHA1];
+
 const SECURE_SIGNATURE_ALGORITHMS: readonly string[] = [
 	SignatureAlgorithm.RSA_SHA256,
 	SignatureAlgorithm.RSA_SHA384,
@@ -55,6 +57,41 @@ const SECURE_SIGNATURE_ALGORITHMS: readonly string[] = [
 	SignatureAlgorithm.ECDSA_SHA512,
 ];
 
+const SECURE_DIGEST_ALGORITHMS: readonly string[] = [
+	DigestAlgorithm.SHA256,
+	DigestAlgorithm.SHA384,
+	DigestAlgorithm.SHA512,
+];
+
+const SHORT_FORM_SIGNATURE_TO_URI: Record<string, string> = {
+	sha1: SignatureAlgorithm.RSA_SHA1,
+	sha256: SignatureAlgorithm.RSA_SHA256,
+	sha384: SignatureAlgorithm.RSA_SHA384,
+	sha512: SignatureAlgorithm.RSA_SHA512,
+	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
+	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
+	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
+	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
+	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
+	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
+	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512,
+};
+
+const SHORT_FORM_DIGEST_TO_URI: Record<string, string> = {
+	sha1: DigestAlgorithm.SHA1,
+	sha256: DigestAlgorithm.SHA256,
+	sha384: DigestAlgorithm.SHA384,
+	sha512: DigestAlgorithm.SHA512,
+};
+
+function normalizeSignatureAlgorithm(alg: string): string {
+	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
+}
+
+function normalizeDigestAlgorithm(alg: string): string {
+	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
+}
+
 export type DeprecatedAlgorithmBehavior = "reject" | "warn" | "allow";
 
 export interface AlgorithmValidationOptions {
@@ -257,3 +294,75 @@ export function validateSAMLAlgorithms(
 		validateEncryptionAlgorithms(encAlgs, options);
 	}
 }
+
+export interface ConfigAlgorithmValidationOptions {
+	onDeprecated?: DeprecatedAlgorithmBehavior;
+	allowedSignatureAlgorithms?: string[];
+	allowedDigestAlgorithms?: string[];
+}
+
+export function validateConfigAlgorithms(
+	config: {
+		signatureAlgorithm?: string | undefined;
+		digestAlgorithm?: string | undefined;
+	},
+	options: ConfigAlgorithmValidationOptions = {},
+): void {
+	const {
+		onDeprecated = "warn",
+		allowedSignatureAlgorithms,
+		allowedDigestAlgorithms,
+	} = options;
+
+	if (config.signatureAlgorithm) {
+		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
+		if (allowedSignatureAlgorithms) {
+			const normalizedAllowList = allowedSignatureAlgorithms.map(
+				normalizeSignatureAlgorithm,
+			);
+			if (!normalizedAllowList.includes(normalized)) {
+				throw new APIError("BAD_REQUEST", {
+					message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
+					code: "SAML_ALGORITHM_NOT_ALLOWED",
+				});
+			}
+		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) {
+			handleDeprecatedAlgorithm(
+				`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`,
+				onDeprecated,
+				"SAML_DEPRECATED_CONFIG_ALGORITHM",
+			);
+		} else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) {
+			throw new APIError("BAD_REQUEST", {
+				message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
+				code: "SAML_UNKNOWN_ALGORITHM",
+			});
+		}
+	}
+
+	if (config.digestAlgorithm) {
+		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
+		if (allowedDigestAlgorithms) {
+			const normalizedAllowList = allowedDigestAlgorithms.map(
+				normalizeDigestAlgorithm,
+			);
+			if (!normalizedAllowList.includes(normalized)) {
+				throw new APIError("BAD_REQUEST", {
+					message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
+					code: "SAML_ALGORITHM_NOT_ALLOWED",
+				});
+			}
+		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) {
+			handleDeprecatedAlgorithm(
+				`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`,
+				onDeprecated,
+				"SAML_DEPRECATED_CONFIG_ALGORITHM",
+			);
+		} else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) {
+			throw new APIError("BAD_REQUEST", {
+				message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
+				code: "SAML_UNKNOWN_ALGORITHM",
+			});
+		}
+	}
+}

package/src/saml/index.ts

@@ -1,9 +1,11 @@
 export {
 	type AlgorithmValidationOptions,
+	type ConfigAlgorithmValidationOptions,
 	DataEncryptionAlgorithm,
 	type DeprecatedAlgorithmBehavior,
 	DigestAlgorithm,
 	KeyEncryptionAlgorithm,
 	SignatureAlgorithm,
+	validateConfigAlgorithms,
 	validateSAMLAlgorithms,
 } from "./algorithms";