npm - @better-auth/sso - Versions diffs - 1.5.0-beta.13 → 1.5.0-beta.16 - Mend

@better-auth/sso 1.5.0-beta.13 → 1.5.0-beta.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/.turbo/turbo-build.log +11 -11
package/dist/client.d.mts +3 -2
package/dist/client.mjs +1 -1
package/dist/client.mjs.map +1 -1
package/dist/{index-DCUy0gtM.d.mts → index-CbKvQr9M.d.mts} +129 -65
package/dist/index.d.mts +56 -2
package/dist/index.mjs +637 -238
package/dist/index.mjs.map +1 -1
package/package.json +8 -8
package/src/client.ts +1 -1
package/src/constants.ts +21 -0
package/src/domain-verification.test.ts +46 -5
package/src/index.ts +43 -2
package/src/oidc/discovery.test.ts +7 -12
package/src/oidc.test.ts +302 -1
package/src/providers.test.ts +39 -45
package/src/routes/domain-verification.ts +34 -12
package/src/routes/helpers.ts +126 -0
package/src/routes/providers.ts +16 -14
package/src/routes/sso.ts +932 -365
package/src/saml/algorithms.test.ts +1 -9
package/src/saml/error-codes.ts +11 -0
package/src/saml.test.ts +736 -4
package/src/types.ts +53 -2
package/src/utils.test.ts +3 -0
package/vitest.config.ts +6 -1

package/dist/index.mjs CHANGED Viewed

@@ -8,10 +8,65 @@ import z from "zod/v4";
 import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
-import { setSessionCookie } from "better-auth/cookies";
+import { deleteSessionCookie, setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
+import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
+//#region src/constants.ts
+/**
+* SAML Constants
+*
+* Centralized constants for SAML SSO functionality.
+*/
+/** Prefix for AuthnRequest IDs used in InResponseTo validation */
+const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
+/** Prefix for used Assertion IDs used in replay protection */
+const USED_ASSERTION_KEY_PREFIX = "saml-used-assertion:";
+/** Prefix for SAML session data (NameID + SessionIndex) for SLO */
+const SAML_SESSION_KEY_PREFIX = "saml-session:";
+/** Prefix for reverse lookup of SAML session by Better Auth session ID */
+const SAML_SESSION_BY_ID_PREFIX = "saml-session-by-id:";
+/** Prefix for LogoutRequest IDs used in SP-initiated SLO validation */
+const LOGOUT_REQUEST_KEY_PREFIX = "saml-logout-request:";
+/**
+* Default TTL for AuthnRequest records (5 minutes).
+* This should be sufficient for most IdPs while protecting against stale requests.
+*/
+const DEFAULT_AUTHN_REQUEST_TTL_MS = 300 * 1e3;
+/**
+* Default TTL for used assertion records (15 minutes).
+* This should match the maximum expected NotOnOrAfter window plus clock skew.
+*/
+const DEFAULT_ASSERTION_TTL_MS = 900 * 1e3;
+/**
+* Default TTL for LogoutRequest records (5 minutes).
+* Should be sufficient for IdP to process and respond.
+*/
+const DEFAULT_LOGOUT_REQUEST_TTL_MS = 300 * 1e3;
+/**
+* Default clock skew tolerance (5 minutes).
+* Allows for minor time differences between IdP and SP servers.
+*
+* Accommodates:
+* - Network latency and processing time
+* - Clock synchronization differences (NTP drift)
+* - Distributed systems across timezones
+*/
+const DEFAULT_CLOCK_SKEW_MS = 300 * 1e3;
+/**
+* Default maximum size for SAML responses (256 KB).
+* Protects against memory exhaustion from oversized SAML payloads.
+*/
+const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
+/**
+* Default maximum size for IdP metadata (100 KB).
+* Protects against oversized metadata documents.
+*/
+const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
+const SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
+//#endregion
 //#region src/utils.ts
 /**
 * Safely parses a value that might be a JSON string or already a parsed object.
@@ -161,7 +216,12 @@ async function assignOrganizationByDomain(ctx, options) {
 //#endregion
 //#region src/routes/domain-verification.ts
+const DNS_LABEL_MAX_LENGTH = 63;
+const DEFAULT_TOKEN_PREFIX = "better-auth-token";
 const domainVerificationBodySchema = z$1.object({ providerId: z$1.string() });
+function getVerificationIdentifier(options, providerId) {
+	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
+}
 const requestDomainVerification = (options) => {
 	return createAuthEndpoint("/sso/request-domain-verification", {
 		method: "POST",
@@ -209,11 +269,12 @@ const requestDomainVerification = (options) => {
 			message: "Domain has already been verified",
 			code: "DOMAIN_VERIFIED"
 		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
 		const activeVerification = await ctx.context.adapter.findOne({
 			model: "verification",
 			where: [{
 				field: "identifier",
-				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+				value: identifier
 			}, {
 				field: "expiresAt",
 				value: /* @__PURE__ */ new Date(),
@@ -228,7 +289,7 @@ const requestDomainVerification = (options) => {
 		await ctx.context.adapter.create({
 			model: "verification",
 			data: {
-				identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+				identifier,
 				createdAt: /* @__PURE__ */ new Date(),
 				updatedAt: /* @__PURE__ */ new Date(),
 				value: domainVerificationToken,
@@ -287,11 +348,16 @@ const verifyDomain = (options) => {
 			message: "Domain has already been verified",
 			code: "DOMAIN_VERIFIED"
 		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
+		if (identifier.length > DNS_LABEL_MAX_LENGTH) throw new APIError("BAD_REQUEST", {
+			message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
+			code: "IDENTIFIER_TOO_LONG"
+		});
 		const activeVerification = await ctx.context.adapter.findOne({
 			model: "verification",
 			where: [{
 				field: "identifier",
-				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+				value: identifier
 			}, {
 				field: "expiresAt",
 				value: /* @__PURE__ */ new Date(),
@@ -314,7 +380,8 @@ const verifyDomain = (options) => {
 			});
 		}
 		try {
-			records = (await dns.resolveTxt(new URL(provider.domain).hostname)).flat();
+			const hostname = new URL(provider.domain).hostname;
+			records = (await dns.resolveTxt(`${identifier}.${hostname}`)).flat();
 		} catch (error) {
 			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
 		}
@@ -334,48 +401,6 @@ const verifyDomain = (options) => {
 	});
 };
-//#endregion
-//#region src/constants.ts
-/**
-* SAML Constants
-*
-* Centralized constants for SAML SSO functionality.
-*/
-/** Prefix for AuthnRequest IDs used in InResponseTo validation */
-const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
-/** Prefix for used Assertion IDs used in replay protection */
-const USED_ASSERTION_KEY_PREFIX = "saml-used-assertion:";
-/**
-* Default TTL for AuthnRequest records (5 minutes).
-* This should be sufficient for most IdPs while protecting against stale requests.
-*/
-const DEFAULT_AUTHN_REQUEST_TTL_MS = 300 * 1e3;
-/**
-* Default TTL for used assertion records (15 minutes).
-* This should match the maximum expected NotOnOrAfter window plus clock skew.
-*/
-const DEFAULT_ASSERTION_TTL_MS = 900 * 1e3;
-/**
-* Default clock skew tolerance (5 minutes).
-* Allows for minor time differences between IdP and SP servers.
-*
-* Accommodates:
-* - Network latency and processing time
-* - Clock synchronization differences (NTP drift)
-* - Distributed systems across timezones
-*/
-const DEFAULT_CLOCK_SKEW_MS = 300 * 1e3;
-/**
-* Default maximum size for SAML responses (256 KB).
-* Protects against memory exhaustion from oversized SAML payloads.
-*/
-const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
-/**
-* Default maximum size for IdP metadata (100 KB).
-* Protects against oversized metadata documents.
-*/
-const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
 //#endregion
 //#region src/saml/parser.ts
 const xmlParser = new XMLParser({
@@ -829,7 +854,7 @@ const listSSOProviders = () => {
 		return ctx.json({ providers });
 	});
 };
-const getSSOProviderParamsSchema = z.object({ providerId: z.string() });
+const getSSOProviderQuerySchema = z.object({ providerId: z.string() });
 async function checkProviderAccess(ctx, providerId) {
 	const userId = ctx.context.session.user.id;
 	const provider = await ctx.context.adapter.findOne({
@@ -848,10 +873,10 @@ async function checkProviderAccess(ctx, providerId) {
 	return provider;
 }
 const getSSOProvider = () => {
-	return createAuthEndpoint("/sso/providers/:providerId", {
+	return createAuthEndpoint("/sso/get-provider", {
 		method: "GET",
 		use: [sessionMiddleware],
-		params: getSSOProviderParamsSchema,
+		query: getSSOProviderQuerySchema,
 		metadata: { openapi: {
 			operationId: "getSSOProvider",
 			summary: "Get SSO provider details",
@@ -863,7 +888,7 @@ const getSSOProvider = () => {
 			}
 		} }
 	}, async (ctx) => {
-		const { providerId } = ctx.params;
+		const { providerId } = ctx.query;
 		const provider = await checkProviderAccess(ctx, providerId);
 		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL));
 	});
@@ -916,11 +941,10 @@ function mergeOIDCConfig(current, updates, issuer) {
 	};
 }
 const updateSSOProvider = (options) => {
-	return createAuthEndpoint("/sso/providers/:providerId", {
-		method: "PATCH",
+	return createAuthEndpoint("/sso/update-provider", {
+		method: "POST",
 		use: [sessionMiddleware],
-		params: getSSOProviderParamsSchema,
-		body: updateSSOProviderBodySchema,
+		body: updateSSOProviderBodySchema.extend({ providerId: z.string() }),
 		metadata: { openapi: {
 			operationId: "updateSSOProvider",
 			summary: "Update SSO provider",
@@ -932,8 +956,7 @@ const updateSSOProvider = (options) => {
 			}
 		} }
 	}, async (ctx) => {
-		const { providerId } = ctx.params;
-		const body = ctx.body;
+		const { providerId, ...body } = ctx.body;
 		const { issuer, domain, samlConfig, oidcConfig } = body;
 		if (!issuer && !domain && !samlConfig && !oidcConfig) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
 		const existingProvider = await checkProviderAccess(ctx, providerId);
@@ -981,10 +1004,10 @@ const updateSSOProvider = (options) => {
 	});
 };
 const deleteSSOProvider = () => {
-	return createAuthEndpoint("/sso/providers/:providerId", {
-		method: "DELETE",
+	return createAuthEndpoint("/sso/delete-provider", {
+		method: "POST",
 		use: [sessionMiddleware],
-		params: getSSOProviderParamsSchema,
+		body: z.object({ providerId: z.string() }),
 		metadata: { openapi: {
 			operationId: "deleteSSOProvider",
 			summary: "Delete SSO provider",
@@ -996,7 +1019,7 @@ const deleteSSOProvider = () => {
 			}
 		} }
 	}, async (ctx) => {
-		const { providerId } = ctx.params;
+		const { providerId } = ctx.body;
 		await checkProviderAccess(ctx, providerId);
 		await ctx.context.adapter.delete({
 			model: "ssoProvider",
@@ -1355,6 +1378,17 @@ function mapDiscoveryErrorToAPIError(error) {
 	}
 }
+//#endregion
+//#region src/saml/error-codes.ts
+const SAML_ERROR_CODES = defineErrorCodes({
+	SINGLE_LOGOUT_NOT_ENABLED: "Single Logout is not enabled",
+	INVALID_LOGOUT_RESPONSE: "Invalid LogoutResponse",
+	INVALID_LOGOUT_REQUEST: "Invalid LogoutRequest",
+	LOGOUT_FAILED_AT_IDP: "Logout failed at IdP",
+	IDP_SLO_NOT_SUPPORTED: "IdP does not support Single Logout Service",
+	SAML_PROVIDER_NOT_FOUND: "SAML provider not found"
+});
 //#endregion
 //#region src/saml-state.ts
 async function generateRelayState(c, link, additionalData) {
@@ -1398,9 +1432,102 @@ async function parseRelayState(c) {
 	return parsedData;
 }
+//#endregion
+//#region src/routes/helpers.ts
+async function findSAMLProvider(providerId, options, adapter) {
+	if (options?.defaultSSO?.length) {
+		const match = options.defaultSSO.find((p) => p.providerId === providerId);
+		if (match) return {
+			...match,
+			userId: "default",
+			issuer: match.samlConfig?.issuer || "",
+			...options.domainVerification?.enabled ? { domainVerified: true } : {}
+		};
+	}
+	const res = await adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	});
+	if (!res) return null;
+	return {
+		...res,
+		samlConfig: res.samlConfig ? safeJsonParse(res.samlConfig) || void 0 : void 0
+	};
+}
+function createSP(config, baseURL, providerId, sloOptions) {
+	const sloLocation = `${baseURL}/sso/saml2/sp/slo/${providerId}`;
+	return saml.ServiceProvider({
+		entityID: config.spMetadata?.entityID || config.issuer,
+		assertionConsumerService: [{
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+			Location: config.callbackUrl || `${baseURL}/sso/saml2/sp/acs/${providerId}`
+		}],
+		singleLogoutService: [{
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+			Location: sloLocation
+		}, {
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+			Location: sloLocation
+		}],
+		wantMessageSigned: config.wantAssertionsSigned || false,
+		wantLogoutRequestSigned: sloOptions?.wantLogoutRequestSigned ?? false,
+		wantLogoutResponseSigned: sloOptions?.wantLogoutResponseSigned ?? false,
+		metadata: config.spMetadata?.metadata,
+		privateKey: config.spMetadata?.privateKey || config.privateKey,
+		privateKeyPass: config.spMetadata?.privateKeyPass
+	});
+}
+function createIdP(config) {
+	const idpData = config.idpMetadata;
+	if (idpData?.metadata) return saml.IdentityProvider({
+		metadata: idpData.metadata,
+		privateKey: idpData.privateKey,
+		privateKeyPass: idpData.privateKeyPass,
+		encPrivateKey: idpData.encPrivateKey,
+		encPrivateKeyPass: idpData.encPrivateKeyPass
+	});
+	return saml.IdentityProvider({
+		entityID: idpData?.entityID || config.issuer,
+		singleSignOnService: idpData?.singleSignOnService || [{
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+			Location: config.entryPoint
+		}],
+		singleLogoutService: idpData?.singleLogoutService,
+		signingCert: idpData?.cert || config.cert
+	});
+}
+function escapeHtml(str) {
+	if (!str) return "";
+	return String(str).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function createSAMLPostForm(action, samlParam, samlValue, relayState) {
+	const safeAction = escapeHtml(action);
+	const safeSamlParam = escapeHtml(samlParam);
+	const safeSamlValue = escapeHtml(samlValue);
+	const safeRelayState = relayState ? escapeHtml(relayState) : void 0;
+	const html = `<!DOCTYPE html><html><body onload="document.forms[0].submit();"><form method="POST" action="${safeAction}"><input type="hidden" name="${safeSamlParam}" value="${safeSamlValue}" />${safeRelayState ? `<input type="hidden" name="RelayState" value="${safeRelayState}" />` : ""}<noscript><input type="submit" value="Continue" /></noscript></form></body></html>`;
+	return new Response(html, { headers: { "Content-Type": "text/html" } });
+}
 //#endregion
 //#region src/routes/sso.ts
 /**
+* Builds the OIDC redirect URI. Uses the shared `redirectURI` option
+* when set, otherwise falls back to `/sso/callback/:providerId`.
+*/
+function getOIDCRedirectURI(baseURL, providerId, options) {
+	if (options?.redirectURI?.trim()) try {
+		new URL(options.redirectURI);
+		return options.redirectURI;
+	} catch {
+		return `${baseURL}${options.redirectURI.startsWith("/") ? options.redirectURI : `/${options.redirectURI}`}`;
+	}
+	return `${baseURL}/sso/callback/${providerId}`;
+}
+/**
 * Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
 * Prevents acceptance of expired or future-dated assertions.
 * @throws {APIError} If timestamps are invalid, expired, or not yet valid
@@ -1464,7 +1591,7 @@ const spMetadataQuerySchema = z.object({
 	providerId: z.string(),
 	format: z.enum(["xml", "json"]).default("xml")
 });
-const spMetadata = () => {
+const spMetadata = (options) => {
 	return createAuthEndpoint("/sso/saml2/sp/metadata", {
 		method: "GET",
 		query: spMetadataQuerySchema,
@@ -1485,12 +1612,21 @@ const spMetadata = () => {
 		if (!provider) throw new APIError("NOT_FOUND", { message: "No provider found for the given providerId" });
 		const parsedSamlConfig = safeJsonParse(provider.samlConfig);
 		if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
+		const sloLocation = `${ctx.context.baseURL}/sso/saml2/sp/slo/${ctx.query.providerId}`;
+		const singleLogoutService = options?.saml?.enableSingleLogout ? [{
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+			Location: sloLocation
+		}, {
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+			Location: sloLocation
+		}] : void 0;
 		const sp = parsedSamlConfig.spMetadata.metadata ? saml.ServiceProvider({ metadata: parsedSamlConfig.spMetadata.metadata }) : saml.SPMetadata({
 			entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
 			assertionConsumerService: [{
 				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 				Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`
 			}],
+			singleLogoutService,
 			wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
 			authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 			nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
@@ -1878,7 +2014,7 @@ const registerSSOProvider = (options) => {
 			await ctx.context.adapter.create({
 				model: "verification",
 				data: {
-					identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+					identifier: getVerificationIdentifier(options, provider.providerId),
 					createdAt: /* @__PURE__ */ new Date(),
 					updatedAt: /* @__PURE__ */ new Date(),
 					value: domainVerificationToken,
@@ -1890,7 +2026,7 @@ const registerSSOProvider = (options) => {
 			...provider,
 			oidcConfig: safeJsonParse(provider.oidcConfig),
 			samlConfig: safeJsonParse(provider.samlConfig),
-			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
+			redirectURI: getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options),
 			...options?.domainVerification?.enabled ? { domainVerified } : {},
 			...options?.domainVerification?.enabled ? { domainVerificationToken } : {}
 		};
@@ -2042,8 +2178,8 @@ const signInSSO = (options) => {
 				if (discovery.data) finalAuthUrl = discovery.data.authorization_endpoint;
 			}
 			if (!finalAuthUrl) throw new APIError("BAD_REQUEST", { message: "Invalid OIDC configuration. Authorization URL not found." });
-			const state = await generateState(ctx, void 0, false);
-			const redirectURI = `${ctx.context.baseURL}/sso/callback/${provider.providerId}`;
+			const state = await generateState(ctx, void 0, options?.redirectURI?.trim() ? { ssoProviderId: provider.providerId } : false);
+			const redirectURI = getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options);
 			const authorizationURL = await createAuthorizationURL({
 				id: provider.issuer,
 				options: {
@@ -2141,171 +2277,214 @@ const callbackSSOQuerySchema = z.object({
 	error: z.string().optional(),
 	error_description: z.string().optional()
 });
+/**
+* Core OIDC callback handler logic, shared between the per-provider and
+* shared callback endpoints. Resolves the provider, exchanges the
+* authorization code for tokens, and creates a session.
+*
+* @param stateData - Pre-parsed state data. If not provided, it will be
+*   parsed from the request context.
+*/
+async function handleOIDCCallback(ctx, options, providerId, stateData) {
+	const { code, error, error_description } = ctx.query;
+	if (!stateData) stateData = await parseState(ctx);
+	if (!stateData) {
+		const errorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
+		throw ctx.redirect(`${errorURL}?error=invalid_state`);
+	}
+	const { callbackURL, errorURL, newUserURL, requestSignUp } = stateData;
+	if (!code || error) throw ctx.redirect(`${errorURL || callbackURL}?error=${error}&error_description=${error_description}`);
+	let provider = null;
+	if (options?.defaultSSO?.length) {
+		const matchingDefault = options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId);
+		if (matchingDefault) provider = {
+			...matchingDefault,
+			issuer: matchingDefault.oidcConfig?.issuer || "",
+			userId: "default",
+			...options.domainVerification?.enabled ? { domainVerified: true } : {}
+		};
+	}
+	if (!provider) provider = await ctx.context.adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	}).then((res) => {
+		if (!res) return null;
+		return {
+			...res,
+			oidcConfig: safeJsonParse(res.oidcConfig) || void 0
+		};
+	});
+	if (!provider) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
+	if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
+	let config = provider.oidcConfig;
+	if (!config) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
+	const discovery = await betterFetch(config.discoveryEndpoint);
+	if (discovery.data) config = {
+		tokenEndpoint: discovery.data.token_endpoint,
+		tokenEndpointAuthentication: discovery.data.token_endpoint_auth_method,
+		userInfoEndpoint: discovery.data.userinfo_endpoint,
+		scopes: [
+			"openid",
+			"email",
+			"profile",
+			"offline_access"
+		],
+		...config
+	};
+	if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_endpoint_not_found`);
+	const tokenResponse = await validateAuthorizationCode({
+		code,
+		codeVerifier: config.pkce ? stateData.codeVerifier : void 0,
+		redirectURI: getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options),
+		options: {
+			clientId: config.clientId,
+			clientSecret: config.clientSecret
+		},
+		tokenEndpoint: config.tokenEndpoint,
+		authentication: config.tokenEndpointAuthentication === "client_secret_post" ? "post" : "basic"
+	}).catch((e) => {
+		if (e instanceof BetterFetchError) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${e.message}`);
+		return null;
+	});
+	if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_response_not_found`);
+	let userInfo = null;
+	if (tokenResponse.idToken) {
+		const idToken = decodeJwt(tokenResponse.idToken);
+		if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=jwks_endpoint_not_found`);
+		const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint, {
+			audience: config.clientId,
+			issuer: provider.issuer
+		}).catch((e) => {
+			ctx.context.logger.error(e);
+			return null;
+		});
+		if (!verified) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_not_verified`);
+		const mapping = config.mapping || {};
+		userInfo = {
+			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
+			id: idToken[mapping.id || "sub"],
+			email: idToken[mapping.email || "email"],
+			emailVerified: options?.trustEmailVerified ? idToken[mapping.emailVerified || "email_verified"] : false,
+			name: idToken[mapping.name || "name"],
+			image: idToken[mapping.image || "picture"]
+		};
+	}
+	if (!userInfo) {
+		if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
+		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
+		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
+		userInfo = userInfoResponse.data;
+	}
+	if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=missing_user_info`);
+	const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
+	const linked = await handleOAuthUserInfo(ctx, {
+		userInfo: {
+			email: userInfo.email,
+			name: userInfo.name || "",
+			id: userInfo.id,
+			image: userInfo.image,
+			emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
+		},
+		account: {
+			idToken: tokenResponse.idToken,
+			accessToken: tokenResponse.accessToken,
+			refreshToken: tokenResponse.refreshToken,
+			accountId: userInfo.id,
+			providerId: provider.providerId,
+			accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
+			refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
+			scope: tokenResponse.scopes?.join(",")
+		},
+		callbackURL,
+		disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
+		overrideUserInfo: config.overrideUserInfo,
+		isTrustedProvider
+	});
+	if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}?error=${linked.error}`);
+	const { session, user } = linked.data;
+	if (options?.provisionUser && linked.isRegister) await options.provisionUser({
+		user,
+		userInfo,
+		token: tokenResponse,
+		provider
+	});
+	await assignOrganizationFromProvider(ctx, {
+		user,
+		profile: {
+			providerType: "oidc",
+			providerId: provider.providerId,
+			accountId: userInfo.id,
+			email: userInfo.email,
+			emailVerified: Boolean(userInfo.emailVerified),
+			rawAttributes: userInfo
+		},
+		provider,
+		token: tokenResponse,
+		provisioningOptions: options?.organizationProvisioning
+	});
+	await setSessionCookie(ctx, {
+		session,
+		user
+	});
+	let toRedirectTo;
+	try {
+		toRedirectTo = (linked.isRegister ? newUserURL || callbackURL : callbackURL).toString();
+	} catch {
+		toRedirectTo = linked.isRegister ? newUserURL || callbackURL : callbackURL;
+	}
+	throw ctx.redirect(toRedirectTo);
+}
+const callbackSSOEndpointConfig = {
+	method: "GET",
+	query: callbackSSOQuerySchema,
+	allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
+	metadata: {
+		...HIDE_METADATA,
+		openapi: {
+			operationId: "handleSSOCallback",
+			summary: "Callback URL for SSO provider",
+			description: "This endpoint is used as the callback URL for SSO providers. It handles the authorization code and exchanges it for an access token",
+			responses: { "302": { description: "Redirects to the callback URL" } }
+		}
+	}
+};
 const callbackSSO = (options) => {
-	return createAuthEndpoint("/sso/callback/:providerId", {
-		method: "GET",
-		query: callbackSSOQuerySchema,
-		allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
+	return createAuthEndpoint("/sso/callback/:providerId", callbackSSOEndpointConfig, async (ctx) => {
+		return handleOIDCCallback(ctx, options, ctx.params.providerId);
+	});
+};
+/**
+* Shared OIDC callback endpoint (no `:providerId` in path).
+* Used when `options.redirectURI` is set — the `providerId` is read from
+* the OAuth state instead of the URL path.
+*/
+const callbackSSOShared = (options) => {
+	return createAuthEndpoint("/sso/callback", {
+		...callbackSSOEndpointConfig,
 		metadata: {
-			...HIDE_METADATA,
+			...callbackSSOEndpointConfig.metadata,
 			openapi: {
-				operationId: "handleSSOCallback",
-				summary: "Callback URL for SSO provider",
-				description: "This endpoint is used as the callback URL for SSO providers. It handles the authorization code and exchanges it for an access token",
-				responses: { "302": { description: "Redirects to the callback URL" } }
+				...callbackSSOEndpointConfig.metadata.openapi,
+				operationId: "handleSSOCallbackShared",
+				summary: "Shared callback URL for all SSO providers",
+				description: "This endpoint is used as a shared callback URL for all SSO providers when `redirectURI` is configured. The provider is identified via the OAuth state parameter."
 			}
 		}
 	}, async (ctx) => {
-		const { code, error, error_description } = ctx.query;
 		const stateData = await parseState(ctx);
 		if (!stateData) {
 			const errorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
 			throw ctx.redirect(`${errorURL}?error=invalid_state`);
 		}
-		const { callbackURL, errorURL, newUserURL, requestSignUp } = stateData;
-		if (!code || error) throw ctx.redirect(`${errorURL || callbackURL}?error=${error}&error_description=${error_description}`);
-		let provider = null;
-		if (options?.defaultSSO?.length) {
-			const matchingDefault = options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === ctx.params.providerId);
-			if (matchingDefault) provider = {
-				...matchingDefault,
-				issuer: matchingDefault.oidcConfig?.issuer || "",
-				userId: "default",
-				...options.domainVerification?.enabled ? { domainVerified: true } : {}
-			};
-		}
-		if (!provider) provider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: ctx.params.providerId
-			}]
-		}).then((res) => {
-			if (!res) return null;
-			return {
-				...res,
-				oidcConfig: safeJsonParse(res.oidcConfig) || void 0
-			};
-		});
-		if (!provider) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
-		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
-		let config = provider.oidcConfig;
-		if (!config) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
-		const discovery = await betterFetch(config.discoveryEndpoint);
-		if (discovery.data) config = {
-			tokenEndpoint: discovery.data.token_endpoint,
-			tokenEndpointAuthentication: discovery.data.token_endpoint_auth_method,
-			userInfoEndpoint: discovery.data.userinfo_endpoint,
-			scopes: [
-				"openid",
-				"email",
-				"profile",
-				"offline_access"
-			],
-			...config
-		};
-		if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_endpoint_not_found`);
-		const tokenResponse = await validateAuthorizationCode({
-			code,
-			codeVerifier: config.pkce ? stateData.codeVerifier : void 0,
-			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
-			options: {
-				clientId: config.clientId,
-				clientSecret: config.clientSecret
-			},
-			tokenEndpoint: config.tokenEndpoint,
-			authentication: config.tokenEndpointAuthentication === "client_secret_post" ? "post" : "basic"
-		}).catch((e) => {
-			if (e instanceof BetterFetchError) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${e.message}`);
-			return null;
-		});
-		if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_response_not_found`);
-		let userInfo = null;
-		if (tokenResponse.idToken) {
-			const idToken = decodeJwt(tokenResponse.idToken);
-			if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=jwks_endpoint_not_found`);
-			const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint, {
-				audience: config.clientId,
-				issuer: provider.issuer
-			}).catch((e) => {
-				ctx.context.logger.error(e);
-				return null;
-			});
-			if (!verified) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_not_verified`);
-			const mapping = config.mapping || {};
-			userInfo = {
-				...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
-				id: idToken[mapping.id || "sub"],
-				email: idToken[mapping.email || "email"],
-				emailVerified: options?.trustEmailVerified ? idToken[mapping.emailVerified || "email_verified"] : false,
-				name: idToken[mapping.name || "name"],
-				image: idToken[mapping.image || "picture"]
-			};
-		}
-		if (!userInfo) {
-			if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
-			const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
-			if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
-			userInfo = userInfoResponse.data;
+		const providerId = stateData.ssoProviderId;
+		if (!providerId) {
+			const errorURL = stateData.errorURL || stateData.callbackURL;
+			throw ctx.redirect(`${errorURL}?error=invalid_state&error_description=missing_provider_id`);
 		}
-		if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=missing_user_info`);
-		const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
-		const linked = await handleOAuthUserInfo(ctx, {
-			userInfo: {
-				email: userInfo.email,
-				name: userInfo.name || userInfo.email,
-				id: userInfo.id,
-				image: userInfo.image,
-				emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
-			},
-			account: {
-				idToken: tokenResponse.idToken,
-				accessToken: tokenResponse.accessToken,
-				refreshToken: tokenResponse.refreshToken,
-				accountId: userInfo.id,
-				providerId: provider.providerId,
-				accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
-				refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
-				scope: tokenResponse.scopes?.join(",")
-			},
-			callbackURL,
-			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
-			overrideUserInfo: config.overrideUserInfo,
-			isTrustedProvider
-		});
-		if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}?error=${linked.error}`);
-		const { session, user } = linked.data;
-		if (options?.provisionUser) await options.provisionUser({
-			user,
-			userInfo,
-			token: tokenResponse,
-			provider
-		});
-		await assignOrganizationFromProvider(ctx, {
-			user,
-			profile: {
-				providerType: "oidc",
-				providerId: provider.providerId,
-				accountId: userInfo.id,
-				email: userInfo.email,
-				emailVerified: Boolean(userInfo.emailVerified),
-				rawAttributes: userInfo
-			},
-			provider,
-			token: tokenResponse,
-			provisioningOptions: options?.organizationProvisioning
-		});
-		await setSessionCookie(ctx, {
-			session,
-			user
-		});
-		let toRedirectTo;
-		try {
-			toRedirectTo = (linked.isRegister ? newUserURL || callbackURL : callbackURL).toString();
-		} catch {
-			toRedirectTo = linked.isRegister ? newUserURL || callbackURL : callbackURL;
-		}
-		throw ctx.redirect(toRedirectTo);
+		return handleOIDCCallback(ctx, options, providerId, stateData);
 	});
 };
 const callbackSSOSAMLBodySchema = z.object({
@@ -2563,7 +2742,7 @@ const callbackSSOSAML = (options) => {
 			});
 			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 		}
-		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+		const isTrustedProvider = ctx.context.trustedProviders.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
 		const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 		const result = await handleOAuthUserInfo(ctx, {
 			userInfo: {
@@ -2606,6 +2785,25 @@ const callbackSSOSAML = (options) => {
 			session,
 			user
 		});
+		if (options?.saml?.enableSingleLogout && extract.nameID) {
+			const samlSessionKey = `${SAML_SESSION_KEY_PREFIX}${provider.providerId}:${extract.nameID}`;
+			const samlSessionData = {
+				sessionId: session.id,
+				providerId: provider.providerId,
+				nameID: extract.nameID,
+				sessionIndex: extract.sessionIndex
+			};
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: samlSessionKey,
+				value: JSON.stringify(samlSessionData),
+				expiresAt: session.expiresAt
+			}).catch((e) => ctx.context.logger.warn("Failed to create SAML session record", { error: e }));
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: `${SAML_SESSION_BY_ID_PREFIX}${session.id}`,
+				value: samlSessionKey,
+				expiresAt: session.expiresAt
+			}).catch((e) => ctx.context.logger.warn("Failed to create SAML session lookup record", e));
+		}
 		const safeRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 		throw ctx.redirect(safeRedirectUrl);
 	});
@@ -2815,7 +3013,7 @@ const acsEndpoint = (options) => {
 			});
 			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 		}
-		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+		const isTrustedProvider = ctx.context.trustedProviders.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
 		const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 		const result = await handleOAuthUserInfo(ctx, {
 			userInfo: {
@@ -2858,10 +3056,186 @@ const acsEndpoint = (options) => {
 			session,
 			user
 		});
+		if (options?.saml?.enableSingleLogout && extract.nameID) {
+			const samlSessionKey = `${SAML_SESSION_KEY_PREFIX}${providerId}:${extract.nameID}`;
+			const samlSessionData = {
+				sessionId: session.id,
+				providerId,
+				nameID: extract.nameID,
+				sessionIndex: extract.sessionIndex
+			};
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: samlSessionKey,
+				value: JSON.stringify(samlSessionData),
+				expiresAt: session.expiresAt
+			}).catch((e) => ctx.context.logger.warn("Failed to create SAML session record", { error: e }));
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: `${SAML_SESSION_BY_ID_PREFIX}${session.id}`,
+				value: samlSessionKey,
+				expiresAt: session.expiresAt
+			}).catch((e) => ctx.context.logger.warn("Failed to create SAML session lookup record", e));
+		}
 		const safeRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 		throw ctx.redirect(safeRedirectUrl);
 	});
 };
+const sloSchema = z.object({
+	SAMLRequest: z.string().optional(),
+	SAMLResponse: z.string().optional(),
+	RelayState: z.string().optional(),
+	SigAlg: z.string().optional(),
+	Signature: z.string().optional()
+});
+const sloEndpoint = (options) => {
+	return createAuthEndpoint("/sso/saml2/sp/slo/:providerId", {
+		method: ["GET", "POST"],
+		body: sloSchema.optional(),
+		query: sloSchema.optional(),
+		metadata: {
+			...HIDE_METADATA,
+			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"]
+		}
+	}, async (ctx) => {
+		if (!options?.saml?.enableSingleLogout) throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.SINGLE_LOGOUT_NOT_ENABLED);
+		const { providerId } = ctx.params;
+		const samlRequest = ctx.body?.SAMLRequest || ctx.query?.SAMLRequest;
+		const samlResponse = ctx.body?.SAMLResponse || ctx.query?.SAMLResponse;
+		const relayState = ctx.body?.RelayState || ctx.query?.RelayState;
+		const appOrigin = new URL(ctx.context.baseURL).origin;
+		const safeErrorURL = getSafeRedirectUrl(relayState, `${appOrigin}/sso/saml2/sp/slo/${providerId}`, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+		if (!samlRequest && !samlResponse) throw ctx.redirect(`${safeErrorURL}?error=invalid_request&error_description=missing_logout_data`);
+		const provider = await findSAMLProvider(providerId, options, ctx.context.adapter);
+		if (!provider?.samlConfig) throw APIError.from("NOT_FOUND", SAML_ERROR_CODES.SAML_PROVIDER_NOT_FOUND);
+		const config = provider.samlConfig;
+		const sp = createSP(config, ctx.context.baseURL, providerId, {
+			wantLogoutRequestSigned: options?.saml?.wantLogoutRequestSigned,
+			wantLogoutResponseSigned: options?.saml?.wantLogoutResponseSigned
+		});
+		const idp = createIdP(config);
+		if (samlResponse) return handleLogoutResponse(ctx, sp, idp, relayState, providerId);
+		return handleLogoutRequest(ctx, sp, idp, relayState, providerId);
+	});
+};
+async function handleLogoutResponse(ctx, sp, idp, relayState, providerId) {
+	const binding = ctx.method === "POST" && ctx.body?.SAMLResponse ? "post" : "redirect";
+	let parsed;
+	try {
+		parsed = await sp.parseLogoutResponse(idp, binding, {
+			body: ctx.body,
+			query: ctx.query
+		});
+	} catch (error) {
+		ctx.context.logger.error("LogoutResponse validation failed", { error });
+		throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.INVALID_LOGOUT_RESPONSE);
+	}
+	const extract = parsed?.extract;
+	const statusCode = extract?.statusCode || extract?.status || parsed?.samlContent?.status?.statusCode;
+	if (statusCode && statusCode !== SAML_STATUS_SUCCESS) {
+		ctx.context.logger.warn("LogoutResponse indicates failure", { statusCode });
+		throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.LOGOUT_FAILED_AT_IDP);
+	}
+	const inResponseTo = extract?.response?.inResponseTo;
+	if (inResponseTo) {
+		const key = `${LOGOUT_REQUEST_KEY_PREFIX}${inResponseTo}`;
+		if (!await ctx.context.internalAdapter.findVerificationValue(key)) ctx.context.logger.warn("LogoutResponse references unknown or expired request", { inResponseTo });
+		await ctx.context.internalAdapter.deleteVerificationValue(key).catch((e) => ctx.context.logger.warn("Failed to delete logout request verification value", e));
+	}
+	deleteSessionCookie(ctx);
+	const appOrigin = new URL(ctx.context.baseURL).origin;
+	const safeRedirectUrl = getSafeRedirectUrl(relayState, `${appOrigin}/sso/saml2/sp/slo/${providerId}`, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+	throw ctx.redirect(safeRedirectUrl);
+}
+async function handleLogoutRequest(ctx, sp, idp, relayState, providerId) {
+	const binding = ctx.method === "POST" && ctx.body?.SAMLRequest ? "post" : "redirect";
+	let parsed;
+	try {
+		parsed = await sp.parseLogoutRequest(idp, binding, {
+			body: ctx.body,
+			query: ctx.query
+		});
+	} catch (error) {
+		ctx.context.logger.error("LogoutRequest validation failed", { error });
+		throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.INVALID_LOGOUT_REQUEST);
+	}
+	if (!parsed?.extract) throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.INVALID_LOGOUT_REQUEST);
+	const { nameID } = parsed.extract;
+	const sessionIndex = parsed.extract.sessionIndex;
+	const key = `${SAML_SESSION_KEY_PREFIX}${providerId}:${nameID}`;
+	const stored = await ctx.context.internalAdapter.findVerificationValue(key);
+	if (stored) {
+		const data = safeJsonParse(stored.value);
+		if (data) if (!sessionIndex || !data.sessionIndex || sessionIndex === data.sessionIndex) {
+			await ctx.context.internalAdapter.deleteSession(data.sessionId).catch((e) => ctx.context.logger.warn("Failed to delete session during SLO", { error: e }));
+			await ctx.context.internalAdapter.deleteVerificationValue(`${SAML_SESSION_BY_ID_PREFIX}${data.sessionId}`).catch((e) => ctx.context.logger.warn("Failed to delete SAML session lookup during SLO", e));
+		} else ctx.context.logger.warn("SessionIndex mismatch in LogoutRequest - skipping session deletion", {
+			providerId,
+			requestedSessionIndex: sessionIndex,
+			storedSessionIndex: data.sessionIndex
+		});
+		await ctx.context.internalAdapter.deleteVerificationValue(key).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during SLO", e));
+	}
+	const currentSession = await getSessionFromCtx(ctx);
+	if (currentSession?.session) await ctx.context.internalAdapter.deleteSession(currentSession.session.id);
+	deleteSessionCookie(ctx);
+	const requestId = parsed.extract.request?.id || "";
+	const res = sp.createLogoutResponse(idp, null, binding, relayState || "", (template) => template.replace("{InResponseTo}", requestId).replace("{StatusCode}", SAML_STATUS_SUCCESS));
+	if (binding === "post" && res.entityEndpoint) return createSAMLPostForm(res.entityEndpoint, "SAMLResponse", res.context, relayState);
+	throw ctx.redirect(res.context);
+}
+const initiateSLO = (options) => {
+	return createAuthEndpoint("/sso/saml2/logout/:providerId", {
+		method: "POST",
+		body: z.object({ callbackURL: z.string().optional() }),
+		use: [sessionMiddleware],
+		metadata: HIDE_METADATA
+	}, async (ctx) => {
+		if (!options?.saml?.enableSingleLogout) throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.SINGLE_LOGOUT_NOT_ENABLED);
+		const { providerId } = ctx.params;
+		const callbackURL = ctx.body.callbackURL || ctx.context.baseURL;
+		const provider = await findSAMLProvider(providerId, options, ctx.context.adapter);
+		if (!provider?.samlConfig) throw APIError.from("NOT_FOUND", SAML_ERROR_CODES.SAML_PROVIDER_NOT_FOUND);
+		const config = provider.samlConfig;
+		if (!(config.idpMetadata?.singleLogoutService?.length || config.idpMetadata?.metadata && config.idpMetadata.metadata.includes("SingleLogoutService"))) throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.IDP_SLO_NOT_SUPPORTED);
+		const sp = createSP(config, ctx.context.baseURL, providerId, {
+			wantLogoutRequestSigned: options?.saml?.wantLogoutRequestSigned,
+			wantLogoutResponseSigned: options?.saml?.wantLogoutResponseSigned
+		});
+		const idp = createIdP(config);
+		const session = ctx.context.session;
+		const sessionLookupKey = `${SAML_SESSION_BY_ID_PREFIX}${session.session.id}`;
+		const sessionLookup = await ctx.context.internalAdapter.findVerificationValue(sessionLookupKey);
+		let nameID = session.user.email;
+		let sessionIndex;
+		let samlSessionKey;
+		if (sessionLookup) {
+			samlSessionKey = sessionLookup.value;
+			const stored = await ctx.context.internalAdapter.findVerificationValue(samlSessionKey);
+			if (stored) {
+				const data = safeJsonParse(stored.value);
+				if (data) {
+					nameID = data.nameID || nameID;
+					sessionIndex = data.sessionIndex;
+				}
+			}
+		}
+		const logoutRequest = sp.createLogoutRequest(idp, "redirect", {
+			logoutNameID: nameID,
+			sessionIndex,
+			relayState: callbackURL
+		});
+		const ttl = options?.saml?.logoutRequestTTL ?? DEFAULT_LOGOUT_REQUEST_TTL_MS;
+		await ctx.context.internalAdapter.createVerificationValue({
+			identifier: `${LOGOUT_REQUEST_KEY_PREFIX}${logoutRequest.id}`,
+			value: providerId,
+			expiresAt: new Date(Date.now() + ttl)
+		});
+		if (samlSessionKey) await ctx.context.internalAdapter.deleteVerificationValue(samlSessionKey).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during logout", e));
+		await ctx.context.internalAdapter.deleteVerificationValue(sessionLookupKey).catch((e) => ctx.context.logger.warn("Failed to delete session lookup key during logout", e));
+		await ctx.context.internalAdapter.deleteSession(session.session.id);
+		deleteSessionCookie(ctx);
+		throw ctx.redirect(logoutRequest.context);
+	});
+};
 //#endregion
 //#region src/index.ts
@@ -2874,16 +3248,23 @@ saml.setSchemaValidator({ async validate(xml) {
 * These endpoints receive POST requests from external Identity Providers,
 * which won't have a matching Origin header.
 */
-const SAML_SKIP_ORIGIN_CHECK_PATHS = ["/sso/saml2/callback", "/sso/saml2/sp/acs"];
+const SAML_SKIP_ORIGIN_CHECK_PATHS = [
+	"/sso/saml2/callback",
+	"/sso/saml2/sp/acs",
+	"/sso/saml2/sp/slo"
+];
 function sso(options) {
 	const optionsWithStore = options;
 	let endpoints = {
-		spMetadata: spMetadata(),
+		spMetadata: spMetadata(optionsWithStore),
 		registerSSOProvider: registerSSOProvider(optionsWithStore),
 		signInSSO: signInSSO(optionsWithStore),
 		callbackSSO: callbackSSO(optionsWithStore),
+		callbackSSOShared: callbackSSOShared(optionsWithStore),
 		callbackSSOSAML: callbackSSOSAML(optionsWithStore),
 		acsEndpoint: acsEndpoint(optionsWithStore),
+		sloEndpoint: sloEndpoint(optionsWithStore),
+		initiateSLO: initiateSLO(optionsWithStore),
 		listSSOProviders: listSSOProviders(),
 		getSSOProvider: getSSOProvider(),
 		updateSSOProvider: updateSSOProvider(optionsWithStore),
@@ -2907,21 +3288,39 @@ function sso(options) {
 			return { context: { skipOriginCheck: [...Array.isArray(existing) ? existing : [], ...SAML_SKIP_ORIGIN_CHECK_PATHS] } };
 		},
 		endpoints,
-		hooks: { after: [{
-			matcher(context) {
-				return context.path?.startsWith("/callback/") ?? false;
-			},
-			handler: createAuthMiddleware(async (ctx) => {
-				const newSession = ctx.context.newSession;
-				if (!newSession?.user) return;
-				if (!ctx.context.hasPlugin("organization")) return;
-				await assignOrganizationByDomain(ctx, {
-					user: newSession.user,
-					provisioningOptions: options?.organizationProvisioning,
-					domainVerification: options?.domainVerification
-				});
-			})
-		}] },
+		hooks: {
+			before: [{
+				matcher(context) {
+					return context.path === "/sign-out";
+				},
+				handler: createAuthMiddleware(async (ctx) => {
+					if (!options?.saml?.enableSingleLogout) return;
+					const session = await getSessionFromCtx(ctx);
+					if (!session?.session?.id) return;
+					const sessionLookupKey = `${SAML_SESSION_BY_ID_PREFIX}${session.session.id}`;
+					const sessionLookup = await ctx.context.internalAdapter.findVerificationValue(sessionLookupKey);
+					if (sessionLookup?.value) {
+						await ctx.context.internalAdapter.deleteVerificationValue(sessionLookup.value).catch(() => {});
+						await ctx.context.internalAdapter.deleteVerificationValue(sessionLookupKey).catch(() => {});
+					}
+				})
+			}],
+			after: [{
+				matcher(context) {
+					return context.path?.startsWith("/callback/") ?? false;
+				},
+				handler: createAuthMiddleware(async (ctx) => {
+					const newSession = ctx.context.newSession;
+					if (!newSession?.user) return;
+					if (!ctx.context.hasPlugin("organization")) return;
+					await assignOrganizationByDomain(ctx, {
+						user: newSession.user,
+						provisioningOptions: options?.organizationProvisioning,
+						domainVerification: options?.domainVerification
+					});
+				})
+			}]
+		},
 		schema: { ssoProvider: {
 			modelName: options?.modelName ?? "ssoProvider",
 			fields: {