@better-auth/sso 1.5.0-beta.6 → 1.5.0-beta.8

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/sso@1.5.0-beta.6 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.5.0-beta.8 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
 ℹ tsdown v0.19.0 powered by rolldown v1.0.0-beta.59
@@ -7,10 +7,10 @@
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             99.53 kB │ gzip: 19.50 kB
-ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
-ℹ dist/index.d.mts            1.67 kB │ gzip:  0.57 kB
-ℹ dist/client.d.mts           0.49 kB │ gzip:  0.30 kB
-ℹ dist/index-BLMoKtp1.d.mts  44.35 kB │ gzip:  9.16 kB
-ℹ 5 files, total: 146.19 kB
-✔ Build complete in 17523ms
+ℹ dist/index.mjs             104.03 kB │ gzip: 20.69 kB
+ℹ dist/client.mjs              0.15 kB │ gzip:  0.14 kB
+ℹ dist/index.d.mts             1.67 kB │ gzip:  0.57 kB
+ℹ dist/client.d.mts            0.49 kB │ gzip:  0.29 kB
+ℹ dist/index-BT0wtuq1.d.mts   44.48 kB │ gzip:  9.20 kB
+ℹ 5 files, total: 150.82 kB
+✔ Build complete in 17021ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-BLMoKtp1.mjs";
+import { t as SSOPlugin } from "./index-BT0wtuq1.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-BLMoKtp1.d.mts → index-BT0wtuq1.d.mts}

@@ -917,11 +917,14 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
   };
 }, never>;
 declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
-  method: "POST";
-  body: z.ZodObject<{
+  method: ("POST" | "GET")[];
+  body: z.ZodOptional<z.ZodObject<{
     SAMLResponse: z.ZodString;
     RelayState: z.ZodOptional<z.ZodString>;
-  }, z.core.$strip>;
+  }, z.core.$strip>>;
+  query: z.ZodOptional<z.ZodObject<{
+    RelayState: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>>;
   metadata: {
     allowedMediaTypes: string[];
     openapi: {

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-BLMoKtp1.mjs";
+import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-BT0wtuq1.mjs";
 export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs

@@ -1,15 +1,16 @@
-import { APIError, createAuthEndpoint, createAuthMiddleware, sessionMiddleware } from "better-auth/api";
+import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import * as saml from "samlify";
 import { generateRandomString } from "better-auth/crypto";
 import * as z$1 from "zod/v4";
 import z from "zod/v4";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
-import { HIDE_METADATA, createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
+import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
 import { base64 } from "@better-auth/utils/base64";
+import { APIError as APIError$1 } from "better-call";
 
 //#region src/linking/org-assignment.ts
 /**
@@ -922,6 +923,49 @@ function validateSingleAssertion(samlResponse) {
 	});
 }
 
+//#endregion
+//#region src/saml-state.ts
+async function generateRelayState(c, link, additionalData) {
+	const callbackURL = c.body.callbackURL;
+	if (!callbackURL) throw new APIError$1("BAD_REQUEST", { message: "callbackURL is required" });
+	const codeVerifier = generateRandomString(128);
+	const stateData = {
+		...additionalData ? additionalData : {},
+		callbackURL,
+		codeVerifier,
+		errorURL: c.body.errorCallbackURL,
+		newUserURL: c.body.newUserCallbackURL,
+		link,
+		expiresAt: Date.now() + 600 * 1e3,
+		requestSignUp: c.body.requestSignUp
+	};
+	try {
+		return generateGenericState(c, stateData, { cookieName: "relay_state" });
+	} catch (error) {
+		c.context.logger.error("Failed to create verification for relay state", error);
+		throw new APIError$1("INTERNAL_SERVER_ERROR", {
+			message: "State error: Unable to create verification for relay state",
+			cause: error
+		});
+	}
+}
+async function parseRelayState(c) {
+	const state = c.body.RelayState;
+	const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+	let parsedData;
+	try {
+		parsedData = await parseGenericState(c, state, { cookieName: "relay_state" });
+	} catch (error) {
+		c.context.logger.error("Failed to parse relay state", error);
+		throw new APIError$1("BAD_REQUEST", {
+			message: "State error: failed to validate relay state",
+			cause: error
+		});
+	}
+	if (!parsedData.errorURL) parsedData.errorURL = errorURL;
+	return parsedData;
+}
+
 //#endregion
 //#region src/utils.ts
 /**
@@ -1628,6 +1672,7 @@ const signInSSO = (options) => {
 			});
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
 			if (!loginRequest) throw new APIError("BAD_REQUEST", { message: "Invalid SAML request" });
+			const { state: relayState } = await generateRelayState(ctx, void 0, false);
 			if (loginRequest.id && options?.saml?.enableInResponseToValidation) {
 				const ttl = options?.saml?.requestTTL ?? DEFAULT_AUTHN_REQUEST_TTL_MS;
 				const record = {
@@ -1643,7 +1688,7 @@ const signInSSO = (options) => {
 				});
 			}
 			return ctx.json({
-				url: `${loginRequest.context}&RelayState=${encodeURIComponent(body.callbackURL)}`,
+				url: `${loginRequest.context}&RelayState=${encodeURIComponent(relayState)}`,
 				redirect: true
 			});
 		}
@@ -1825,17 +1870,46 @@ const callbackSSOSAMLBodySchema = z.object({
 	SAMLResponse: z.string(),
 	RelayState: z.string().optional()
 });
+/**
+* Validates and returns a safe redirect URL.
+* - Prevents open redirect attacks by validating against trusted origins
+* - Prevents redirect loops by checking if URL points to callback route
+* - Falls back to appOrigin if URL is invalid or unsafe
+*/
+const getSafeRedirectUrl = (url, callbackPath, appOrigin, isTrustedOrigin) => {
+	if (!url) return appOrigin;
+	if (url.startsWith("/") && !url.startsWith("//")) {
+		try {
+			const absoluteUrl = new URL(url, appOrigin);
+			if (absoluteUrl.origin !== appOrigin) return appOrigin;
+			const callbackPathname = new URL(callbackPath).pathname;
+			if (absoluteUrl.pathname === callbackPathname) return appOrigin;
+		} catch {
+			return appOrigin;
+		}
+		return url;
+	}
+	if (!isTrustedOrigin(url, { allowRelativePaths: false })) return appOrigin;
+	try {
+		const callbackPathname = new URL(callbackPath).pathname;
+		if (new URL(url).pathname === callbackPathname) return appOrigin;
+	} catch {
+		if (url === callbackPath || url.startsWith(`${callbackPath}?`)) return appOrigin;
+	}
+	return url;
+};
 const callbackSSOSAML = (options) => {
 	return createAuthEndpoint("/sso/saml2/callback/:providerId", {
-		method: "POST",
-		body: callbackSSOSAMLBodySchema,
+		method: ["GET", "POST"],
+		body: callbackSSOSAMLBodySchema.optional(),
+		query: z.object({ RelayState: z.string().optional() }).optional(),
 		metadata: {
 			...HIDE_METADATA,
 			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 			openapi: {
 				operationId: "handleSAMLCallback",
 				summary: "Callback URL for SAML provider",
-				description: "This endpoint is used as the callback URL for SAML providers.",
+				description: "This endpoint is used as the callback URL for SAML providers. Supports both GET and POST methods for IdP-initiated and SP-initiated flows.",
 				responses: {
 					"302": { description: "Redirects to the callback URL" },
 					"400": { description: "Invalid SAML response" },
@@ -1844,10 +1918,26 @@ const callbackSSOSAML = (options) => {
 			}
 		}
 	}, async (ctx) => {
-		const { SAMLResponse, RelayState } = ctx.body;
 		const { providerId } = ctx.params;
+		const appOrigin = new URL(ctx.context.baseURL).origin;
+		const errorURL = ctx.context.options.onAPIError?.errorURL || `${appOrigin}/error`;
+		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/callback/${providerId}`;
+		if (ctx.method === "GET" && !ctx.body?.SAMLResponse) {
+			if (!(await getSessionFromCtx(ctx))?.session) throw ctx.redirect(`${errorURL}?error=invalid_request`);
+			const relayState$1 = ctx.query?.RelayState;
+			const safeRedirectUrl$1 = getSafeRedirectUrl(relayState$1, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+			throw ctx.redirect(safeRedirectUrl$1);
+		}
+		if (!ctx.body?.SAMLResponse) throw new APIError("BAD_REQUEST", { message: "SAMLResponse is required for POST requests" });
+		const { SAMLResponse } = ctx.body;
 		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
 		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
+		let relayState = null;
+		if (ctx.body.RelayState) try {
+			relayState = await parseRelayState(ctx);
+		} catch {
+			relayState = null;
+		}
 		let provider = null;
 		if (options?.defaultSSO?.length) {
 			const matchingDefault = options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId);
@@ -1918,7 +2008,7 @@ const callbackSSOSAML = (options) => {
 		try {
 			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
 				SAMLResponse,
-				RelayState: RelayState || void 0
+				RelayState: ctx.body.RelayState || void 0
 			} });
 			if (!parsedResponse?.extract) throw new Error("Invalid SAML response structure");
 		} catch (error) {
@@ -1955,7 +2045,7 @@ const callbackSSOSAML = (options) => {
 						inResponseTo,
 						providerId: provider.providerId
 					});
-					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
 				}
 				if (storedRequest.providerId !== provider.providerId) {
@@ -1965,13 +2055,13 @@ const callbackSSOSAML = (options) => {
 						actualProvider: provider.providerId
 					});
 					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
 				}
 				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 			} else if (!allowIdpInitiated) {
 				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId: provider.providerId });
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
@@ -1998,7 +2088,7 @@ const callbackSSOSAML = (options) => {
 					issuer,
 					providerId: provider.providerId
 				});
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 				throw ctx.redirect(`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
 			}
 			await ctx.context.internalAdapter.createVerificationValue({
@@ -2032,7 +2122,7 @@ const callbackSSOSAML = (options) => {
 			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 		}
 		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
-		const callbackUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+		const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 		const result = await handleOAuthUserInfo(ctx, {
 			userInfo: {
 				email: userInfo.email,
@@ -2074,7 +2164,8 @@ const callbackSSOSAML = (options) => {
 			session,
 			user
 		});
-		throw ctx.redirect(callbackUrl);
+		const safeRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+		throw ctx.redirect(safeRedirectUrl);
 	});
 };
 const acsEndpointParamsSchema = z.object({ providerId: z.string().optional() });
@@ -2329,6 +2420,12 @@ saml.setSchemaValidator({ async validate(xml) {
 	if (XMLValidator.validate(xml, { allowBooleanAttributes: true }) === true) return "SUCCESS_VALIDATE_XML";
 	throw "ERR_INVALID_XML";
 } });
+/**
+* SAML endpoint paths that should skip origin check validation.
+* These endpoints receive POST requests from external Identity Providers,
+* which won't have a matching Origin header.
+*/
+const SAML_SKIP_ORIGIN_CHECK_PATHS = ["/sso/saml2/callback", "/sso/saml2/sp/acs"];
 function sso(options) {
 	const optionsWithStore = options;
 	let endpoints = {
@@ -2351,6 +2448,11 @@ function sso(options) {
 	}
 	return {
 		id: "sso",
+		init(ctx) {
+			const existing = ctx.skipOriginCheck;
+			if (existing === true) return {};
+			return { context: { skipOriginCheck: [...Array.isArray(existing) ? existing : [], ...SAML_SKIP_ORIGIN_CHECK_PATHS] } };
+		},
 		endpoints,
 		hooks: { after: [{
 			matcher(context) {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.5.0-beta.6",
+  "version": "1.5.0-beta.8",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -67,13 +67,13 @@
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.19.0",
-    "@better-auth/core": "1.5.0-beta.6",
-    "better-auth": "1.5.0-beta.6"
+    "better-auth": "1.5.0-beta.8",
+    "@better-auth/core": "1.5.0-beta.8"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.3.0",
-    "@better-auth/core": "1.5.0-beta.6",
-    "better-auth": "1.5.0-beta.6"
+    "@better-auth/core": "1.5.0-beta.8",
+    "better-auth": "1.5.0-beta.8"
   },
   "scripts": {
     "test": "vitest",

package/src/index.ts

@@ -103,6 +103,16 @@ export type SSOPlugin<O extends SSOOptions> = {
 			: {});
 };
 
+/**
+ * SAML endpoint paths that should skip origin check validation.
+ * These endpoints receive POST requests from external Identity Providers,
+ * which won't have a matching Origin header.
+ */
+const SAML_SKIP_ORIGIN_CHECK_PATHS = [
+	"/sso/saml2/callback", // SP-initiated SSO callback (prefix matches /callback/:providerId)
+	"/sso/saml2/sp/acs", // IdP-initiated SSO ACS (prefix matches /sp/acs/:providerId)
+];
+
 export function sso<
 	O extends SSOOptions & {
 		domainVerification?: { enabled: true };
@@ -148,6 +158,18 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 
 	return {
 		id: "sso",
+		init(ctx) {
+			const existing = ctx.skipOriginCheck;
+			if (existing === true) {
+				return {};
+			}
+			const existingPaths = Array.isArray(existing) ? existing : [];
+			return {
+				context: {
+					skipOriginCheck: [...existingPaths, ...SAML_SKIP_ORIGIN_CHECK_PATHS],
+				},
+			};
+		},
 		endpoints,
 		hooks: {
 			after: [

package/src/oidc.test.ts

@@ -7,7 +7,7 @@ import { afterAll, beforeAll, describe, expect, it } from "vitest";
 import { sso } from ".";
 import { ssoClient } from "./client";
 
-let server = new OAuth2Server();
+const server = new OAuth2Server();
 
 describe("SSO", async () => {
 	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =

package/src/routes/sso.ts

@@ -11,6 +11,7 @@ import {
 import {
 	APIError,
 	createAuthEndpoint,
+	getSessionFromCtx,
 	sessionMiddleware,
 } from "better-auth/api";
 import { setSessionCookie } from "better-auth/cookies";
@@ -52,6 +53,7 @@ import {
 	validateSAMLAlgorithms,
 	validateSingleAssertion,
 } from "../saml";
+import { generateRelayState, parseRelayState } from "../saml-state";
 import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "../types";
 import { safeJsonParse, validateEmailDomain } from "../utils";
 
@@ -165,6 +167,8 @@ const spMetadataQuerySchema = z.object({
 	format: z.enum(["xml", "json"]).default("xml"),
 });
 
+type RelayState = Awaited<ReturnType<typeof parseRelayState>>;
+
 export const spMetadata = () => {
 	return createAuthEndpoint(
 		"/sso/saml2/sp/metadata",
@@ -1293,6 +1297,12 @@ export const signInSSO = (options?: SSOOptions) => {
 					});
 				}
 
+				const { state: relayState } = await generateRelayState(
+					ctx,
+					undefined,
+					false,
+				);
+
 				const shouldSaveRequest =
 					loginRequest.id && options?.saml?.enableInResponseToValidation;
 				if (shouldSaveRequest) {
@@ -1311,9 +1321,7 @@ export const signInSSO = (options?: SSOOptions) => {
 				}
 
 				return ctx.json({
-					url: `${loginRequest.context}&RelayState=${encodeURIComponent(
-						body.callbackURL,
-					)}`,
+					url: `${loginRequest.context}&RelayState=${encodeURIComponent(relayState)}`,
 					redirect: true,
 				});
 			}
@@ -1683,12 +1691,71 @@ const callbackSSOSAMLBodySchema = z.object({
 	RelayState: z.string().optional(),
 });
 
+/**
+ * Validates and returns a safe redirect URL.
+ * - Prevents open redirect attacks by validating against trusted origins
+ * - Prevents redirect loops by checking if URL points to callback route
+ * - Falls back to appOrigin if URL is invalid or unsafe
+ */
+const getSafeRedirectUrl = (
+	url: string | undefined,
+	callbackPath: string,
+	appOrigin: string,
+	isTrustedOrigin: (
+		url: string,
+		settings?: { allowRelativePaths: boolean },
+	) => boolean,
+): string => {
+	if (!url) {
+		return appOrigin;
+	}
+
+	if (url.startsWith("/") && !url.startsWith("//")) {
+		try {
+			const absoluteUrl = new URL(url, appOrigin);
+			if (absoluteUrl.origin !== appOrigin) {
+				return appOrigin;
+			}
+			const callbackPathname = new URL(callbackPath).pathname;
+			if (absoluteUrl.pathname === callbackPathname) {
+				return appOrigin;
+			}
+		} catch {
+			return appOrigin;
+		}
+		return url;
+	}
+
+	if (!isTrustedOrigin(url, { allowRelativePaths: false })) {
+		return appOrigin;
+	}
+
+	try {
+		const callbackPathname = new URL(callbackPath).pathname;
+		const urlPathname = new URL(url).pathname;
+		if (urlPathname === callbackPathname) {
+			return appOrigin;
+		}
+	} catch {
+		if (url === callbackPath || url.startsWith(`${callbackPath}?`)) {
+			return appOrigin;
+		}
+	}
+
+	return url;
+};
+
 export const callbackSSOSAML = (options?: SSOOptions) => {
 	return createAuthEndpoint(
 		"/sso/saml2/callback/:providerId",
 		{
-			method: "POST",
-			body: callbackSSOSAMLBodySchema,
+			method: ["GET", "POST"],
+			body: callbackSSOSAMLBodySchema.optional(),
+			query: z
+				.object({
+					RelayState: z.string().optional(),
+				})
+				.optional(),
 			metadata: {
 				...HIDE_METADATA,
 				allowedMediaTypes: [
@@ -1699,7 +1766,7 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					operationId: "handleSAMLCallback",
 					summary: "Callback URL for SAML provider",
 					description:
-						"This endpoint is used as the callback URL for SAML providers.",
+						"This endpoint is used as the callback URL for SAML providers. Supports both GET and POST methods for IdP-initiated and SP-initiated flows.",
 					responses: {
 						"302": {
 							description: "Redirects to the callback URL",
@@ -1715,8 +1782,41 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			},
 		},
 		async (ctx) => {
-			const { SAMLResponse, RelayState } = ctx.body;
 			const { providerId } = ctx.params;
+			const appOrigin = new URL(ctx.context.baseURL).origin;
+			const errorURL =
+				ctx.context.options.onAPIError?.errorURL || `${appOrigin}/error`;
+			const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/callback/${providerId}`;
+
+			// Determine if this is a GET request by checking both method AND body presence
+			// When called via auth.api.*, ctx.method may not be reliable, so we also check for body
+			const isGetRequest = ctx.method === "GET" && !ctx.body?.SAMLResponse;
+
+			if (isGetRequest) {
+				const session = await getSessionFromCtx(ctx);
+
+				if (!session?.session) {
+					throw ctx.redirect(`${errorURL}?error=invalid_request`);
+				}
+
+				const relayState = ctx.query?.RelayState as string | undefined;
+				const safeRedirectUrl = getSafeRedirectUrl(
+					relayState,
+					currentCallbackPath,
+					appOrigin,
+					(url, settings) => ctx.context.isTrustedOrigin(url, settings),
+				);
+
+				throw ctx.redirect(safeRedirectUrl);
+			}
+
+			if (!ctx.body?.SAMLResponse) {
+				throw new APIError("BAD_REQUEST", {
+					message: "SAMLResponse is required for POST requests",
+				});
+			}
+
+			const { SAMLResponse } = ctx.body;
 
 			const maxResponseSize =
 				options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
@@ -1726,6 +1826,14 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 				});
 			}
 
+			let relayState: RelayState | null = null;
+			if (ctx.body.RelayState) {
+				try {
+					relayState = await parseRelayState(ctx);
+				} catch {
+					relayState = null;
+				}
+			}
 			let provider: SSOProvider<SSOOptions> | null = null;
 			if (options?.defaultSSO?.length) {
 				const matchingDefault = options.defaultSSO.find(
@@ -1846,7 +1954,7 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 				parsedResponse = await sp.parseLoginResponse(idp, "post", {
 					body: {
 						SAMLResponse,
-						RelayState: RelayState || undefined,
+						RelayState: ctx.body.RelayState || undefined,
 					},
 				});
 
@@ -1909,7 +2017,9 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 							{ inResponseTo, providerId: provider.providerId },
 						);
 						const redirectUrl =
-							RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+							relayState?.callbackURL ||
+							parsedSamlConfig.callbackUrl ||
+							ctx.context.baseURL;
 						throw ctx.redirect(
 							`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`,
 						);
@@ -1929,7 +2039,9 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 							`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`,
 						);
 						const redirectUrl =
-							RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+							relayState?.callbackURL ||
+							parsedSamlConfig.callbackUrl ||
+							ctx.context.baseURL;
 						throw ctx.redirect(
 							`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`,
 						);
@@ -1944,7 +2056,9 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 						{ providerId: provider.providerId },
 					);
 					const redirectUrl =
-						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+						relayState?.callbackURL ||
+						parsedSamlConfig.callbackUrl ||
+						ctx.context.baseURL;
 					throw ctx.redirect(
 						`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`,
 					);
@@ -1997,7 +2111,9 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 						},
 					);
 					const redirectUrl =
-						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+						relayState?.callbackURL ||
+						parsedSamlConfig.callbackUrl ||
+						ctx.context.baseURL;
 					throw ctx.redirect(
 						`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`,
 					);
@@ -2071,7 +2187,9 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					validateEmailDomain(userInfo.email as string, provider.domain));
 
 			const callbackUrl =
-				RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				relayState?.callbackURL ||
+				parsedSamlConfig.callbackUrl ||
+				ctx.context.baseURL;
 
 			const result = await handleOAuthUserInfo(ctx, {
 				userInfo: {
@@ -2122,7 +2240,14 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			});
 
 			await setSessionCookie(ctx, { session, user });
-			throw ctx.redirect(callbackUrl);
+
+			const safeRedirectUrl = getSafeRedirectUrl(
+				relayState?.callbackURL || parsedSamlConfig.callbackUrl,
+				currentCallbackPath,
+				appOrigin,
+				(url, settings) => ctx.context.isTrustedOrigin(url, settings),
+			);
+			throw ctx.redirect(safeRedirectUrl);
 		},
 	);
 };