@better-auth/sso 1.5.0-beta.8 → 1.5.0

package/dist/{index-BT0wtuq1.d.mts → index-BQp9TZiG.d.mts}

@@ -97,6 +97,10 @@ interface SAMLConfig {
       Binding: string;
       Location: string;
     }>;
+    singleLogoutService?: Array<{
+      Binding: string;
+      Location: string;
+    }>;
   } | undefined;
   spMetadata: {
     metadata?: string | undefined;
@@ -109,6 +113,7 @@ interface SAMLConfig {
     encPrivateKeyPass?: string | undefined;
   };
   wantAssertionsSigned?: boolean | undefined;
+  authnRequestsSigned?: boolean | undefined;
   signatureAlgorithm?: string | undefined;
   digestAlgorithm?: string | undefined;
   identifierFormat?: string | undefined;
@@ -278,12 +283,20 @@ interface SSOOptions {
      */
     enabled?: boolean;
     /**
-     * Prefix used to generate the domain verification token
+     * Prefix used to generate the domain verification token.
+     * An underscore is automatically prepended to follow DNS
+     * infrastructure subdomain conventions (RFC 8552), so do
+     * not include a leading underscore.
      *
-     * @default "better-auth-token-"
+     * @default "better-auth-token"
      */
     tokenPrefix?: string;
   };
+  /**
+   * A shared redirect URI used by all OIDC providers instead of
+   * per-provider callback URLs. Can be a path or a full URL.
+   */
+  redirectURI?: string;
   /**
    * SAML security options for AuthnRequest/InResponseTo validation.
    * This prevents unsolicited responses, replay attacks, and cross-provider injection.
@@ -379,6 +392,26 @@ interface SSOOptions {
      * @default 102400 (100KB)
      */
     maxMetadataSize?: number;
+    /**
+     * Enable SAML Single Logout
+     * @default false
+     */
+    enableSingleLogout?: boolean;
+    /**
+     * TTL for LogoutRequest records in milliseconds
+     * @default 300000 (5 minutes)
+     */
+    logoutRequestTTL?: number;
+    /**
+     * Require signed LogoutRequests from IdP
+     * @default false
+     */
+    wantLogoutRequestSigned?: boolean;
+    /**
+     * Require signed LogoutResponses from IdP
+     * @default false
+     */
+    wantLogoutResponseSigned?: boolean;
   };
 }
 //#endregion
@@ -481,6 +514,375 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
   }>)[];
 }, void>;
 //#endregion
+//#region src/routes/providers.d.ts
+declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/providers", {
+  method: "GET";
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+    session: {
+      session: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+      };
+      user: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      };
+    };
+  }>)[];
+  metadata: {
+    openapi: {
+      operationId: string;
+      summary: string;
+      description: string;
+      responses: {
+        "200": {
+          description: string;
+        };
+      };
+    };
+  };
+}, {
+  providers: {
+    providerId: string;
+    type: string;
+    issuer: string;
+    domain: string;
+    organizationId: string | null;
+    domainVerified: boolean;
+    oidcConfig: {
+      discoveryEndpoint: string;
+      clientIdLastFour: string;
+      pkce: boolean;
+      authorizationEndpoint: string | undefined;
+      tokenEndpoint: string | undefined;
+      userInfoEndpoint: string | undefined;
+      jwksEndpoint: string | undefined;
+      scopes: string[] | undefined;
+      tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+    } | undefined;
+    samlConfig: {
+      entryPoint: string;
+      callbackUrl: string;
+      audience: string | undefined;
+      wantAssertionsSigned: boolean | undefined;
+      authnRequestsSigned: boolean | undefined;
+      identifierFormat: string | undefined;
+      signatureAlgorithm: string | undefined;
+      digestAlgorithm: string | undefined;
+      certificate: {
+        fingerprintSha256: string;
+        notBefore: string;
+        notAfter: string;
+        publicKeyAlgorithm: string;
+      } | {
+        error: string;
+      };
+    } | undefined;
+    spMetadataUrl: string;
+  }[];
+}>;
+declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provider", {
+  method: "GET";
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+    session: {
+      session: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+      };
+      user: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      };
+    };
+  }>)[];
+  query: z.ZodObject<{
+    providerId: z.ZodString;
+  }, z.core.$strip>;
+  metadata: {
+    openapi: {
+      operationId: string;
+      summary: string;
+      description: string;
+      responses: {
+        "200": {
+          description: string;
+        };
+        "404": {
+          description: string;
+        };
+        "403": {
+          description: string;
+        };
+      };
+    };
+  };
+}, {
+  providerId: string;
+  type: string;
+  issuer: string;
+  domain: string;
+  organizationId: string | null;
+  domainVerified: boolean;
+  oidcConfig: {
+    discoveryEndpoint: string;
+    clientIdLastFour: string;
+    pkce: boolean;
+    authorizationEndpoint: string | undefined;
+    tokenEndpoint: string | undefined;
+    userInfoEndpoint: string | undefined;
+    jwksEndpoint: string | undefined;
+    scopes: string[] | undefined;
+    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+  } | undefined;
+  samlConfig: {
+    entryPoint: string;
+    callbackUrl: string;
+    audience: string | undefined;
+    wantAssertionsSigned: boolean | undefined;
+    authnRequestsSigned: boolean | undefined;
+    identifierFormat: string | undefined;
+    signatureAlgorithm: string | undefined;
+    digestAlgorithm: string | undefined;
+    certificate: {
+      fingerprintSha256: string;
+      notBefore: string;
+      notAfter: string;
+      publicKeyAlgorithm: string;
+    } | {
+      error: string;
+    };
+  } | undefined;
+  spMetadataUrl: string;
+}>;
+declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/update-provider", {
+  method: "POST";
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+    session: {
+      session: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+      };
+      user: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      };
+    };
+  }>)[];
+  body: z.ZodObject<{
+    issuer: z.ZodOptional<z.ZodString>;
+    domain: z.ZodOptional<z.ZodString>;
+    oidcConfig: z.ZodOptional<z.ZodObject<{
+      clientId: z.ZodOptional<z.ZodString>;
+      clientSecret: z.ZodOptional<z.ZodString>;
+      authorizationEndpoint: z.ZodOptional<z.ZodString>;
+      tokenEndpoint: z.ZodOptional<z.ZodString>;
+      userInfoEndpoint: z.ZodOptional<z.ZodString>;
+      tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
+        client_secret_post: "client_secret_post";
+        client_secret_basic: "client_secret_basic";
+      }>>;
+      jwksEndpoint: z.ZodOptional<z.ZodString>;
+      discoveryEndpoint: z.ZodOptional<z.ZodString>;
+      scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+      pkce: z.ZodOptional<z.ZodBoolean>;
+      overrideUserInfo: z.ZodOptional<z.ZodBoolean>;
+      mapping: z.ZodOptional<z.ZodObject<{
+        id: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        emailVerified: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        image: z.ZodOptional<z.ZodString>;
+        extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+      }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    samlConfig: z.ZodOptional<z.ZodObject<{
+      entryPoint: z.ZodOptional<z.ZodString>;
+      cert: z.ZodOptional<z.ZodString>;
+      callbackUrl: z.ZodOptional<z.ZodString>;
+      audience: z.ZodOptional<z.ZodString>;
+      idpMetadata: z.ZodOptional<z.ZodObject<{
+        metadata: z.ZodOptional<z.ZodString>;
+        entityID: z.ZodOptional<z.ZodString>;
+        cert: z.ZodOptional<z.ZodString>;
+        privateKey: z.ZodOptional<z.ZodString>;
+        privateKeyPass: z.ZodOptional<z.ZodString>;
+        isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
+        encPrivateKey: z.ZodOptional<z.ZodString>;
+        encPrivateKeyPass: z.ZodOptional<z.ZodString>;
+        singleSignOnService: z.ZodOptional<z.ZodArray<z.ZodObject<{
+          Binding: z.ZodString;
+          Location: z.ZodString;
+        }, z.core.$strip>>>;
+      }, z.core.$strip>>;
+      spMetadata: z.ZodOptional<z.ZodObject<{
+        metadata: z.ZodOptional<z.ZodString>;
+        entityID: z.ZodOptional<z.ZodString>;
+        binding: z.ZodOptional<z.ZodString>;
+        privateKey: z.ZodOptional<z.ZodString>;
+        privateKeyPass: z.ZodOptional<z.ZodString>;
+        isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
+        encPrivateKey: z.ZodOptional<z.ZodString>;
+        encPrivateKeyPass: z.ZodOptional<z.ZodString>;
+      }, z.core.$strip>>;
+      wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
+      authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
+      signatureAlgorithm: z.ZodOptional<z.ZodString>;
+      digestAlgorithm: z.ZodOptional<z.ZodString>;
+      identifierFormat: z.ZodOptional<z.ZodString>;
+      privateKey: z.ZodOptional<z.ZodString>;
+      decryptionPvk: z.ZodOptional<z.ZodString>;
+      additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+      mapping: z.ZodOptional<z.ZodObject<{
+        id: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        emailVerified: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        firstName: z.ZodOptional<z.ZodString>;
+        lastName: z.ZodOptional<z.ZodString>;
+        extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+      }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    providerId: z.ZodString;
+  }, z.core.$strip>;
+  metadata: {
+    openapi: {
+      operationId: string;
+      summary: string;
+      description: string;
+      responses: {
+        "200": {
+          description: string;
+        };
+        "404": {
+          description: string;
+        };
+        "403": {
+          description: string;
+        };
+      };
+    };
+  };
+}, {
+  providerId: string;
+  type: string;
+  issuer: string;
+  domain: string;
+  organizationId: string | null;
+  domainVerified: boolean;
+  oidcConfig: {
+    discoveryEndpoint: string;
+    clientIdLastFour: string;
+    pkce: boolean;
+    authorizationEndpoint: string | undefined;
+    tokenEndpoint: string | undefined;
+    userInfoEndpoint: string | undefined;
+    jwksEndpoint: string | undefined;
+    scopes: string[] | undefined;
+    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+  } | undefined;
+  samlConfig: {
+    entryPoint: string;
+    callbackUrl: string;
+    audience: string | undefined;
+    wantAssertionsSigned: boolean | undefined;
+    authnRequestsSigned: boolean | undefined;
+    identifierFormat: string | undefined;
+    signatureAlgorithm: string | undefined;
+    digestAlgorithm: string | undefined;
+    certificate: {
+      fingerprintSha256: string;
+      notBefore: string;
+      notAfter: string;
+      publicKeyAlgorithm: string;
+    } | {
+      error: string;
+    };
+  } | undefined;
+  spMetadataUrl: string;
+}>;
+declare const deleteSSOProvider: () => better_call0.StrictEndpoint<"/sso/delete-provider", {
+  method: "POST";
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+    session: {
+      session: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+      };
+      user: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      };
+    };
+  }>)[];
+  body: z.ZodObject<{
+    providerId: z.ZodString;
+  }, z.core.$strip>;
+  metadata: {
+    openapi: {
+      operationId: string;
+      summary: string;
+      description: string;
+      responses: {
+        "200": {
+          description: string;
+        };
+        "404": {
+          description: string;
+        };
+        "403": {
+          description: string;
+        };
+      };
+    };
+  };
+}, {
+  success: boolean;
+}>;
+//#endregion
 //#region src/routes/sso.d.ts
 interface TimestampValidationOptions {
   clockSkew?: number;
@@ -500,13 +902,13 @@ interface SAMLConditions {
  * @throws {APIError} If timestamps are invalid, expired, or not yet valid
  */
 declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
-declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
+declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
     providerId: z.ZodString;
     format: z.ZodDefault<z.ZodEnum<{
-      xml: "xml";
       json: "json";
+      xml: "xml";
     }>>;
   }, z.core.$strip>;
   metadata: {
@@ -582,6 +984,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
         encPrivateKeyPass: z.ZodOptional<z.ZodString>;
       }, z.core.$strip>;
       wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
+      authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
       signatureAlgorithm: z.ZodOptional<z.ZodString>;
       digestAlgorithm: z.ZodOptional<z.ZodString>;
       identifierFormat: z.ZodOptional<z.ZodString>;
@@ -901,7 +1304,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
     error: z.ZodOptional<z.ZodString>;
     error_description: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>;
-  allowedMediaTypes: string[];
+  allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
   metadata: {
     openapi: {
       operationId: string;
@@ -915,7 +1318,35 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
     };
     scope: "server";
   };
-}, never>;
+}, void>;
+/**
+ * Shared OIDC callback endpoint (no `:providerId` in path).
+ * Used when `options.redirectURI` is set — the `providerId` is read from
+ * the OAuth state instead of the URL path.
+ */
+declare const callbackSSOShared: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/callback", {
+  metadata: {
+    openapi: {
+      operationId: string;
+      summary: string;
+      description: string;
+      responses: {
+        "302": {
+          description: string;
+        };
+      };
+    };
+    scope: "server";
+  };
+  method: "GET";
+  query: z.ZodObject<{
+    code: z.ZodOptional<z.ZodString>;
+    state: z.ZodString;
+    error: z.ZodOptional<z.ZodString>;
+    error_description: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>;
+  allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
+}, void>;
 declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
   method: ("POST" | "GET")[];
   body: z.ZodOptional<z.ZodObject<{
@@ -948,9 +1379,6 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndp
 }, never>;
 declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: "POST";
-  params: z.ZodObject<{
-    providerId: z.ZodOptional<z.ZodString>;
-  }, z.core.$strip>;
   body: z.ZodObject<{
     SAMLResponse: z.ZodString;
     RelayState: z.ZodOptional<z.ZodString>;
@@ -970,6 +1398,59 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
     scope: "server";
   };
 }, never>;
+declare const sloEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/slo/:providerId", {
+  method: ("POST" | "GET")[];
+  body: z.ZodOptional<z.ZodObject<{
+    SAMLRequest: z.ZodOptional<z.ZodString>;
+    SAMLResponse: z.ZodOptional<z.ZodString>;
+    RelayState: z.ZodOptional<z.ZodString>;
+    SigAlg: z.ZodOptional<z.ZodString>;
+    Signature: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>>;
+  query: z.ZodOptional<z.ZodObject<{
+    SAMLRequest: z.ZodOptional<z.ZodString>;
+    SAMLResponse: z.ZodOptional<z.ZodString>;
+    RelayState: z.ZodOptional<z.ZodString>;
+    SigAlg: z.ZodOptional<z.ZodString>;
+    Signature: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>>;
+  metadata: {
+    allowedMediaTypes: string[];
+    scope: "server";
+  };
+}, void | Response>;
+declare const initiateSLO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/logout/:providerId", {
+  method: "POST";
+  body: z.ZodObject<{
+    callbackURL: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>;
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+    session: {
+      session: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+      };
+      user: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      };
+    };
+  }>)[];
+  metadata: {
+    readonly scope: "server";
+  };
+}, never>;
 //#endregion
 //#region src/constants.d.ts
 /**
@@ -1068,16 +1549,7 @@ interface OIDCDiscoveryDocument {
 /**
  * Error codes for OIDC discovery operations.
  */
-type DiscoveryErrorCode = /** Request to discovery endpoint timed out */
-"discovery_timeout"
-/** Discovery endpoint returned 404 or similar */ | "discovery_not_found"
-/** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json"
-/** Discovery URL is invalid or malformed */ | "discovery_invalid_url"
-/** Discovery URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin"
-/** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch"
-/** Discovery document is missing required fields */ | "discovery_incomplete"
-/** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method"
-/** Catch-all for unexpected errors */ | "discovery_unexpected_error";
+type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /** Discovery URL is invalid or malformed */ | "discovery_invalid_url" /** Discovery URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin" /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch" /** Discovery document is missing required fields */ | "discovery_incomplete" /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method" /** Catch-all for unexpected errors */ | "discovery_unexpected_error";
 /**
  * Custom error class for OIDC discovery failures.
  * Can be caught and mapped to APIError at the edge.
@@ -1242,56 +1714,12 @@ declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, exist
  * and validation. Specifically checks for:
  * - `tokenEndpoint` - required for exchanging authorization code for tokens
  * - `jwksEndpoint` - required for validating ID token signatures
- *
- * Note: `authorizationEndpoint` is handled separately in the sign-in flow,
- * so it's not checked here.
+ * - `authorizationEndpoint` - required for redirecting users to the IdP for login
  *
  * @param config - Partial OIDC config from the provider
  * @returns true if runtime discovery should be performed
  */
 declare function needsRuntimeDiscovery(config: Partial<HydratedOIDCConfig> | undefined): boolean;
 //#endregion
-//#region src/index.d.ts
-declare module "@better-auth/core" {
-  interface BetterAuthPluginRegistry<Auth, Context> {
-    sso: {
-      creator: typeof sso;
-    };
-  }
-}
-type DomainVerificationEndpoints = {
-  requestDomainVerification: ReturnType<typeof requestDomainVerification>;
-  verifyDomain: ReturnType<typeof verifyDomain>;
-};
-type SSOEndpoints<O extends SSOOptions> = {
-  spMetadata: ReturnType<typeof spMetadata>;
-  registerSSOProvider: ReturnType<typeof registerSSOProvider<O>>;
-  signInSSO: ReturnType<typeof signInSSO>;
-  callbackSSO: ReturnType<typeof callbackSSO>;
-  callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
-  acsEndpoint: ReturnType<typeof acsEndpoint>;
-};
-type SSOPlugin<O extends SSOOptions> = {
-  id: "sso";
-  endpoints: SSOEndpoints<O> & (O extends {
-    domainVerification: {
-      enabled: true;
-    };
-  } ? DomainVerificationEndpoints : {});
-};
-declare function sso<O extends SSOOptions & {
-  domainVerification?: {
-    enabled: true;
-  };
-}>(options?: O | undefined): {
-  id: "sso";
-  endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
-  schema: any;
-  options: O;
-};
-declare function sso<O extends SSOOptions>(options?: O | undefined): {
-  id: "sso";
-  endpoints: SSOEndpoints<O>;
-};
-//#endregion
-export { DataEncryptionAlgorithm as A, TimestampValidationOptions as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, SAMLConditions as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, DEFAULT_MAX_SAML_METADATA_SIZE as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, validateSAMLTimestamp as w, DEFAULT_MAX_SAML_RESPONSE_SIZE as x, DEFAULT_CLOCK_SKEW_MS as y };
+export { spMetadata as A, SSOOptions as B, callbackSSO as C, registerSSOProvider as D, initiateSLO as E, updateSSOProvider as F, DigestAlgorithm as G, AlgorithmValidationOptions as H, requestDomainVerification as I, KeyEncryptionAlgorithm as K, verifyDomain as L, deleteSSOProvider as M, getSSOProvider as N, signInSSO as O, listSSOProviders as P, OIDCConfig as R, acsEndpoint as S, callbackSSOShared as T, DataEncryptionAlgorithm as U, SSOProvider as V, DeprecatedAlgorithmBehavior as W, DEFAULT_CLOCK_SKEW_MS as _, normalizeDiscoveryUrls as a, SAMLConditions as b, validateDiscoveryDocument as c, DiscoveryError as d, DiscoveryErrorCode as f, RequiredDiscoveryField as g, REQUIRED_DISCOVERY_FIELDS as h, needsRuntimeDiscovery as i, validateSAMLTimestamp as j, sloEndpoint as k, validateDiscoveryUrl as l, OIDCDiscoveryDocument as m, discoverOIDCConfig as n, normalizeUrl as o, HydratedOIDCConfig as p, SignatureAlgorithm as q, fetchDiscoveryDocument as r, selectTokenEndpointAuthMethod as s, computeDiscoveryUrl as t, DiscoverOIDCConfigParams as u, DEFAULT_MAX_SAML_METADATA_SIZE as v, callbackSSOSAML as w, TimestampValidationOptions as x, DEFAULT_MAX_SAML_RESPONSE_SIZE as y, SAMLConfig as z };
+//# sourceMappingURL=index-BQp9TZiG.d.mts.map