@better-auth/sso 1.5.0-beta.8 → 1.5.0

package/dist/index.mjs

@@ -1,17 +1,123 @@
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
-import * as saml from "samlify";
+import saml from "samlify";
+import { X509Certificate } from "node:crypto";
 import { generateRandomString } from "better-auth/crypto";
 import * as z$1 from "zod/v4";
 import z from "zod/v4";
+import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
-import { setSessionCookie } from "better-auth/cookies";
+import { deleteSessionCookie, setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
-import { base64 } from "@better-auth/utils/base64";
-import { APIError as APIError$1 } from "better-call";
+import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
+
+//#region src/constants.ts
+/**
+* SAML Constants
+*
+* Centralized constants for SAML SSO functionality.
+*/
+/** Prefix for AuthnRequest IDs used in InResponseTo validation */
+const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
+/** Prefix for used Assertion IDs used in replay protection */
+const USED_ASSERTION_KEY_PREFIX = "saml-used-assertion:";
+/** Prefix for SAML session data (NameID + SessionIndex) for SLO */
+const SAML_SESSION_KEY_PREFIX = "saml-session:";
+/** Prefix for reverse lookup of SAML session by Better Auth session ID */
+const SAML_SESSION_BY_ID_PREFIX = "saml-session-by-id:";
+/** Prefix for LogoutRequest IDs used in SP-initiated SLO validation */
+const LOGOUT_REQUEST_KEY_PREFIX = "saml-logout-request:";
+/**
+* Default TTL for AuthnRequest records (5 minutes).
+* This should be sufficient for most IdPs while protecting against stale requests.
+*/
+const DEFAULT_AUTHN_REQUEST_TTL_MS = 300 * 1e3;
+/**
+* Default TTL for used assertion records (15 minutes).
+* This should match the maximum expected NotOnOrAfter window plus clock skew.
+*/
+const DEFAULT_ASSERTION_TTL_MS = 900 * 1e3;
+/**
+* Default TTL for LogoutRequest records (5 minutes).
+* Should be sufficient for IdP to process and respond.
+*/
+const DEFAULT_LOGOUT_REQUEST_TTL_MS = 300 * 1e3;
+/**
+* Default clock skew tolerance (5 minutes).
+* Allows for minor time differences between IdP and SP servers.
+*
+* Accommodates:
+* - Network latency and processing time
+* - Clock synchronization differences (NTP drift)
+* - Distributed systems across timezones
+*/
+const DEFAULT_CLOCK_SKEW_MS = 300 * 1e3;
+/**
+* Default maximum size for SAML responses (256 KB).
+* Protects against memory exhaustion from oversized SAML payloads.
+*/
+const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
+/**
+* Default maximum size for IdP metadata (100 KB).
+* Protects against oversized metadata documents.
+*/
+const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
+const SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
+
+//#endregion
+//#region src/utils.ts
+/**
+* Safely parses a value that might be a JSON string or already a parsed object.
+* This handles cases where ORMs like Drizzle might return already parsed objects
+* instead of JSON strings from TEXT/JSON columns.
+*
+* @param value - The value to parse (string, object, null, or undefined)
+* @returns The parsed object or null
+* @throws Error if string parsing fails
+*/
+function safeJsonParse(value) {
+	if (!value) return null;
+	if (typeof value === "object") return value;
+	if (typeof value === "string") try {
+		return JSON.parse(value);
+	} catch (error) {
+		throw new Error(`Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
+	return null;
+}
+/**
+* Checks if a domain matches any domain in a comma-separated list.
+*/
+const domainMatches = (searchDomain, domainList) => {
+	const search = searchDomain.toLowerCase();
+	return domainList.split(",").map((d) => d.trim().toLowerCase()).filter(Boolean).some((d) => search === d || search.endsWith(`.${d}`));
+};
+/**
+* Validates email domain against allowed domain(s).
+* Supports comma-separated domains for multi-domain SSO.
+*/
+const validateEmailDomain = (email, domain) => {
+	const emailDomain = email.split("@")[1]?.toLowerCase();
+	if (!emailDomain || !domain) return false;
+	return domainMatches(emailDomain, domain);
+};
+function parseCertificate(certPem) {
+	const cert = new X509Certificate(certPem.includes("-----BEGIN") ? certPem : `-----BEGIN CERTIFICATE-----\n${certPem}\n-----END CERTIFICATE-----`);
+	return {
+		fingerprintSha256: cert.fingerprint256,
+		notBefore: cert.validFrom,
+		notAfter: cert.validTo,
+		publicKeyAlgorithm: cert.publicKey.asymmetricKeyType?.toUpperCase() || "UNKNOWN"
+	};
+}
+function maskClientId(clientId) {
+	if (clientId.length <= 4) return "****";
+	return `****${clientId.slice(-4)}`;
+}
 
+//#endregion
 //#region src/linking/org-assignment.ts
 /**
 * Assigns a user to an organization based on the SSO provider's organizationId.
@@ -21,7 +127,7 @@ async function assignOrganizationFromProvider(ctx, options) {
 	const { user, profile, provider, token, provisioningOptions } = options;
 	if (!provider.organizationId) return;
 	if (provisioningOptions?.disabled) return;
-	if (!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) return;
+	if (!ctx.context.hasPlugin("organization")) return;
 	if (await ctx.context.adapter.findOne({
 		model: "member",
 		where: [{
@@ -59,7 +165,7 @@ async function assignOrganizationFromProvider(ctx, options) {
 async function assignOrganizationByDomain(ctx, options) {
 	const { user, provisioningOptions, domainVerification } = options;
 	if (provisioningOptions?.disabled) return;
-	if (!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) return;
+	if (!ctx.context.hasPlugin("organization")) return;
 	const domain = user.email.split("@")[1];
 	if (!domain) return;
 	const whereClause = [{
@@ -70,10 +176,17 @@ async function assignOrganizationByDomain(ctx, options) {
 		field: "domainVerified",
 		value: true
 	});
-	const ssoProvider = await ctx.context.adapter.findOne({
+	let ssoProvider = await ctx.context.adapter.findOne({
 		model: "ssoProvider",
 		where: whereClause
 	});
+	if (!ssoProvider) ssoProvider = (await ctx.context.adapter.findMany({
+		model: "ssoProvider",
+		where: domainVerification?.enabled ? [{
+			field: "domainVerified",
+			value: true
+		}] : []
+	})).find((p) => domainMatches(domain, p.domain)) ?? null;
 	if (!ssoProvider || !ssoProvider.organizationId) return;
 	if (await ctx.context.adapter.findOne({
 		model: "member",
@@ -103,7 +216,12 @@ async function assignOrganizationByDomain(ctx, options) {
 
 //#endregion
 //#region src/routes/domain-verification.ts
+const DNS_LABEL_MAX_LENGTH = 63;
+const DEFAULT_TOKEN_PREFIX = "better-auth-token";
 const domainVerificationBodySchema = z$1.object({ providerId: z$1.string() });
+function getVerificationIdentifier(options, providerId) {
+	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
+}
 const requestDomainVerification = (options) => {
 	return createAuthEndpoint("/sso/request-domain-verification", {
 		method: "POST",
@@ -151,11 +269,12 @@ const requestDomainVerification = (options) => {
 			message: "Domain has already been verified",
 			code: "DOMAIN_VERIFIED"
 		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
 		const activeVerification = await ctx.context.adapter.findOne({
 			model: "verification",
 			where: [{
 				field: "identifier",
-				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+				value: identifier
 			}, {
 				field: "expiresAt",
 				value: /* @__PURE__ */ new Date(),
@@ -170,7 +289,7 @@ const requestDomainVerification = (options) => {
 		await ctx.context.adapter.create({
 			model: "verification",
 			data: {
-				identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+				identifier,
 				createdAt: /* @__PURE__ */ new Date(),
 				updatedAt: /* @__PURE__ */ new Date(),
 				value: domainVerificationToken,
@@ -229,11 +348,16 @@ const verifyDomain = (options) => {
 			message: "Domain has already been verified",
 			code: "DOMAIN_VERIFIED"
 		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
+		if (identifier.length > DNS_LABEL_MAX_LENGTH) throw new APIError("BAD_REQUEST", {
+			message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
+			code: "IDENTIFIER_TOO_LONG"
+		});
 		const activeVerification = await ctx.context.adapter.findOne({
 			model: "verification",
 			where: [{
 				field: "identifier",
-				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+				value: identifier
 			}, {
 				field: "expiresAt",
 				value: /* @__PURE__ */ new Date(),
@@ -256,7 +380,8 @@ const verifyDomain = (options) => {
 			});
 		}
 		try {
-			records = (await dns.resolveTxt(new URL(provider.domain).hostname)).flat();
+			const hostname = new URL(provider.domain).hostname;
+			records = (await dns.resolveTxt(`${identifier}.${hostname}`)).flat();
 		} catch (error) {
 			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
 		}
@@ -277,110 +402,699 @@ const verifyDomain = (options) => {
 };
 
 //#endregion
-//#region src/constants.ts
-/**
-* SAML Constants
-*
-* Centralized constants for SAML SSO functionality.
-*/
-/** Prefix for AuthnRequest IDs used in InResponseTo validation */
-const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
-/** Prefix for used Assertion IDs used in replay protection */
-const USED_ASSERTION_KEY_PREFIX = "saml-used-assertion:";
-/**
-* Default TTL for AuthnRequest records (5 minutes).
-* This should be sufficient for most IdPs while protecting against stale requests.
-*/
-const DEFAULT_AUTHN_REQUEST_TTL_MS = 300 * 1e3;
-/**
-* Default TTL for used assertion records (15 minutes).
-* This should match the maximum expected NotOnOrAfter window plus clock skew.
-*/
-const DEFAULT_ASSERTION_TTL_MS = 900 * 1e3;
-/**
-* Default clock skew tolerance (5 minutes).
-* Allows for minor time differences between IdP and SP servers.
-*
-* Accommodates:
-* - Network latency and processing time
-* - Clock synchronization differences (NTP drift)
-* - Distributed systems across timezones
-*/
-const DEFAULT_CLOCK_SKEW_MS = 300 * 1e3;
-/**
-* Default maximum size for SAML responses (256 KB).
-* Protects against memory exhaustion from oversized SAML payloads.
-*/
-const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
-/**
-* Default maximum size for IdP metadata (100 KB).
-* Protects against oversized metadata documents.
-*/
-const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
+//#region src/saml/parser.ts
+const xmlParser = new XMLParser({
+	ignoreAttributes: false,
+	attributeNamePrefix: "@_",
+	removeNSPrefix: true,
+	processEntities: false
+});
+function findNode(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return null;
+	const record = obj;
+	if (nodeName in record) return record[nodeName];
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
+		const found = findNode(item, nodeName);
+		if (found) return found;
+	}
+	else if (typeof value === "object" && value !== null) {
+		const found = findNode(value, nodeName);
+		if (found) return found;
+	}
+	return null;
+}
+function countAllNodes(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return 0;
+	let count = 0;
+	const record = obj;
+	if (nodeName in record) {
+		const node = record[nodeName];
+		count += Array.isArray(node) ? node.length : 1;
+	}
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
+	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
+	return count;
+}
 
 //#endregion
-//#region src/oidc/types.ts
-/**
-* Custom error class for OIDC discovery failures.
-* Can be caught and mapped to APIError at the edge.
-*/
-var DiscoveryError = class DiscoveryError extends Error {
-	code;
-	details;
-	constructor(code, message, details, options) {
-		super(message, options);
-		this.name = "DiscoveryError";
-		this.code = code;
-		this.details = details;
-		if (Error.captureStackTrace) Error.captureStackTrace(this, DiscoveryError);
-	}
+//#region src/saml/algorithms.ts
+const SignatureAlgorithm = {
+	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
+	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
+	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
 };
-/**
-* Required fields that must be present in a valid discovery document.
-*/
-const REQUIRED_DISCOVERY_FIELDS = [
-	"issuer",
-	"authorization_endpoint",
-	"token_endpoint",
-	"jwks_uri"
+const DigestAlgorithm = {
+	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
+	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
+	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
+};
+const KeyEncryptionAlgorithm = {
+	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
+	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
+};
+const DataEncryptionAlgorithm = {
+	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
+	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
+	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
+	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
+	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
+	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
+};
+const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
+const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
+const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
+const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
+const SECURE_SIGNATURE_ALGORITHMS = [
+	SignatureAlgorithm.RSA_SHA256,
+	SignatureAlgorithm.RSA_SHA384,
+	SignatureAlgorithm.RSA_SHA512,
+	SignatureAlgorithm.ECDSA_SHA256,
+	SignatureAlgorithm.ECDSA_SHA384,
+	SignatureAlgorithm.ECDSA_SHA512
 ];
-
-//#endregion
-//#region src/oidc/discovery.ts
-/**
-* OIDC Discovery Pipeline
-*
-* Implements OIDC discovery document fetching, validation, and hydration.
-* This module is used both at provider registration time (to persist validated config)
-* and at runtime (to hydrate legacy providers that are missing metadata).
-*
-* @see https://openid.net/specs/openid-connect-discovery-1_0.html
-*/
-/** Default timeout for discovery requests (10 seconds) */
-const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
-/**
-* Main entry point: Discover and hydrate OIDC configuration from an issuer.
-*
-* This function:
-* 1. Computes the discovery URL from the issuer
-* 2. Validates the discovery URL
-* 3. Fetches the discovery document
-* 4. Validates the discovery document (issuer match + required fields)
-* 5. Normalizes URLs
-* 6. Selects token endpoint auth method
-* 7. Merges with existing config (existing values take precedence)
-*
-* @param params - Discovery parameters
-* @param isTrustedOrigin - Origin verification tester function
-* @returns Hydrated OIDC configuration ready for persistence
-* @throws DiscoveryError on any failure
-*/
-async function discoverOIDCConfig(params) {
-	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
-	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
-	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
-	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
-	validateDiscoveryDocument(discoveryDoc, issuer);
+const SECURE_DIGEST_ALGORITHMS = [
+	DigestAlgorithm.SHA256,
+	DigestAlgorithm.SHA384,
+	DigestAlgorithm.SHA512
+];
+const SHORT_FORM_SIGNATURE_TO_URI = {
+	sha1: SignatureAlgorithm.RSA_SHA1,
+	sha256: SignatureAlgorithm.RSA_SHA256,
+	sha384: SignatureAlgorithm.RSA_SHA384,
+	sha512: SignatureAlgorithm.RSA_SHA512,
+	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
+	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
+	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
+	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
+	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
+	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
+	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
+};
+const SHORT_FORM_DIGEST_TO_URI = {
+	sha1: DigestAlgorithm.SHA1,
+	sha256: DigestAlgorithm.SHA256,
+	sha384: DigestAlgorithm.SHA384,
+	sha512: DigestAlgorithm.SHA512
+};
+function normalizeSignatureAlgorithm(alg) {
+	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
+}
+function normalizeDigestAlgorithm(alg) {
+	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
+}
+function extractEncryptionAlgorithms(xml) {
+	try {
+		const parsed = xmlParser.parse(xml);
+		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
+		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
+		return {
+			keyEncryption: keyAlg || null,
+			dataEncryption: dataAlg || null
+		};
+	} catch {
+		return {
+			keyEncryption: null,
+			dataEncryption: null
+		};
+	}
+}
+function hasEncryptedAssertion(xml) {
+	try {
+		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
+	} catch {
+		return false;
+	}
+}
+function handleDeprecatedAlgorithm(message, behavior, errorCode) {
+	switch (behavior) {
+		case "reject": throw new APIError("BAD_REQUEST", {
+			message,
+			code: errorCode
+		});
+		case "warn":
+			console.warn(`[SAML Security Warning] ${message}`);
+			break;
+		case "allow": break;
+	}
+}
+function validateSignatureAlgorithm(algorithm, options = {}) {
+	if (!algorithm) return;
+	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
+	if (allowedSignatureAlgorithms) {
+		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
+			code: "SAML_ALGORITHM_NOT_ALLOWED"
+		});
+		return;
+	}
+	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
+		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+		return;
+	}
+	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+		message: `SAML signature algorithm not recognized: ${algorithm}`,
+		code: "SAML_UNKNOWN_ALGORITHM"
+	});
+}
+function validateEncryptionAlgorithms(algorithms, options = {}) {
+	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
+	const { keyEncryption, dataEncryption } = algorithms;
+	if (keyEncryption) {
+		if (allowedKeyEncryptionAlgorithms) {
+			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+	if (dataEncryption) {
+		if (allowedDataEncryptionAlgorithms) {
+			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+}
+function validateSAMLAlgorithms(response, options) {
+	validateSignatureAlgorithm(response.sigAlg, options);
+	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
+}
+function validateConfigAlgorithms(config, options = {}) {
+	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
+	if (config.signatureAlgorithm) {
+		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
+		if (allowedSignatureAlgorithms) {
+			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
+		});
+	}
+	if (config.digestAlgorithm) {
+		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
+		if (allowedDigestAlgorithms) {
+			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
+		});
+	}
+}
+
+//#endregion
+//#region src/saml/assertions.ts
+/** @lintignore used in tests */
+function countAssertions(xml) {
+	let parsed;
+	try {
+		parsed = xmlParser.parse(xml);
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Failed to parse SAML response XML",
+			code: "SAML_INVALID_XML"
+		});
+	}
+	const assertions = countAllNodes(parsed, "Assertion");
+	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
+	return {
+		assertions,
+		encryptedAssertions,
+		total: assertions + encryptedAssertions
+	};
+}
+function validateSingleAssertion(samlResponse) {
+	let xml;
+	try {
+		xml = new TextDecoder().decode(base64.decode(samlResponse));
+		if (!xml.includes("<")) throw new Error("Not XML");
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Invalid base64-encoded SAML response",
+			code: "SAML_INVALID_ENCODING"
+		});
+	}
+	const counts = countAssertions(xml);
+	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
+		message: "SAML response contains no assertions",
+		code: "SAML_NO_ASSERTION"
+	});
+	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
+		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
+		code: "SAML_MULTIPLE_ASSERTIONS"
+	});
+}
+
+//#endregion
+//#region src/routes/schemas.ts
+const oidcMappingSchema = z.object({
+	id: z.string().optional(),
+	email: z.string().optional(),
+	emailVerified: z.string().optional(),
+	name: z.string().optional(),
+	image: z.string().optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const samlMappingSchema = z.object({
+	id: z.string().optional(),
+	email: z.string().optional(),
+	emailVerified: z.string().optional(),
+	name: z.string().optional(),
+	firstName: z.string().optional(),
+	lastName: z.string().optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const oidcConfigSchema = z.object({
+	clientId: z.string().optional(),
+	clientSecret: z.string().optional(),
+	authorizationEndpoint: z.string().url().optional(),
+	tokenEndpoint: z.string().url().optional(),
+	userInfoEndpoint: z.string().url().optional(),
+	tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
+	jwksEndpoint: z.string().url().optional(),
+	discoveryEndpoint: z.string().url().optional(),
+	scopes: z.array(z.string()).optional(),
+	pkce: z.boolean().optional(),
+	overrideUserInfo: z.boolean().optional(),
+	mapping: oidcMappingSchema
+});
+const samlConfigSchema = z.object({
+	entryPoint: z.string().url().optional(),
+	cert: z.string().optional(),
+	callbackUrl: z.string().url().optional(),
+	audience: z.string().optional(),
+	idpMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		cert: z.string().optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional(),
+		singleSignOnService: z.array(z.object({
+			Binding: z.string(),
+			Location: z.string().url()
+		})).optional()
+	}).optional(),
+	spMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		binding: z.string().optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional()
+	}).optional(),
+	wantAssertionsSigned: z.boolean().optional(),
+	authnRequestsSigned: z.boolean().optional(),
+	signatureAlgorithm: z.string().optional(),
+	digestAlgorithm: z.string().optional(),
+	identifierFormat: z.string().optional(),
+	privateKey: z.string().optional(),
+	decryptionPvk: z.string().optional(),
+	additionalParams: z.record(z.string(), z.any()).optional(),
+	mapping: samlMappingSchema
+});
+const updateSSOProviderBodySchema = z.object({
+	issuer: z.string().url().optional(),
+	domain: z.string().optional(),
+	oidcConfig: oidcConfigSchema.optional(),
+	samlConfig: samlConfigSchema.optional()
+});
+
+//#endregion
+//#region src/routes/providers.ts
+const ADMIN_ROLES = ["owner", "admin"];
+async function isOrgAdmin(ctx, userId, organizationId) {
+	const member = await ctx.context.adapter.findOne({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationId
+		}]
+	});
+	if (!member) return false;
+	return member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()));
+}
+async function batchCheckOrgAdmin(ctx, userId, organizationIds) {
+	if (organizationIds.length === 0) return /* @__PURE__ */ new Set();
+	const members = await ctx.context.adapter.findMany({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationIds,
+			operator: "in"
+		}]
+	});
+	const adminOrgIds = /* @__PURE__ */ new Set();
+	for (const member of members) if (member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()))) adminOrgIds.add(member.organizationId);
+	return adminOrgIds;
+}
+function sanitizeProvider(provider, baseURL) {
+	let oidcConfig = null;
+	let samlConfig = null;
+	try {
+		oidcConfig = safeJsonParse(provider.oidcConfig);
+	} catch {
+		oidcConfig = null;
+	}
+	try {
+		samlConfig = safeJsonParse(provider.samlConfig);
+	} catch {
+		samlConfig = null;
+	}
+	const type = samlConfig ? "saml" : "oidc";
+	return {
+		providerId: provider.providerId,
+		type,
+		issuer: provider.issuer,
+		domain: provider.domain,
+		organizationId: provider.organizationId || null,
+		domainVerified: provider.domainVerified ?? false,
+		oidcConfig: oidcConfig ? {
+			discoveryEndpoint: oidcConfig.discoveryEndpoint,
+			clientIdLastFour: maskClientId(oidcConfig.clientId),
+			pkce: oidcConfig.pkce,
+			authorizationEndpoint: oidcConfig.authorizationEndpoint,
+			tokenEndpoint: oidcConfig.tokenEndpoint,
+			userInfoEndpoint: oidcConfig.userInfoEndpoint,
+			jwksEndpoint: oidcConfig.jwksEndpoint,
+			scopes: oidcConfig.scopes,
+			tokenEndpointAuthentication: oidcConfig.tokenEndpointAuthentication
+		} : void 0,
+		samlConfig: samlConfig ? {
+			entryPoint: samlConfig.entryPoint,
+			callbackUrl: samlConfig.callbackUrl,
+			audience: samlConfig.audience,
+			wantAssertionsSigned: samlConfig.wantAssertionsSigned,
+			authnRequestsSigned: samlConfig.authnRequestsSigned,
+			identifierFormat: samlConfig.identifierFormat,
+			signatureAlgorithm: samlConfig.signatureAlgorithm,
+			digestAlgorithm: samlConfig.digestAlgorithm,
+			certificate: (() => {
+				try {
+					return parseCertificate(samlConfig.cert);
+				} catch {
+					return { error: "Failed to parse certificate" };
+				}
+			})()
+		} : void 0,
+		spMetadataUrl: `${baseURL}/sso/saml2/sp/metadata?providerId=${encodeURIComponent(provider.providerId)}`
+	};
+}
+const listSSOProviders = () => {
+	return createAuthEndpoint("/sso/providers", {
+		method: "GET",
+		use: [sessionMiddleware],
+		metadata: { openapi: {
+			operationId: "listSSOProviders",
+			summary: "List SSO providers",
+			description: "Returns a list of SSO providers the user has access to",
+			responses: { "200": { description: "List of SSO providers" } }
+		} }
+	}, async (ctx) => {
+		const userId = ctx.context.session.user.id;
+		const allProviders = await ctx.context.adapter.findMany({ model: "ssoProvider" });
+		const userOwnedProviders = allProviders.filter((p) => p.userId === userId && !p.organizationId);
+		const orgProviders = allProviders.filter((p) => p.organizationId !== null && p.organizationId !== void 0);
+		const orgPluginEnabled = ctx.context.hasPlugin("organization");
+		let accessibleProviders = [...userOwnedProviders];
+		if (orgPluginEnabled && orgProviders.length > 0) {
+			const adminOrgIds = await batchCheckOrgAdmin(ctx, userId, [...new Set(orgProviders.map((p) => p.organizationId).filter((id) => id !== null && id !== void 0))]);
+			const orgAccessibleProviders = orgProviders.filter((provider) => provider.organizationId && adminOrgIds.has(provider.organizationId));
+			accessibleProviders = [...accessibleProviders, ...orgAccessibleProviders];
+		} else if (!orgPluginEnabled) {
+			const userOwnedOrgProviders = orgProviders.filter((p) => p.userId === userId);
+			accessibleProviders = [...accessibleProviders, ...userOwnedOrgProviders];
+		}
+		const providers = accessibleProviders.map((p) => sanitizeProvider(p, ctx.context.baseURL));
+		return ctx.json({ providers });
+	});
+};
+const getSSOProviderQuerySchema = z.object({ providerId: z.string() });
+async function checkProviderAccess(ctx, providerId) {
+	const userId = ctx.context.session.user.id;
+	const provider = await ctx.context.adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	});
+	if (!provider) throw new APIError("NOT_FOUND", { message: "Provider not found" });
+	let hasAccess = false;
+	if (provider.organizationId) if (ctx.context.hasPlugin("organization")) hasAccess = await isOrgAdmin(ctx, userId, provider.organizationId);
+	else hasAccess = provider.userId === userId;
+	else hasAccess = provider.userId === userId;
+	if (!hasAccess) throw new APIError("FORBIDDEN", { message: "You don't have access to this provider" });
+	return provider;
+}
+const getSSOProvider = () => {
+	return createAuthEndpoint("/sso/get-provider", {
+		method: "GET",
+		use: [sessionMiddleware],
+		query: getSSOProviderQuerySchema,
+		metadata: { openapi: {
+			operationId: "getSSOProvider",
+			summary: "Get SSO provider details",
+			description: "Returns sanitized details for a specific SSO provider",
+			responses: {
+				"200": { description: "SSO provider details" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.query;
+		const provider = await checkProviderAccess(ctx, providerId);
+		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL));
+	});
+};
+function parseAndValidateConfig(configString, configType) {
+	let config = null;
+	try {
+		config = safeJsonParse(configString);
+	} catch {
+		config = null;
+	}
+	if (!config) throw new APIError("BAD_REQUEST", { message: `Cannot update ${configType} config for a provider that doesn't have ${configType} configured` });
+	return config;
+}
+function mergeSAMLConfig(current, updates, issuer) {
+	return {
+		...current,
+		...updates,
+		issuer,
+		entryPoint: updates.entryPoint ?? current.entryPoint,
+		cert: updates.cert ?? current.cert,
+		callbackUrl: updates.callbackUrl ?? current.callbackUrl,
+		spMetadata: updates.spMetadata ?? current.spMetadata,
+		idpMetadata: updates.idpMetadata ?? current.idpMetadata,
+		mapping: updates.mapping ?? current.mapping,
+		audience: updates.audience ?? current.audience,
+		wantAssertionsSigned: updates.wantAssertionsSigned ?? current.wantAssertionsSigned,
+		authnRequestsSigned: updates.authnRequestsSigned ?? current.authnRequestsSigned,
+		identifierFormat: updates.identifierFormat ?? current.identifierFormat,
+		signatureAlgorithm: updates.signatureAlgorithm ?? current.signatureAlgorithm,
+		digestAlgorithm: updates.digestAlgorithm ?? current.digestAlgorithm
+	};
+}
+function mergeOIDCConfig(current, updates, issuer) {
+	return {
+		...current,
+		...updates,
+		issuer,
+		pkce: updates.pkce ?? current.pkce ?? true,
+		clientId: updates.clientId ?? current.clientId,
+		clientSecret: updates.clientSecret ?? current.clientSecret,
+		discoveryEndpoint: updates.discoveryEndpoint ?? current.discoveryEndpoint,
+		mapping: updates.mapping ?? current.mapping,
+		scopes: updates.scopes ?? current.scopes,
+		authorizationEndpoint: updates.authorizationEndpoint ?? current.authorizationEndpoint,
+		tokenEndpoint: updates.tokenEndpoint ?? current.tokenEndpoint,
+		userInfoEndpoint: updates.userInfoEndpoint ?? current.userInfoEndpoint,
+		jwksEndpoint: updates.jwksEndpoint ?? current.jwksEndpoint,
+		tokenEndpointAuthentication: updates.tokenEndpointAuthentication ?? current.tokenEndpointAuthentication
+	};
+}
+const updateSSOProvider = (options) => {
+	return createAuthEndpoint("/sso/update-provider", {
+		method: "POST",
+		use: [sessionMiddleware],
+		body: updateSSOProviderBodySchema.extend({ providerId: z.string() }),
+		metadata: { openapi: {
+			operationId: "updateSSOProvider",
+			summary: "Update SSO provider",
+			description: "Partially update an SSO provider. Only provided fields are updated. If domain changes, domainVerified is reset to false.",
+			responses: {
+				"200": { description: "SSO provider updated successfully" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId, ...body } = ctx.body;
+		const { issuer, domain, samlConfig, oidcConfig } = body;
+		if (!issuer && !domain && !samlConfig && !oidcConfig) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
+		const existingProvider = await checkProviderAccess(ctx, providerId);
+		const updateData = {};
+		if (body.issuer !== void 0) updateData.issuer = body.issuer;
+		if (body.domain !== void 0) {
+			updateData.domain = body.domain;
+			if (body.domain !== existingProvider.domain) updateData.domainVerified = false;
+		}
+		if (body.samlConfig) {
+			if (body.samlConfig.idpMetadata?.metadata) {
+				const maxMetadataSize = options?.saml?.maxMetadataSize ?? DEFAULT_MAX_SAML_METADATA_SIZE;
+				if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
+			}
+			if (body.samlConfig.signatureAlgorithm !== void 0 || body.samlConfig.digestAlgorithm !== void 0) validateConfigAlgorithms({
+				signatureAlgorithm: body.samlConfig.signatureAlgorithm,
+				digestAlgorithm: body.samlConfig.digestAlgorithm
+			}, options?.saml?.algorithms);
+			const currentSamlConfig = parseAndValidateConfig(existingProvider.samlConfig, "SAML");
+			const updatedSamlConfig = mergeSAMLConfig(currentSamlConfig, body.samlConfig, updateData.issuer || currentSamlConfig.issuer || existingProvider.issuer);
+			updateData.samlConfig = JSON.stringify(updatedSamlConfig);
+		}
+		if (body.oidcConfig) {
+			const currentOidcConfig = parseAndValidateConfig(existingProvider.oidcConfig, "OIDC");
+			const updatedOidcConfig = mergeOIDCConfig(currentOidcConfig, body.oidcConfig, updateData.issuer || currentOidcConfig.issuer || existingProvider.issuer);
+			updateData.oidcConfig = JSON.stringify(updatedOidcConfig);
+		}
+		await ctx.context.adapter.update({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}],
+			update: updateData
+		});
+		const fullProvider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
+		});
+		if (!fullProvider) throw new APIError("NOT_FOUND", { message: "Provider not found after update" });
+		return ctx.json(sanitizeProvider(fullProvider, ctx.context.baseURL));
+	});
+};
+const deleteSSOProvider = () => {
+	return createAuthEndpoint("/sso/delete-provider", {
+		method: "POST",
+		use: [sessionMiddleware],
+		body: z.object({ providerId: z.string() }),
+		metadata: { openapi: {
+			operationId: "deleteSSOProvider",
+			summary: "Delete SSO provider",
+			description: "Deletes an SSO provider",
+			responses: {
+				"200": { description: "SSO provider deleted successfully" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.body;
+		await checkProviderAccess(ctx, providerId);
+		await ctx.context.adapter.delete({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
+		});
+		return ctx.json({ success: true });
+	});
+};
+
+//#endregion
+//#region src/oidc/types.ts
+/**
+* Custom error class for OIDC discovery failures.
+* Can be caught and mapped to APIError at the edge.
+*/
+var DiscoveryError = class DiscoveryError extends Error {
+	code;
+	details;
+	constructor(code, message, details, options) {
+		super(message, options);
+		this.name = "DiscoveryError";
+		this.code = code;
+		this.details = details;
+		if (Error.captureStackTrace) Error.captureStackTrace(this, DiscoveryError);
+	}
+};
+/**
+* Required fields that must be present in a valid discovery document.
+*/
+const REQUIRED_DISCOVERY_FIELDS = [
+	"issuer",
+	"authorization_endpoint",
+	"token_endpoint",
+	"jwks_uri"
+];
+
+//#endregion
+//#region src/oidc/discovery.ts
+/**
+* OIDC Discovery Pipeline
+*
+* Implements OIDC discovery document fetching, validation, and hydration.
+* This module is used both at provider registration time (to persist validated config)
+* and at runtime (to hydrate legacy providers that are missing metadata).
+*
+* @see https://openid.net/specs/openid-connect-discovery-1_0.html
+*/
+/** Default timeout for discovery requests (10 seconds) */
+const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
+/**
+* Main entry point: Discover and hydrate OIDC configuration from an issuer.
+*
+* This function:
+* 1. Computes the discovery URL from the issuer
+* 2. Validates the discovery URL
+* 3. Fetches the discovery document
+* 4. Validates the discovery document (issuer match + required fields)
+* 5. Normalizes URLs
+* 6. Selects token endpoint auth method
+* 7. Merges with existing config (existing values take precedence)
+*
+* @param params - Discovery parameters
+* @param isTrustedOrigin - Origin verification tester function
+* @returns Hydrated OIDC configuration ready for persistence
+* @throws DiscoveryError on any failure
+*/
+async function discoverOIDCConfig(params) {
+	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
+	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
+	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
+	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
+	validateDiscoveryDocument(discoveryDoc, issuer);
 	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
 	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
 	return {
@@ -581,16 +1295,35 @@ function selectTokenEndpointAuthMethod(doc, existing) {
 * and validation. Specifically checks for:
 * - `tokenEndpoint` - required for exchanging authorization code for tokens
 * - `jwksEndpoint` - required for validating ID token signatures
-*
-* Note: `authorizationEndpoint` is handled separately in the sign-in flow,
-* so it's not checked here.
+* - `authorizationEndpoint` - required for redirecting users to the IdP for login
 *
 * @param config - Partial OIDC config from the provider
 * @returns true if runtime discovery should be performed
 */
 function needsRuntimeDiscovery(config) {
 	if (!config) return true;
-	return !config.tokenEndpoint || !config.jwksEndpoint;
+	return !config.tokenEndpoint || !config.jwksEndpoint || !config.authorizationEndpoint;
+}
+/**
+* Runs runtime OIDC discovery when the stored config is missing required
+* endpoints, and merges the hydrated fields back into the config.
+* Throws if discovery fails.
+*/
+async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
+	if (!needsRuntimeDiscovery(config)) return config;
+	const hydrated = await discoverOIDCConfig({
+		issuer,
+		existingConfig: config,
+		isTrustedOrigin
+	});
+	return {
+		...config,
+		authorizationEndpoint: hydrated.authorizationEndpoint,
+		tokenEndpoint: hydrated.tokenEndpoint,
+		tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
+		userInfoEndpoint: hydrated.userInfoEndpoint,
+		jwksEndpoint: hydrated.jwksEndpoint
+	};
 }
 
 //#endregion
@@ -663,271 +1396,23 @@ function mapDiscoveryErrorToAPIError(error) {
 			});
 	}
 }
-
-//#endregion
-//#region src/saml/parser.ts
-const xmlParser = new XMLParser({
-	ignoreAttributes: false,
-	attributeNamePrefix: "@_",
-	removeNSPrefix: true,
-	processEntities: false
-});
-function findNode(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return null;
-	const record = obj;
-	if (nodeName in record) return record[nodeName];
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
-		const found = findNode(item, nodeName);
-		if (found) return found;
-	}
-	else if (typeof value === "object" && value !== null) {
-		const found = findNode(value, nodeName);
-		if (found) return found;
-	}
-	return null;
-}
-function countAllNodes(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return 0;
-	let count = 0;
-	const record = obj;
-	if (nodeName in record) {
-		const node = record[nodeName];
-		count += Array.isArray(node) ? node.length : 1;
-	}
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
-	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
-	return count;
-}
-
-//#endregion
-//#region src/saml/algorithms.ts
-const SignatureAlgorithm = {
-	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
-	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
-	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
-	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
-	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
-	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
-};
-const DigestAlgorithm = {
-	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
-	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
-	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
-	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
-};
-const KeyEncryptionAlgorithm = {
-	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
-	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
-	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
-};
-const DataEncryptionAlgorithm = {
-	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
-	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
-	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
-	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
-	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
-	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
-	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
-};
-const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
-const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
-const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
-const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
-const SECURE_SIGNATURE_ALGORITHMS = [
-	SignatureAlgorithm.RSA_SHA256,
-	SignatureAlgorithm.RSA_SHA384,
-	SignatureAlgorithm.RSA_SHA512,
-	SignatureAlgorithm.ECDSA_SHA256,
-	SignatureAlgorithm.ECDSA_SHA384,
-	SignatureAlgorithm.ECDSA_SHA512
-];
-const SECURE_DIGEST_ALGORITHMS = [
-	DigestAlgorithm.SHA256,
-	DigestAlgorithm.SHA384,
-	DigestAlgorithm.SHA512
-];
-const SHORT_FORM_SIGNATURE_TO_URI = {
-	sha1: SignatureAlgorithm.RSA_SHA1,
-	sha256: SignatureAlgorithm.RSA_SHA256,
-	sha384: SignatureAlgorithm.RSA_SHA384,
-	sha512: SignatureAlgorithm.RSA_SHA512,
-	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
-	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
-	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
-	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
-	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
-	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
-	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
-};
-const SHORT_FORM_DIGEST_TO_URI = {
-	sha1: DigestAlgorithm.SHA1,
-	sha256: DigestAlgorithm.SHA256,
-	sha384: DigestAlgorithm.SHA384,
-	sha512: DigestAlgorithm.SHA512
-};
-function normalizeSignatureAlgorithm(alg) {
-	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
-}
-function normalizeDigestAlgorithm(alg) {
-	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
-}
-function extractEncryptionAlgorithms(xml) {
-	try {
-		const parsed = xmlParser.parse(xml);
-		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
-		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
-		return {
-			keyEncryption: keyAlg || null,
-			dataEncryption: dataAlg || null
-		};
-	} catch {
-		return {
-			keyEncryption: null,
-			dataEncryption: null
-		};
-	}
-}
-function hasEncryptedAssertion(xml) {
-	try {
-		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
-	} catch {
-		return false;
-	}
-}
-function handleDeprecatedAlgorithm(message, behavior, errorCode) {
-	switch (behavior) {
-		case "reject": throw new APIError("BAD_REQUEST", {
-			message,
-			code: errorCode
-		});
-		case "warn":
-			console.warn(`[SAML Security Warning] ${message}`);
-			break;
-		case "allow": break;
-	}
-}
-function validateSignatureAlgorithm(algorithm, options = {}) {
-	if (!algorithm) return;
-	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
-	if (allowedSignatureAlgorithms) {
-		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
-			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
-			code: "SAML_ALGORITHM_NOT_ALLOWED"
-		});
-		return;
-	}
-	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
-		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-		return;
-	}
-	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
-		message: `SAML signature algorithm not recognized: ${algorithm}`,
-		code: "SAML_UNKNOWN_ALGORITHM"
-	});
-}
-function validateEncryptionAlgorithms(algorithms, options = {}) {
-	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
-	const { keyEncryption, dataEncryption } = algorithms;
-	if (keyEncryption) {
-		if (allowedKeyEncryptionAlgorithms) {
-			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
-				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
-			});
-		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-	}
-	if (dataEncryption) {
-		if (allowedDataEncryptionAlgorithms) {
-			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
-				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
-			});
-		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-	}
-}
-function validateSAMLAlgorithms(response, options) {
-	validateSignatureAlgorithm(response.sigAlg, options);
-	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
-}
-function validateConfigAlgorithms(config, options = {}) {
-	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
-	if (config.signatureAlgorithm) {
-		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
-		if (allowedSignatureAlgorithms) {
-			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
-				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
-			});
-		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
-		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
-			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
-			code: "SAML_UNKNOWN_ALGORITHM"
-		});
-	}
-	if (config.digestAlgorithm) {
-		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
-		if (allowedDigestAlgorithms) {
-			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
-				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
-			});
-		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
-		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
-			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
-			code: "SAML_UNKNOWN_ALGORITHM"
-		});
-	}
-}
-
-//#endregion
-//#region src/saml/assertions.ts
-/** @lintignore used in tests */
-function countAssertions(xml) {
-	let parsed;
-	try {
-		parsed = xmlParser.parse(xml);
-	} catch {
-		throw new APIError("BAD_REQUEST", {
-			message: "Failed to parse SAML response XML",
-			code: "SAML_INVALID_XML"
-		});
-	}
-	const assertions = countAllNodes(parsed, "Assertion");
-	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
-	return {
-		assertions,
-		encryptedAssertions,
-		total: assertions + encryptedAssertions
-	};
-}
-function validateSingleAssertion(samlResponse) {
-	let xml;
-	try {
-		xml = new TextDecoder().decode(base64.decode(samlResponse));
-		if (!xml.includes("<")) throw new Error("Not XML");
-	} catch {
-		throw new APIError("BAD_REQUEST", {
-			message: "Invalid base64-encoded SAML response",
-			code: "SAML_INVALID_ENCODING"
-		});
-	}
-	const counts = countAssertions(xml);
-	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
-		message: "SAML response contains no assertions",
-		code: "SAML_NO_ASSERTION"
-	});
-	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
-		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
-		code: "SAML_MULTIPLE_ASSERTIONS"
-	});
-}
+
+//#endregion
+//#region src/saml/error-codes.ts
+const SAML_ERROR_CODES = defineErrorCodes({
+	SINGLE_LOGOUT_NOT_ENABLED: "Single Logout is not enabled",
+	INVALID_LOGOUT_RESPONSE: "Invalid LogoutResponse",
+	INVALID_LOGOUT_REQUEST: "Invalid LogoutRequest",
+	LOGOUT_FAILED_AT_IDP: "Logout failed at IdP",
+	IDP_SLO_NOT_SUPPORTED: "IdP does not support Single Logout Service",
+	SAML_PROVIDER_NOT_FOUND: "SAML provider not found"
+});
 
 //#endregion
 //#region src/saml-state.ts
 async function generateRelayState(c, link, additionalData) {
 	const callbackURL = c.body.callbackURL;
-	if (!callbackURL) throw new APIError$1("BAD_REQUEST", { message: "callbackURL is required" });
+	if (!callbackURL) throw new APIError("BAD_REQUEST", { message: "callbackURL is required" });
 	const codeVerifier = generateRandomString(128);
 	const stateData = {
 		...additionalData ? additionalData : {},
@@ -943,7 +1428,7 @@ async function generateRelayState(c, link, additionalData) {
 		return generateGenericState(c, stateData, { cookieName: "relay_state" });
 	} catch (error) {
 		c.context.logger.error("Failed to create verification for relay state", error);
-		throw new APIError$1("INTERNAL_SERVER_ERROR", {
+		throw new APIError("INTERNAL_SERVER_ERROR", {
 			message: "State error: Unable to create verification for relay state",
 			cause: error
 		});
@@ -957,7 +1442,7 @@ async function parseRelayState(c) {
 		parsedData = await parseGenericState(c, state, { cookieName: "relay_state" });
 	} catch (error) {
 		c.context.logger.error("Failed to parse relay state", error);
-		throw new APIError$1("BAD_REQUEST", {
+		throw new APIError("BAD_REQUEST", {
 			message: "State error: failed to validate relay state",
 			cause: error
 		});
@@ -967,36 +1452,101 @@ async function parseRelayState(c) {
 }
 
 //#endregion
-//#region src/utils.ts
-/**
-* Safely parses a value that might be a JSON string or already a parsed object.
-* This handles cases where ORMs like Drizzle might return already parsed objects
-* instead of JSON strings from TEXT/JSON columns.
-*
-* @param value - The value to parse (string, object, null, or undefined)
-* @returns The parsed object or null
-* @throws Error if string parsing fails
-*/
-function safeJsonParse(value) {
-	if (!value) return null;
-	if (typeof value === "object") return value;
-	if (typeof value === "string") try {
-		return JSON.parse(value);
-	} catch (error) {
-		throw new Error(`Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`);
+//#region src/routes/helpers.ts
+async function findSAMLProvider(providerId, options, adapter) {
+	if (options?.defaultSSO?.length) {
+		const match = options.defaultSSO.find((p) => p.providerId === providerId);
+		if (match) return {
+			...match,
+			userId: "default",
+			issuer: match.samlConfig?.issuer || "",
+			...options.domainVerification?.enabled ? { domainVerified: true } : {}
+		};
 	}
-	return null;
+	const res = await adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	});
+	if (!res) return null;
+	return {
+		...res,
+		samlConfig: res.samlConfig ? safeJsonParse(res.samlConfig) || void 0 : void 0
+	};
+}
+function createSP(config, baseURL, providerId, sloOptions) {
+	const sloLocation = `${baseURL}/sso/saml2/sp/slo/${providerId}`;
+	return saml.ServiceProvider({
+		entityID: config.spMetadata?.entityID || config.issuer,
+		assertionConsumerService: [{
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+			Location: config.callbackUrl || `${baseURL}/sso/saml2/sp/acs/${providerId}`
+		}],
+		singleLogoutService: [{
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+			Location: sloLocation
+		}, {
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+			Location: sloLocation
+		}],
+		wantMessageSigned: config.wantAssertionsSigned || false,
+		wantLogoutRequestSigned: sloOptions?.wantLogoutRequestSigned ?? false,
+		wantLogoutResponseSigned: sloOptions?.wantLogoutResponseSigned ?? false,
+		metadata: config.spMetadata?.metadata,
+		privateKey: config.spMetadata?.privateKey || config.privateKey,
+		privateKeyPass: config.spMetadata?.privateKeyPass
+	});
+}
+function createIdP(config) {
+	const idpData = config.idpMetadata;
+	if (idpData?.metadata) return saml.IdentityProvider({
+		metadata: idpData.metadata,
+		privateKey: idpData.privateKey,
+		privateKeyPass: idpData.privateKeyPass,
+		encPrivateKey: idpData.encPrivateKey,
+		encPrivateKeyPass: idpData.encPrivateKeyPass
+	});
+	return saml.IdentityProvider({
+		entityID: idpData?.entityID || config.issuer,
+		singleSignOnService: idpData?.singleSignOnService || [{
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+			Location: config.entryPoint
+		}],
+		singleLogoutService: idpData?.singleLogoutService,
+		signingCert: idpData?.cert || config.cert
+	});
+}
+function escapeHtml(str) {
+	if (!str) return "";
+	return String(str).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function createSAMLPostForm(action, samlParam, samlValue, relayState) {
+	const safeAction = escapeHtml(action);
+	const safeSamlParam = escapeHtml(samlParam);
+	const safeSamlValue = escapeHtml(samlValue);
+	const safeRelayState = relayState ? escapeHtml(relayState) : void 0;
+	const html = `<!DOCTYPE html><html><body onload="document.forms[0].submit();"><form method="POST" action="${safeAction}"><input type="hidden" name="${safeSamlParam}" value="${safeSamlValue}" />${safeRelayState ? `<input type="hidden" name="RelayState" value="${safeRelayState}" />` : ""}<noscript><input type="submit" value="Continue" /></noscript></form></body></html>`;
+	return new Response(html, { headers: { "Content-Type": "text/html" } });
 }
-const validateEmailDomain = (email, domain) => {
-	const emailDomain = email.split("@")[1]?.toLowerCase();
-	const providerDomain = domain.toLowerCase();
-	if (!emailDomain || !providerDomain) return false;
-	return emailDomain === providerDomain || emailDomain.endsWith(`.${providerDomain}`);
-};
 
 //#endregion
 //#region src/routes/sso.ts
 /**
+* Builds the OIDC redirect URI. Uses the shared `redirectURI` option
+* when set, otherwise falls back to `/sso/callback/:providerId`.
+*/
+function getOIDCRedirectURI(baseURL, providerId, options) {
+	if (options?.redirectURI?.trim()) try {
+		new URL(options.redirectURI);
+		return options.redirectURI;
+	} catch {
+		return `${baseURL}${options.redirectURI.startsWith("/") ? options.redirectURI : `/${options.redirectURI}`}`;
+	}
+	return `${baseURL}/sso/callback/${providerId}`;
+}
+/**
 * Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
 * Prevents acceptance of expired or future-dated assertions.
 * @throws {APIError} If timestamps are invalid, expired, or not yet valid
@@ -1060,7 +1610,7 @@ const spMetadataQuerySchema = z.object({
 	providerId: z.string(),
 	format: z.enum(["xml", "json"]).default("xml")
 });
-const spMetadata = () => {
+const spMetadata = (options) => {
 	return createAuthEndpoint("/sso/saml2/sp/metadata", {
 		method: "GET",
 		query: spMetadataQuerySchema,
@@ -1081,13 +1631,23 @@ const spMetadata = () => {
 		if (!provider) throw new APIError("NOT_FOUND", { message: "No provider found for the given providerId" });
 		const parsedSamlConfig = safeJsonParse(provider.samlConfig);
 		if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
+		const sloLocation = `${ctx.context.baseURL}/sso/saml2/sp/slo/${ctx.query.providerId}`;
+		const singleLogoutService = options?.saml?.enableSingleLogout ? [{
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+			Location: sloLocation
+		}, {
+			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+			Location: sloLocation
+		}] : void 0;
 		const sp = parsedSamlConfig.spMetadata.metadata ? saml.ServiceProvider({ metadata: parsedSamlConfig.spMetadata.metadata }) : saml.SPMetadata({
 			entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
 			assertionConsumerService: [{
 				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 				Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`
 			}],
+			singleLogoutService,
 			wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+			authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 			nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
 		});
 		return new Response(sp.getMetadata(), { headers: { "Content-Type": "application/xml" } });
@@ -1096,7 +1656,7 @@ const spMetadata = () => {
 const ssoProviderBodySchema = z.object({
 	providerId: z.string({}).meta({ description: "The ID of the provider. This is used to identify the provider during login and callback" }),
 	issuer: z.string({}).meta({ description: "The issuer of the provider" }),
-	domain: z.string({}).meta({ description: "The domain of the provider. This is used for email matching" }),
+	domain: z.string({}).meta({ description: "The domain(s) of the provider. For enterprise multi-domain SSO where a single IdP serves multiple email domains, use comma-separated values (e.g., 'company.com,subsidiary.com,acquired-company.com')" }),
 	oidcConfig: z.object({
 		clientId: z.string({}).meta({ description: "The client ID" }),
 		clientSecret: z.string({}).meta({ description: "The client secret" }),
@@ -1148,6 +1708,7 @@ const ssoProviderBodySchema = z.object({
 			encPrivateKeyPass: z.string().optional()
 		}),
 		wantAssertionsSigned: z.boolean().optional(),
+		authnRequestsSigned: z.boolean().optional(),
 		signatureAlgorithm: z.string().optional(),
 		digestAlgorithm: z.string().optional(),
 		identifierFormat: z.string().optional(),
@@ -1450,6 +2011,7 @@ const registerSSOProvider = (options) => {
 					idpMetadata: body.samlConfig.idpMetadata,
 					spMetadata: body.samlConfig.spMetadata,
 					wantAssertionsSigned: body.samlConfig.wantAssertionsSigned,
+					authnRequestsSigned: body.samlConfig.authnRequestsSigned,
 					signatureAlgorithm: body.samlConfig.signatureAlgorithm,
 					digestAlgorithm: body.samlConfig.digestAlgorithm,
 					identifierFormat: body.samlConfig.identifierFormat,
@@ -1471,7 +2033,7 @@ const registerSSOProvider = (options) => {
 			await ctx.context.adapter.create({
 				model: "verification",
 				data: {
-					identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+					identifier: getVerificationIdentifier(options, provider.providerId),
 					createdAt: /* @__PURE__ */ new Date(),
 					updatedAt: /* @__PURE__ */ new Date(),
 					value: domainVerificationToken,
@@ -1483,7 +2045,7 @@ const registerSSOProvider = (options) => {
 			...provider,
 			oidcConfig: safeJsonParse(provider.oidcConfig),
 			samlConfig: safeJsonParse(provider.samlConfig),
-			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
+			redirectURI: getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options),
 			...options?.domainVerification?.enabled ? { domainVerified } : {},
 			...options?.domainVerification?.enabled ? { domainVerificationToken } : {}
 		};
@@ -1595,20 +2157,33 @@ const signInSSO = (options) => {
 			};
 		}
 		if (!providerId && !orgId && !domain) throw new APIError("BAD_REQUEST", { message: "providerId, orgId or domain is required" });
-		if (!provider) provider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: providerId ? "providerId" : orgId ? "organizationId" : "domain",
-				value: providerId || orgId || domain
-			}]
-		}).then((res) => {
-			if (!res) return null;
-			return {
-				...res,
-				oidcConfig: res.oidcConfig ? safeJsonParse(res.oidcConfig) || void 0 : void 0,
-				samlConfig: res.samlConfig ? safeJsonParse(res.samlConfig) || void 0 : void 0
+		if (!provider) {
+			const parseProvider = (res) => {
+				if (!res) return null;
+				return {
+					...res,
+					oidcConfig: res.oidcConfig ? safeJsonParse(res.oidcConfig) || void 0 : void 0,
+					samlConfig: res.samlConfig ? safeJsonParse(res.samlConfig) || void 0 : void 0
+				};
 			};
-		});
+			if (providerId || orgId) provider = parseProvider(await ctx.context.adapter.findOne({
+				model: "ssoProvider",
+				where: [{
+					field: providerId ? "providerId" : "organizationId",
+					value: providerId || orgId
+				}]
+			}));
+			else if (domain) {
+				provider = parseProvider(await ctx.context.adapter.findOne({
+					model: "ssoProvider",
+					where: [{
+						field: "domain",
+						value: domain
+					}]
+				}));
+				if (!provider) provider = parseProvider((await ctx.context.adapter.findMany({ model: "ssoProvider" })).find((p) => domainMatches(domain, p.domain)) ?? null);
+			}
+		}
 		if (!provider) throw new APIError("NOT_FOUND", { message: "No provider found for the issuer" });
 		if (body.providerType) {
 			if (body.providerType === "oidc" && !provider.oidcConfig) throw new APIError("BAD_REQUEST", { message: "OIDC provider is not configured" });
@@ -1616,31 +2191,33 @@ const signInSSO = (options) => {
 		}
 		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 		if (provider.oidcConfig && body.providerType !== "saml") {
-			let finalAuthUrl = provider.oidcConfig.authorizationEndpoint;
-			if (!finalAuthUrl && provider.oidcConfig.discoveryEndpoint) {
-				const discovery = await betterFetch(provider.oidcConfig.discoveryEndpoint, { method: "GET" });
-				if (discovery.data) finalAuthUrl = discovery.data.authorization_endpoint;
+			let config = provider.oidcConfig;
+			try {
+				config = await ensureRuntimeDiscovery(provider.oidcConfig, provider.issuer, (url) => ctx.context.isTrustedOrigin(url));
+			} catch (error) {
+				if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
+				throw error;
 			}
-			if (!finalAuthUrl) throw new APIError("BAD_REQUEST", { message: "Invalid OIDC configuration. Authorization URL not found." });
-			const state = await generateState(ctx, void 0, false);
-			const redirectURI = `${ctx.context.baseURL}/sso/callback/${provider.providerId}`;
+			if (!config.authorizationEndpoint) throw new APIError("BAD_REQUEST", { message: "Invalid OIDC configuration. Authorization URL not found." });
+			const state = await generateState(ctx, void 0, options?.redirectURI?.trim() ? { ssoProviderId: provider.providerId } : false);
+			const redirectURI = getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options);
 			const authorizationURL = await createAuthorizationURL({
 				id: provider.issuer,
 				options: {
-					clientId: provider.oidcConfig.clientId,
-					clientSecret: provider.oidcConfig.clientSecret
+					clientId: config.clientId,
+					clientSecret: config.clientSecret
 				},
 				redirectURI,
 				state: state.state,
-				codeVerifier: provider.oidcConfig.pkce ? state.codeVerifier : void 0,
-				scopes: ctx.body.scopes || provider.oidcConfig.scopes || [
+				codeVerifier: config.pkce ? state.codeVerifier : void 0,
+				scopes: ctx.body.scopes || config.scopes || [
 					"openid",
 					"email",
 					"profile",
 					"offline_access"
 				],
 				loginHint: ctx.body.loginHint || email,
-				authorizationEndpoint: finalAuthUrl
+				authorizationEndpoint: config.authorizationEndpoint
 			});
 			return ctx.json({
 				url: authorizationURL.toString(),
@@ -1650,6 +2227,7 @@ const signInSSO = (options) => {
 		if (provider.samlConfig) {
 			const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(provider.samlConfig);
 			if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
+			if (parsedSamlConfig.authnRequestsSigned && !parsedSamlConfig.spMetadata?.privateKey && !parsedSamlConfig.privateKey) ctx.context.logger.warn("authnRequestsSigned is enabled but no privateKey provided - AuthnRequests will not be signed", { providerId: provider.providerId });
 			let metadata = parsedSamlConfig.spMetadata.metadata;
 			if (!metadata) metadata = saml.SPMetadata({
 				entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
@@ -1658,17 +2236,36 @@ const signInSSO = (options) => {
 					Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.providerId}`
 				}],
 				wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+				authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 				nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
 			}).getMetadata() || "";
 			const sp = saml.ServiceProvider({
 				metadata,
-				allowCreate: true
+				allowCreate: true,
+				privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
+				privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass
+			});
+			const idpData = parsedSamlConfig.idpMetadata;
+			let idp;
+			if (!idpData?.metadata) idp = saml.IdentityProvider({
+				entityID: idpData?.entityID || parsedSamlConfig.issuer,
+				singleSignOnService: idpData?.singleSignOnService || [{
+					Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+					Location: parsedSamlConfig.entryPoint
+				}],
+				signingCert: idpData?.cert || parsedSamlConfig.cert,
+				wantAuthnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
+				isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
+				encPrivateKey: idpData?.encPrivateKey,
+				encPrivateKeyPass: idpData?.encPrivateKeyPass
 			});
-			const idp = saml.IdentityProvider({
-				metadata: parsedSamlConfig.idpMetadata?.metadata,
-				entityID: parsedSamlConfig.idpMetadata?.entityID,
-				encryptCert: parsedSamlConfig.idpMetadata?.cert,
-				singleSignOnService: parsedSamlConfig.idpMetadata?.singleSignOnService
+			else idp = saml.IdentityProvider({
+				metadata: idpData.metadata,
+				privateKey: idpData.privateKey,
+				privateKeyPass: idpData.privateKeyPass,
+				isAssertionEncrypted: idpData.isAssertionEncrypted,
+				encPrivateKey: idpData.encPrivateKey,
+				encPrivateKeyPass: idpData.encPrivateKeyPass
 			});
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
 			if (!loginRequest) throw new APIError("BAD_REQUEST", { message: "Invalid SAML request" });
@@ -1701,169 +2298,216 @@ const callbackSSOQuerySchema = z.object({
 	error: z.string().optional(),
 	error_description: z.string().optional()
 });
+/**
+* Core OIDC callback handler logic, shared between the per-provider and
+* shared callback endpoints. Resolves the provider, exchanges the
+* authorization code for tokens, and creates a session.
+*
+* @param stateData - Pre-parsed state data. If not provided, it will be
+*   parsed from the request context.
+*/
+async function handleOIDCCallback(ctx, options, providerId, stateData) {
+	const { code, error, error_description } = ctx.query;
+	if (!stateData) stateData = await parseState(ctx);
+	if (!stateData) {
+		const errorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
+		throw ctx.redirect(`${errorURL}?error=invalid_state`);
+	}
+	const { callbackURL, errorURL, newUserURL, requestSignUp } = stateData;
+	if (!code || error) throw ctx.redirect(`${errorURL || callbackURL}?error=${error}&error_description=${error_description}`);
+	let provider = null;
+	if (options?.defaultSSO?.length) {
+		const matchingDefault = options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId);
+		if (matchingDefault) provider = {
+			...matchingDefault,
+			issuer: matchingDefault.oidcConfig?.issuer || "",
+			userId: "default",
+			...options.domainVerification?.enabled ? { domainVerified: true } : {}
+		};
+	}
+	if (!provider) provider = await ctx.context.adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	}).then((res) => {
+		if (!res) return null;
+		return {
+			...res,
+			oidcConfig: safeJsonParse(res.oidcConfig) || void 0
+		};
+	});
+	if (!provider) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
+	if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
+	let config = provider.oidcConfig;
+	if (!config) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
+	try {
+		config = await ensureRuntimeDiscovery(config, provider.issuer, (url) => ctx.context.isTrustedOrigin(url));
+	} catch (error) {
+		if (error instanceof DiscoveryError) throw ctx.redirect(`${errorURL || callbackURL}?error=discovery_failed&error_description=${encodeURIComponent(error.message)}`);
+		throw ctx.redirect(`${errorURL || callbackURL}?error=discovery_failed&error_description=unexpected_discovery_error`);
+	}
+	if (!config.scopes) config = {
+		...config,
+		scopes: [
+			"openid",
+			"email",
+			"profile",
+			"offline_access"
+		]
+	};
+	if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_endpoint_not_found`);
+	const tokenResponse = await validateAuthorizationCode({
+		code,
+		codeVerifier: config.pkce ? stateData.codeVerifier : void 0,
+		redirectURI: getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options),
+		options: {
+			clientId: config.clientId,
+			clientSecret: config.clientSecret
+		},
+		tokenEndpoint: config.tokenEndpoint,
+		authentication: config.tokenEndpointAuthentication === "client_secret_post" ? "post" : "basic"
+	}).catch((e) => {
+		if (e instanceof BetterFetchError) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${e.message}`);
+		return null;
+	});
+	if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_response_not_found`);
+	let userInfo = null;
+	if (tokenResponse.idToken) {
+		const idToken = decodeJwt(tokenResponse.idToken);
+		if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=jwks_endpoint_not_found`);
+		const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint, {
+			audience: config.clientId,
+			issuer: provider.issuer
+		}).catch((e) => {
+			ctx.context.logger.error(e);
+			return null;
+		});
+		if (!verified) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_not_verified`);
+		const mapping = config.mapping || {};
+		userInfo = {
+			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
+			id: idToken[mapping.id || "sub"],
+			email: idToken[mapping.email || "email"],
+			emailVerified: options?.trustEmailVerified ? idToken[mapping.emailVerified || "email_verified"] : false,
+			name: idToken[mapping.name || "name"],
+			image: idToken[mapping.image || "picture"]
+		};
+	}
+	if (!userInfo) {
+		if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
+		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
+		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
+		userInfo = userInfoResponse.data;
+	}
+	if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=missing_user_info`);
+	const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
+	const linked = await handleOAuthUserInfo(ctx, {
+		userInfo: {
+			email: userInfo.email,
+			name: userInfo.name || "",
+			id: userInfo.id,
+			image: userInfo.image,
+			emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
+		},
+		account: {
+			idToken: tokenResponse.idToken,
+			accessToken: tokenResponse.accessToken,
+			refreshToken: tokenResponse.refreshToken,
+			accountId: userInfo.id,
+			providerId: provider.providerId,
+			accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
+			refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
+			scope: tokenResponse.scopes?.join(",")
+		},
+		callbackURL,
+		disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
+		overrideUserInfo: config.overrideUserInfo,
+		isTrustedProvider
+	});
+	if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}?error=${linked.error}`);
+	const { session, user } = linked.data;
+	if (options?.provisionUser && linked.isRegister) await options.provisionUser({
+		user,
+		userInfo,
+		token: tokenResponse,
+		provider
+	});
+	await assignOrganizationFromProvider(ctx, {
+		user,
+		profile: {
+			providerType: "oidc",
+			providerId: provider.providerId,
+			accountId: userInfo.id,
+			email: userInfo.email,
+			emailVerified: Boolean(userInfo.emailVerified),
+			rawAttributes: userInfo
+		},
+		provider,
+		token: tokenResponse,
+		provisioningOptions: options?.organizationProvisioning
+	});
+	await setSessionCookie(ctx, {
+		session,
+		user
+	});
+	let toRedirectTo;
+	try {
+		toRedirectTo = (linked.isRegister ? newUserURL || callbackURL : callbackURL).toString();
+	} catch {
+		toRedirectTo = linked.isRegister ? newUserURL || callbackURL : callbackURL;
+	}
+	throw ctx.redirect(toRedirectTo);
+}
+const callbackSSOEndpointConfig = {
+	method: "GET",
+	query: callbackSSOQuerySchema,
+	allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
+	metadata: {
+		...HIDE_METADATA,
+		openapi: {
+			operationId: "handleSSOCallback",
+			summary: "Callback URL for SSO provider",
+			description: "This endpoint is used as the callback URL for SSO providers. It handles the authorization code and exchanges it for an access token",
+			responses: { "302": { description: "Redirects to the callback URL" } }
+		}
+	}
+};
 const callbackSSO = (options) => {
-	return createAuthEndpoint("/sso/callback/:providerId", {
-		method: "GET",
-		query: callbackSSOQuerySchema,
-		allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
+	return createAuthEndpoint("/sso/callback/:providerId", callbackSSOEndpointConfig, async (ctx) => {
+		return handleOIDCCallback(ctx, options, ctx.params.providerId);
+	});
+};
+/**
+* Shared OIDC callback endpoint (no `:providerId` in path).
+* Used when `options.redirectURI` is set — the `providerId` is read from
+* the OAuth state instead of the URL path.
+*/
+const callbackSSOShared = (options) => {
+	return createAuthEndpoint("/sso/callback", {
+		...callbackSSOEndpointConfig,
 		metadata: {
-			...HIDE_METADATA,
+			...callbackSSOEndpointConfig.metadata,
 			openapi: {
-				operationId: "handleSSOCallback",
-				summary: "Callback URL for SSO provider",
-				description: "This endpoint is used as the callback URL for SSO providers. It handles the authorization code and exchanges it for an access token",
-				responses: { "302": { description: "Redirects to the callback URL" } }
+				...callbackSSOEndpointConfig.metadata.openapi,
+				operationId: "handleSSOCallbackShared",
+				summary: "Shared callback URL for all SSO providers",
+				description: "This endpoint is used as a shared callback URL for all SSO providers when `redirectURI` is configured. The provider is identified via the OAuth state parameter."
 			}
 		}
 	}, async (ctx) => {
-		const { code, error, error_description } = ctx.query;
 		const stateData = await parseState(ctx);
 		if (!stateData) {
-			const errorURL$1 = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
-			throw ctx.redirect(`${errorURL$1}?error=invalid_state`);
-		}
-		const { callbackURL, errorURL, newUserURL, requestSignUp } = stateData;
-		if (!code || error) throw ctx.redirect(`${errorURL || callbackURL}?error=${error}&error_description=${error_description}`);
-		let provider = null;
-		if (options?.defaultSSO?.length) {
-			const matchingDefault = options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === ctx.params.providerId);
-			if (matchingDefault) provider = {
-				...matchingDefault,
-				issuer: matchingDefault.oidcConfig?.issuer || "",
-				userId: "default",
-				...options.domainVerification?.enabled ? { domainVerified: true } : {}
-			};
-		}
-		if (!provider) provider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: ctx.params.providerId
-			}]
-		}).then((res) => {
-			if (!res) return null;
-			return {
-				...res,
-				oidcConfig: safeJsonParse(res.oidcConfig) || void 0
-			};
-		});
-		if (!provider) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=provider not found`);
-		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
-		let config = provider.oidcConfig;
-		if (!config) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=provider not found`);
-		const discovery = await betterFetch(config.discoveryEndpoint);
-		if (discovery.data) config = {
-			tokenEndpoint: discovery.data.token_endpoint,
-			tokenEndpointAuthentication: discovery.data.token_endpoint_auth_method,
-			userInfoEndpoint: discovery.data.userinfo_endpoint,
-			scopes: [
-				"openid",
-				"email",
-				"profile",
-				"offline_access"
-			],
-			...config
-		};
-		if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_endpoint_not_found`);
-		const tokenResponse = await validateAuthorizationCode({
-			code,
-			codeVerifier: config.pkce ? stateData.codeVerifier : void 0,
-			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
-			options: {
-				clientId: config.clientId,
-				clientSecret: config.clientSecret
-			},
-			tokenEndpoint: config.tokenEndpoint,
-			authentication: config.tokenEndpointAuthentication === "client_secret_post" ? "post" : "basic"
-		}).catch((e) => {
-			if (e instanceof BetterFetchError) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${e.message}`);
-			return null;
-		});
-		if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_response_not_found`);
-		let userInfo = null;
-		if (tokenResponse.idToken) {
-			const idToken = decodeJwt(tokenResponse.idToken);
-			if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=jwks_endpoint_not_found`);
-			const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint).catch((e) => {
-				ctx.context.logger.error(e);
-				return null;
-			});
-			if (!verified) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_not_verified`);
-			if (verified.payload.iss !== provider.issuer) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=issuer_mismatch`);
-			const mapping = config.mapping || {};
-			userInfo = {
-				...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
-				id: idToken[mapping.id || "sub"],
-				email: idToken[mapping.email || "email"],
-				emailVerified: options?.trustEmailVerified ? idToken[mapping.emailVerified || "email_verified"] : false,
-				name: idToken[mapping.name || "name"],
-				image: idToken[mapping.image || "picture"]
-			};
+			const errorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
+			throw ctx.redirect(`${errorURL}?error=invalid_state`);
 		}
-		if (!userInfo) {
-			if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=user_info_endpoint_not_found`);
-			const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
-			if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
-			userInfo = userInfoResponse.data;
-		}
-		if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=missing_user_info`);
-		const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
-		const linked = await handleOAuthUserInfo(ctx, {
-			userInfo: {
-				email: userInfo.email,
-				name: userInfo.name || userInfo.email,
-				id: userInfo.id,
-				image: userInfo.image,
-				emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
-			},
-			account: {
-				idToken: tokenResponse.idToken,
-				accessToken: tokenResponse.accessToken,
-				refreshToken: tokenResponse.refreshToken,
-				accountId: userInfo.id,
-				providerId: provider.providerId,
-				accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
-				refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
-				scope: tokenResponse.scopes?.join(",")
-			},
-			callbackURL,
-			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
-			overrideUserInfo: config.overrideUserInfo,
-			isTrustedProvider
-		});
-		if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}/error?error=${linked.error}`);
-		const { session, user } = linked.data;
-		if (options?.provisionUser) await options.provisionUser({
-			user,
-			userInfo,
-			token: tokenResponse,
-			provider
-		});
-		await assignOrganizationFromProvider(ctx, {
-			user,
-			profile: {
-				providerType: "oidc",
-				providerId: provider.providerId,
-				accountId: userInfo.id,
-				email: userInfo.email,
-				emailVerified: Boolean(userInfo.emailVerified),
-				rawAttributes: userInfo
-			},
-			provider,
-			token: tokenResponse,
-			provisioningOptions: options?.organizationProvisioning
-		});
-		await setSessionCookie(ctx, {
-			session,
-			user
-		});
-		let toRedirectTo;
-		try {
-			toRedirectTo = (linked.isRegister ? newUserURL || callbackURL : callbackURL).toString();
-		} catch {
-			toRedirectTo = linked.isRegister ? newUserURL || callbackURL : callbackURL;
+		const providerId = stateData.ssoProviderId;
+		if (!providerId) {
+			const errorURL = stateData.errorURL || stateData.callbackURL;
+			throw ctx.redirect(`${errorURL}?error=invalid_state&error_description=missing_provider_id`);
 		}
-		throw ctx.redirect(toRedirectTo);
+		return handleOIDCCallback(ctx, options, providerId, stateData);
 	});
 };
 const callbackSSOSAMLBodySchema = z.object({
@@ -1924,9 +2568,9 @@ const callbackSSOSAML = (options) => {
 		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/callback/${providerId}`;
 		if (ctx.method === "GET" && !ctx.body?.SAMLResponse) {
 			if (!(await getSessionFromCtx(ctx))?.session) throw ctx.redirect(`${errorURL}?error=invalid_request`);
-			const relayState$1 = ctx.query?.RelayState;
-			const safeRedirectUrl$1 = getSafeRedirectUrl(relayState$1, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
-			throw ctx.redirect(safeRedirectUrl$1);
+			const relayState = ctx.query?.RelayState;
+			const safeRedirectUrl = getSafeRedirectUrl(relayState, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+			throw ctx.redirect(safeRedirectUrl);
 		}
 		if (!ctx.body?.SAMLResponse) throw new APIError("BAD_REQUEST", { message: "SAMLResponse is required for POST requests" });
 		const { SAMLResponse } = ctx.body;
@@ -1969,12 +2613,12 @@ const callbackSSOSAML = (options) => {
 		let idp = null;
 		if (!idpData?.metadata) idp = saml.IdentityProvider({
 			entityID: idpData?.entityID || parsedSamlConfig.issuer,
-			singleSignOnService: [{
+			singleSignOnService: idpData?.singleSignOnService || [{
 				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 				Location: parsedSamlConfig.entryPoint
 			}],
 			signingCert: idpData?.cert || parsedSamlConfig.cert,
-			wantAuthnRequestsSigned: parsedSamlConfig.wantAssertionsSigned || false,
+			wantAuthnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 			isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
 			encPrivateKey: idpData?.encPrivateKey,
 			encPrivateKeyPass: idpData?.encPrivateKeyPass
@@ -2108,7 +2752,7 @@ const callbackSSOSAML = (options) => {
 		const userInfo = {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, attributes[value]])),
 			id: attributes[mapping.id || "nameID"] || extract.nameID,
-			email: attributes[mapping.email || "email"] || extract.nameID,
+			email: (attributes[mapping.email || "email"] || extract.nameID).toLowerCase(),
 			name: [attributes[mapping.firstName || "givenName"], attributes[mapping.lastName || "surname"]].filter(Boolean).join(" ") || attributes[mapping.name || "displayName"] || extract.nameID,
 			emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attributes[mapping.emailVerified] || false : false
 		};
@@ -2121,7 +2765,7 @@ const callbackSSOSAML = (options) => {
 			});
 			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 		}
-		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+		const isTrustedProvider = ctx.context.trustedProviders.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
 		const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 		const result = await handleOAuthUserInfo(ctx, {
 			userInfo: {
@@ -2164,11 +2808,29 @@ const callbackSSOSAML = (options) => {
 			session,
 			user
 		});
+		if (options?.saml?.enableSingleLogout && extract.nameID) {
+			const samlSessionKey = `${SAML_SESSION_KEY_PREFIX}${provider.providerId}:${extract.nameID}`;
+			const samlSessionData = {
+				sessionId: session.id,
+				providerId: provider.providerId,
+				nameID: extract.nameID,
+				sessionIndex: extract.sessionIndex
+			};
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: samlSessionKey,
+				value: JSON.stringify(samlSessionData),
+				expiresAt: session.expiresAt
+			}).catch((e) => ctx.context.logger.warn("Failed to create SAML session record", { error: e }));
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: `${SAML_SESSION_BY_ID_PREFIX}${session.id}`,
+				value: samlSessionKey,
+				expiresAt: session.expiresAt
+			}).catch((e) => ctx.context.logger.warn("Failed to create SAML session lookup record", e));
+		}
 		const safeRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 		throw ctx.redirect(safeRedirectUrl);
 	});
 };
-const acsEndpointParamsSchema = z.object({ providerId: z.string().optional() });
 const acsEndpointBodySchema = z.object({
 	SAMLResponse: z.string(),
 	RelayState: z.string().optional()
@@ -2176,7 +2838,6 @@ const acsEndpointBodySchema = z.object({
 const acsEndpoint = (options) => {
 	return createAuthEndpoint("/sso/saml2/sp/acs/:providerId", {
 		method: "POST",
-		params: acsEndpointParamsSchema,
 		body: acsEndpointBodySchema,
 		metadata: {
 			...HIDE_METADATA,
@@ -2189,10 +2850,18 @@ const acsEndpoint = (options) => {
 			}
 		}
 	}, async (ctx) => {
-		const { SAMLResponse, RelayState = "" } = ctx.body;
+		const { SAMLResponse } = ctx.body;
 		const { providerId } = ctx.params;
+		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`;
+		const appOrigin = new URL(ctx.context.baseURL).origin;
 		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
 		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
+		let relayState = null;
+		if (ctx.body.RelayState) try {
+			relayState = await parseRelayState(ctx);
+		} catch {
+			relayState = null;
+		}
 		let provider = null;
 		if (options?.defaultSSO?.length) {
 			const matchingDefault = providerId ? options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId) : options.defaultSSO[0];
@@ -2208,7 +2877,7 @@ const acsEndpoint = (options) => {
 			model: "ssoProvider",
 			where: [{
 				field: "providerId",
-				value: providerId ?? "sso"
+				value: providerId
 			}]
 		}).then((res) => {
 			if (!res) return null;
@@ -2245,7 +2914,7 @@ const acsEndpoint = (options) => {
 			validateSingleAssertion(SAMLResponse);
 		} catch (error) {
 			if (error instanceof APIError) {
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 				const errorCode = error.body?.code === "SAML_MULTIPLE_ASSERTIONS" ? "multiple_assertions" : "no_assertion";
 				throw ctx.redirect(`${redirectUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`);
 			}
@@ -2255,7 +2924,7 @@ const acsEndpoint = (options) => {
 		try {
 			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
 				SAMLResponse,
-				RelayState: RelayState || void 0
+				RelayState: ctx.body.RelayState || void 0
 			} });
 			if (!parsedResponse?.extract) throw new Error("Invalid SAML response structure");
 		} catch (error) {
@@ -2292,7 +2961,7 @@ const acsEndpoint = (options) => {
 						inResponseTo: inResponseToAcs,
 						providerId
 					});
-					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
 				}
 				if (storedRequest.providerId !== providerId) {
@@ -2302,13 +2971,13 @@ const acsEndpoint = (options) => {
 						actualProvider: providerId
 					});
 					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
-					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
 				}
 				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
 			} else if (!allowIdpInitiated) {
 				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId });
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
@@ -2334,7 +3003,7 @@ const acsEndpoint = (options) => {
 					issuer,
 					providerId
 				});
-				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 				throw ctx.redirect(`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
 			}
 			await ctx.context.internalAdapter.createVerificationValue({
@@ -2354,7 +3023,7 @@ const acsEndpoint = (options) => {
 		const userInfo = {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, attributes[value]])),
 			id: attributes[mapping.id || "nameID"] || extract.nameID,
-			email: attributes[mapping.email || "email"] || extract.nameID,
+			email: (attributes[mapping.email || "email"] || extract.nameID).toLowerCase(),
 			name: [attributes[mapping.firstName || "givenName"], attributes[mapping.lastName || "surname"]].filter(Boolean).join(" ") || attributes[mapping.name || "displayName"] || extract.nameID,
 			emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attributes[mapping.emailVerified] || false : false
 		};
@@ -2367,8 +3036,8 @@ const acsEndpoint = (options) => {
 			});
 			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 		}
-		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
-		const callbackUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+		const isTrustedProvider = ctx.context.trustedProviders.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+		const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 		const result = await handleOAuthUserInfo(ctx, {
 			userInfo: {
 				email: userInfo.email,
@@ -2410,7 +3079,184 @@ const acsEndpoint = (options) => {
 			session,
 			user
 		});
-		throw ctx.redirect(callbackUrl);
+		if (options?.saml?.enableSingleLogout && extract.nameID) {
+			const samlSessionKey = `${SAML_SESSION_KEY_PREFIX}${providerId}:${extract.nameID}`;
+			const samlSessionData = {
+				sessionId: session.id,
+				providerId,
+				nameID: extract.nameID,
+				sessionIndex: extract.sessionIndex
+			};
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: samlSessionKey,
+				value: JSON.stringify(samlSessionData),
+				expiresAt: session.expiresAt
+			}).catch((e) => ctx.context.logger.warn("Failed to create SAML session record", { error: e }));
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: `${SAML_SESSION_BY_ID_PREFIX}${session.id}`,
+				value: samlSessionKey,
+				expiresAt: session.expiresAt
+			}).catch((e) => ctx.context.logger.warn("Failed to create SAML session lookup record", e));
+		}
+		const safeRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+		throw ctx.redirect(safeRedirectUrl);
+	});
+};
+const sloSchema = z.object({
+	SAMLRequest: z.string().optional(),
+	SAMLResponse: z.string().optional(),
+	RelayState: z.string().optional(),
+	SigAlg: z.string().optional(),
+	Signature: z.string().optional()
+});
+const sloEndpoint = (options) => {
+	return createAuthEndpoint("/sso/saml2/sp/slo/:providerId", {
+		method: ["GET", "POST"],
+		body: sloSchema.optional(),
+		query: sloSchema.optional(),
+		metadata: {
+			...HIDE_METADATA,
+			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"]
+		}
+	}, async (ctx) => {
+		if (!options?.saml?.enableSingleLogout) throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.SINGLE_LOGOUT_NOT_ENABLED);
+		const { providerId } = ctx.params;
+		const samlRequest = ctx.body?.SAMLRequest || ctx.query?.SAMLRequest;
+		const samlResponse = ctx.body?.SAMLResponse || ctx.query?.SAMLResponse;
+		const relayState = ctx.body?.RelayState || ctx.query?.RelayState;
+		const appOrigin = new URL(ctx.context.baseURL).origin;
+		const safeErrorURL = getSafeRedirectUrl(relayState, `${appOrigin}/sso/saml2/sp/slo/${providerId}`, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+		if (!samlRequest && !samlResponse) throw ctx.redirect(`${safeErrorURL}?error=invalid_request&error_description=missing_logout_data`);
+		const provider = await findSAMLProvider(providerId, options, ctx.context.adapter);
+		if (!provider?.samlConfig) throw APIError.from("NOT_FOUND", SAML_ERROR_CODES.SAML_PROVIDER_NOT_FOUND);
+		const config = provider.samlConfig;
+		const sp = createSP(config, ctx.context.baseURL, providerId, {
+			wantLogoutRequestSigned: options?.saml?.wantLogoutRequestSigned,
+			wantLogoutResponseSigned: options?.saml?.wantLogoutResponseSigned
+		});
+		const idp = createIdP(config);
+		if (samlResponse) return handleLogoutResponse(ctx, sp, idp, relayState, providerId);
+		return handleLogoutRequest(ctx, sp, idp, relayState, providerId);
+	});
+};
+async function handleLogoutResponse(ctx, sp, idp, relayState, providerId) {
+	const binding = ctx.method === "POST" && ctx.body?.SAMLResponse ? "post" : "redirect";
+	let parsed;
+	try {
+		parsed = await sp.parseLogoutResponse(idp, binding, {
+			body: ctx.body,
+			query: ctx.query
+		});
+	} catch (error) {
+		ctx.context.logger.error("LogoutResponse validation failed", { error });
+		throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.INVALID_LOGOUT_RESPONSE);
+	}
+	const extract = parsed?.extract;
+	const statusCode = extract?.statusCode || extract?.status || parsed?.samlContent?.status?.statusCode;
+	if (statusCode && statusCode !== SAML_STATUS_SUCCESS) {
+		ctx.context.logger.warn("LogoutResponse indicates failure", { statusCode });
+		throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.LOGOUT_FAILED_AT_IDP);
+	}
+	const inResponseTo = extract?.response?.inResponseTo;
+	if (inResponseTo) {
+		const key = `${LOGOUT_REQUEST_KEY_PREFIX}${inResponseTo}`;
+		if (!await ctx.context.internalAdapter.findVerificationValue(key)) ctx.context.logger.warn("LogoutResponse references unknown or expired request", { inResponseTo });
+		await ctx.context.internalAdapter.deleteVerificationValue(key).catch((e) => ctx.context.logger.warn("Failed to delete logout request verification value", e));
+	}
+	deleteSessionCookie(ctx);
+	const appOrigin = new URL(ctx.context.baseURL).origin;
+	const safeRedirectUrl = getSafeRedirectUrl(relayState, `${appOrigin}/sso/saml2/sp/slo/${providerId}`, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+	throw ctx.redirect(safeRedirectUrl);
+}
+async function handleLogoutRequest(ctx, sp, idp, relayState, providerId) {
+	const binding = ctx.method === "POST" && ctx.body?.SAMLRequest ? "post" : "redirect";
+	let parsed;
+	try {
+		parsed = await sp.parseLogoutRequest(idp, binding, {
+			body: ctx.body,
+			query: ctx.query
+		});
+	} catch (error) {
+		ctx.context.logger.error("LogoutRequest validation failed", { error });
+		throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.INVALID_LOGOUT_REQUEST);
+	}
+	if (!parsed?.extract) throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.INVALID_LOGOUT_REQUEST);
+	const { nameID } = parsed.extract;
+	const sessionIndex = parsed.extract.sessionIndex;
+	const key = `${SAML_SESSION_KEY_PREFIX}${providerId}:${nameID}`;
+	const stored = await ctx.context.internalAdapter.findVerificationValue(key);
+	if (stored) {
+		const data = safeJsonParse(stored.value);
+		if (data) if (!sessionIndex || !data.sessionIndex || sessionIndex === data.sessionIndex) {
+			await ctx.context.internalAdapter.deleteSession(data.sessionId).catch((e) => ctx.context.logger.warn("Failed to delete session during SLO", { error: e }));
+			await ctx.context.internalAdapter.deleteVerificationValue(`${SAML_SESSION_BY_ID_PREFIX}${data.sessionId}`).catch((e) => ctx.context.logger.warn("Failed to delete SAML session lookup during SLO", e));
+		} else ctx.context.logger.warn("SessionIndex mismatch in LogoutRequest - skipping session deletion", {
+			providerId,
+			requestedSessionIndex: sessionIndex,
+			storedSessionIndex: data.sessionIndex
+		});
+		await ctx.context.internalAdapter.deleteVerificationValue(key).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during SLO", e));
+	}
+	const currentSession = await getSessionFromCtx(ctx);
+	if (currentSession?.session) await ctx.context.internalAdapter.deleteSession(currentSession.session.id);
+	deleteSessionCookie(ctx);
+	const requestId = parsed.extract.request?.id || "";
+	const res = sp.createLogoutResponse(idp, null, binding, relayState || "", (template) => template.replace("{InResponseTo}", requestId).replace("{StatusCode}", SAML_STATUS_SUCCESS));
+	if (binding === "post" && res.entityEndpoint) return createSAMLPostForm(res.entityEndpoint, "SAMLResponse", res.context, relayState);
+	throw ctx.redirect(res.context);
+}
+const initiateSLO = (options) => {
+	return createAuthEndpoint("/sso/saml2/logout/:providerId", {
+		method: "POST",
+		body: z.object({ callbackURL: z.string().optional() }),
+		use: [sessionMiddleware],
+		metadata: HIDE_METADATA
+	}, async (ctx) => {
+		if (!options?.saml?.enableSingleLogout) throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.SINGLE_LOGOUT_NOT_ENABLED);
+		const { providerId } = ctx.params;
+		const callbackURL = ctx.body.callbackURL || ctx.context.baseURL;
+		const provider = await findSAMLProvider(providerId, options, ctx.context.adapter);
+		if (!provider?.samlConfig) throw APIError.from("NOT_FOUND", SAML_ERROR_CODES.SAML_PROVIDER_NOT_FOUND);
+		const config = provider.samlConfig;
+		if (!(config.idpMetadata?.singleLogoutService?.length || config.idpMetadata?.metadata && config.idpMetadata.metadata.includes("SingleLogoutService"))) throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.IDP_SLO_NOT_SUPPORTED);
+		const sp = createSP(config, ctx.context.baseURL, providerId, {
+			wantLogoutRequestSigned: options?.saml?.wantLogoutRequestSigned,
+			wantLogoutResponseSigned: options?.saml?.wantLogoutResponseSigned
+		});
+		const idp = createIdP(config);
+		const session = ctx.context.session;
+		const sessionLookupKey = `${SAML_SESSION_BY_ID_PREFIX}${session.session.id}`;
+		const sessionLookup = await ctx.context.internalAdapter.findVerificationValue(sessionLookupKey);
+		let nameID = session.user.email;
+		let sessionIndex;
+		let samlSessionKey;
+		if (sessionLookup) {
+			samlSessionKey = sessionLookup.value;
+			const stored = await ctx.context.internalAdapter.findVerificationValue(samlSessionKey);
+			if (stored) {
+				const data = safeJsonParse(stored.value);
+				if (data) {
+					nameID = data.nameID || nameID;
+					sessionIndex = data.sessionIndex;
+				}
+			}
+		}
+		const logoutRequest = sp.createLogoutRequest(idp, "redirect", {
+			logoutNameID: nameID,
+			sessionIndex,
+			relayState: callbackURL
+		});
+		const ttl = options?.saml?.logoutRequestTTL ?? DEFAULT_LOGOUT_REQUEST_TTL_MS;
+		await ctx.context.internalAdapter.createVerificationValue({
+			identifier: `${LOGOUT_REQUEST_KEY_PREFIX}${logoutRequest.id}`,
+			value: providerId,
+			expiresAt: new Date(Date.now() + ttl)
+		});
+		if (samlSessionKey) await ctx.context.internalAdapter.deleteVerificationValue(samlSessionKey).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during logout", e));
+		await ctx.context.internalAdapter.deleteVerificationValue(sessionLookupKey).catch((e) => ctx.context.logger.warn("Failed to delete session lookup key during logout", e));
+		await ctx.context.internalAdapter.deleteSession(session.session.id);
+		deleteSessionCookie(ctx);
+		throw ctx.redirect(logoutRequest.context);
 	});
 };
 
@@ -2425,16 +3271,27 @@ saml.setSchemaValidator({ async validate(xml) {
 * These endpoints receive POST requests from external Identity Providers,
 * which won't have a matching Origin header.
 */
-const SAML_SKIP_ORIGIN_CHECK_PATHS = ["/sso/saml2/callback", "/sso/saml2/sp/acs"];
+const SAML_SKIP_ORIGIN_CHECK_PATHS = [
+	"/sso/saml2/callback",
+	"/sso/saml2/sp/acs",
+	"/sso/saml2/sp/slo"
+];
 function sso(options) {
 	const optionsWithStore = options;
 	let endpoints = {
-		spMetadata: spMetadata(),
+		spMetadata: spMetadata(optionsWithStore),
 		registerSSOProvider: registerSSOProvider(optionsWithStore),
 		signInSSO: signInSSO(optionsWithStore),
 		callbackSSO: callbackSSO(optionsWithStore),
+		callbackSSOShared: callbackSSOShared(optionsWithStore),
 		callbackSSOSAML: callbackSSOSAML(optionsWithStore),
-		acsEndpoint: acsEndpoint(optionsWithStore)
+		acsEndpoint: acsEndpoint(optionsWithStore),
+		sloEndpoint: sloEndpoint(optionsWithStore),
+		initiateSLO: initiateSLO(optionsWithStore),
+		listSSOProviders: listSSOProviders(),
+		getSSOProvider: getSSOProvider(),
+		updateSSOProvider: updateSSOProvider(optionsWithStore),
+		deleteSSOProvider: deleteSSOProvider()
 	};
 	if (options?.domainVerification?.enabled) {
 		const domainVerificationEndpoints = {
@@ -2454,21 +3311,39 @@ function sso(options) {
 			return { context: { skipOriginCheck: [...Array.isArray(existing) ? existing : [], ...SAML_SKIP_ORIGIN_CHECK_PATHS] } };
 		},
 		endpoints,
-		hooks: { after: [{
-			matcher(context) {
-				return context.path?.startsWith("/callback/") ?? false;
-			},
-			handler: createAuthMiddleware(async (ctx) => {
-				const newSession = ctx.context.newSession;
-				if (!newSession?.user) return;
-				if (!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) return;
-				await assignOrganizationByDomain(ctx, {
-					user: newSession.user,
-					provisioningOptions: options?.organizationProvisioning,
-					domainVerification: options?.domainVerification
-				});
-			})
-		}] },
+		hooks: {
+			before: [{
+				matcher(context) {
+					return context.path === "/sign-out";
+				},
+				handler: createAuthMiddleware(async (ctx) => {
+					if (!options?.saml?.enableSingleLogout) return;
+					const session = await getSessionFromCtx(ctx);
+					if (!session?.session?.id) return;
+					const sessionLookupKey = `${SAML_SESSION_BY_ID_PREFIX}${session.session.id}`;
+					const sessionLookup = await ctx.context.internalAdapter.findVerificationValue(sessionLookupKey);
+					if (sessionLookup?.value) {
+						await ctx.context.internalAdapter.deleteVerificationValue(sessionLookup.value).catch(() => {});
+						await ctx.context.internalAdapter.deleteVerificationValue(sessionLookupKey).catch(() => {});
+					}
+				})
+			}],
+			after: [{
+				matcher(context) {
+					return context.path?.startsWith("/callback/") ?? false;
+				},
+				handler: createAuthMiddleware(async (ctx) => {
+					const newSession = ctx.context.newSession;
+					if (!newSession?.user) return;
+					if (!ctx.context.hasPlugin("organization")) return;
+					await assignOrganizationByDomain(ctx, {
+						user: newSession.user,
+						provisioningOptions: options?.organizationProvisioning,
+						domainVerification: options?.domainVerification
+					});
+				})
+			}]
+		},
 		schema: { ssoProvider: {
 			modelName: options?.modelName ?? "ssoProvider",
 			fields: {
@@ -2522,4 +3397,5 @@ function sso(options) {
 }
 
 //#endregion
-export { DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DigestAlgorithm, DiscoveryError, KeyEncryptionAlgorithm, REQUIRED_DISCOVERY_FIELDS, SignatureAlgorithm, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+export { DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DigestAlgorithm, DiscoveryError, KeyEncryptionAlgorithm, REQUIRED_DISCOVERY_FIELDS, SignatureAlgorithm, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+//# sourceMappingURL=index.mjs.map