@better-auth/sso 1.7.0-beta.0 → 1.7.0-beta.2

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-DVg_iWRX.mjs";
+import { t as SSOPlugin } from "./index-CagV4mMx.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-CzfTSPRz.mjs";
+import { t as PACKAGE_VERSION } from "./version-BVHIqaH7.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/{index-DVg_iWRX.d.mts → index-CagV4mMx.d.mts}

@@ -81,16 +81,29 @@ interface OIDCConfig {
   mapping?: OIDCMapping | undefined;
 }
 interface SAMLConfig {
+  /**
+   * SP Entity ID. Used as the `entityID` in SP metadata when
+   * `spMetadata.entityID` is not set. Also used as the expected
+   * audience for SAML assertion validation when `audience` is not set.
+   */
   issuer: string;
+  /**
+   * IdP SSO URL. Used as the redirect destination when
+   * `idpMetadata.metadata` is not provided. Ignored when
+   * IdP metadata XML is set (the SSO URL is extracted from the XML).
+   */
   entryPoint: string;
+  /**
+   * IdP signing certificate. Used to verify SAML response signatures
+   * when `idpMetadata.metadata` is not provided. Ignored when IdP
+   * metadata XML is set (the certificate is extracted from the XML).
+   * When both this and `idpMetadata.cert` are set, `idpMetadata.cert` takes precedence.
+   */
   cert: string;
-  callbackUrl: string;
   audience?: string | undefined;
   idpMetadata?: {
     metadata?: string;
     entityID?: string;
-    entityURL?: string;
-    redirectURL?: string;
     cert?: string;
     privateKey?: string;
     privateKeyPass?: string;
@@ -106,7 +119,12 @@ interface SAMLConfig {
       Location: string;
     }>;
   } | undefined;
-  spMetadata: {
+  /**
+   * SP metadata configuration. All fields are optional; when omitted,
+   * SP metadata is auto-generated from `issuer`, `wantAssertionsSigned`,
+   * `authnRequestsSigned`, and `identifierFormat`.
+   */
+  spMetadata?: {
     metadata?: string | undefined;
     entityID?: string | undefined;
     binding?: string | undefined;
@@ -116,14 +134,17 @@ interface SAMLConfig {
     encPrivateKey?: string | undefined;
     encPrivateKeyPass?: string | undefined;
   };
+  /**
+   * Request signed assertions from the IdP. When true, the SP metadata
+   * advertises `WantAssertionsSigned="true"` and samlify will reject
+   * unsigned assertions.
+   */
   wantAssertionsSigned?: boolean | undefined;
   authnRequestsSigned?: boolean | undefined;
   signatureAlgorithm?: string | undefined;
   digestAlgorithm?: string | undefined;
   identifierFormat?: string | undefined;
   privateKey?: string | undefined;
-  decryptionPvk?: string | undefined;
-  additionalParams?: Record<string, any> | undefined;
   mapping?: SAMLMapping | undefined;
 }
 type BaseSSOProvider = {
@@ -614,7 +635,6 @@ declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/provider
     } | undefined;
     samlConfig: {
       entryPoint: string;
-      callbackUrl: string;
       audience: string | undefined;
       wantAssertionsSigned: boolean | undefined;
       authnRequestsSigned: boolean | undefined;
@@ -699,7 +719,6 @@ declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provid
   } | undefined;
   samlConfig: {
     entryPoint: string;
-    callbackUrl: string;
     audience: string | undefined;
     wantAssertionsSigned: boolean | undefined;
     authnRequestsSigned: boolean | undefined;
@@ -775,7 +794,6 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
     samlConfig: z.ZodOptional<z.ZodObject<{
       entryPoint: z.ZodOptional<z.ZodString>;
       cert: z.ZodOptional<z.ZodString>;
-      callbackUrl: z.ZodOptional<z.ZodString>;
       audience: z.ZodOptional<z.ZodString>;
       idpMetadata: z.ZodOptional<z.ZodObject<{
         metadata: z.ZodOptional<z.ZodString>;
@@ -807,8 +825,6 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
       digestAlgorithm: z.ZodOptional<z.ZodString>;
       identifierFormat: z.ZodOptional<z.ZodString>;
       privateKey: z.ZodOptional<z.ZodString>;
-      decryptionPvk: z.ZodOptional<z.ZodString>;
-      additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
       mapping: z.ZodOptional<z.ZodObject<{
         id: z.ZodOptional<z.ZodString>;
         email: z.ZodOptional<z.ZodString>;
@@ -859,7 +875,6 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
   } | undefined;
   samlConfig: {
     entryPoint: string;
-    callbackUrl: string;
     audience: string | undefined;
     wantAssertionsSigned: boolean | undefined;
     authnRequestsSigned: boolean | undefined;
@@ -932,10 +947,6 @@ declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<
   method: "GET";
   query: z.ZodObject<{
     providerId: z.ZodString;
-    format: z.ZodDefault<z.ZodEnum<{
-      json: "json";
-      xml: "xml";
-    }>>;
   }, z.core.$strip>;
   metadata: {
     openapi: {
@@ -986,7 +997,6 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     samlConfig: z.ZodOptional<z.ZodObject<{
       entryPoint: z.ZodString;
       cert: z.ZodString;
-      callbackUrl: z.ZodString;
       audience: z.ZodOptional<z.ZodString>;
       idpMetadata: z.ZodOptional<z.ZodObject<{
         metadata: z.ZodOptional<z.ZodString>;
@@ -1002,7 +1012,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
           Location: z.ZodString;
         }, z.core.$strip>>>;
       }, z.core.$strip>>;
-      spMetadata: z.ZodObject<{
+      spMetadata: z.ZodOptional<z.ZodObject<{
         metadata: z.ZodOptional<z.ZodString>;
         entityID: z.ZodOptional<z.ZodString>;
         binding: z.ZodOptional<z.ZodString>;
@@ -1011,15 +1021,13 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
         isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
         encPrivateKey: z.ZodOptional<z.ZodString>;
         encPrivateKeyPass: z.ZodOptional<z.ZodString>;
-      }, z.core.$strip>;
+      }, z.core.$strip>>;
       wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
       authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
       signatureAlgorithm: z.ZodOptional<z.ZodString>;
       digestAlgorithm: z.ZodOptional<z.ZodString>;
       identifierFormat: z.ZodOptional<z.ZodString>;
       privateKey: z.ZodOptional<z.ZodString>;
-      decryptionPvk: z.ZodOptional<z.ZodString>;
-      additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
       mapping: z.ZodOptional<z.ZodObject<{
         id: z.ZodString;
         email: z.ZodString;
@@ -1376,7 +1384,7 @@ declare const callbackSSOShared: (options?: SSOOptions) => better_call0.StrictEn
   }, z.core.$strip>;
   allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
 }, void>;
-declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
+declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: ("POST" | "GET")[];
   body: z.ZodOptional<z.ZodObject<{
     SAMLResponse: z.ZodString;
@@ -1398,28 +1406,7 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndp
         "400": {
           description: string;
         };
-        "401": {
-          description: string;
-        };
-      };
-    };
-    scope: "server";
-  };
-}, never>;
-declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
-  method: "POST";
-  body: z.ZodObject<{
-    SAMLResponse: z.ZodString;
-    RelayState: z.ZodOptional<z.ZodString>;
-  }, z.core.$strip>;
-  metadata: {
-    allowedMediaTypes: string[];
-    openapi: {
-      operationId: string;
-      summary: string;
-      description: string;
-      responses: {
-        "302": {
+        "404": {
           description: string;
         };
       };
@@ -1788,7 +1775,6 @@ type SSOEndpoints<O extends SSOOptions> = {
   signInSSO: ReturnType<typeof signInSSO>;
   callbackSSO: ReturnType<typeof callbackSSO>;
   callbackSSOShared: ReturnType<typeof callbackSSOShared>;
-  callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
   acsEndpoint: ReturnType<typeof acsEndpoint>;
   sloEndpoint: ReturnType<typeof sloEndpoint>;
   initiateSLO: ReturnType<typeof initiateSLO>;

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as DataEncryptionAlgorithm, C as DEFAULT_MAX_SAML_METADATA_SIZE, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as DEFAULT_CLOCK_SKEW_MS, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as DEFAULT_MAX_SAML_RESPONSE_SIZE, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-DVg_iWRX.mjs";
+import { A as DataEncryptionAlgorithm, C as DEFAULT_MAX_SAML_METADATA_SIZE, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as DEFAULT_CLOCK_SKEW_MS, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as DEFAULT_MAX_SAML_RESPONSE_SIZE, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-CagV4mMx.mjs";
 export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs

@@ -1,7 +1,6 @@
-import { t as PACKAGE_VERSION } from "./version-CzfTSPRz.mjs";
+import { t as PACKAGE_VERSION } from "./version-BVHIqaH7.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
-import * as saml from "samlify";
 import { X509Certificate } from "node:crypto";
 import { getHostname } from "tldts";
 import { generateRandomString } from "better-auth/crypto";
@@ -13,6 +12,8 @@ import { deleteSessionCookie, setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
 import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
+import * as samlifyNamespace from "samlify";
+import samlifyDefault from "samlify";
 //#region src/constants.ts
 /**
 * SAML Constants
@@ -693,7 +694,10 @@ async function validateInResponseTo(c, ctx) {
 * could be accepted.
 */
 function validateAudience(c, ctx) {
-	if (!ctx.expectedAudience) return;
+	if (!ctx.expectedAudience) {
+		c.context.logger.warn("Could not determine SP entity ID for audience validation; skipping", { providerId: ctx.providerId });
+		return;
+	}
 	const audience = ctx.extract.audience;
 	if (!audience) {
 		c.context.logger.error("SAML assertion missing AudienceRestriction but audience is configured — rejecting", { providerId: ctx.providerId });
@@ -751,7 +755,6 @@ const oidcConfigSchema = z.object({
 const samlConfigSchema = z.object({
 	entryPoint: z.string().url().optional(),
 	cert: z.string().optional(),
-	callbackUrl: z.string().url().optional(),
 	audience: z.string().optional(),
 	idpMetadata: z.object({
 		metadata: z.string().optional(),
@@ -783,8 +786,6 @@ const samlConfigSchema = z.object({
 	digestAlgorithm: z.string().optional(),
 	identifierFormat: z.string().optional(),
 	privateKey: z.string().optional(),
-	decryptionPvk: z.string().optional(),
-	additionalParams: z.record(z.string(), z.any()).optional(),
 	mapping: samlMappingSchema
 });
 const updateSSOProviderBodySchema = z.object({
@@ -861,7 +862,6 @@ function sanitizeProvider(provider, baseURL) {
 		} : void 0,
 		samlConfig: samlConfig ? {
 			entryPoint: samlConfig.entryPoint,
-			callbackUrl: samlConfig.callbackUrl,
 			audience: samlConfig.audience,
 			wantAssertionsSigned: samlConfig.wantAssertionsSigned,
 			authnRequestsSigned: samlConfig.authnRequestsSigned,
@@ -964,7 +964,6 @@ function mergeSAMLConfig(current, updates, issuer) {
 		issuer,
 		entryPoint: updates.entryPoint ?? current.entryPoint,
 		cert: updates.cert ?? current.cert,
-		callbackUrl: updates.callbackUrl ?? current.callbackUrl,
 		spMetadata: updates.spMetadata ?? current.spMetadata,
 		idpMetadata: updates.idpMetadata ?? current.idpMetadata,
 		mapping: updates.mapping ?? current.mapping,
@@ -1508,8 +1507,19 @@ async function parseRelayState(c) {
 	if (!parsedData.errorURL) parsedData.errorURL = errorURL;
 	return parsedData;
 }
+const saml = typeof samlifyNamespace.SPMetadata === "function" && typeof samlifyNamespace.setSchemaValidator === "function" ? samlifyNamespace : samlifyDefault ?? samlifyNamespace;
 //#endregion
 //#region src/routes/helpers.ts
+/**
+* Normalizes a PEM string by trimming leading/trailing whitespace from each
+* line. Native `crypto.createPrivateKey` (used by samlify 2.12+) rejects PEM
+* blocks with leading whitespace, which is common when keys are stored in
+* indented config files, environment variables, or JSON.
+*/
+function normalizePem(pem) {
+	if (!pem) return pem;
+	return pem.split("\n").map((line) => line.trim()).join("\n");
+}
 async function findSAMLProvider(providerId, options, adapter) {
 	if (options?.defaultSSO?.length) {
 		const match = options.defaultSSO.find((p) => p.providerId === providerId);
@@ -1536,30 +1546,35 @@ async function findSAMLProvider(providerId, options, adapter) {
 function createSP(config, baseURL, providerId, opts) {
 	const spData = config.spMetadata;
 	const sloLocation = `${baseURL}/sso/saml2/sp/slo/${providerId}`;
-	const acsUrl = config.callbackUrl || `${baseURL}/sso/saml2/sp/acs/${providerId}`;
-	return saml.ServiceProvider({
+	const acsUrl = `${baseURL}/sso/saml2/sp/acs/${providerId}`;
+	let metadata = spData?.metadata;
+	if (!metadata) metadata = saml.SPMetadata({
 		entityID: spData?.entityID || config.issuer,
-		assertionConsumerService: spData?.metadata ? void 0 : [{
+		assertionConsumerService: [{
 			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 			Location: acsUrl
 		}],
-		singleLogoutService: [{
+		singleLogoutService: opts?.sloOptions ? [{
 			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 			Location: sloLocation
 		}, {
 			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 			Location: sloLocation
-		}],
+		}] : void 0,
 		wantMessageSigned: config.wantAssertionsSigned || false,
+		authnRequestsSigned: config.authnRequestsSigned || false,
+		nameIDFormat: config.identifierFormat ? [config.identifierFormat] : void 0
+	}).getMetadata() || "";
+	return saml.ServiceProvider({
+		metadata,
+		allowCreate: true,
 		wantLogoutRequestSigned: opts?.sloOptions?.wantLogoutRequestSigned ?? false,
 		wantLogoutResponseSigned: opts?.sloOptions?.wantLogoutResponseSigned ?? false,
-		metadata: spData?.metadata,
-		privateKey: spData?.privateKey || config.privateKey,
+		privateKey: normalizePem(spData?.privateKey || config.privateKey),
 		privateKeyPass: spData?.privateKeyPass,
 		isAssertionEncrypted: spData?.isAssertionEncrypted || false,
-		encPrivateKey: spData?.encPrivateKey,
+		encPrivateKey: normalizePem(spData?.encPrivateKey),
 		encPrivateKeyPass: spData?.encPrivateKeyPass,
-		nameIDFormat: config.identifierFormat ? [config.identifierFormat] : void 0,
 		relayState: opts?.relayState
 	});
 }
@@ -1567,10 +1582,10 @@ function createIdP(config) {
 	const idpData = config.idpMetadata;
 	if (idpData?.metadata) return saml.IdentityProvider({
 		metadata: idpData.metadata,
-		privateKey: idpData.privateKey,
+		privateKey: normalizePem(idpData.privateKey),
 		privateKeyPass: idpData.privateKeyPass,
 		isAssertionEncrypted: idpData.isAssertionEncrypted,
-		encPrivateKey: idpData.encPrivateKey,
+		encPrivateKey: normalizePem(idpData.encPrivateKey),
 		encPrivateKeyPass: idpData.encPrivateKeyPass
 	});
 	return saml.IdentityProvider({
@@ -1580,10 +1595,10 @@ function createIdP(config) {
 			Location: config.entryPoint
 		}],
 		singleLogoutService: idpData?.singleLogoutService,
-		signingCert: idpData?.cert || config.cert,
+		signingCert: normalizePem(idpData?.cert || config.cert),
 		wantAuthnRequestsSigned: config.authnRequestsSigned || false,
 		isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
-		encPrivateKey: idpData?.encPrivateKey,
+		encPrivateKey: normalizePem(idpData?.encPrivateKey),
 		encPrivateKeyPass: idpData?.encPrivateKeyPass
 	});
 }
@@ -1694,8 +1709,8 @@ function extractAssertionId(samlContent) {
 /**
 * Unified SAML response processing pipeline.
 *
-* Both `/sso/saml2/callback/:providerId` (POST) and `/sso/saml2/sp/acs/:providerId`
-* delegate to this function. It handles the full lifecycle: provider lookup,
+* The `/sso/saml2/sp/acs/:providerId` endpoint delegates to this function.
+* It handles the full lifecycle: provider lookup,
 * SP/IdP construction, response validation, session creation, and redirect
 * URL computation.
 */
@@ -1718,7 +1733,7 @@ async function processSAMLResponse(ctx, params, options) {
 	if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
 	const sp = createSP(parsedSamlConfig, ctx.context.baseURL, providerId);
 	const idp = createIdP(parsedSamlConfig);
-	const samlRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, params.currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+	const samlRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL, params.currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 	validateSingleAssertion(SAMLResponse);
 	let parsedResponse;
 	try {
@@ -1755,7 +1770,7 @@ async function processSAMLResponse(ctx, params, options) {
 	});
 	validateAudience(ctx, {
 		extract,
-		expectedAudience: parsedSamlConfig.audience,
+		expectedAudience: parsedSamlConfig.audience || sp.entityMeta.getEntityID(),
 		providerId,
 		redirectUrl: samlRedirectUrl
 	});
@@ -1815,7 +1830,7 @@ async function processSAMLResponse(ctx, params, options) {
 		throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 	}
 	const isTrustedProvider = ctx.context.trustedProviders.includes(providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
-	const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+	const postAuthRedirect = relayState?.callbackURL || ctx.context.baseURL;
 	const result = await handleOAuthUserInfo(ctx, {
 		userInfo: {
 			email: userInfo.email,
@@ -1829,7 +1844,7 @@ async function processSAMLResponse(ctx, params, options) {
 			accessToken: "",
 			refreshToken: ""
 		},
-		callbackURL: callbackUrl,
+		callbackURL: postAuthRedirect,
 		disableSignUp: options?.disableImplicitSignUp,
 		isTrustedProvider
 	});
@@ -1876,7 +1891,7 @@ async function processSAMLResponse(ctx, params, options) {
 			expiresAt: session.expiresAt
 		}).catch((e) => ctx.context.logger.warn("Failed to create SAML session lookup record", e));
 	}
-	return getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+	return getSafeRedirectUrl(relayState?.callbackURL, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 }
 //#endregion
 //#region src/routes/sso.ts
@@ -1893,10 +1908,7 @@ function getOIDCRedirectURI(baseURL, providerId, options) {
 	}
 	return `${baseURL}/sso/callback/${providerId}`;
 }
-const spMetadataQuerySchema = z.object({
-	providerId: z.string(),
-	format: z.enum(["xml", "json"]).default("xml")
-});
+const spMetadataQuerySchema = z.object({ providerId: z.string() });
 const spMetadata = (options) => {
 	return createAuthEndpoint("/sso/saml2/sp/metadata", {
 		method: "GET",
@@ -1918,25 +1930,10 @@ const spMetadata = (options) => {
 		if (!provider) throw new APIError("NOT_FOUND", { message: "No provider found for the given providerId" });
 		const parsedSamlConfig = safeJsonParse(provider.samlConfig);
 		if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
-		const sloLocation = `${ctx.context.baseURL}/sso/saml2/sp/slo/${ctx.query.providerId}`;
-		const singleLogoutService = options?.saml?.enableSingleLogout ? [{
-			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-			Location: sloLocation
-		}, {
-			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-			Location: sloLocation
-		}] : void 0;
-		const sp = parsedSamlConfig.spMetadata.metadata ? saml.ServiceProvider({ metadata: parsedSamlConfig.spMetadata.metadata }) : saml.SPMetadata({
-			entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
-			assertionConsumerService: [{
-				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-				Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${ctx.query.providerId}`
-			}],
-			singleLogoutService,
-			wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
-			authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
-			nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
-		});
+		const sp = createSP(parsedSamlConfig, ctx.context.baseURL, ctx.query.providerId, options?.saml?.enableSingleLogout ? { sloOptions: {
+			wantLogoutRequestSigned: options?.saml?.wantLogoutRequestSigned,
+			wantLogoutResponseSigned: options?.saml?.wantLogoutResponseSigned
+		} } : void 0);
 		return new Response(sp.getMetadata(), { headers: { "Content-Type": "application/xml" } });
 	});
 };
@@ -1974,7 +1971,6 @@ const ssoProviderBodySchema = z.object({
 	samlConfig: z.object({
 		entryPoint: z.string({}).meta({ description: "The entry point of the provider" }),
 		cert: z.string({}).meta({ description: "The certificate of the provider" }),
-		callbackUrl: z.string({}).meta({ description: "The callback URL of the provider" }),
 		audience: z.string().optional(),
 		idpMetadata: z.object({
 			metadata: z.string().optional(),
@@ -1999,15 +1995,13 @@ const ssoProviderBodySchema = z.object({
 			isAssertionEncrypted: z.boolean().optional(),
 			encPrivateKey: z.string().optional(),
 			encPrivateKeyPass: z.string().optional()
-		}),
+		}).optional(),
 		wantAssertionsSigned: z.boolean().optional(),
 		authnRequestsSigned: z.boolean().optional(),
 		signatureAlgorithm: z.string().optional(),
 		digestAlgorithm: z.string().optional(),
 		identifierFormat: z.string().optional(),
 		privateKey: z.string().optional(),
-		decryptionPvk: z.string().optional(),
-		additionalParams: z.record(z.string(), z.any()).optional(),
 		mapping: z.object({
 			id: z.string({}).meta({ description: "Field mapping for user ID (defaults to 'nameID')" }),
 			email: z.string({}).meta({ description: "Field mapping for email (defaults to 'email')" }),
@@ -2321,7 +2315,6 @@ const registerSSOProvider = (options) => {
 					issuer: body.issuer,
 					entryPoint: body.samlConfig.entryPoint,
 					cert: body.samlConfig.cert,
-					callbackUrl: body.samlConfig.callbackUrl,
 					audience: body.samlConfig.audience,
 					idpMetadata: body.samlConfig.idpMetadata,
 					spMetadata: body.samlConfig.spMetadata,
@@ -2331,8 +2324,6 @@ const registerSSOProvider = (options) => {
 					digestAlgorithm: body.samlConfig.digestAlgorithm,
 					identifierFormat: body.samlConfig.identifierFormat,
 					privateKey: body.samlConfig.privateKey,
-					decryptionPvk: body.samlConfig.decryptionPvk,
-					additionalParams: body.samlConfig.additionalParams,
 					mapping: body.samlConfig.mapping
 				}) : null,
 				organizationId: body.organizationId,
@@ -2539,46 +2530,8 @@ const signInSSO = (options) => {
 			if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
 			if (parsedSamlConfig.authnRequestsSigned && !parsedSamlConfig.spMetadata?.privateKey && !parsedSamlConfig.privateKey) throw new APIError("BAD_REQUEST", { message: "authnRequestsSigned is enabled but no privateKey provided in spMetadata or samlConfig" });
 			const { state: relayState } = await generateRelayState(ctx, void 0, false);
-			let metadata = parsedSamlConfig.spMetadata.metadata;
-			if (!metadata) metadata = saml.SPMetadata({
-				entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
-				assertionConsumerService: [{
-					Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-					Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.providerId}`
-				}],
-				wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
-				authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
-				nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
-			}).getMetadata() || "";
-			const sp = saml.ServiceProvider({
-				metadata,
-				allowCreate: true,
-				privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
-				privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
-				relayState
-			});
-			const idpData = parsedSamlConfig.idpMetadata;
-			let idp;
-			if (!idpData?.metadata) idp = saml.IdentityProvider({
-				entityID: idpData?.entityID || parsedSamlConfig.issuer,
-				singleSignOnService: idpData?.singleSignOnService || [{
-					Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-					Location: parsedSamlConfig.entryPoint
-				}],
-				signingCert: idpData?.cert || parsedSamlConfig.cert,
-				wantAuthnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
-				isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
-				encPrivateKey: idpData?.encPrivateKey,
-				encPrivateKeyPass: idpData?.encPrivateKeyPass
-			});
-			else idp = saml.IdentityProvider({
-				metadata: idpData.metadata,
-				privateKey: idpData.privateKey,
-				privateKeyPass: idpData.privateKeyPass,
-				isAssertionEncrypted: idpData.isAssertionEncrypted,
-				encPrivateKey: idpData.encPrivateKey,
-				encPrivateKeyPass: idpData.encPrivateKeyPass
-			});
+			const sp = createSP(parsedSamlConfig, ctx.context.baseURL, provider.providerId, { relayState });
+			const idp = createIdP(parsedSamlConfig);
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
 			if (!loginRequest) throw new APIError("BAD_REQUEST", { message: "Invalid SAML request" });
 			if (loginRequest.id && options?.saml?.enableInResponseToValidation !== false) {
@@ -2853,72 +2806,42 @@ const callbackSSOShared = (options) => {
 		return handleOIDCCallback(ctx, options, providerId, stateData);
 	});
 };
-const callbackSSOSAMLBodySchema = z.object({
+const acsEndpointBodySchema = z.object({
 	SAMLResponse: z.string(),
 	RelayState: z.string().optional()
 });
-const callbackSSOSAML = (options) => {
-	return createAuthEndpoint("/sso/saml2/callback/:providerId", {
+const acsEndpoint = (options) => {
+	return createAuthEndpoint("/sso/saml2/sp/acs/:providerId", {
 		method: ["GET", "POST"],
-		body: callbackSSOSAMLBodySchema.optional(),
+		body: acsEndpointBodySchema.optional(),
 		query: z.object({ RelayState: z.string().optional() }).optional(),
 		metadata: {
 			...HIDE_METADATA,
 			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 			openapi: {
-				operationId: "handleSAMLCallback",
-				summary: "Callback URL for SAML provider",
-				description: "This endpoint is used as the callback URL for SAML providers. Supports both GET and POST methods for IdP-initiated and SP-initiated flows.",
+				operationId: "handleSAMLAssertionConsumerService",
+				summary: "SAML Assertion Consumer Service",
+				description: "Handles SAML responses from IdP after successful authentication. Supports GET for post-auth redirects and POST for SAML response processing.",
 				responses: {
-					"302": { description: "Redirects to the callback URL" },
-					"400": { description: "Invalid SAML response" },
-					"401": { description: "Unauthorized - SAML authentication failed" }
+					"302": { description: "Redirects after authentication (success or error with query params)" },
+					"400": { description: "Missing SAMLResponse in POST body" },
+					"404": { description: "SAML provider not found" }
 				}
 			}
 		}
 	}, async (ctx) => {
 		const { providerId } = ctx.params;
+		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`;
 		const appOrigin = new URL(ctx.context.baseURL).origin;
-		const errorURL = ctx.context.options.onAPIError?.errorURL || `${appOrigin}/error`;
-		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/callback/${providerId}`;
 		if (ctx.method === "GET" && !ctx.body?.SAMLResponse) {
-			if (!(await getSessionFromCtx(ctx))?.session) throw ctx.redirect(`${errorURL}?error=invalid_request`);
+			if (!(await getSessionFromCtx(ctx))?.session) {
+				const errorURL = ctx.context.options.onAPIError?.errorURL || `${appOrigin}/error`;
+				throw ctx.redirect(`${errorURL}?error=invalid_request`);
+			}
 			const relayState = ctx.query?.RelayState;
-			const safeRedirectUrl = getSafeRedirectUrl(relayState, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
-			throw ctx.redirect(safeRedirectUrl);
+			throw ctx.redirect(getSafeRedirectUrl(relayState, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings)));
 		}
 		if (!ctx.body?.SAMLResponse) throw new APIError("BAD_REQUEST", { message: "SAMLResponse is required for POST requests" });
-		const safeRedirectUrl = await processSAMLResponse(ctx, {
-			SAMLResponse: ctx.body.SAMLResponse,
-			RelayState: ctx.body.RelayState,
-			providerId,
-			currentCallbackPath
-		}, options);
-		throw ctx.redirect(safeRedirectUrl);
-	});
-};
-const acsEndpointBodySchema = z.object({
-	SAMLResponse: z.string(),
-	RelayState: z.string().optional()
-});
-const acsEndpoint = (options) => {
-	return createAuthEndpoint("/sso/saml2/sp/acs/:providerId", {
-		method: "POST",
-		body: acsEndpointBodySchema,
-		metadata: {
-			...HIDE_METADATA,
-			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
-			openapi: {
-				operationId: "handleSAMLAssertionConsumerService",
-				summary: "SAML Assertion Consumer Service",
-				description: "Handles SAML responses from IdP after successful authentication",
-				responses: { "302": { description: "Redirects to the callback URL after successful authentication" } }
-			}
-		}
-	}, async (ctx) => {
-		const { providerId } = ctx.params;
-		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`;
-		const appOrigin = new URL(ctx.context.baseURL).origin;
 		try {
 			const safeRedirectUrl = await processSAMLResponse(ctx, {
 				SAMLResponse: ctx.body.SAMLResponse,
@@ -2930,9 +2853,8 @@ const acsEndpoint = (options) => {
 		} catch (error) {
 			if (error instanceof Response || error && typeof error === "object" && "status" in error && error.status === 302) throw error;
 			if (error instanceof APIError && error.statusCode === 400) {
-				const internalCode = error.body?.code || "";
-				const errorCode = internalCode === "SAML_MULTIPLE_ASSERTIONS" ? "multiple_assertions" : internalCode === "SAML_NO_ASSERTION" ? "no_assertion" : internalCode.toLowerCase() || "saml_error";
-				const redirectUrl = getSafeRedirectUrl(ctx.body.RelayState || void 0, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+				const errorCode = (error.body?.code || "saml_error").toLowerCase();
+				const redirectUrl = getSafeRedirectUrl(ctx.body?.RelayState || void 0, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 				throw ctx.redirect(`${redirectUrl}${redirectUrl.includes("?") ? "&" : "?"}error=${encodeURIComponent(errorCode)}&error_description=${encodeURIComponent(error.message)}`);
 			}
 			throw error;
@@ -3107,11 +3029,7 @@ saml.setSchemaValidator({ async validate(xml) {
 * These endpoints receive POST requests from external Identity Providers,
 * which won't have a matching Origin header.
 */
-const SAML_SKIP_ORIGIN_CHECK_PATHS = [
-	"/sso/saml2/callback",
-	"/sso/saml2/sp/acs",
-	"/sso/saml2/sp/slo"
-];
+const SAML_SKIP_ORIGIN_CHECK_PATHS = ["/sso/saml2/sp/acs", "/sso/saml2/sp/slo"];
 function sso(options) {
 	const optionsWithStore = options;
 	let endpoints = {
@@ -3120,7 +3038,6 @@ function sso(options) {
 		signInSSO: signInSSO(optionsWithStore),
 		callbackSSO: callbackSSO(optionsWithStore),
 		callbackSSOShared: callbackSSOShared(optionsWithStore),
-		callbackSSOSAML: callbackSSOSAML(optionsWithStore),
 		acsEndpoint: acsEndpoint(optionsWithStore),
 		sloEndpoint: sloEndpoint(optionsWithStore),
 		initiateSLO: initiateSLO(optionsWithStore),

package/dist/{version-CzfTSPRz.mjs → version-BVHIqaH7.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.0";
+const PACKAGE_VERSION = "1.7.0-beta.2";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/sso",
-  "version": "1.7.0-beta.0",
+  "version": "1.7.0-beta.2",
   "description": "SSO plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -58,7 +58,7 @@
   "dependencies": {
     "fast-xml-parser": "^5.5.7",
     "jose": "^6.1.3",
-    "samlify": "~2.10.2",
+    "samlify": "~2.12.0",
     "tldts": "^6.1.0",
     "zod": "^4.3.6"
   },
@@ -70,15 +70,15 @@
     "express": "^5.2.1",
     "oauth2-mock-server": "^8.2.2",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.0",
-    "better-auth": "1.7.0-beta.0"
+    "@better-auth/core": "1.7.0-beta.2",
+    "better-auth": "1.7.0-beta.2"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.7.0-beta.0",
-    "better-auth": "^1.7.0-beta.0"
+    "@better-auth/core": "^1.7.0-beta.2",
+    "better-auth": "^1.7.0-beta.2"
   },
   "scripts": {
     "build": "tsdown",