@better-auth/sso 1.7.0-beta.3 → 1.7.0-beta.5

package/dist/index.mjs

@@ -1,17 +1,19 @@
-import { t as PACKAGE_VERSION } from "./version-CLqkeI3u.mjs";
-import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
+import { t as PACKAGE_VERSION } from "./version-DzWb5tB_.mjs";
+import { APIError, addOAuthServerContext, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import { X509Certificate } from "node:crypto";
 import { getHostname } from "tldts";
 import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod";
-import { base64 } from "@better-auth/utils/base64";
+import { classifyHost, isPublicRoutableHost } from "@better-auth/core/utils/host";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
-import { ASSERTION_SIGNING_ALGORITHMS, HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
+import { base64 } from "@better-auth/utils/base64";
+import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
+import { isAPIError } from "@better-auth/core/utils/is-api-error";
+import { HIDE_METADATA, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS, createAuthorizationURL, createPrivateKeyJwtClientAssertionGetter, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { deleteSessionCookie, setSessionCookie } from "better-auth/cookies";
-import { handleOAuthUserInfo } from "better-auth/oauth2";
+import { additionalAuthorizationParamsSchema, signInWithOAuthIdentity } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
-import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
 import * as samlifyNamespace from "samlify";
 import samlifyDefault from "samlify";
 //#region src/constants.ts
@@ -55,7 +57,6 @@ const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
 * Protects against oversized metadata documents.
 */
 const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
-const SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
 //#endregion
 //#region src/utils.ts
 /**
@@ -102,6 +103,10 @@ function parseCertificate(certPem) {
 		publicKeyAlgorithm: cert.publicKey.asymmetricKeyType?.toUpperCase() || "UNKNOWN"
 	};
 }
+function normalizePem(key) {
+	if (!key) return key;
+	return `${key.split("\n").map((line) => line.trim()).join("\n").trim()}\n`;
+}
 function getHostnameFromDomain(domain) {
 	return getHostname(domain) || null;
 }
@@ -371,1107 +376,1297 @@ const verifyDomain = (options) => {
 	});
 };
 //#endregion
-//#region src/saml/parser.ts
-const xmlParser = new XMLParser({
-	ignoreAttributes: false,
-	attributeNamePrefix: "@_",
-	removeNSPrefix: true,
-	processEntities: false
-});
-function findNode(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return null;
-	const record = obj;
-	if (nodeName in record) return record[nodeName];
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
-		const found = findNode(item, nodeName);
-		if (found) return found;
-	}
-	else if (typeof value === "object" && value !== null) {
-		const found = findNode(value, nodeName);
-		if (found) return found;
-	}
-	return null;
-}
-function countAllNodes(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return 0;
-	let count = 0;
-	const record = obj;
-	if (nodeName in record) {
-		const node = record[nodeName];
-		count += Array.isArray(node) ? node.length : 1;
+//#region src/oidc/types.ts
+/**
+* Custom error class for OIDC discovery failures.
+* Can be caught and mapped to APIError at the edge.
+*/
+var DiscoveryError = class DiscoveryError extends Error {
+	code;
+	details;
+	constructor(code, message, details, options) {
+		super(message, options);
+		this.name = "DiscoveryError";
+		this.code = code;
+		this.details = details;
+		if (Error.captureStackTrace) Error.captureStackTrace(this, DiscoveryError);
 	}
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
-	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
-	return count;
-}
-//#endregion
-//#region src/saml/algorithms.ts
-const SignatureAlgorithm = {
-	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
-	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
-	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
-	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
-	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
-	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
-};
-const DigestAlgorithm = {
-	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
-	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
-	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
-	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
-};
-const KeyEncryptionAlgorithm = {
-	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
-	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
-	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
-};
-const DataEncryptionAlgorithm = {
-	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
-	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
-	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
-	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
-	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
-	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
-	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
 };
-const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
-const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
-const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
-const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
-const SECURE_SIGNATURE_ALGORITHMS = [
-	SignatureAlgorithm.RSA_SHA256,
-	SignatureAlgorithm.RSA_SHA384,
-	SignatureAlgorithm.RSA_SHA512,
-	SignatureAlgorithm.ECDSA_SHA256,
-	SignatureAlgorithm.ECDSA_SHA384,
-	SignatureAlgorithm.ECDSA_SHA512
-];
-const SECURE_DIGEST_ALGORITHMS = [
-	DigestAlgorithm.SHA256,
-	DigestAlgorithm.SHA384,
-	DigestAlgorithm.SHA512
+/**
+* Required fields that must be present in a valid discovery document.
+*/
+const REQUIRED_DISCOVERY_FIELDS = [
+	"issuer",
+	"authorization_endpoint",
+	"token_endpoint",
+	"jwks_uri"
 ];
-const SHORT_FORM_SIGNATURE_TO_URI = {
-	sha1: SignatureAlgorithm.RSA_SHA1,
-	sha256: SignatureAlgorithm.RSA_SHA256,
-	sha384: SignatureAlgorithm.RSA_SHA384,
-	sha512: SignatureAlgorithm.RSA_SHA512,
-	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
-	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
-	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
-	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
-	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
-	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
-	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
-};
-const SHORT_FORM_DIGEST_TO_URI = {
-	sha1: DigestAlgorithm.SHA1,
-	sha256: DigestAlgorithm.SHA256,
-	sha384: DigestAlgorithm.SHA384,
-	sha512: DigestAlgorithm.SHA512
-};
-function normalizeSignatureAlgorithm(alg) {
-	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
+//#endregion
+//#region src/oidc/discovery.ts
+/**
+* OIDC Discovery Pipeline
+*
+* Implements OIDC discovery document fetching, validation, and hydration.
+* This module is used both at provider registration time (to persist validated config)
+* and at runtime (to hydrate legacy providers that are missing metadata).
+*
+* @see https://openid.net/specs/openid-connect-discovery-1_0.html
+*/
+/** Default timeout for discovery requests (10 seconds) */
+const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
+/**
+* Main entry point: Discover and hydrate OIDC configuration from an issuer.
+*
+* This function:
+* 1. Computes the discovery URL from the issuer
+* 2. Validates the discovery URL
+* 3. Fetches the discovery document
+* 4. Validates the discovery document (issuer match + required fields)
+* 5. Normalizes URLs
+* 6. Selects token endpoint auth method
+* 7. Merges with existing config (existing values take precedence)
+*
+* @param params - Discovery parameters
+* @param isTrustedOrigin - Origin verification tester function
+* @returns Hydrated OIDC configuration ready for persistence
+* @throws DiscoveryError on any failure
+*/
+async function discoverOIDCConfig(params) {
+	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
+	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
+	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
+	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
+	validateDiscoveryDocument(discoveryDoc, issuer);
+	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
+	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
+	return {
+		issuer: existingConfig?.issuer ?? normalizedDoc.issuer,
+		discoveryEndpoint: existingConfig?.discoveryEndpoint ?? discoveryUrl,
+		authorizationEndpoint: existingConfig?.authorizationEndpoint ?? normalizedDoc.authorization_endpoint,
+		tokenEndpoint: existingConfig?.tokenEndpoint ?? normalizedDoc.token_endpoint,
+		jwksEndpoint: existingConfig?.jwksEndpoint ?? normalizedDoc.jwks_uri,
+		userInfoEndpoint: existingConfig?.userInfoEndpoint ?? normalizedDoc.userinfo_endpoint,
+		tokenEndpointAuthentication: existingConfig?.tokenEndpointAuthentication ?? tokenEndpointAuth,
+		scopesSupported: existingConfig?.scopesSupported ?? normalizedDoc.scopes_supported
+	};
 }
-function normalizeDigestAlgorithm(alg) {
-	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
+/**
+* Compute the discovery URL from an issuer URL.
+*
+* Per OIDC Discovery spec, the discovery document is located at:
+* <issuer>/.well-known/openid-configuration
+*
+* Handles trailing slashes correctly.
+*/
+function computeDiscoveryUrl(issuer) {
+	return `${issuer.endsWith("/") ? issuer.slice(0, -1) : issuer}/.well-known/openid-configuration`;
 }
-function extractEncryptionAlgorithms(xml) {
+/**
+* Validate a discovery URL before fetching.
+*
+* @param url - The discovery URL to validate
+* @param isTrustedOrigin - Origin verification tester function
+* @throws DiscoveryError if URL is invalid
+*/
+function validateDiscoveryUrl(url, isTrustedOrigin) {
+	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
+	if (!isTrustedOrigin(discoveryEndpoint)) throw new DiscoveryError("discovery_untrusted_origin", `The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`, { url: discoveryEndpoint });
+}
+/**
+* Validate that a user-supplied OIDC endpoint URL is safe to fetch.
+*
+* Layered checks (in order):
+*   1. URL parsing + http(s) scheme            → discovery_invalid_url
+*   2. Public-routable host (RFC 6890)         → allowed
+*   3. Operator-allowlisted via trustedOrigins → allowed (opt-in for internal IdPs)
+*   4. Otherwise                               → discovery_private_host
+*
+* Step 2 rejects loopback, RFC 1918, link-local, ULA, shared-address,
+* cloud-metadata FQDNs (e.g. `169.254.169.254`, `metadata.google.internal`),
+* multicast, and reserved ranges. See `isPublicRoutableHost` in
+* `@better-auth/core/utils/host`.
+*
+* Step 3 is the documented escape hatch for customers whose IdP runs on a
+* private network or behind a corporate VPN: they add the IdP origin to their
+* `trustedOrigins` configuration.
+*
+* @param name - The endpoint field name, used in error messages
+* @param endpoint - The URL to validate
+* @param isTrustedOrigin - Predicate matching the configured `trustedOrigins`
+* @throws DiscoveryError(discovery_invalid_url)  — malformed URL or non-http(s) scheme
+* @throws DiscoveryError(discovery_private_host) — host is not publicly routable and not allowlisted
+*/
+function validateSkipDiscoveryEndpoint(name, endpoint, isTrustedOrigin) {
+	const parsed = parseURL(name, endpoint);
+	if (isPublicRoutableHost(parsed.hostname)) return;
+	if (isTrustedOrigin(parsed.toString())) return;
+	throw new DiscoveryError("discovery_private_host", `The ${name} URL (${parsed.toString()}) is not publicly routable: ${parsed.hostname}. If this is an internal IdP, add its origin to trustedOrigins.`, {
+		endpoint: name,
+		url: endpoint,
+		hostname: parsed.hostname
+	});
+}
+/**
+* Validate every present OIDC endpoint URL in a registration or update body.
+*
+* Each provided URL is checked with {@link validateSkipDiscoveryEndpoint}.
+* Omitted (undefined / null / empty) fields are skipped.
+*
+* @param config - OIDC endpoint URLs from the request body
+* @param isTrustedOrigin - Predicate matching the configured `trustedOrigins`
+* @throws DiscoveryError on the first invalid endpoint
+*/
+function validateSkipDiscoveryEndpoints(config, isTrustedOrigin) {
+	const fields = [
+		["authorizationEndpoint", config.authorizationEndpoint],
+		["tokenEndpoint", config.tokenEndpoint],
+		["userInfoEndpoint", config.userInfoEndpoint],
+		["jwksEndpoint", config.jwksEndpoint],
+		["discoveryEndpoint", config.discoveryEndpoint]
+	];
+	for (const [name, url] of fields) if (url) validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
+}
+/**
+* Re-validate an endpoint by resolving its hostname and rejecting any resolved
+* address that is not publicly routable.
+*
+* {@link validateSkipDiscoveryEndpoint} only classifies the literal hostname, so
+* a host like `idp.example` whose DNS record points at `127.0.0.1`,
+* `169.254.169.254`, or an RFC 1918 address passes that check unchanged. This
+* function closes that gap by performing the same RFC 6890 classification on the
+* addresses the host actually resolves to, right before the server-side fetch.
+*
+* Best-effort by design:
+*   - Operator-allowlisted origins (trustedOrigins) are skipped — this is the
+*     documented escape hatch for internal IdPs.
+*   - IP-literal hosts are already fully covered by the synchronous check.
+*   - On runtimes without `node:dns` (e.g. Cloudflare Workers / edge), DNS
+*     resolution is unavailable; we fall back to the synchronous host check and
+*     the platform's own egress controls.
+*
+* Note: this resolves once and validates the result; it does not pin the address
+* for the subsequent connection, so a change in the resolved address between
+* this lookup and the fetch remains theoretically possible. It nonetheless
+* rejects the common case of a DNS record that statically points at an internal
+* address.
+*
+* @throws DiscoveryError(discovery_private_host) if any resolved address is not public
+*/
+async function assertEndpointResolvesPublic(name, endpoint, isTrustedOrigin) {
+	const parsed = parseURL(name, endpoint);
+	if (isTrustedOrigin(parsed.toString())) return;
+	const host = parsed.hostname;
+	if (classifyHost(host).literal !== "fqdn") return;
+	let dns;
 	try {
-		const parsed = xmlParser.parse(xml);
-		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
-		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
-		return {
-			keyEncryption: keyAlg || null,
-			dataEncryption: dataAlg || null
-		};
+		dns = await import("node:dns/promises");
 	} catch {
-		return {
-			keyEncryption: null,
-			dataEncryption: null
-		};
+		return;
 	}
-}
-function hasEncryptedAssertion(xml) {
+	let resolved;
 	try {
-		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
+		resolved = await dns.lookup(host, { all: true });
 	} catch {
-		return false;
+		return;
 	}
+	for (const { address } of resolved) if (!isPublicRoutableHost(address)) throw new DiscoveryError("discovery_private_host", `The ${name} host "${host}" resolves to a non-publicly-routable address (${address}). If this is an internal IdP, add its origin to trustedOrigins.`, {
+		endpoint: name,
+		url: endpoint,
+		hostname: host,
+		resolved: address
+	});
 }
-function handleDeprecatedAlgorithm(message, behavior, errorCode) {
-	switch (behavior) {
-		case "reject": throw new APIError("BAD_REQUEST", {
-			message,
-			code: errorCode
-		});
-		case "warn":
-			console.warn(`[SAML Security Warning] ${message}`);
-			break;
-		case "allow": break;
+/**
+* Re-validate, at fetch time, every OIDC endpoint that is fetched server-side
+* (token, userinfo, jwks). Runs the synchronous host classification plus the
+* best-effort DNS resolution check. `authorizationEndpoint` is intentionally
+* excluded — it is a browser redirect target, not a server-side fetch, so these
+* checks don't apply to it.
+*/
+async function assertOIDCEndpointsResolvePublic(config, isTrustedOrigin) {
+	const fields = [
+		["tokenEndpoint", config.tokenEndpoint],
+		["userInfoEndpoint", config.userInfoEndpoint],
+		["jwksEndpoint", config.jwksEndpoint]
+	];
+	for (const [name, url] of fields) {
+		if (!url) continue;
+		validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
+		await assertEndpointResolvesPublic(name, url, isTrustedOrigin);
 	}
 }
-function validateSignatureAlgorithm(algorithm, options = {}) {
-	if (!algorithm) return;
-	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
-	if (allowedSignatureAlgorithms) {
-		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
-			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
-			code: "SAML_ALGORITHM_NOT_ALLOWED"
+/**
+* Fetch the OIDC discovery document from the IdP.
+*
+* @param url - The discovery endpoint URL
+* @param timeout - Request timeout in milliseconds
+* @returns The parsed discovery document
+* @throws DiscoveryError on network errors, timeouts, or invalid responses
+*/
+async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT) {
+	try {
+		const response = await betterFetch(url, {
+			method: "GET",
+			timeout,
+			redirect: "error"
 		});
-		return;
-	}
-	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
-		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-		return;
-	}
-	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
-		message: `SAML signature algorithm not recognized: ${algorithm}`,
-		code: "SAML_UNKNOWN_ALGORITHM"
-	});
-}
-function validateEncryptionAlgorithms(algorithms, options = {}) {
-	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
-	const { keyEncryption, dataEncryption } = algorithms;
-	if (keyEncryption) {
-		if (allowedKeyEncryptionAlgorithms) {
-			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
-				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
-			});
-		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-	}
-	if (dataEncryption) {
-		if (allowedDataEncryptionAlgorithms) {
-			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
-				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
+		if (response.error) {
+			const { status } = response.error;
+			if (status === 404) throw new DiscoveryError("discovery_not_found", "Discovery endpoint not found", {
+				url,
+				status
 			});
-		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-	}
-}
-function validateSAMLAlgorithms(response, options) {
-	validateSignatureAlgorithm(response.sigAlg, options);
-	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
-}
-function validateConfigAlgorithms(config, options = {}) {
-	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
-	if (config.signatureAlgorithm) {
-		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
-		if (allowedSignatureAlgorithms) {
-			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
-				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			if (status === 408) throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
+				url,
+				timeout
 			});
-		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
-		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
-			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
-			code: "SAML_UNKNOWN_ALGORITHM"
-		});
-	}
-	if (config.digestAlgorithm) {
-		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
-		if (allowedDigestAlgorithms) {
-			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
-				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			throw new DiscoveryError("discovery_unexpected_error", `Unexpected discovery error: ${response.error.statusText}`, {
+				url,
+				...response.error
 			});
-		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
-		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
-			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
-			code: "SAML_UNKNOWN_ALGORITHM"
+		}
+		if (!response.data) throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned an empty response", { url });
+		const data = response.data;
+		if (typeof data === "string") throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned invalid JSON", {
+			url,
+			bodyPreview: data.slice(0, 200)
 		});
-	}
-}
-//#endregion
-//#region src/saml/assertions.ts
-function countAssertions(xml) {
-	let parsed;
-	try {
-		parsed = xmlParser.parse(xml);
-	} catch {
-		throw new APIError("BAD_REQUEST", {
-			message: "Failed to parse SAML response XML",
-			code: "SAML_INVALID_XML"
+		return data;
+	} catch (error) {
+		if (error instanceof DiscoveryError) throw error;
+		if (error instanceof Error && error.name === "AbortError") throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
+			url,
+			timeout
 		});
+		throw new DiscoveryError("discovery_unexpected_error", `Unexpected error during discovery: ${error instanceof Error ? error.message : String(error)}`, { url }, { cause: error });
 	}
-	const assertions = countAllNodes(parsed, "Assertion");
-	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
-	return {
-		assertions,
-		encryptedAssertions,
-		total: assertions + encryptedAssertions
-	};
 }
-function validateSingleAssertion(samlResponse) {
-	let xml;
-	try {
-		xml = new TextDecoder().decode(base64.decode(samlResponse.replace(/\s+/g, "")));
-		if (!xml.includes("<")) throw new Error("Not XML");
-	} catch {
-		throw new APIError("BAD_REQUEST", {
-			message: "Invalid base64-encoded SAML response",
-			code: "SAML_INVALID_ENCODING"
-		});
-	}
-	const counts = countAssertions(xml);
-	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
-		message: "SAML response contains no assertions",
-		code: "SAML_NO_ASSERTION"
+/**
+* Validate a discovery document.
+*
+* Checks:
+* 1. All required fields are present
+* 2. Issuer matches the configured issuer (case-sensitive, exact match)
+*
+* Invariant: If this function returns without throwing, the document is safe
+* to use for hydrating OIDC config (required fields present, issuer matches
+* configured value, basic structural sanity verified).
+*
+* @param doc - The discovery document to validate
+* @param configuredIssuer - The expected issuer value
+* @throws DiscoveryError if validation fails
+*/
+function validateDiscoveryDocument(doc, configuredIssuer) {
+	const missingFields = [];
+	for (const field of REQUIRED_DISCOVERY_FIELDS) if (!doc[field]) missingFields.push(field);
+	if (missingFields.length > 0) throw new DiscoveryError("discovery_incomplete", `Discovery document is missing required fields: ${missingFields.join(", ")}`, { missingFields });
+	if ((doc.issuer.endsWith("/") ? doc.issuer.slice(0, -1) : doc.issuer) !== (configuredIssuer.endsWith("/") ? configuredIssuer.slice(0, -1) : configuredIssuer)) throw new DiscoveryError("issuer_mismatch", `Discovered issuer "${doc.issuer}" does not match configured issuer "${configuredIssuer}"`, {
+		discovered: doc.issuer,
+		configured: configuredIssuer
 	});
-	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
-		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
-		code: "SAML_MULTIPLE_ASSERTIONS"
+}
+/**
+* Normalize URLs in the discovery document.
+*
+* @param document - The discovery document
+* @param issuer - The base issuer URL
+* @param isTrustedOrigin - Origin verification tester function
+* @returns The normalized discovery document
+*/
+function normalizeDiscoveryUrls(document, issuer, isTrustedOrigin) {
+	const doc = { ...document };
+	doc.token_endpoint = normalizeAndValidateUrl("token_endpoint", doc.token_endpoint, issuer, isTrustedOrigin);
+	doc.authorization_endpoint = normalizeAndValidateUrl("authorization_endpoint", doc.authorization_endpoint, issuer, isTrustedOrigin);
+	doc.jwks_uri = normalizeAndValidateUrl("jwks_uri", doc.jwks_uri, issuer, isTrustedOrigin);
+	if (doc.userinfo_endpoint) doc.userinfo_endpoint = normalizeAndValidateUrl("userinfo_endpoint", doc.userinfo_endpoint, issuer, isTrustedOrigin);
+	if (doc.revocation_endpoint) doc.revocation_endpoint = normalizeAndValidateUrl("revocation_endpoint", doc.revocation_endpoint, issuer, isTrustedOrigin);
+	if (doc.end_session_endpoint) doc.end_session_endpoint = normalizeAndValidateUrl("end_session_endpoint", doc.end_session_endpoint, issuer, isTrustedOrigin);
+	if (doc.introspection_endpoint) doc.introspection_endpoint = normalizeAndValidateUrl("introspection_endpoint", doc.introspection_endpoint, issuer, isTrustedOrigin);
+	return doc;
+}
+/**
+* Normalizes and validates a single URL endpoint
+* @param name The url name
+* @param endpoint The url to validate
+* @param issuer The issuer base url
+* @param isTrustedOrigin - Origin verification tester function
+* @returns
+*/
+function normalizeAndValidateUrl(name, endpoint, issuer, isTrustedOrigin) {
+	const url = normalizeUrl(name, endpoint, issuer);
+	if (!isTrustedOrigin(url)) throw new DiscoveryError("discovery_untrusted_origin", `The ${name} "${url}" is not trusted by your trusted origins configuration.`, {
+		endpoint: name,
+		url
 	});
+	return url;
 }
-//#endregion
-//#region src/saml/response-validation.ts
-function errorRedirectUrl(base, error, description) {
+/**
+* Normalize a single URL endpoint.
+*
+* @param name - The endpoint name (e.g token_endpoint)
+* @param endpoint - The endpoint URL to normalize
+* @param issuer - The base issuer URL
+* @returns The normalized endpoint URL
+*/
+function normalizeUrl(name, endpoint, issuer) {
 	try {
-		const url = new URL(base);
-		url.searchParams.set("error", error);
-		url.searchParams.set("error_description", description);
-		return url.toString();
+		return parseURL(name, endpoint).toString();
 	} catch {
-		const hashIdx = base.indexOf("#");
-		const path = hashIdx >= 0 ? base.slice(0, hashIdx) : base;
-		const hash = hashIdx >= 0 ? base.slice(hashIdx + 1) : void 0;
-		return `${path}${path.includes("?") ? "&" : "?"}${`error=${encodeURIComponent(error)}&error_description=${encodeURIComponent(description)}`}${hash ? `#${hash}` : ""}`;
+		const issuerURL = parseURL(name, issuer);
+		const basePath = issuerURL.pathname.replace(/\/+$/, "");
+		const endpointPath = endpoint.replace(/^\/+/, "");
+		return parseURL(name, basePath + "/" + endpointPath, issuerURL.origin).toString();
 	}
 }
 /**
-* Validates the InResponseTo attribute of a SAML Response.
+* Parses the given URL or throws in case of invalid or unsupported protocols
 *
-* This binds the IdP's Response to a specific SP-initiated AuthnRequest,
-* preventing replay attacks, unsolicited response injection, and
-* cross-provider assertion swaps.
+* @param name the url name
+* @param endpoint the endpoint url
+* @param [base] optional base path
+* @returns
+*/
+function parseURL(name, endpoint, base) {
+	let endpointURL;
+	try {
+		endpointURL = new URL(endpoint, base);
+		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") return endpointURL;
+	} catch (error) {
+		throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must be valid: ${endpoint}`, { url: endpoint }, { cause: error });
+	}
+	throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must use the http or https supported protocols: ${endpoint}`, {
+		url: endpoint,
+		protocol: endpointURL.protocol
+	});
+}
+/**
+* Select the token endpoint authentication method.
 *
-* The InResponseTo value lives at `extract.response.inResponseTo` in
-* samlify's parsed output (not at the top level).
+* @param doc - The discovery document
+* @param existing - Existing authentication method from config
+* @returns The selected authentication method
 */
-async function validateInResponseTo(c, ctx) {
-	if (ctx.options.enableInResponseToValidation === false) return;
-	const inResponseTo = ctx.extract.response?.inResponseTo;
-	const allowIdpInitiated = ctx.options.allowIdpInitiated ?? false;
-	if (inResponseTo) {
-		let storedRequest = null;
-		const verification = await c.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-		if (verification) try {
-			storedRequest = JSON.parse(verification.value);
-			if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
-		} catch {
-			storedRequest = null;
-		}
-		if (!storedRequest) {
-			c.context.logger.error("SAML InResponseTo validation failed: unknown or expired request ID", {
-				inResponseTo,
-				providerId: ctx.providerId
-			});
-			throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Unknown or expired request ID"));
-		}
-		if (storedRequest.providerId !== ctx.providerId) {
-			c.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
-				inResponseTo,
-				expectedProvider: storedRequest.providerId,
-				actualProvider: ctx.providerId
-			});
-			await c.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-			throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Provider mismatch"));
-		}
-		await c.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-	} else if (!allowIdpInitiated) {
-		c.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId: ctx.providerId });
-		throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "unsolicited_response", "IdP-initiated SSO not allowed"));
-	}
+function selectTokenEndpointAuthMethod(doc, existing) {
+	if (existing === "private_key_jwt") return existing;
+	if (existing) return existing;
+	const supported = doc.token_endpoint_auth_methods_supported;
+	if (!supported || supported.length === 0) return "client_secret_basic";
+	if (supported.includes("client_secret_basic")) return "client_secret_basic";
+	if (supported.includes("client_secret_post")) return "client_secret_post";
+	if (supported.includes("private_key_jwt")) return "private_key_jwt";
+	return "client_secret_basic";
 }
 /**
-* Validates the AudienceRestriction of a SAML assertion.
+* Check if a provider configuration needs runtime discovery.
 *
-* Per SAML 2.0 Core §2.5.1, an assertion's Audience element specifies
-* the intended recipient SP. Without this check, an assertion issued
-* for a different SP (e.g., another application sharing the same IdP)
-* could be accepted.
+* Returns true if we need discovery at runtime to complete the token exchange
+* and validation. Specifically checks for:
+* - `tokenEndpoint` - required for exchanging authorization code for tokens
+* - `jwksEndpoint` - required for validating ID token signatures
+* - `authorizationEndpoint` - required for redirecting users to the IdP for login
+*
+* @param config - Partial OIDC config from the provider
+* @returns true if runtime discovery should be performed
 */
-function validateAudience(c, ctx) {
-	if (!ctx.expectedAudience) {
-		c.context.logger.warn("Could not determine SP entity ID for audience validation; skipping", { providerId: ctx.providerId });
-		return;
-	}
-	const audience = ctx.extract.audience;
-	if (!audience) {
-		c.context.logger.error("SAML assertion missing AudienceRestriction but audience is configured — rejecting", { providerId: ctx.providerId });
-		throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Audience restriction missing"));
+function needsRuntimeDiscovery(config) {
+	if (!config) return true;
+	return !config.tokenEndpoint || !config.jwksEndpoint || !config.authorizationEndpoint;
+}
+/**
+* Runs runtime OIDC discovery when the stored config is missing required
+* endpoints, and merges the hydrated fields back into the config.
+* Throws if discovery fails.
+*/
+async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
+	let resolved = config;
+	if (needsRuntimeDiscovery(config)) {
+		const hydrated = await discoverOIDCConfig({
+			issuer,
+			existingConfig: config,
+			isTrustedOrigin
+		});
+		resolved = {
+			...config,
+			authorizationEndpoint: hydrated.authorizationEndpoint,
+			tokenEndpoint: hydrated.tokenEndpoint,
+			tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
+			userInfoEndpoint: hydrated.userInfoEndpoint,
+			jwksEndpoint: hydrated.jwksEndpoint
+		};
 	}
-	const audiences = Array.isArray(audience) ? audience : [audience];
-	if (!audiences.includes(ctx.expectedAudience)) {
-		c.context.logger.error("SAML audience mismatch: assertion was issued for a different service provider", {
-			expected: ctx.expectedAudience,
-			received: audiences,
-			providerId: ctx.providerId
+	await assertOIDCEndpointsResolvePublic(resolved, isTrustedOrigin);
+	return resolved;
+}
+//#endregion
+//#region src/oidc/errors.ts
+/**
+* OIDC Discovery Error Mapping
+*
+* Maps DiscoveryError codes to appropriate APIError responses.
+* Used at the boundary between the discovery pipeline and HTTP handlers.
+*/
+/**
+* Maps a DiscoveryError to an appropriate APIError for HTTP responses.
+*
+* Error code mapping:
+* - discovery_invalid_url        → 400 BAD_REQUEST
+* - discovery_not_found          → 400 BAD_REQUEST
+* - discovery_untrusted_origin   → 400 BAD_REQUEST
+* - discovery_private_host       → 400 BAD_REQUEST
+* - discovery_invalid_json       → 400 BAD_REQUEST
+* - discovery_incomplete         → 400 BAD_REQUEST
+* - issuer_mismatch              → 400 BAD_REQUEST
+* - unsupported_token_auth_method → 400 BAD_REQUEST
+* - discovery_timeout            → 502 BAD_GATEWAY
+* - discovery_unexpected_error   → 502 BAD_GATEWAY
+*
+* @param error - The DiscoveryError to map
+* @returns An APIError with appropriate status and message
+*/
+function mapDiscoveryErrorToAPIError(error) {
+	switch (error.code) {
+		case "discovery_timeout": return new APIError("BAD_GATEWAY", {
+			message: `OIDC discovery timed out: ${error.message}`,
+			code: error.code
 		});
-		throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Audience mismatch"));
+		case "discovery_unexpected_error": return new APIError("BAD_GATEWAY", {
+			message: `OIDC discovery failed: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_not_found": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery endpoint not found. The issuer may not support OIDC discovery, or the URL is incorrect. ${error.message}`,
+			code: error.code
+		});
+		case "discovery_invalid_url": return new APIError("BAD_REQUEST", {
+			message: `Invalid OIDC endpoint URL: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_untrusted_origin": return new APIError("BAD_REQUEST", {
+			message: `Untrusted OIDC discovery URL: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_private_host": return new APIError("BAD_REQUEST", {
+			message: error.message,
+			code: error.code
+		});
+		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery returned invalid data: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_incomplete": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery document is missing required fields: ${error.message}`,
+			code: error.code
+		});
+		case "issuer_mismatch": return new APIError("BAD_REQUEST", {
+			message: `OIDC issuer mismatch: ${error.message}`,
+			code: error.code
+		});
+		case "unsupported_token_auth_method": return new APIError("BAD_REQUEST", {
+			message: `Incompatible OIDC provider: ${error.message}`,
+			code: error.code
+		});
+		default:
+			error.code;
+			return new APIError("INTERNAL_SERVER_ERROR", {
+				message: `Unexpected discovery error: ${error.message}`,
+				code: "discovery_unexpected_error"
+			});
 	}
 }
 //#endregion
-//#region src/routes/schemas.ts
-const oidcMappingSchema = z.object({
-	id: z.string().optional(),
-	email: z.string().optional(),
-	emailVerified: z.string().optional(),
-	name: z.string().optional(),
-	image: z.string().optional(),
-	extraFields: z.record(z.string(), z.any()).optional()
-}).optional();
-const samlMappingSchema = z.object({
-	id: z.string().optional(),
-	email: z.string().optional(),
-	emailVerified: z.string().optional(),
-	name: z.string().optional(),
-	firstName: z.string().optional(),
-	lastName: z.string().optional(),
-	extraFields: z.record(z.string(), z.any()).optional()
-}).optional();
-const oidcConfigSchema = z.object({
-	clientId: z.string().optional(),
-	clientSecret: z.string().optional(),
-	authorizationEndpoint: z.string().url().optional(),
-	tokenEndpoint: z.string().url().optional(),
-	userInfoEndpoint: z.string().url().optional(),
-	tokenEndpointAuthentication: z.enum([
-		"client_secret_post",
-		"client_secret_basic",
-		"private_key_jwt"
-	]).optional(),
-	privateKeyId: z.string().optional(),
-	privateKeyAlgorithm: z.string().optional(),
-	jwksEndpoint: z.string().url().optional(),
-	discoveryEndpoint: z.string().url().optional(),
-	scopes: z.array(z.string()).optional(),
-	pkce: z.boolean().optional(),
-	overrideUserInfo: z.boolean().optional(),
-	mapping: oidcMappingSchema
-});
-const samlConfigSchema = z.object({
-	entryPoint: z.string().url().optional(),
-	cert: z.string().optional(),
-	audience: z.string().optional(),
-	idpMetadata: z.object({
-		metadata: z.string().optional(),
-		entityID: z.string().optional(),
-		cert: z.string().optional(),
-		privateKey: z.string().optional(),
-		privateKeyPass: z.string().optional(),
-		isAssertionEncrypted: z.boolean().optional(),
-		encPrivateKey: z.string().optional(),
-		encPrivateKeyPass: z.string().optional(),
-		singleSignOnService: z.array(z.object({
-			Binding: z.string(),
-			Location: z.string().url()
-		})).optional()
-	}).optional(),
-	spMetadata: z.object({
-		metadata: z.string().optional(),
-		entityID: z.string().optional(),
-		binding: z.string().optional(),
-		privateKey: z.string().optional(),
-		privateKeyPass: z.string().optional(),
-		isAssertionEncrypted: z.boolean().optional(),
-		encPrivateKey: z.string().optional(),
-		encPrivateKeyPass: z.string().optional()
-	}).optional(),
-	wantAssertionsSigned: z.boolean().optional(),
-	authnRequestsSigned: z.boolean().optional(),
-	signatureAlgorithm: z.string().optional(),
-	digestAlgorithm: z.string().optional(),
-	identifierFormat: z.string().optional(),
-	privateKey: z.string().optional(),
-	mapping: samlMappingSchema
-});
-const updateSSOProviderBodySchema = z.object({
-	issuer: z.string().url().optional(),
-	domain: z.string().optional(),
-	oidcConfig: oidcConfigSchema.optional(),
-	samlConfig: samlConfigSchema.optional()
+//#region src/saml/parser.ts
+const xmlParser = new XMLParser({
+	ignoreAttributes: false,
+	attributeNamePrefix: "@_",
+	removeNSPrefix: true,
+	processEntities: false
 });
-//#endregion
-//#region src/routes/providers.ts
-const ADMIN_ROLES = ["owner", "admin"];
-async function isOrgAdmin(ctx, userId, organizationId) {
-	const member = await ctx.context.adapter.findOne({
-		model: "member",
-		where: [{
-			field: "userId",
-			value: userId
-		}, {
-			field: "organizationId",
-			value: organizationId
-		}]
-	});
-	if (!member) return false;
-	return member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()));
-}
-async function batchCheckOrgAdmin(ctx, userId, organizationIds) {
-	if (organizationIds.length === 0) return /* @__PURE__ */ new Set();
-	const members = await ctx.context.adapter.findMany({
-		model: "member",
-		where: [{
-			field: "userId",
-			value: userId
-		}, {
-			field: "organizationId",
-			value: organizationIds,
-			operator: "in"
-		}]
-	});
-	const adminOrgIds = /* @__PURE__ */ new Set();
-	for (const member of members) if (member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()))) adminOrgIds.add(member.organizationId);
-	return adminOrgIds;
-}
-function sanitizeProvider(provider, baseURL) {
-	let oidcConfig = null;
-	let samlConfig = null;
-	try {
-		oidcConfig = safeJsonParse(provider.oidcConfig);
-	} catch {
-		oidcConfig = null;
+function findNode(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return null;
+	const record = obj;
+	if (nodeName in record) return record[nodeName];
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
+		const found = findNode(item, nodeName);
+		if (found) return found;
 	}
-	try {
-		samlConfig = safeJsonParse(provider.samlConfig);
-	} catch {
-		samlConfig = null;
+	else if (typeof value === "object" && value !== null) {
+		const found = findNode(value, nodeName);
+		if (found) return found;
 	}
-	const type = samlConfig ? "saml" : "oidc";
-	return {
-		providerId: provider.providerId,
-		type,
-		issuer: provider.issuer,
-		domain: provider.domain,
-		organizationId: provider.organizationId || null,
-		domainVerified: provider.domainVerified ?? false,
-		oidcConfig: oidcConfig ? {
-			discoveryEndpoint: oidcConfig.discoveryEndpoint,
-			clientIdLastFour: maskClientId(oidcConfig.clientId),
-			pkce: oidcConfig.pkce,
-			authorizationEndpoint: oidcConfig.authorizationEndpoint,
-			tokenEndpoint: oidcConfig.tokenEndpoint,
-			userInfoEndpoint: oidcConfig.userInfoEndpoint,
-			jwksEndpoint: oidcConfig.jwksEndpoint,
-			scopes: oidcConfig.scopes,
-			tokenEndpointAuthentication: oidcConfig.tokenEndpointAuthentication
-		} : void 0,
-		samlConfig: samlConfig ? {
-			entryPoint: samlConfig.entryPoint,
-			audience: samlConfig.audience,
-			wantAssertionsSigned: samlConfig.wantAssertionsSigned,
-			authnRequestsSigned: samlConfig.authnRequestsSigned,
-			identifierFormat: samlConfig.identifierFormat,
-			signatureAlgorithm: samlConfig.signatureAlgorithm,
-			digestAlgorithm: samlConfig.digestAlgorithm,
-			certificate: (() => {
-				try {
-					return parseCertificate(samlConfig.cert);
-				} catch {
-					return { error: "Failed to parse certificate" };
-				}
-			})()
-		} : void 0,
-		spMetadataUrl: `${baseURL}/sso/saml2/sp/metadata?providerId=${encodeURIComponent(provider.providerId)}`
-	};
+	return null;
 }
-const listSSOProviders = () => {
-	return createAuthEndpoint("/sso/providers", {
-		method: "GET",
-		use: [sessionMiddleware],
-		metadata: { openapi: {
-			operationId: "listSSOProviders",
-			summary: "List SSO providers",
-			description: "Returns a list of SSO providers the user has access to",
-			responses: { "200": { description: "List of SSO providers" } }
-		} }
-	}, async (ctx) => {
-		const userId = ctx.context.session.user.id;
-		const allProviders = await ctx.context.adapter.findMany({ model: "ssoProvider" });
-		const userOwnedProviders = allProviders.filter((p) => p.userId === userId && !p.organizationId);
-		const orgProviders = allProviders.filter((p) => p.organizationId !== null && p.organizationId !== void 0);
-		const orgPluginEnabled = ctx.context.hasPlugin("organization");
-		let accessibleProviders = [...userOwnedProviders];
-		if (orgPluginEnabled && orgProviders.length > 0) {
-			const adminOrgIds = await batchCheckOrgAdmin(ctx, userId, [...new Set(orgProviders.map((p) => p.organizationId).filter((id) => id !== null && id !== void 0))]);
-			const orgAccessibleProviders = orgProviders.filter((provider) => provider.organizationId && adminOrgIds.has(provider.organizationId));
-			accessibleProviders = [...accessibleProviders, ...orgAccessibleProviders];
-		} else if (!orgPluginEnabled) {
-			const userOwnedOrgProviders = orgProviders.filter((p) => p.userId === userId);
-			accessibleProviders = [...accessibleProviders, ...userOwnedOrgProviders];
-		}
-		const providers = accessibleProviders.map((p) => sanitizeProvider(p, ctx.context.baseURL));
-		return ctx.json({ providers });
-	});
-};
-const getSSOProviderQuerySchema = z.object({ providerId: z.string() });
-async function checkProviderAccess(ctx, providerId) {
-	const userId = ctx.context.session.user.id;
-	const provider = await ctx.context.adapter.findOne({
-		model: "ssoProvider",
-		where: [{
-			field: "providerId",
-			value: providerId
-		}]
-	});
-	if (!provider) throw new APIError("NOT_FOUND", { message: "Provider not found" });
-	let hasAccess = false;
-	if (provider.organizationId) if (ctx.context.hasPlugin("organization")) hasAccess = await isOrgAdmin(ctx, userId, provider.organizationId);
-	else hasAccess = provider.userId === userId;
-	else hasAccess = provider.userId === userId;
-	if (!hasAccess) throw new APIError("FORBIDDEN", { message: "You don't have access to this provider" });
-	return provider;
+function countAllNodes(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return 0;
+	let count = 0;
+	const record = obj;
+	if (nodeName in record) {
+		const node = record[nodeName];
+		count += Array.isArray(node) ? node.length : 1;
+	}
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
+	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
+	return count;
 }
-const getSSOProvider = () => {
-	return createAuthEndpoint("/sso/get-provider", {
-		method: "GET",
-		use: [sessionMiddleware],
-		query: getSSOProviderQuerySchema,
-		metadata: { openapi: {
-			operationId: "getSSOProvider",
-			summary: "Get SSO provider details",
-			description: "Returns sanitized details for a specific SSO provider",
-			responses: {
-				"200": { description: "SSO provider details" },
-				"404": { description: "Provider not found" },
-				"403": { description: "Access denied" }
-			}
-		} }
-	}, async (ctx) => {
-		const { providerId } = ctx.query;
-		const provider = await checkProviderAccess(ctx, providerId);
-		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL));
-	});
+//#endregion
+//#region src/saml/algorithms.ts
+const SignatureAlgorithm = {
+	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
+	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
+	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
 };
-function parseAndValidateConfig(configString, configType) {
-	let config = null;
+const DigestAlgorithm = {
+	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
+	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
+	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
+};
+const KeyEncryptionAlgorithm = {
+	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
+	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
+};
+const DataEncryptionAlgorithm = {
+	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
+	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
+	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
+	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
+	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
+	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
+};
+const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
+const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
+const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
+const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
+const SECURE_SIGNATURE_ALGORITHMS = [
+	SignatureAlgorithm.RSA_SHA256,
+	SignatureAlgorithm.RSA_SHA384,
+	SignatureAlgorithm.RSA_SHA512,
+	SignatureAlgorithm.ECDSA_SHA256,
+	SignatureAlgorithm.ECDSA_SHA384,
+	SignatureAlgorithm.ECDSA_SHA512
+];
+const SECURE_DIGEST_ALGORITHMS = [
+	DigestAlgorithm.SHA256,
+	DigestAlgorithm.SHA384,
+	DigestAlgorithm.SHA512
+];
+const SHORT_FORM_SIGNATURE_TO_URI = {
+	sha1: SignatureAlgorithm.RSA_SHA1,
+	sha256: SignatureAlgorithm.RSA_SHA256,
+	sha384: SignatureAlgorithm.RSA_SHA384,
+	sha512: SignatureAlgorithm.RSA_SHA512,
+	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
+	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
+	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
+	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
+	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
+	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
+	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
+};
+const SHORT_FORM_DIGEST_TO_URI = {
+	sha1: DigestAlgorithm.SHA1,
+	sha256: DigestAlgorithm.SHA256,
+	sha384: DigestAlgorithm.SHA384,
+	sha512: DigestAlgorithm.SHA512
+};
+function normalizeSignatureAlgorithm(alg) {
+	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
+}
+function normalizeDigestAlgorithm(alg) {
+	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
+}
+function extractEncryptionAlgorithms(xml) {
 	try {
-		config = safeJsonParse(configString);
+		const parsed = xmlParser.parse(xml);
+		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
+		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
+		return {
+			keyEncryption: keyAlg || null,
+			dataEncryption: dataAlg || null
+		};
 	} catch {
-		config = null;
+		return {
+			keyEncryption: null,
+			dataEncryption: null
+		};
 	}
-	if (!config) throw new APIError("BAD_REQUEST", { message: `Cannot update ${configType} config for a provider that doesn't have ${configType} configured` });
-	return config;
-}
-function mergeSAMLConfig(current, updates, issuer) {
-	return {
-		...current,
-		...updates,
-		issuer,
-		entryPoint: updates.entryPoint ?? current.entryPoint,
-		cert: updates.cert ?? current.cert,
-		spMetadata: updates.spMetadata ?? current.spMetadata,
-		idpMetadata: updates.idpMetadata ?? current.idpMetadata,
-		mapping: updates.mapping ?? current.mapping,
-		audience: updates.audience ?? current.audience,
-		wantAssertionsSigned: updates.wantAssertionsSigned ?? current.wantAssertionsSigned,
-		authnRequestsSigned: updates.authnRequestsSigned ?? current.authnRequestsSigned,
-		identifierFormat: updates.identifierFormat ?? current.identifierFormat,
-		signatureAlgorithm: updates.signatureAlgorithm ?? current.signatureAlgorithm,
-		digestAlgorithm: updates.digestAlgorithm ?? current.digestAlgorithm
-	};
 }
-function mergeOIDCConfig(current, updates, issuer) {
-	return {
-		...current,
-		...updates,
-		issuer,
-		pkce: updates.pkce ?? current.pkce ?? true,
-		clientId: updates.clientId ?? current.clientId,
-		clientSecret: updates.clientSecret ?? current.clientSecret,
-		discoveryEndpoint: updates.discoveryEndpoint ?? current.discoveryEndpoint,
-		mapping: updates.mapping ?? current.mapping,
-		scopes: updates.scopes ?? current.scopes,
-		authorizationEndpoint: updates.authorizationEndpoint ?? current.authorizationEndpoint,
-		tokenEndpoint: updates.tokenEndpoint ?? current.tokenEndpoint,
-		userInfoEndpoint: updates.userInfoEndpoint ?? current.userInfoEndpoint,
-		jwksEndpoint: updates.jwksEndpoint ?? current.jwksEndpoint,
-		tokenEndpointAuthentication: updates.tokenEndpointAuthentication ?? current.tokenEndpointAuthentication,
-		privateKeyId: updates.privateKeyId ?? current.privateKeyId,
-		privateKeyAlgorithm: updates.privateKeyAlgorithm ?? current.privateKeyAlgorithm
-	};
+function hasEncryptedAssertion(xml) {
+	try {
+		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
+	} catch {
+		return false;
+	}
 }
-const updateSSOProvider = (options) => {
-	return createAuthEndpoint("/sso/update-provider", {
-		method: "POST",
-		use: [sessionMiddleware],
-		body: updateSSOProviderBodySchema.extend({ providerId: z.string() }),
-		metadata: { openapi: {
-			operationId: "updateSSOProvider",
-			summary: "Update SSO provider",
-			description: "Partially update an SSO provider. Only provided fields are updated. If domain changes, domainVerified is reset to false.",
-			responses: {
-				"200": { description: "SSO provider updated successfully" },
-				"404": { description: "Provider not found" },
-				"403": { description: "Access denied" }
-			}
-		} }
-	}, async (ctx) => {
-		const { providerId, ...body } = ctx.body;
-		const { issuer, domain, samlConfig, oidcConfig } = body;
-		if (!issuer && !domain && !samlConfig && !oidcConfig) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
-		const existingProvider = await checkProviderAccess(ctx, providerId);
-		const updateData = {};
-		if (body.issuer !== void 0) updateData.issuer = body.issuer;
-		if (body.domain !== void 0) {
-			updateData.domain = body.domain;
-			if (body.domain !== existingProvider.domain) updateData.domainVerified = false;
-		}
-		if (body.samlConfig) {
-			if (body.samlConfig.idpMetadata?.metadata) {
-				const maxMetadataSize = options?.saml?.maxMetadataSize ?? 102400;
-				if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
-			}
-			if (body.samlConfig.signatureAlgorithm !== void 0 || body.samlConfig.digestAlgorithm !== void 0) validateConfigAlgorithms({
-				signatureAlgorithm: body.samlConfig.signatureAlgorithm,
-				digestAlgorithm: body.samlConfig.digestAlgorithm
-			}, options?.saml?.algorithms);
-			const currentSamlConfig = parseAndValidateConfig(existingProvider.samlConfig, "SAML");
-			const updatedSamlConfig = mergeSAMLConfig(currentSamlConfig, body.samlConfig, updateData.issuer || currentSamlConfig.issuer || existingProvider.issuer);
-			updateData.samlConfig = JSON.stringify(updatedSamlConfig);
-		}
-		if (body.oidcConfig) {
-			const currentOidcConfig = parseAndValidateConfig(existingProvider.oidcConfig, "OIDC");
-			const updatedOidcConfig = mergeOIDCConfig(currentOidcConfig, body.oidcConfig, updateData.issuer || currentOidcConfig.issuer || existingProvider.issuer);
-			if (updatedOidcConfig.tokenEndpointAuthentication !== "private_key_jwt" && !updatedOidcConfig.clientSecret) throw new APIError("BAD_REQUEST", { message: "clientSecret is required when using client_secret_basic or client_secret_post authentication" });
-			if (updatedOidcConfig.tokenEndpointAuthentication === "private_key_jwt" && !options?.resolvePrivateKey && !options?.defaultSSO?.some((p) => p.providerId === providerId && "privateKey" in p && p.privateKey)) throw new APIError("BAD_REQUEST", { message: "private_key_jwt authentication requires either a resolvePrivateKey callback or a privateKey in defaultSSO" });
-			updateData.oidcConfig = JSON.stringify(updatedOidcConfig);
-		}
-		await ctx.context.adapter.update({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: providerId
-			}],
-			update: updateData
+function handleDeprecatedAlgorithm(message, behavior, errorCode) {
+	switch (behavior) {
+		case "reject": throw new APIError("BAD_REQUEST", {
+			message,
+			code: errorCode
 		});
-		const fullProvider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: providerId
-			}]
+		case "warn":
+			console.warn(`[SAML Security Warning] ${message}`);
+			break;
+		case "allow": break;
+	}
+}
+function validateSignatureAlgorithm(algorithm, options = {}) {
+	if (!algorithm) return;
+	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
+	if (allowedSignatureAlgorithms) {
+		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
+			code: "SAML_ALGORITHM_NOT_ALLOWED"
 		});
-		if (!fullProvider) throw new APIError("NOT_FOUND", { message: "Provider not found after update" });
-		return ctx.json(sanitizeProvider(fullProvider, ctx.context.baseURL));
+		return;
+	}
+	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
+		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+		return;
+	}
+	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+		message: `SAML signature algorithm not recognized: ${algorithm}`,
+		code: "SAML_UNKNOWN_ALGORITHM"
 	});
-};
-const deleteSSOProvider = () => {
-	return createAuthEndpoint("/sso/delete-provider", {
-		method: "POST",
-		use: [sessionMiddleware],
-		body: z.object({ providerId: z.string() }),
-		metadata: { openapi: {
-			operationId: "deleteSSOProvider",
-			summary: "Delete SSO provider",
-			description: "Deletes an SSO provider",
-			responses: {
-				"200": { description: "SSO provider deleted successfully" },
-				"404": { description: "Provider not found" },
-				"403": { description: "Access denied" }
-			}
-		} }
-	}, async (ctx) => {
-		const { providerId } = ctx.body;
-		await checkProviderAccess(ctx, providerId);
-		await ctx.context.adapter.delete({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: providerId
-			}]
+}
+function validateEncryptionAlgorithms(algorithms, options = {}) {
+	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
+	const { keyEncryption, dataEncryption } = algorithms;
+	if (keyEncryption) {
+		if (allowedKeyEncryptionAlgorithms) {
+			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+	if (dataEncryption) {
+		if (allowedDataEncryptionAlgorithms) {
+			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+}
+function validateSAMLAlgorithms(response, options) {
+	validateSignatureAlgorithm(response.sigAlg, options);
+	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
+}
+function validateConfigAlgorithms(config, options = {}) {
+	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
+	if (config.signatureAlgorithm) {
+		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
+		if (allowedSignatureAlgorithms) {
+			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
 		});
-		return ctx.json({ success: true });
-	});
-};
-//#endregion
-//#region src/oidc/types.ts
-/**
-* Custom error class for OIDC discovery failures.
-* Can be caught and mapped to APIError at the edge.
-*/
-var DiscoveryError = class DiscoveryError extends Error {
-	code;
-	details;
-	constructor(code, message, details, options) {
-		super(message, options);
-		this.name = "DiscoveryError";
-		this.code = code;
-		this.details = details;
-		if (Error.captureStackTrace) Error.captureStackTrace(this, DiscoveryError);
 	}
-};
-/**
-* Required fields that must be present in a valid discovery document.
-*/
-const REQUIRED_DISCOVERY_FIELDS = [
-	"issuer",
-	"authorization_endpoint",
-	"token_endpoint",
-	"jwks_uri"
-];
+	if (config.digestAlgorithm) {
+		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
+		if (allowedDigestAlgorithms) {
+			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
+		});
+	}
+}
 //#endregion
-//#region src/oidc/discovery.ts
-/**
-* OIDC Discovery Pipeline
-*
-* Implements OIDC discovery document fetching, validation, and hydration.
-* This module is used both at provider registration time (to persist validated config)
-* and at runtime (to hydrate legacy providers that are missing metadata).
-*
-* @see https://openid.net/specs/openid-connect-discovery-1_0.html
-*/
-/** Default timeout for discovery requests (10 seconds) */
-const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
-/**
-* Main entry point: Discover and hydrate OIDC configuration from an issuer.
-*
-* This function:
-* 1. Computes the discovery URL from the issuer
-* 2. Validates the discovery URL
-* 3. Fetches the discovery document
-* 4. Validates the discovery document (issuer match + required fields)
-* 5. Normalizes URLs
-* 6. Selects token endpoint auth method
-* 7. Merges with existing config (existing values take precedence)
-*
-* @param params - Discovery parameters
-* @param isTrustedOrigin - Origin verification tester function
-* @returns Hydrated OIDC configuration ready for persistence
-* @throws DiscoveryError on any failure
-*/
-async function discoverOIDCConfig(params) {
-	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
-	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
-	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
-	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
-	validateDiscoveryDocument(discoveryDoc, issuer);
-	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
-	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
+//#region src/saml/assertions.ts
+function countAssertions(xml) {
+	let parsed;
+	try {
+		parsed = xmlParser.parse(xml);
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Failed to parse SAML response XML",
+			code: "SAML_INVALID_XML"
+		});
+	}
+	const assertions = countAllNodes(parsed, "Assertion");
+	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
 	return {
-		issuer: existingConfig?.issuer ?? normalizedDoc.issuer,
-		discoveryEndpoint: existingConfig?.discoveryEndpoint ?? discoveryUrl,
-		authorizationEndpoint: existingConfig?.authorizationEndpoint ?? normalizedDoc.authorization_endpoint,
-		tokenEndpoint: existingConfig?.tokenEndpoint ?? normalizedDoc.token_endpoint,
-		jwksEndpoint: existingConfig?.jwksEndpoint ?? normalizedDoc.jwks_uri,
-		userInfoEndpoint: existingConfig?.userInfoEndpoint ?? normalizedDoc.userinfo_endpoint,
-		tokenEndpointAuthentication: existingConfig?.tokenEndpointAuthentication ?? tokenEndpointAuth,
-		scopesSupported: existingConfig?.scopesSupported ?? normalizedDoc.scopes_supported
+		assertions,
+		encryptedAssertions,
+		total: assertions + encryptedAssertions
 	};
 }
+function validateSingleAssertion(samlResponse) {
+	let xml;
+	try {
+		xml = new TextDecoder().decode(base64.decode(samlResponse.replace(/\s+/g, "")));
+		if (!xml.includes("<")) throw new Error("Not XML");
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Invalid base64-encoded SAML response",
+			code: "SAML_INVALID_ENCODING"
+		});
+	}
+	const counts = countAssertions(xml);
+	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
+		message: "SAML response contains no assertions",
+		code: "SAML_NO_ASSERTION"
+	});
+	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
+		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
+		code: "SAML_MULTIPLE_ASSERTIONS"
+	});
+}
+//#endregion
+//#region src/saml/error-codes.ts
+const SAML_ERROR_CODES = defineErrorCodes({
+	SINGLE_LOGOUT_NOT_ENABLED: "Single Logout is not enabled",
+	INVALID_LOGOUT_RESPONSE: "Invalid LogoutResponse",
+	INVALID_LOGOUT_REQUEST: "Invalid LogoutRequest",
+	LOGOUT_FAILED_AT_IDP: "Logout failed at IdP",
+	IDP_SLO_NOT_SUPPORTED: "IdP does not support Single Logout Service",
+	SAML_PROVIDER_NOT_FOUND: "SAML provider not found",
+	CERT_SOURCE_MISSING: "samlConfig requires either a signing certificate (cert or idpMetadata.cert) or an idpMetadata.metadata XML document."
+});
+//#endregion
+//#region src/saml/cert.ts
 /**
-* Compute the discovery URL from an issuer URL.
-*
-* Per OIDC Discovery spec, the discovery document is located at:
-* <issuer>/.well-known/openid-configuration
-*
-* Handles trailing slashes correctly.
+* IdP signing-certificate rules for SAML configs. Centralized so the runtime
+* verification path (`createIdP`), the sanitizer (`getSSOProvider` and
+* friends), and the registration validator agree on precedence and the
+* "exactly one cert source" contract.
 */
-function computeDiscoveryUrl(issuer) {
-	return `${issuer.endsWith("/") ? issuer.slice(0, -1) : issuer}/.well-known/openid-configuration`;
-}
 /**
-* Validate a discovery URL before fetching.
-*
-* @param url - The discovery URL to validate
-* @param isTrustedOrigin - Origin verification tester function
-* @throws DiscoveryError if URL is invalid
+* Returns the IdP signing certificates Better Auth trusts for this provider
+* as a list. `idpMetadata.cert` wins when both are set; the top-level `cert`
+* is the fallback. Returns `undefined` when neither is set (the certs come
+* from `idpMetadata.metadata` XML instead).
 */
-function validateDiscoveryUrl(url, isTrustedOrigin) {
-	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
-	if (!isTrustedOrigin(discoveryEndpoint)) throw new DiscoveryError("discovery_untrusted_origin", `The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`, { url: discoveryEndpoint });
+function resolveSigningCerts(config) {
+	const cert = config.idpMetadata?.cert ?? config.cert;
+	if (cert === void 0) return void 0;
+	return Array.isArray(cert) ? cert : [cert];
 }
 /**
-* Fetch the OIDC discovery document from the IdP.
-*
-* @param url - The discovery endpoint URL
-* @param timeout - Request timeout in milliseconds
-* @returns The parsed discovery document
-* @throws DiscoveryError on network errors, timeouts, or invalid responses
+* Reject SAML configs with no signing-cert source. samlify needs either an
+* `idpMetadata.metadata` XML document (which embeds the certs) or an explicit
+* PEM under `cert` or `idpMetadata.cert`; without one of those it has nothing
+* to verify responses against.
 */
-async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT) {
+function validateCertSources(config) {
+	const hasMetadataXml = !!config.idpMetadata?.metadata;
+	const hasExplicitCert = config.idpMetadata?.cert !== void 0 || config.cert !== void 0;
+	if (!hasMetadataXml && !hasExplicitCert) throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.CERT_SOURCE_MISSING);
+}
+//#endregion
+//#region src/saml/response-validation.ts
+function errorRedirectUrl(base, error, description) {
 	try {
-		const response = await betterFetch(url, {
-			method: "GET",
-			timeout
-		});
-		if (response.error) {
-			const { status } = response.error;
-			if (status === 404) throw new DiscoveryError("discovery_not_found", "Discovery endpoint not found", {
-				url,
-				status
-			});
-			if (status === 408) throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
-				url,
-				timeout
-			});
-			throw new DiscoveryError("discovery_unexpected_error", `Unexpected discovery error: ${response.error.statusText}`, {
-				url,
-				...response.error
-			});
-		}
-		if (!response.data) throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned an empty response", { url });
-		const data = response.data;
-		if (typeof data === "string") throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned invalid JSON", {
-			url,
-			bodyPreview: data.slice(0, 200)
-		});
-		return data;
-	} catch (error) {
-		if (error instanceof DiscoveryError) throw error;
-		if (error instanceof Error && error.name === "AbortError") throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
-			url,
-			timeout
-		});
-		throw new DiscoveryError("discovery_unexpected_error", `Unexpected error during discovery: ${error instanceof Error ? error.message : String(error)}`, { url }, { cause: error });
+		const url = new URL(base);
+		url.searchParams.set("error", error);
+		url.searchParams.set("error_description", description);
+		return url.toString();
+	} catch {
+		const hashIdx = base.indexOf("#");
+		const path = hashIdx >= 0 ? base.slice(0, hashIdx) : base;
+		const hash = hashIdx >= 0 ? base.slice(hashIdx + 1) : void 0;
+		return `${path}${path.includes("?") ? "&" : "?"}${`error=${encodeURIComponent(error)}&error_description=${encodeURIComponent(description)}`}${hash ? `#${hash}` : ""}`;
 	}
 }
 /**
-* Validate a discovery document.
-*
-* Checks:
-* 1. All required fields are present
-* 2. Issuer matches the configured issuer (case-sensitive, exact match)
+* Validates the InResponseTo attribute of a SAML Response.
 *
-* Invariant: If this function returns without throwing, the document is safe
-* to use for hydrating OIDC config (required fields present, issuer matches
-* configured value, basic structural sanity verified).
+* This binds the IdP's Response to a specific SP-initiated AuthnRequest,
+* preventing replay attacks, unsolicited response injection, and
+* cross-provider assertion swaps.
 *
-* @param doc - The discovery document to validate
-* @param configuredIssuer - The expected issuer value
-* @throws DiscoveryError if validation fails
+* The InResponseTo value lives at `extract.response.inResponseTo` in
+* samlify's parsed output (not at the top level).
 */
-function validateDiscoveryDocument(doc, configuredIssuer) {
-	const missingFields = [];
-	for (const field of REQUIRED_DISCOVERY_FIELDS) if (!doc[field]) missingFields.push(field);
-	if (missingFields.length > 0) throw new DiscoveryError("discovery_incomplete", `Discovery document is missing required fields: ${missingFields.join(", ")}`, { missingFields });
-	if ((doc.issuer.endsWith("/") ? doc.issuer.slice(0, -1) : doc.issuer) !== (configuredIssuer.endsWith("/") ? configuredIssuer.slice(0, -1) : configuredIssuer)) throw new DiscoveryError("issuer_mismatch", `Discovered issuer "${doc.issuer}" does not match configured issuer "${configuredIssuer}"`, {
-		discovered: doc.issuer,
-		configured: configuredIssuer
-	});
+async function validateInResponseTo(c, ctx) {
+	if (ctx.options.enableInResponseToValidation === false) return;
+	const inResponseTo = ctx.extract.response?.inResponseTo;
+	const allowIdpInitiated = ctx.options.allowIdpInitiated ?? false;
+	if (inResponseTo) {
+		const consumed = await c.context.internalAdapter.consumeVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+		let storedRequest = null;
+		if (consumed) try {
+			storedRequest = JSON.parse(consumed.value);
+		} catch {
+			storedRequest = null;
+		}
+		if (!storedRequest) {
+			c.context.logger.error("SAML InResponseTo validation failed: unknown or expired request ID", {
+				inResponseTo,
+				providerId: ctx.providerId
+			});
+			throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Unknown or expired request ID"));
+		}
+		if (storedRequest.providerId !== ctx.providerId) {
+			c.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
+				inResponseTo,
+				expectedProvider: storedRequest.providerId,
+				actualProvider: ctx.providerId
+			});
+			throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Provider mismatch"));
+		}
+	} else if (!allowIdpInitiated) {
+		c.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId: ctx.providerId });
+		throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "unsolicited_response", "IdP-initiated SSO not allowed"));
+	}
 }
 /**
-* Normalize URLs in the discovery document.
+* Validates the AudienceRestriction of a SAML assertion.
 *
-* @param document - The discovery document
-* @param issuer - The base issuer URL
-* @param isTrustedOrigin - Origin verification tester function
-* @returns The normalized discovery document
+* Per SAML 2.0 Core §2.5.1, an assertion's Audience element specifies
+* the intended recipient SP. Without this check, an assertion issued
+* for a different SP (e.g., another application sharing the same IdP)
+* could be accepted.
 */
-function normalizeDiscoveryUrls(document, issuer, isTrustedOrigin) {
-	const doc = { ...document };
-	doc.token_endpoint = normalizeAndValidateUrl("token_endpoint", doc.token_endpoint, issuer, isTrustedOrigin);
-	doc.authorization_endpoint = normalizeAndValidateUrl("authorization_endpoint", doc.authorization_endpoint, issuer, isTrustedOrigin);
-	doc.jwks_uri = normalizeAndValidateUrl("jwks_uri", doc.jwks_uri, issuer, isTrustedOrigin);
-	if (doc.userinfo_endpoint) doc.userinfo_endpoint = normalizeAndValidateUrl("userinfo_endpoint", doc.userinfo_endpoint, issuer, isTrustedOrigin);
-	if (doc.revocation_endpoint) doc.revocation_endpoint = normalizeAndValidateUrl("revocation_endpoint", doc.revocation_endpoint, issuer, isTrustedOrigin);
-	if (doc.end_session_endpoint) doc.end_session_endpoint = normalizeAndValidateUrl("end_session_endpoint", doc.end_session_endpoint, issuer, isTrustedOrigin);
-	if (doc.introspection_endpoint) doc.introspection_endpoint = normalizeAndValidateUrl("introspection_endpoint", doc.introspection_endpoint, issuer, isTrustedOrigin);
-	return doc;
+function validateAudience(c, ctx) {
+	if (!ctx.expectedAudience) {
+		c.context.logger.warn("Could not determine SP entity ID for audience validation; skipping", { providerId: ctx.providerId });
+		return;
+	}
+	const audience = ctx.extract.audience;
+	if (!audience) {
+		c.context.logger.error("SAML assertion missing AudienceRestriction but audience is configured — rejecting", { providerId: ctx.providerId });
+		throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Audience restriction missing"));
+	}
+	const audiences = Array.isArray(audience) ? audience : [audience];
+	if (!audiences.includes(ctx.expectedAudience)) {
+		c.context.logger.error("SAML audience mismatch: assertion was issued for a different service provider", {
+			expected: ctx.expectedAudience,
+			received: audiences,
+			providerId: ctx.providerId
+		});
+		throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Audience mismatch"));
+	}
 }
-/**
-* Normalizes and validates a single URL endpoint
-* @param name The url name
-* @param endpoint The url to validate
-* @param issuer The issuer base url
-* @param isTrustedOrigin - Origin verification tester function
-* @returns
-*/
-function normalizeAndValidateUrl(name, endpoint, issuer, isTrustedOrigin) {
-	const url = normalizeUrl(name, endpoint, issuer);
-	if (!isTrustedOrigin(url)) throw new DiscoveryError("discovery_untrusted_origin", `The ${name} "${url}" is not trusted by your trusted origins configuration.`, {
-		endpoint: name,
-		url
+//#endregion
+//#region src/routes/schemas.ts
+const oidcMappingSchema = z.object({
+	id: z.string().meta({ description: "Field mapping for user ID (defaults to 'sub')" }),
+	email: z.string().meta({ description: "Field mapping for email (defaults to 'email')" }),
+	emailVerified: z.string().meta({ description: "Field mapping for email verification (defaults to 'email_verified')" }).optional(),
+	name: z.string().meta({ description: "Field mapping for name (defaults to 'name')" }),
+	image: z.string().meta({ description: "Field mapping for image (defaults to 'picture')" }).optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const samlMappingSchema = z.object({
+	id: z.string().meta({ description: "Field mapping for user ID (defaults to 'nameID')" }),
+	email: z.string().meta({ description: "Field mapping for email (defaults to 'email')" }),
+	emailVerified: z.string().meta({ description: "Field mapping for email verification" }).optional(),
+	name: z.string().meta({ description: "Field mapping for name (defaults to 'displayName')" }),
+	firstName: z.string().meta({ description: "Field mapping for first name (defaults to 'givenName')" }).optional(),
+	lastName: z.string().meta({ description: "Field mapping for last name (defaults to 'surname')" }).optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const signingCertSchema = z.union([z.string(), z.array(z.string()).nonempty()]).meta({ description: "IdP signing certificate(s). Pass a single PEM string or an array for rolling rotation." });
+const oidcConfigSchema = z.object({
+	clientId: z.string().meta({ description: "The client ID" }),
+	clientSecret: z.string().meta({ description: "The client secret. Required for client_secret_basic/client_secret_post. Optional for private_key_jwt." }).optional(),
+	authorizationEndpoint: z.string().url().meta({ description: "The authorization endpoint" }).optional(),
+	tokenEndpoint: z.string().url().meta({ description: "The token endpoint" }).optional(),
+	userInfoEndpoint: z.string().url().meta({ description: "The user info endpoint" }).optional(),
+	tokenEndpointAuthentication: z.enum([
+		"client_secret_post",
+		"client_secret_basic",
+		"private_key_jwt"
+	]).optional(),
+	privateKeyId: z.string().optional(),
+	privateKeyAlgorithm: z.string().optional(),
+	jwksEndpoint: z.string().url().meta({ description: "The JWKS endpoint" }).optional(),
+	discoveryEndpoint: z.string().url().optional(),
+	skipDiscovery: z.boolean().meta({ description: "Skip OIDC discovery during registration. When true, you must provide authorizationEndpoint, tokenEndpoint, and jwksEndpoint manually." }).optional(),
+	scopes: z.array(z.string()).meta({ description: "The scopes to request. Defaults to ['openid', 'email', 'profile', 'offline_access']" }).optional(),
+	pkce: z.boolean().meta({ description: "Whether to use PKCE for the authorization flow" }).default(true).optional(),
+	overrideUserInfo: z.boolean().optional(),
+	mapping: oidcMappingSchema
+});
+const samlConfigSchema = z.object({
+	entryPoint: z.string().url().meta({ description: "The IdP SSO URL (entry point)" }),
+	cert: signingCertSchema.meta({ description: "IdP signing certificate(s). Pass a single PEM string or an array for rolling rotation. Omit when `idpMetadata.metadata` XML carries the certs. When both this and `idpMetadata.cert` are set, `idpMetadata.cert` wins." }).optional(),
+	audience: z.string().optional(),
+	idpMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		cert: signingCertSchema.meta({ description: "IdP signing certificate(s). Pass a single PEM string or an array for rolling rotation. Takes precedence over the top-level `cert`." }).optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional(),
+		singleSignOnService: z.array(z.object({
+			Binding: z.string().meta({ description: "The binding type for the SSO service" }),
+			Location: z.string().url().meta({ description: "The URL for the SSO service" })
+		})).meta({ description: "Single Sign-On service configuration" }).optional(),
+		singleLogoutService: z.array(z.object({
+			Binding: z.string(),
+			Location: z.string().url()
+		})).optional()
+	}).optional(),
+	spMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		binding: z.string().optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional()
+	}).optional(),
+	wantAssertionsSigned: z.boolean().optional(),
+	authnRequestsSigned: z.boolean().optional(),
+	signatureAlgorithm: z.string().optional(),
+	digestAlgorithm: z.string().optional(),
+	identifierFormat: z.string().optional(),
+	privateKey: z.string().optional(),
+	mapping: samlMappingSchema
+});
+const registerSSOProviderBodySchema = z.object({
+	providerId: z.string().meta({ description: "The ID of the provider. This is used to identify the provider during login and callback" }),
+	issuer: z.string().url().meta({ description: "The issuer URL of the provider" }),
+	domain: z.string().meta({ description: "The domain(s) of the provider. For enterprise multi-domain SSO where a single IdP serves multiple email domains, use comma-separated values (e.g., 'company.com,subsidiary.com,acquired-company.com')" }),
+	oidcConfig: oidcConfigSchema.optional(),
+	samlConfig: samlConfigSchema.optional(),
+	organizationId: z.string().meta({ description: "If organization plugin is enabled, the organization id to link the provider to" }).optional(),
+	overrideUserInfo: z.boolean().meta({ description: "Override user info with the provider info. Defaults to false" }).default(false).optional()
+});
+const updateSSOProviderBodySchema = z.object({
+	issuer: z.string().url().optional(),
+	domain: z.string().optional(),
+	oidcConfig: oidcConfigSchema.partial().optional(),
+	samlConfig: samlConfigSchema.partial().optional()
+});
+//#endregion
+//#region src/routes/providers.ts
+const ADMIN_ROLES = ["owner", "admin"];
+function hasOrgAdminRole(member) {
+	return member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()));
+}
+function parseCertOrError(cert) {
+	try {
+		return parseCertificate(cert);
+	} catch {
+		return { error: "Failed to parse certificate" };
+	}
+}
+function sanitizeSigningCerts(config) {
+	const certs = resolveSigningCerts(config);
+	if (certs === void 0) return void 0;
+	return certs.map(parseCertOrError);
+}
+async function isOrgAdmin(ctx, userId, organizationId) {
+	const member = await ctx.context.adapter.findOne({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationId
+		}]
 	});
-	return url;
+	return member ? hasOrgAdminRole(member) : false;
 }
-/**
-* Normalize a single URL endpoint.
-*
-* @param name - The endpoint name (e.g token_endpoint)
-* @param endpoint - The endpoint URL to normalize
-* @param issuer - The base issuer URL
-* @returns The normalized endpoint URL
-*/
-function normalizeUrl(name, endpoint, issuer) {
+async function batchCheckOrgAdmin(ctx, userId, organizationIds) {
+	if (organizationIds.length === 0) return /* @__PURE__ */ new Set();
+	const members = await ctx.context.adapter.findMany({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationIds,
+			operator: "in"
+		}]
+	});
+	const adminOrgIds = /* @__PURE__ */ new Set();
+	for (const member of members) if (hasOrgAdminRole(member)) adminOrgIds.add(member.organizationId);
+	return adminOrgIds;
+}
+function sanitizeProvider(provider, baseURL) {
+	let oidcConfig = null;
+	let samlConfig = null;
 	try {
-		return parseURL(name, endpoint).toString();
+		oidcConfig = safeJsonParse(provider.oidcConfig);
 	} catch {
-		const issuerURL = parseURL(name, issuer);
-		const basePath = issuerURL.pathname.replace(/\/+$/, "");
-		const endpointPath = endpoint.replace(/^\/+/, "");
-		return parseURL(name, basePath + "/" + endpointPath, issuerURL.origin).toString();
+		oidcConfig = null;
 	}
-}
-/**
-* Parses the given URL or throws in case of invalid or unsupported protocols
-*
-* @param name the url name
-* @param endpoint the endpoint url
-* @param [base] optional base path
-* @returns
-*/
-function parseURL(name, endpoint, base) {
-	let endpointURL;
 	try {
-		endpointURL = new URL(endpoint, base);
-		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") return endpointURL;
-	} catch (error) {
-		throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must be valid: ${endpoint}`, { url: endpoint }, { cause: error });
+		samlConfig = safeJsonParse(provider.samlConfig);
+	} catch {
+		samlConfig = null;
 	}
-	throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must use the http or https supported protocols: ${endpoint}`, {
-		url: endpoint,
-		protocol: endpointURL.protocol
-	});
-}
-/**
-* Select the token endpoint authentication method.
-*
-* @param doc - The discovery document
-* @param existing - Existing authentication method from config
-* @returns The selected authentication method
-*/
-function selectTokenEndpointAuthMethod(doc, existing) {
-	if (existing === "private_key_jwt") return existing;
-	if (existing) return existing;
-	const supported = doc.token_endpoint_auth_methods_supported;
-	if (!supported || supported.length === 0) return "client_secret_basic";
-	if (supported.includes("client_secret_basic")) return "client_secret_basic";
-	if (supported.includes("client_secret_post")) return "client_secret_post";
-	if (supported.includes("private_key_jwt")) return "private_key_jwt";
-	return "client_secret_basic";
+	const type = samlConfig ? "saml" : "oidc";
+	return {
+		providerId: provider.providerId,
+		type,
+		issuer: provider.issuer,
+		domain: provider.domain,
+		organizationId: provider.organizationId || null,
+		domainVerified: provider.domainVerified ?? false,
+		oidcConfig: oidcConfig ? {
+			discoveryEndpoint: oidcConfig.discoveryEndpoint,
+			clientIdLastFour: maskClientId(oidcConfig.clientId),
+			pkce: oidcConfig.pkce,
+			authorizationEndpoint: oidcConfig.authorizationEndpoint,
+			tokenEndpoint: oidcConfig.tokenEndpoint,
+			userInfoEndpoint: oidcConfig.userInfoEndpoint,
+			jwksEndpoint: oidcConfig.jwksEndpoint,
+			scopes: oidcConfig.scopes,
+			tokenEndpointAuthentication: oidcConfig.tokenEndpointAuthentication
+		} : void 0,
+		samlConfig: samlConfig ? {
+			entryPoint: samlConfig.entryPoint,
+			audience: samlConfig.audience,
+			wantAssertionsSigned: samlConfig.wantAssertionsSigned,
+			authnRequestsSigned: samlConfig.authnRequestsSigned,
+			identifierFormat: samlConfig.identifierFormat,
+			signatureAlgorithm: samlConfig.signatureAlgorithm,
+			digestAlgorithm: samlConfig.digestAlgorithm,
+			certificate: sanitizeSigningCerts(samlConfig)
+		} : void 0,
+		spMetadataUrl: `${baseURL}/sso/saml2/sp/metadata?providerId=${encodeURIComponent(provider.providerId)}`
+	};
 }
-/**
-* Check if a provider configuration needs runtime discovery.
-*
-* Returns true if we need discovery at runtime to complete the token exchange
-* and validation. Specifically checks for:
-* - `tokenEndpoint` - required for exchanging authorization code for tokens
-* - `jwksEndpoint` - required for validating ID token signatures
-* - `authorizationEndpoint` - required for redirecting users to the IdP for login
-*
-* @param config - Partial OIDC config from the provider
-* @returns true if runtime discovery should be performed
-*/
-function needsRuntimeDiscovery(config) {
-	if (!config) return true;
-	return !config.tokenEndpoint || !config.jwksEndpoint || !config.authorizationEndpoint;
+const listSSOProviders = () => {
+	return createAuthEndpoint("/sso/providers", {
+		method: "GET",
+		use: [sessionMiddleware],
+		metadata: { openapi: {
+			operationId: "listSSOProviders",
+			summary: "List SSO providers",
+			description: "Returns a list of SSO providers the user has access to",
+			responses: { "200": { description: "List of SSO providers. The `certificate` field is an array of parsed certificates for SAML providers, or absent when certs live inside `idpMetadata.metadata`." } }
+		} }
+	}, async (ctx) => {
+		const userId = ctx.context.session.user.id;
+		const allProviders = await ctx.context.adapter.findMany({ model: "ssoProvider" });
+		const userOwnedProviders = allProviders.filter((p) => p.userId === userId && !p.organizationId);
+		const orgProviders = allProviders.filter((p) => p.organizationId !== null && p.organizationId !== void 0);
+		const orgPluginEnabled = ctx.context.hasPlugin("organization");
+		let accessibleProviders = [...userOwnedProviders];
+		if (orgPluginEnabled && orgProviders.length > 0) {
+			const adminOrgIds = await batchCheckOrgAdmin(ctx, userId, [...new Set(orgProviders.map((p) => p.organizationId).filter((id) => id !== null && id !== void 0))]);
+			const orgAccessibleProviders = orgProviders.filter((provider) => provider.organizationId && adminOrgIds.has(provider.organizationId));
+			accessibleProviders = [...accessibleProviders, ...orgAccessibleProviders];
+		} else if (!orgPluginEnabled) {
+			const userOwnedOrgProviders = orgProviders.filter((p) => p.userId === userId);
+			accessibleProviders = [...accessibleProviders, ...userOwnedOrgProviders];
+		}
+		const providers = accessibleProviders.map((p) => sanitizeProvider(p, ctx.context.baseURL));
+		return ctx.json({ providers });
+	});
+};
+const getSSOProviderQuerySchema = z.object({ providerId: z.string() });
+async function checkProviderAccess(ctx, providerId) {
+	const userId = ctx.context.session.user.id;
+	const provider = await ctx.context.adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	});
+	if (!provider) throw new APIError("NOT_FOUND", { message: "Provider not found" });
+	let hasAccess = false;
+	if (provider.organizationId) if (ctx.context.hasPlugin("organization")) hasAccess = await isOrgAdmin(ctx, userId, provider.organizationId);
+	else hasAccess = provider.userId === userId;
+	else hasAccess = provider.userId === userId;
+	if (!hasAccess) throw new APIError("FORBIDDEN", { message: "You don't have access to this provider" });
+	return provider;
 }
-/**
-* Runs runtime OIDC discovery when the stored config is missing required
-* endpoints, and merges the hydrated fields back into the config.
-* Throws if discovery fails.
-*/
-async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
-	if (!needsRuntimeDiscovery(config)) return config;
-	const hydrated = await discoverOIDCConfig({
-		issuer,
-		existingConfig: config,
-		isTrustedOrigin
+const getSSOProvider = () => {
+	return createAuthEndpoint("/sso/get-provider", {
+		method: "GET",
+		use: [sessionMiddleware],
+		query: getSSOProviderQuerySchema,
+		metadata: { openapi: {
+			operationId: "getSSOProvider",
+			summary: "Get SSO provider details",
+			description: "Returns sanitized details for a specific SSO provider",
+			responses: {
+				"200": { description: "SSO provider details. The `certificate` field is an array of parsed certificates for SAML providers, or absent when certs live inside `idpMetadata.metadata`." },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.query;
+		const provider = await checkProviderAccess(ctx, providerId);
+		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL));
 	});
-	return {
-		...config,
-		authorizationEndpoint: hydrated.authorizationEndpoint,
-		tokenEndpoint: hydrated.tokenEndpoint,
-		tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
-		userInfoEndpoint: hydrated.userInfoEndpoint,
-		jwksEndpoint: hydrated.jwksEndpoint
-	};
+};
+function parseAndValidateConfig(configString, configType) {
+	let config = null;
+	try {
+		config = safeJsonParse(configString);
+	} catch {
+		config = null;
+	}
+	if (!config) throw new APIError("BAD_REQUEST", { message: `Cannot update ${configType} config for a provider that doesn't have ${configType} configured` });
+	return config;
 }
-//#endregion
-//#region src/oidc/errors.ts
-/**
-* OIDC Discovery Error Mapping
-*
-* Maps DiscoveryError codes to appropriate APIError responses.
-* Used at the boundary between the discovery pipeline and HTTP handlers.
-*/
-/**
-* Maps a DiscoveryError to an appropriate APIError for HTTP responses.
-*
-* Error code mapping:
-* - discovery_invalid_url       → 400 BAD_REQUEST
-* - discovery_not_found         → 400 BAD_REQUEST
-* - discovery_invalid_json      → 400 BAD_REQUEST
-* - discovery_incomplete        → 400 BAD_REQUEST
-* - issuer_mismatch             → 400 BAD_REQUEST
-* - unsupported_token_auth_method → 400 BAD_REQUEST
-* - discovery_timeout           → 502 BAD_GATEWAY
-* - discovery_unexpected_error  → 502 BAD_GATEWAY
-*
-* @param error - The DiscoveryError to map
-* @returns An APIError with appropriate status and message
-*/
-function mapDiscoveryErrorToAPIError(error) {
-	switch (error.code) {
-		case "discovery_timeout": return new APIError("BAD_GATEWAY", {
-			message: `OIDC discovery timed out: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_unexpected_error": return new APIError("BAD_GATEWAY", {
-			message: `OIDC discovery failed: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_not_found": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery endpoint not found. The issuer may not support OIDC discovery, or the URL is incorrect. ${error.message}`,
-			code: error.code
-		});
-		case "discovery_invalid_url": return new APIError("BAD_REQUEST", {
-			message: `Invalid OIDC discovery URL: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_untrusted_origin": return new APIError("BAD_REQUEST", {
-			message: `Untrusted OIDC discovery URL: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery returned invalid data: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_incomplete": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery document is missing required fields: ${error.message}`,
-			code: error.code
+function mergeSAMLConfig(current, updates, issuer) {
+	return {
+		...current,
+		...updates,
+		issuer,
+		entryPoint: updates.entryPoint ?? current.entryPoint,
+		cert: updates.cert ?? current.cert,
+		spMetadata: updates.spMetadata ?? current.spMetadata,
+		idpMetadata: updates.idpMetadata ?? current.idpMetadata,
+		mapping: updates.mapping ?? current.mapping,
+		audience: updates.audience ?? current.audience,
+		wantAssertionsSigned: updates.wantAssertionsSigned ?? current.wantAssertionsSigned,
+		authnRequestsSigned: updates.authnRequestsSigned ?? current.authnRequestsSigned,
+		identifierFormat: updates.identifierFormat ?? current.identifierFormat,
+		signatureAlgorithm: updates.signatureAlgorithm ?? current.signatureAlgorithm,
+		digestAlgorithm: updates.digestAlgorithm ?? current.digestAlgorithm
+	};
+}
+function mergeOIDCConfig(current, updates, issuer) {
+	return {
+		...current,
+		...updates,
+		issuer,
+		pkce: updates.pkce ?? current.pkce ?? true,
+		clientId: updates.clientId ?? current.clientId,
+		clientSecret: updates.clientSecret ?? current.clientSecret,
+		discoveryEndpoint: updates.discoveryEndpoint ?? current.discoveryEndpoint,
+		mapping: updates.mapping ?? current.mapping,
+		scopes: updates.scopes ?? current.scopes,
+		authorizationEndpoint: updates.authorizationEndpoint ?? current.authorizationEndpoint,
+		tokenEndpoint: updates.tokenEndpoint ?? current.tokenEndpoint,
+		userInfoEndpoint: updates.userInfoEndpoint ?? current.userInfoEndpoint,
+		jwksEndpoint: updates.jwksEndpoint ?? current.jwksEndpoint,
+		tokenEndpointAuthentication: updates.tokenEndpointAuthentication ?? current.tokenEndpointAuthentication,
+		privateKeyId: updates.privateKeyId ?? current.privateKeyId,
+		privateKeyAlgorithm: updates.privateKeyAlgorithm ?? current.privateKeyAlgorithm
+	};
+}
+const updateSSOProvider = (options) => {
+	return createAuthEndpoint("/sso/update-provider", {
+		method: "POST",
+		use: [sessionMiddleware],
+		body: updateSSOProviderBodySchema.extend({ providerId: z.string() }),
+		metadata: { openapi: {
+			operationId: "updateSSOProvider",
+			summary: "Update SSO provider",
+			description: "Partially update an SSO provider. Only provided fields are updated. If domain changes, domainVerified is reset to false.",
+			responses: {
+				"200": { description: "SSO provider updated successfully. The `certificate` field is an array of parsed certificates for SAML providers, or absent when certs live inside `idpMetadata.metadata`." },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId, ...body } = ctx.body;
+		const { issuer, domain, samlConfig, oidcConfig } = body;
+		if (!issuer && !domain && !samlConfig && !oidcConfig) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
+		const existingProvider = await checkProviderAccess(ctx, providerId);
+		const updateData = {};
+		if (body.issuer !== void 0) updateData.issuer = body.issuer;
+		if (body.domain !== void 0) {
+			updateData.domain = body.domain;
+			if (body.domain !== existingProvider.domain) updateData.domainVerified = false;
+		}
+		if (body.samlConfig) {
+			if (body.samlConfig.idpMetadata?.metadata) {
+				const maxMetadataSize = options?.saml?.maxMetadataSize ?? 102400;
+				if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
+			}
+			if (body.samlConfig.signatureAlgorithm !== void 0 || body.samlConfig.digestAlgorithm !== void 0) validateConfigAlgorithms({
+				signatureAlgorithm: body.samlConfig.signatureAlgorithm,
+				digestAlgorithm: body.samlConfig.digestAlgorithm
+			}, options?.saml?.algorithms);
+			const currentSamlConfig = parseAndValidateConfig(existingProvider.samlConfig, "SAML");
+			const updatedSamlConfig = mergeSAMLConfig(currentSamlConfig, body.samlConfig, updateData.issuer || currentSamlConfig.issuer || existingProvider.issuer);
+			validateCertSources(updatedSamlConfig);
+			updateData.samlConfig = JSON.stringify(updatedSamlConfig);
+		}
+		if (body.oidcConfig) {
+			try {
+				validateSkipDiscoveryEndpoints(body.oidcConfig, (url) => ctx.context.isTrustedOrigin(url));
+			} catch (error) {
+				if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
+				throw error;
+			}
+			const currentOidcConfig = parseAndValidateConfig(existingProvider.oidcConfig, "OIDC");
+			const updatedOidcConfig = mergeOIDCConfig(currentOidcConfig, body.oidcConfig, updateData.issuer || currentOidcConfig.issuer || existingProvider.issuer);
+			if (updatedOidcConfig.tokenEndpointAuthentication !== "private_key_jwt" && !updatedOidcConfig.clientSecret) throw new APIError("BAD_REQUEST", { message: "clientSecret is required when using client_secret_basic or client_secret_post authentication" });
+			if (updatedOidcConfig.tokenEndpointAuthentication === "private_key_jwt" && !options?.resolvePrivateKey && !options?.defaultSSO?.some((p) => p.providerId === providerId && "privateKey" in p && p.privateKey)) throw new APIError("BAD_REQUEST", { message: "private_key_jwt authentication requires either a resolvePrivateKey callback or a privateKey in defaultSSO" });
+			updateData.oidcConfig = JSON.stringify(updatedOidcConfig);
+		}
+		await ctx.context.adapter.update({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}],
+			update: updateData
 		});
-		case "issuer_mismatch": return new APIError("BAD_REQUEST", {
-			message: `OIDC issuer mismatch: ${error.message}`,
-			code: error.code
+		const fullProvider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
 		});
-		case "unsupported_token_auth_method": return new APIError("BAD_REQUEST", {
-			message: `Incompatible OIDC provider: ${error.message}`,
-			code: error.code
+		if (!fullProvider) throw new APIError("NOT_FOUND", { message: "Provider not found after update" });
+		return ctx.json(sanitizeProvider(fullProvider, ctx.context.baseURL));
+	});
+};
+const deleteSSOProvider = () => {
+	return createAuthEndpoint("/sso/delete-provider", {
+		method: "POST",
+		use: [sessionMiddleware],
+		body: z.object({ providerId: z.string() }),
+		metadata: { openapi: {
+			operationId: "deleteSSOProvider",
+			summary: "Delete SSO provider",
+			description: "Deletes an SSO provider",
+			responses: {
+				"200": { description: "SSO provider deleted successfully" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.body;
+		await checkProviderAccess(ctx, providerId);
+		await ctx.context.adapter.delete({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
 		});
-		default:
-			error.code;
-			return new APIError("INTERNAL_SERVER_ERROR", {
-				message: `Unexpected discovery error: ${error.message}`,
-				code: "discovery_unexpected_error"
-			});
-	}
-}
-//#endregion
-//#region src/saml/error-codes.ts
-const SAML_ERROR_CODES = defineErrorCodes({
-	SINGLE_LOGOUT_NOT_ENABLED: "Single Logout is not enabled",
-	INVALID_LOGOUT_RESPONSE: "Invalid LogoutResponse",
-	INVALID_LOGOUT_REQUEST: "Invalid LogoutRequest",
-	LOGOUT_FAILED_AT_IDP: "Logout failed at IdP",
-	IDP_SLO_NOT_SUPPORTED: "IdP does not support Single Logout Service",
-	SAML_PROVIDER_NOT_FOUND: "SAML provider not found"
-});
+		return ctx.json({ success: true });
+	});
+};
 //#endregion
 //#region src/saml-state.ts
-async function generateRelayState(c, link, additionalData) {
+async function generateRelayState(c, link) {
 	const callbackURL = c.body.callbackURL;
 	if (!callbackURL) throw new APIError("BAD_REQUEST", { message: "callbackURL is required" });
-	const codeVerifier = generateRandomString(128);
 	const stateData = {
-		...additionalData ? additionalData : {},
 		callbackURL,
-		codeVerifier,
+		codeVerifier: generateRandomString(128),
 		errorURL: c.body.errorCallbackURL,
 		newUserURL: c.body.newUserCallbackURL,
 		link,
@@ -1511,14 +1706,12 @@ const saml = typeof samlifyNamespace.SPMetadata === "function" && typeof samlify
 //#endregion
 //#region src/routes/helpers.ts
 /**
-* Normalizes a PEM string by trimming leading/trailing whitespace from each
-* line. Native `crypto.createPrivateKey` (used by samlify 2.12+) rejects PEM
-* blocks with leading whitespace, which is common when keys are stored in
-* indented config files, environment variables, or JSON.
+* Same as `normalizePem`, but applied across the resolved list of IdP signing
+* certificates so multi-cert rotation configs survive the line-trim step.
 */
-function normalizePem(pem) {
-	if (!pem) return pem;
-	return pem.split("\n").map((line) => line.trim()).join("\n");
+function normalizePemList(certs) {
+	if (!certs) return certs;
+	return certs.map((pem) => normalizePem(pem) ?? pem);
 }
 async function findSAMLProvider(providerId, options, adapter) {
 	if (options?.defaultSSO?.length) {
@@ -1575,7 +1768,8 @@ function createSP(config, baseURL, providerId, opts) {
 		isAssertionEncrypted: spData?.isAssertionEncrypted || false,
 		encPrivateKey: normalizePem(spData?.encPrivateKey),
 		encPrivateKeyPass: spData?.encPrivateKeyPass,
-		relayState: opts?.relayState
+		relayState: opts?.relayState,
+		clockDrifts: opts?.clockSkew && opts?.clockSkew !== 0 ? [-opts.clockSkew, opts.clockSkew] : void 0
 	});
 }
 function createIdP(config) {
@@ -1595,7 +1789,7 @@ function createIdP(config) {
 			Location: config.entryPoint
 		}],
 		singleLogoutService: idpData?.singleLogoutService,
-		signingCert: normalizePem(idpData?.cert || config.cert),
+		signingCert: normalizePemList(resolveSigningCerts(config)),
 		wantAuthnRequestsSigned: config.authnRequestsSigned || false,
 		isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
 		encPrivateKey: normalizePem(idpData?.encPrivateKey),
@@ -1731,7 +1925,7 @@ async function processSAMLResponse(ctx, params, options) {
 	if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 	const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(provider.samlConfig);
 	if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
-	const sp = createSP(parsedSamlConfig, ctx.context.baseURL, providerId);
+	const sp = createSP(parsedSamlConfig, ctx.context.baseURL, providerId, { clockSkew: options?.saml?.clockSkew });
 	const idp = createIdP(parsedSamlConfig);
 	const samlRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL, params.currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 	validateSingleAssertion(SAMLResponse);
@@ -1813,12 +2007,16 @@ async function processSAMLResponse(ctx, params, options) {
 	} else ctx.context.logger.warn("Could not extract assertion ID for replay protection", { providerId });
 	const attributes = extract.attributes || {};
 	const mapping = parsedSamlConfig.mapping ?? {};
+	const attr = (key) => {
+		const value = attributes[key];
+		return Array.isArray(value) ? value[0] : value;
+	};
 	const userInfo = {
 		...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, attributes[value]])),
-		id: attributes[mapping.id || "nameID"] || extract.nameID,
-		email: (attributes[mapping.email || "email"] || extract.nameID || "").toLowerCase(),
-		name: [attributes[mapping.firstName || "givenName"], attributes[mapping.lastName || "surname"]].filter(Boolean).join(" ") || attributes[mapping.name || "displayName"] || extract.nameID,
-		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attributes[mapping.emailVerified] || false : false
+		id: attr(mapping.id || "nameID") || extract.nameID,
+		email: (attr(mapping.email || "email") || extract.nameID || "").toLowerCase(),
+		name: [attr(mapping.firstName || "givenName"), attr(mapping.lastName || "surname")].filter(Boolean).join(" ") || attr(mapping.name || "displayName") || extract.nameID,
+		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attr(mapping.emailVerified) || false : false
 	};
 	if (!userInfo.id || !userInfo.email) {
 		ctx.context.logger.error("Missing essential user info from SAML response", {
@@ -1829,25 +2027,42 @@ async function processSAMLResponse(ctx, params, options) {
 		});
 		throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 	}
-	const isTrustedProvider = ctx.context.trustedProviders.includes(providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+	const isTrustedProvider = "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
 	const postAuthRedirect = relayState?.callbackURL || ctx.context.baseURL;
-	const result = await handleOAuthUserInfo(ctx, {
-		userInfo: {
-			email: userInfo.email,
-			name: userInfo.name || userInfo.email,
-			id: userInfo.id,
-			emailVerified: Boolean(userInfo.emailVerified)
-		},
-		account: {
+	const errorUrl = relayState?.errorURL || samlRedirectUrl;
+	let result;
+	try {
+		result = await signInWithOAuthIdentity(ctx, {
+			userInfo: {
+				email: userInfo.email,
+				name: userInfo.name || userInfo.email,
+				id: userInfo.id,
+				emailVerified: Boolean(userInfo.emailVerified)
+			},
 			providerId,
 			accountId: userInfo.id,
-			accessToken: "",
-			refreshToken: ""
-		},
-		callbackURL: postAuthRedirect,
-		disableSignUp: options?.disableImplicitSignUp,
-		isTrustedProvider
-	});
+			tokens: {},
+			callbackURL: postAuthRedirect,
+			disableSignUp: options?.disableImplicitSignUp,
+			source: {
+				method: "sso-saml",
+				sso: {
+					providerId,
+					profile: attributes
+				}
+			},
+			isTrustedProvider,
+			trustProviderByName: false
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) {
+			const params = new URLSearchParams({ error: e.body.code });
+			if (e.body.message) params.set("error_description", e.body.message);
+			const sep = errorUrl.includes("?") ? "&" : "?";
+			throw ctx.redirect(`${errorUrl}${sep}${params.toString()}`);
+		}
+		throw e;
+	}
 	if (result.error) throw ctx.redirect(`${samlRedirectUrl}?error=${result.error.split(" ").join("_")}`);
 	const { session, user } = result.data;
 	if (options?.provisionUser && (result.isRegister || options.provisionUserOnEveryLogin)) await options.provisionUser({
@@ -1876,6 +2091,7 @@ async function processSAMLResponse(ctx, params, options) {
 		const samlSessionKey = `${SAML_SESSION_KEY_PREFIX}${providerId}:${extract.nameID}`;
 		const samlSessionData = {
 			sessionId: session.id,
+			sessionToken: session.token,
 			providerId,
 			nameID: extract.nameID,
 			sessionIndex: extract.sessionIndex?.sessionIndex
@@ -1931,88 +2147,10 @@ const spMetadata = (options) => {
 		return new Response(sp.getMetadata(), { headers: { "Content-Type": "application/xml" } });
 	});
 };
-const ssoProviderBodySchema = z.object({
-	providerId: z.string({}).meta({ description: "The ID of the provider. This is used to identify the provider during login and callback" }),
-	issuer: z.string({}).meta({ description: "The issuer of the provider" }),
-	domain: z.string({}).meta({ description: "The domain(s) of the provider. For enterprise multi-domain SSO where a single IdP serves multiple email domains, use comma-separated values (e.g., 'company.com,subsidiary.com,acquired-company.com')" }),
-	oidcConfig: z.object({
-		clientId: z.string({}).meta({ description: "The client ID" }),
-		clientSecret: z.string({}).optional().meta({ description: "The client secret. Required for client_secret_basic/client_secret_post. Optional for private_key_jwt." }),
-		authorizationEndpoint: z.string({}).meta({ description: "The authorization endpoint" }).optional(),
-		tokenEndpoint: z.string({}).meta({ description: "The token endpoint" }).optional(),
-		userInfoEndpoint: z.string({}).meta({ description: "The user info endpoint" }).optional(),
-		tokenEndpointAuthentication: z.enum([
-			"client_secret_post",
-			"client_secret_basic",
-			"private_key_jwt"
-		]).optional(),
-		privateKeyId: z.string().optional(),
-		privateKeyAlgorithm: z.string().optional(),
-		jwksEndpoint: z.string({}).meta({ description: "The JWKS endpoint" }).optional(),
-		discoveryEndpoint: z.string().optional(),
-		skipDiscovery: z.boolean().meta({ description: "Skip OIDC discovery during registration. When true, you must provide authorizationEndpoint, tokenEndpoint, and jwksEndpoint manually." }).optional(),
-		scopes: z.array(z.string(), {}).meta({ description: "The scopes to request. Defaults to ['openid', 'email', 'profile', 'offline_access']" }).optional(),
-		pkce: z.boolean({}).meta({ description: "Whether to use PKCE for the authorization flow" }).default(true).optional(),
-		mapping: z.object({
-			id: z.string({}).meta({ description: "Field mapping for user ID (defaults to 'sub')" }),
-			email: z.string({}).meta({ description: "Field mapping for email (defaults to 'email')" }),
-			emailVerified: z.string({}).meta({ description: "Field mapping for email verification (defaults to 'email_verified')" }).optional(),
-			name: z.string({}).meta({ description: "Field mapping for name (defaults to 'name')" }),
-			image: z.string({}).meta({ description: "Field mapping for image (defaults to 'picture')" }).optional(),
-			extraFields: z.record(z.string(), z.any()).optional()
-		}).optional()
-	}).optional(),
-	samlConfig: z.object({
-		entryPoint: z.string({}).meta({ description: "The entry point of the provider" }),
-		cert: z.string({}).meta({ description: "The certificate of the provider" }),
-		audience: z.string().optional(),
-		idpMetadata: z.object({
-			metadata: z.string().optional(),
-			entityID: z.string().optional(),
-			cert: z.string().optional(),
-			privateKey: z.string().optional(),
-			privateKeyPass: z.string().optional(),
-			isAssertionEncrypted: z.boolean().optional(),
-			encPrivateKey: z.string().optional(),
-			encPrivateKeyPass: z.string().optional(),
-			singleSignOnService: z.array(z.object({
-				Binding: z.string().meta({ description: "The binding type for the SSO service" }),
-				Location: z.string().meta({ description: "The URL for the SSO service" })
-			})).optional().meta({ description: "Single Sign-On service configuration" })
-		}).optional(),
-		spMetadata: z.object({
-			metadata: z.string().optional(),
-			entityID: z.string().optional(),
-			binding: z.string().optional(),
-			privateKey: z.string().optional(),
-			privateKeyPass: z.string().optional(),
-			isAssertionEncrypted: z.boolean().optional(),
-			encPrivateKey: z.string().optional(),
-			encPrivateKeyPass: z.string().optional()
-		}).optional(),
-		wantAssertionsSigned: z.boolean().optional(),
-		authnRequestsSigned: z.boolean().optional(),
-		signatureAlgorithm: z.string().optional(),
-		digestAlgorithm: z.string().optional(),
-		identifierFormat: z.string().optional(),
-		privateKey: z.string().optional(),
-		mapping: z.object({
-			id: z.string({}).meta({ description: "Field mapping for user ID (defaults to 'nameID')" }),
-			email: z.string({}).meta({ description: "Field mapping for email (defaults to 'email')" }),
-			emailVerified: z.string({}).meta({ description: "Field mapping for email verification" }).optional(),
-			name: z.string({}).meta({ description: "Field mapping for name (defaults to 'displayName')" }),
-			firstName: z.string({}).meta({ description: "Field mapping for first name (defaults to 'givenName')" }).optional(),
-			lastName: z.string({}).meta({ description: "Field mapping for last name (defaults to 'surname')" }).optional(),
-			extraFields: z.record(z.string(), z.any()).optional()
-		}).optional()
-	}).optional(),
-	organizationId: z.string({}).meta({ description: "If organization plugin is enabled, the organization id to link the provider to" }).optional(),
-	overrideUserInfo: z.boolean({}).meta({ description: "Override user info with the provider info. Defaults to false" }).default(false).optional()
-});
 const registerSSOProvider = (options) => {
 	return createAuthEndpoint("/sso/register", {
 		method: "POST",
-		body: ssoProviderBodySchema,
+		body: registerSSOProviderBodySchema,
 		use: [sessionMiddleware],
 		metadata: { openapi: {
 			operationId: "registerSSOProvider",
@@ -2193,13 +2331,12 @@ const registerSSOProvider = (options) => {
 			}]
 		})).length >= limit) throw new APIError("FORBIDDEN", { message: "You have reached the maximum number of SSO providers" });
 		const body = ctx.body;
-		if (z.string().url().safeParse(body.issuer).error) throw new APIError("BAD_REQUEST", { message: "Invalid issuer. Must be a valid URL" });
 		if (body.samlConfig?.idpMetadata?.metadata) {
 			const maxMetadataSize = options?.saml?.maxMetadataSize ?? 102400;
 			if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
 		}
 		if (ctx.body.organizationId) {
-			if (!await ctx.context.adapter.findOne({
+			const member = await ctx.context.adapter.findOne({
 				model: "member",
 				where: [{
 					field: "userId",
@@ -2208,7 +2345,17 @@ const registerSSOProvider = (options) => {
 					field: "organizationId",
 					value: ctx.body.organizationId
 				}]
-			})) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
+			});
+			if (!member) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
+			if (ctx.context.hasPlugin("organization") && !hasOrgAdminRole(member)) throw new APIError("FORBIDDEN", { message: "You must be an organization owner or admin to register SSO providers" });
+		}
+		if (new Set([
+			"credential",
+			...ctx.context.socialProviders.map((p) => p.id),
+			...ctx.context.trustedProviders
+		]).has(body.providerId)) {
+			ctx.context.logger.warn(`SSO provider registration rejected for reserved providerId: ${body.providerId}`);
+			throw new APIError("UNPROCESSABLE_ENTITY", { message: "This providerId is reserved and cannot be used for an SSO provider" });
 		}
 		if (await ctx.context.adapter.findOne({
 			model: "ssoProvider",
@@ -2220,6 +2367,12 @@ const registerSSOProvider = (options) => {
 			ctx.context.logger.info(`SSO provider creation attempt with existing providerId: ${body.providerId}`);
 			throw new APIError("UNPROCESSABLE_ENTITY", { message: "SSO provider with this providerId already exists" });
 		}
+		if (body.oidcConfig) try {
+			validateSkipDiscoveryEndpoints(body.oidcConfig, (url) => ctx.context.isTrustedOrigin(url));
+		} catch (error) {
+			if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
+			throw error;
+		}
 		let hydratedOIDCConfig = null;
 		if (body.oidcConfig && !body.oidcConfig.skipDiscovery) try {
 			hydratedOIDCConfig = await discoverOIDCConfig({
@@ -2281,6 +2434,7 @@ const registerSSOProvider = (options) => {
 				signatureAlgorithm: body.samlConfig.signatureAlgorithm,
 				digestAlgorithm: body.samlConfig.digestAlgorithm
 			}, options?.saml?.algorithms);
+			validateCertSources(body.samlConfig);
 			const hasIdpMetadata = body.samlConfig.idpMetadata?.metadata;
 			let hasEntryPoint = false;
 			if (body.samlConfig.entryPoint) try {
@@ -2348,17 +2502,18 @@ const registerSSOProvider = (options) => {
 	});
 };
 const signInSSOBodySchema = z.object({
-	email: z.string({}).meta({ description: "The email address to sign in with. This is used to identify the issuer to sign in with. It's optional if the issuer is provided" }).optional(),
-	organizationSlug: z.string({}).meta({ description: "The slug of the organization to sign in with" }).optional(),
-	providerId: z.string({}).meta({ description: "The ID of the provider to sign in with. This can be provided instead of email or issuer" }).optional(),
-	domain: z.string({}).meta({ description: "The domain of the provider." }).optional(),
-	callbackURL: z.string({}).meta({ description: "The URL to redirect to after login" }),
-	errorCallbackURL: z.string({}).meta({ description: "The URL to redirect to after login" }).optional(),
-	newUserCallbackURL: z.string({}).meta({ description: "The URL to redirect to after login if the user is new" }).optional(),
+	email: z.string({}).meta({ description: "The email address to sign in with. Used to resolve the provider via the email domain; optional if providerId, domain, or organizationSlug is provided." }).optional(),
+	organizationSlug: z.string({}).meta({ description: "The slug of the organization to sign in with." }).optional(),
+	providerId: z.string({}).meta({ description: "The ID of the provider to sign in with. Can be provided instead of email." }).optional(),
+	domain: z.string({}).meta({ description: "The email domain of the provider. Can be provided instead of email." }).optional(),
+	callbackURL: z.string({}).meta({ description: "The URL to redirect to after successful sign-in." }),
+	errorCallbackURL: z.string({}).meta({ description: "The URL to redirect to if the sign-in flow fails." }).optional(),
+	newUserCallbackURL: z.string({}).meta({ description: "The URL to redirect to after sign-in if the user is newly registered." }).optional(),
 	scopes: z.array(z.string(), {}).meta({ description: "Scopes to request from the provider." }).optional(),
-	loginHint: z.string({}).meta({ description: "Login hint to send to the identity provider (e.g., email or identifier). If supported, will be sent as 'login_hint'." }).optional(),
-	requestSignUp: z.boolean({}).meta({ description: "Explicitly request sign-up. Useful when disableImplicitSignUp is true for this provider" }).optional(),
-	providerType: z.enum(["oidc", "saml"]).optional()
+	loginHint: z.string({}).meta({ description: "Login hint to send to the identity provider (e.g., email or identifier). If supported, sent as 'login_hint'." }).optional(),
+	additionalParams: additionalAuthorizationParamsSchema,
+	requestSignUp: z.boolean({}).meta({ description: "Explicitly request sign-up. Useful when disableImplicitSignUp is true for this provider." }).optional(),
+	providerType: z.enum(["oidc", "saml"]).meta({ description: "The provider protocol to sign in with." }).optional()
 });
 const signInSSO = (options) => {
 	return createAuthEndpoint("/sign-in/sso", {
@@ -2373,31 +2528,54 @@ const signInSSO = (options) => {
 				properties: {
 					email: {
 						type: "string",
-						description: "The email address to sign in with. This is used to identify the issuer to sign in with. It's optional if the issuer is provided"
+						description: "The email address to sign in with. Used to resolve the provider via the email domain; optional if providerId, domain, or organizationSlug is provided."
 					},
-					issuer: {
+					organizationSlug: {
 						type: "string",
-						description: "The issuer identifier, this is the URL of the provider and can be used to verify the provider and identify the provider during login. It's optional if the email is provided"
+						description: "The slug of the organization to sign in with."
 					},
 					providerId: {
 						type: "string",
-						description: "The ID of the provider to sign in with. This can be provided instead of email or issuer"
+						description: "The ID of the provider to sign in with. Can be provided instead of email."
+					},
+					domain: {
+						type: "string",
+						description: "The email domain of the provider. Can be provided instead of email."
 					},
 					callbackURL: {
 						type: "string",
-						description: "The URL to redirect to after login"
+						description: "The URL to redirect to after successful sign-in."
 					},
 					errorCallbackURL: {
 						type: "string",
-						description: "The URL to redirect to after login"
+						description: "The URL to redirect to if the sign-in flow fails."
 					},
 					newUserCallbackURL: {
 						type: "string",
-						description: "The URL to redirect to after login if the user is new"
+						description: "The URL to redirect to after sign-in if the user is newly registered."
+					},
+					scopes: {
+						type: "array",
+						items: { type: "string" },
+						description: "Scopes to request from the provider."
 					},
 					loginHint: {
 						type: "string",
 						description: "Login hint to send to the identity provider (e.g., email or identifier). If supported, sent as 'login_hint'."
+					},
+					additionalParams: {
+						type: "object",
+						additionalProperties: { type: "string" },
+						description: "Extra query parameters to append to the OIDC provider authorization URL. RFC 6749 reserved keys (state, client_id, redirect_uri, response_type, code_challenge, code_challenge_method, scope) are rejected. Not supported for SAML providers."
+					},
+					requestSignUp: {
+						type: "boolean",
+						description: "Explicitly request sign-up. Useful when disableImplicitSignUp is true for this provider."
+					},
+					providerType: {
+						type: "string",
+						enum: ["oidc", "saml"],
+						description: "The provider protocol to sign in with."
 					}
 				},
 				required: ["callbackURL"]
@@ -2494,9 +2672,16 @@ const signInSSO = (options) => {
 				throw error;
 			}
 			if (!config.authorizationEndpoint) throw new APIError("BAD_REQUEST", { message: "Invalid OIDC configuration. Authorization URL not found." });
-			const state = await generateState(ctx, void 0, options?.redirectURI?.trim() ? { ssoProviderId: provider.providerId } : false);
+			const requestedScopes = ctx.body.scopes || config.scopes || [
+				"openid",
+				"email",
+				"profile",
+				"offline_access"
+			];
+			if (options?.redirectURI?.trim()) await addOAuthServerContext({ ssoProviderId: provider.providerId });
+			const state = await generateState(ctx, { requestedScopes });
 			const redirectURI = getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options);
-			const authorizationURL = await createAuthorizationURL({
+			const { url: authorizationURL } = await createAuthorizationURL({
 				id: provider.issuer,
 				options: {
 					clientId: config.clientId,
@@ -2505,14 +2690,10 @@ const signInSSO = (options) => {
 				redirectURI,
 				state: state.state,
 				codeVerifier: config.pkce ? state.codeVerifier : void 0,
-				scopes: ctx.body.scopes || config.scopes || [
-					"openid",
-					"email",
-					"profile",
-					"offline_access"
-				],
+				scopes: requestedScopes,
 				loginHint: ctx.body.loginHint || email,
-				authorizationEndpoint: config.authorizationEndpoint
+				authorizationEndpoint: config.authorizationEndpoint,
+				additionalParams: ctx.body.additionalParams
 			});
 			return ctx.json({
 				url: authorizationURL.toString(),
@@ -2520,10 +2701,11 @@ const signInSSO = (options) => {
 			});
 		}
 		if (provider.samlConfig) {
+			if (ctx.body.additionalParams) throw new APIError("BAD_REQUEST", { message: "additionalParams is not supported for SAML providers; the SAML AuthnRequest is signed and cannot carry caller-supplied query parameters." });
 			const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(provider.samlConfig);
 			if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
 			if (parsedSamlConfig.authnRequestsSigned && !parsedSamlConfig.spMetadata?.privateKey && !parsedSamlConfig.privateKey) throw new APIError("BAD_REQUEST", { message: "authnRequestsSigned is enabled but no privateKey provided in spMetadata or samlConfig" });
-			const { state: relayState } = await generateRelayState(ctx, void 0, false);
+			const { state: relayState } = await generateRelayState(ctx, void 0);
 			const sp = createSP(parsedSamlConfig, ctx.context.baseURL, provider.providerId, { relayState });
 			const idp = createIdP(parsedSamlConfig);
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
@@ -2552,7 +2734,7 @@ const signInSSO = (options) => {
 };
 const callbackSSOQuerySchema = z.object({
 	code: z.string().optional(),
-	state: z.string(),
+	state: z.string().optional(),
 	error: z.string().optional(),
 	error_description: z.string().optional()
 });
@@ -2571,31 +2753,9 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 		const errorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
 		throw ctx.redirect(`${errorURL}?error=invalid_state`);
 	}
-	const { callbackURL, errorURL, newUserURL, requestSignUp } = stateData;
+	const { callbackURL, errorURL, newUserURL, requestSignUp, requestedScopes } = stateData;
 	if (!code || error) throw ctx.redirect(`${errorURL || callbackURL}?error=${error}&error_description=${error_description}`);
-	let provider = null;
-	if (options?.defaultSSO?.length) {
-		const matchingDefault = options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId);
-		if (matchingDefault) provider = {
-			...matchingDefault,
-			issuer: matchingDefault.oidcConfig?.issuer || "",
-			userId: "default",
-			...options.domainVerification?.enabled ? { domainVerified: true } : {}
-		};
-	}
-	if (!provider) provider = await ctx.context.adapter.findOne({
-		model: "ssoProvider",
-		where: [{
-			field: "providerId",
-			value: providerId
-		}]
-	}).then((res) => {
-		if (!res) return null;
-		return {
-			...res,
-			oidcConfig: safeJsonParse(res.oidcConfig) || void 0
-		};
-	});
+	const provider = await resolveOIDCProvider(ctx, options, providerId);
 	if (!provider) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
 	if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 	let config = provider.oidcConfig;
@@ -2616,11 +2776,8 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 		]
 	};
 	if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_endpoint_not_found`);
-	let authMethod = "basic";
-	if (config.tokenEndpointAuthentication === "client_secret_post") authMethod = "post";
-	else if (config.tokenEndpointAuthentication === "private_key_jwt") authMethod = "private_key_jwt";
-	let clientAssertionConfig;
-	if (authMethod === "private_key_jwt") {
+	let tokenEndpointAuth = config.tokenEndpointAuthentication === "client_secret_post" ? { method: "client_secret_post" } : { method: "client_secret_basic" };
+	if (config.tokenEndpointAuthentication === "private_key_jwt") {
 		let resolved;
 		const matchingDefault = options?.defaultSSO?.find((p) => p.providerId === provider.providerId && "privateKey" in p && p.privateKey);
 		if (matchingDefault && "privateKey" in matchingDefault) resolved = matchingDefault.privateKey;
@@ -2629,28 +2786,28 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			keyId: config.privateKeyId,
 			issuer: config.issuer
 		});
-		if (!resolved) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=no_private_key_available`);
+		if (!resolved || !resolved.privateKeyJwk && !resolved.privateKeyPem) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=no_private_key_available`);
 		const rawAlg = config.privateKeyAlgorithm ?? resolved.algorithm;
-		const algorithm = rawAlg && ASSERTION_SIGNING_ALGORITHMS.includes(rawAlg) ? rawAlg : void 0;
-		clientAssertionConfig = {
-			privateKeyJwk: resolved.privateKeyJwk,
-			privateKeyPem: resolved.privateKeyPem,
-			kid: config.privateKeyId ?? resolved.kid,
-			algorithm,
-			tokenEndpoint: config.tokenEndpoint
+		const algorithm = rawAlg && PRIVATE_KEY_JWT_SIGNING_ALGORITHMS.includes(rawAlg) ? rawAlg : void 0;
+		tokenEndpointAuth = {
+			method: "private_key_jwt",
+			getClientAssertion: createPrivateKeyJwtClientAssertionGetter({
+				privateKeyJwk: resolved.privateKeyJwk,
+				privateKeyPem: resolved.privateKeyPem,
+				kid: config.privateKeyId ?? resolved.kid,
+				algorithm
+			})
 		};
 	}
+	const tokenRequestOptions = { clientId: config.clientId };
+	if (tokenEndpointAuth.method !== "private_key_jwt") tokenRequestOptions.clientSecret = config.clientSecret;
 	const tokenResponse = await validateAuthorizationCode({
 		code,
 		codeVerifier: config.pkce ? stateData.codeVerifier : void 0,
 		redirectURI: getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options),
-		options: {
-			clientId: config.clientId,
-			clientSecret: config.clientSecret
-		},
+		options: tokenRequestOptions,
 		tokenEndpoint: config.tokenEndpoint,
-		authentication: authMethod,
-		clientAssertion: clientAssertionConfig
+		tokenEndpointAuth
 	}).catch((e) => {
 		ctx.context.logger.error("Error validating authorization code", e);
 		if (e instanceof BetterFetchError) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${e.message}`);
@@ -2659,10 +2816,15 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_response_not_found`);
 	let userInfo = null;
 	const mapping = config.mapping || {};
+	let rawProfile;
 	if (config.userInfoEndpoint) {
-		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
+		const userInfoResponse = await betterFetch(config.userInfoEndpoint, {
+			headers: { Authorization: `Bearer ${tokenResponse.accessToken}` },
+			redirect: "error"
+		});
 		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
 		const rawUserInfo = userInfoResponse.data;
+		rawProfile = rawUserInfo;
 		userInfo = {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, rawUserInfo[value]])),
 			id: rawUserInfo[mapping.id || "sub"],
@@ -2673,6 +2835,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 		};
 	} else if (tokenResponse.idToken) {
 		const idToken = decodeJwt(tokenResponse.idToken);
+		rawProfile = idToken;
 		if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=jwks_endpoint_not_found`);
 		const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint, {
 			audience: config.clientId,
@@ -2693,30 +2856,49 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	} else throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
 	if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=missing_user_info`);
 	const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
-	const linked = await handleOAuthUserInfo(ctx, {
-		userInfo: {
-			email: userInfo.email,
-			name: userInfo.name || "",
-			id: userInfo.id,
-			image: userInfo.image,
-			emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
-		},
-		account: {
-			idToken: tokenResponse.idToken,
-			accessToken: tokenResponse.accessToken,
-			refreshToken: tokenResponse.refreshToken,
-			accountId: userInfo.id,
+	let linked;
+	try {
+		linked = await signInWithOAuthIdentity(ctx, {
+			userInfo: {
+				email: userInfo.email,
+				name: userInfo.name || "",
+				id: userInfo.id,
+				image: userInfo.image,
+				emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
+			},
 			providerId: provider.providerId,
-			accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
-			refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
-			scope: tokenResponse.scopes?.join(",")
-		},
-		callbackURL,
-		disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
-		overrideUserInfo: config.overrideUserInfo,
-		isTrustedProvider
-	});
-	if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}?error=${linked.error}`);
+			accountId: userInfo.id,
+			tokens: tokenResponse,
+			requestedScopes,
+			callbackURL,
+			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
+			overrideUserInfo: config.overrideUserInfo,
+			source: {
+				method: "sso-oidc",
+				sso: {
+					providerId: provider.providerId,
+					profile: rawProfile
+				}
+			},
+			isTrustedProvider,
+			trustProviderByName: false
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) {
+			const baseURL = errorURL || callbackURL;
+			const params = new URLSearchParams({ error: e.body.code });
+			if (e.body.message) params.set("error_description", e.body.message);
+			const sep = baseURL.includes("?") ? "&" : "?";
+			throw ctx.redirect(`${baseURL}${sep}${params.toString()}`);
+		}
+		throw e;
+	}
+	if (linked.error) {
+		const baseURL = errorURL || callbackURL;
+		const params = new URLSearchParams({ error: linked.error });
+		const sep = baseURL.includes("?") ? "&" : "?";
+		throw ctx.redirect(`${baseURL}${sep}${params.toString()}`);
+	}
 	const { session, user } = linked.data;
 	if (options?.provisionUser && (linked.isRegister || options.provisionUserOnEveryLogin)) await options.provisionUser({
 		user,
@@ -2764,9 +2946,91 @@ const callbackSSOEndpointConfig = {
 		}
 	}
 };
+/**
+* Resolves an SSO provider by `providerId`, first checking `options.defaultSSO`
+* and falling back to the `ssoProvider` table. Returns `null` when no match is
+* found so the caller can decide how to react (redirect, silently skip, etc.).
+*/
+async function resolveOIDCProvider(ctx, options, providerId) {
+	const matchingDefault = options?.defaultSSO?.find((defaultProvider) => defaultProvider.providerId === providerId);
+	if (matchingDefault) return {
+		...matchingDefault,
+		issuer: matchingDefault.oidcConfig?.issuer || "",
+		userId: "default",
+		...options?.domainVerification?.enabled ? { domainVerified: true } : {}
+	};
+	return ctx.context.adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	}).then((res) => {
+		if (!res) return null;
+		return {
+			...res,
+			oidcConfig: safeJsonParse(res.oidcConfig) || void 0
+		};
+	});
+}
+/**
+* Restarts the OAuth flow server-side when a stateless callback arrives for
+* an OIDC provider that opted into IDP-initiated flows. Silently returns
+* otherwise, letting the normal handler produce its error redirect.
+*/
+async function bounceIfIdpInitiated(ctx, options, providerId) {
+	const provider = await resolveOIDCProvider(ctx, options, providerId);
+	if (!provider?.oidcConfig?.allowIdpInitiated) return;
+	let config = provider.oidcConfig;
+	try {
+		config = await ensureRuntimeDiscovery(config, provider.issuer, (url) => ctx.context.isTrustedOrigin(url));
+	} catch (error) {
+		ctx.context.logger.error("IDP-initiated bounce skipped: OIDC discovery failed", {
+			providerId: provider.providerId,
+			issuer: provider.issuer,
+			error
+		});
+		return;
+	}
+	if (!config.authorizationEndpoint) {
+		ctx.context.logger.error("IDP-initiated bounce skipped: authorizationEndpoint missing after discovery", {
+			providerId: provider.providerId,
+			issuer: provider.issuer
+		});
+		return;
+	}
+	if (options?.redirectURI?.trim()) await addOAuthServerContext({ ssoProviderId: provider.providerId });
+	const state = await generateState(ctx, { requestedScopes: config.scopes || [
+		"openid",
+		"email",
+		"profile",
+		"offline_access"
+	] });
+	const redirectURI = getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options);
+	const { url: authorizationURL } = await createAuthorizationURL({
+		id: provider.issuer,
+		options: {
+			clientId: config.clientId,
+			clientSecret: config.clientSecret
+		},
+		redirectURI,
+		state: state.state,
+		codeVerifier: config.pkce ? state.codeVerifier : void 0,
+		scopes: config.scopes || [
+			"openid",
+			"email",
+			"profile",
+			"offline_access"
+		],
+		authorizationEndpoint: config.authorizationEndpoint
+	});
+	throw ctx.redirect(authorizationURL.toString());
+}
 const callbackSSO = (options) => {
 	return createAuthEndpoint("/sso/callback/:providerId", callbackSSOEndpointConfig, async (ctx) => {
-		return handleOIDCCallback(ctx, options, ctx.params.providerId);
+		const providerId = ctx.params.providerId;
+		if (ctx.query.state === void 0 && ctx.query.code) await bounceIfIdpInitiated(ctx, options, providerId);
+		return handleOIDCCallback(ctx, options, providerId);
 	});
 };
 /**
@@ -2792,7 +3056,7 @@ const callbackSSOShared = (options) => {
 			const errorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
 			throw ctx.redirect(`${errorURL}?error=invalid_state`);
 		}
-		const providerId = stateData.ssoProviderId;
+		const providerId = stateData.serverContext?.ssoProviderId;
 		if (!providerId) {
 			const errorURL = stateData.errorURL || stateData.callbackURL;
 			throw ctx.redirect(`${errorURL}?error=invalid_state&error_description=missing_provider_id`);
@@ -2941,7 +3205,7 @@ async function handleLogoutRequest(ctx, sp, idp, relayState, providerId) {
 	if (stored) {
 		const data = safeJsonParse(stored.value);
 		if (data) if (!sessionIndex || !data.sessionIndex || sessionIndex === data.sessionIndex) {
-			await ctx.context.internalAdapter.deleteSession(data.sessionId).catch((e) => ctx.context.logger.warn("Failed to delete session during SLO", { error: e }));
+			await ctx.context.internalAdapter.deleteSession(data.sessionToken).catch((e) => ctx.context.logger.warn("Failed to delete session during SLO", { error: e }));
 			await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${SAML_SESSION_BY_ID_PREFIX}${data.sessionId}`).catch((e) => ctx.context.logger.warn("Failed to delete SAML session lookup during SLO", e));
 		} else ctx.context.logger.warn("SessionIndex mismatch in LogoutRequest - skipping session deletion", {
 			providerId,
@@ -2951,10 +3215,9 @@ async function handleLogoutRequest(ctx, sp, idp, relayState, providerId) {
 		await ctx.context.internalAdapter.deleteVerificationByIdentifier(key).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during SLO", e));
 	}
 	const currentSession = await getSessionFromCtx(ctx);
-	if (currentSession?.session) await ctx.context.internalAdapter.deleteSession(currentSession.session.id);
+	if (currentSession?.session) await ctx.context.internalAdapter.deleteSession(currentSession.session.token);
 	deleteSessionCookie(ctx);
-	const requestId = parsed.extract.request?.id || "";
-	const res = sp.createLogoutResponse(idp, null, binding, relayState || "", (template) => template.replace("{InResponseTo}", requestId).replace("{StatusCode}", SAML_STATUS_SUCCESS));
+	const res = sp.createLogoutResponse(idp, parsed, binding, relayState || "");
 	if (binding === "post" && res.entityEndpoint) return createSAMLPostForm(res.entityEndpoint, "SAMLResponse", res.context, relayState);
 	throw ctx.redirect(res.context);
 }
@@ -3007,7 +3270,7 @@ const initiateSLO = (options) => {
 		});
 		if (samlSessionKey) await ctx.context.internalAdapter.deleteVerificationByIdentifier(samlSessionKey).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during logout", e));
 		await ctx.context.internalAdapter.deleteVerificationByIdentifier(sessionLookupKey).catch((e) => ctx.context.logger.warn("Failed to delete session lookup key during logout", e));
-		await ctx.context.internalAdapter.deleteSession(session.session.id);
+		await ctx.context.internalAdapter.deleteSession(session.session.token);
 		deleteSessionCookie(ctx);
 		throw ctx.redirect(logoutRequest.context);
 	});