npm - @hammadj/better-auth-sso - Versions diffs - 1.5.0-beta.9 - Mend

@hammadj/better-auth-sso 1.5.0-beta.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/.turbo/turbo-build.log +116 -0
package/LICENSE.md +20 -0
package/dist/client.d.mts +10 -0
package/dist/client.mjs +15 -0
package/dist/client.mjs.map +1 -0
package/dist/index.d.mts +738 -0
package/dist/index.mjs +2953 -0
package/dist/index.mjs.map +1 -0
package/package.json +87 -0
package/src/client.ts +29 -0
package/src/constants.ts +58 -0
package/src/domain-verification.test.ts +551 -0
package/src/index.ts +265 -0
package/src/linking/index.ts +2 -0
package/src/linking/org-assignment.test.ts +325 -0
package/src/linking/org-assignment.ts +176 -0
package/src/linking/types.ts +10 -0
package/src/oidc/discovery.test.ts +1157 -0
package/src/oidc/discovery.ts +494 -0
package/src/oidc/errors.ts +92 -0
package/src/oidc/index.ts +31 -0
package/src/oidc/types.ts +219 -0
package/src/oidc.test.ts +688 -0
package/src/providers.test.ts +1326 -0
package/src/routes/domain-verification.ts +275 -0
package/src/routes/providers.ts +565 -0
package/src/routes/schemas.ts +96 -0
package/src/routes/sso.ts +2750 -0
package/src/saml/algorithms.test.ts +449 -0
package/src/saml/algorithms.ts +338 -0
package/src/saml/assertions.test.ts +239 -0
package/src/saml/assertions.ts +62 -0
package/src/saml/index.ts +13 -0
package/src/saml/parser.ts +56 -0
package/src/saml-state.ts +78 -0
package/src/saml.test.ts +4319 -0
package/src/types.ts +365 -0
package/src/utils.test.ts +103 -0
package/src/utils.ts +81 -0
package/tsconfig.json +14 -0
package/tsdown.config.ts +9 -0
package/vitest.config.ts +3 -0

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,2953 @@
+import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
+import { XMLParser, XMLValidator } from "fast-xml-parser";
+import * as saml from "samlify";
+import { X509Certificate } from "node:crypto";
+import { generateRandomString } from "better-auth/crypto";
+import * as z$1 from "zod/v4";
+import z from "zod/v4";
+import { base64 } from "@better-auth/utils/base64";
+import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
+import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
+import { setSessionCookie } from "better-auth/cookies";
+import { handleOAuthUserInfo } from "better-auth/oauth2";
+import { decodeJwt } from "jose";
+import { APIError as APIError$1 } from "better-call";
+//#region src/utils.ts
+/**
+* Safely parses a value that might be a JSON string or already a parsed object.
+* This handles cases where ORMs like Drizzle might return already parsed objects
+* instead of JSON strings from TEXT/JSON columns.
+*
+* @param value - The value to parse (string, object, null, or undefined)
+* @returns The parsed object or null
+* @throws Error if string parsing fails
+*/
+function safeJsonParse(value) {
+	if (!value) return null;
+	if (typeof value === "object") return value;
+	if (typeof value === "string") try {
+		return JSON.parse(value);
+	} catch (error) {
+		throw new Error(`Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
+	return null;
+}
+/**
+* Checks if a domain matches any domain in a comma-separated list.
+*/
+const domainMatches = (searchDomain, domainList) => {
+	const search = searchDomain.toLowerCase();
+	return domainList.split(",").map((d) => d.trim().toLowerCase()).filter(Boolean).some((d) => search === d || search.endsWith(`.${d}`));
+};
+/**
+* Validates email domain against allowed domain(s).
+* Supports comma-separated domains for multi-domain SSO.
+*/
+const validateEmailDomain = (email, domain) => {
+	const emailDomain = email.split("@")[1]?.toLowerCase();
+	if (!emailDomain || !domain) return false;
+	return domainMatches(emailDomain, domain);
+};
+function parseCertificate(certPem) {
+	const cert = new X509Certificate(certPem.includes("-----BEGIN") ? certPem : `-----BEGIN CERTIFICATE-----\n${certPem}\n-----END CERTIFICATE-----`);
+	return {
+		fingerprintSha256: cert.fingerprint256,
+		notBefore: cert.validFrom,
+		notAfter: cert.validTo,
+		publicKeyAlgorithm: cert.publicKey.asymmetricKeyType?.toUpperCase() || "UNKNOWN"
+	};
+}
+function maskClientId(clientId) {
+	if (clientId.length <= 4) return "****";
+	return `****${clientId.slice(-4)}`;
+}
+//#endregion
+//#region src/linking/org-assignment.ts
+/**
+* Assigns a user to an organization based on the SSO provider's organizationId.
+* Used in SSO flows (OIDC, SAML) where the provider is already linked to an org.
+*/
+async function assignOrganizationFromProvider(ctx, options) {
+	const { user, profile, provider, token, provisioningOptions } = options;
+	if (!provider.organizationId) return;
+	if (provisioningOptions?.disabled) return;
+	if (!ctx.context.hasPlugin("organization")) return;
+	if (await ctx.context.adapter.findOne({
+		model: "member",
+		where: [{
+			field: "organizationId",
+			value: provider.organizationId
+		}, {
+			field: "userId",
+			value: user.id
+		}]
+	})) return;
+	const role = provisioningOptions?.getRole ? await provisioningOptions.getRole({
+		user,
+		userInfo: profile.rawAttributes || {},
+		token,
+		provider
+	}) : provisioningOptions?.defaultRole || "member";
+	await ctx.context.adapter.create({
+		model: "member",
+		data: {
+			organizationId: provider.organizationId,
+			userId: user.id,
+			role,
+			createdAt: /* @__PURE__ */ new Date()
+		}
+	});
+}
+/**
+* Assigns a user to an organization based on their email domain.
+* Looks up SSO providers that match the user's email domain and assigns
+* the user to the associated organization.
+*
+* This enables domain-based org assignment for non-SSO sign-in methods
+* (e.g., Google OAuth with @acme.com email gets added to Acme's org).
+*/
+async function assignOrganizationByDomain(ctx, options) {
+	const { user, provisioningOptions, domainVerification } = options;
+	if (provisioningOptions?.disabled) return;
+	if (!ctx.context.hasPlugin("organization")) return;
+	const domain = user.email.split("@")[1];
+	if (!domain) return;
+	const whereClause = [{
+		field: "domain",
+		value: domain
+	}];
+	if (domainVerification?.enabled) whereClause.push({
+		field: "domainVerified",
+		value: true
+	});
+	let ssoProvider = await ctx.context.adapter.findOne({
+		model: "ssoProvider",
+		where: whereClause
+	});
+	if (!ssoProvider) ssoProvider = (await ctx.context.adapter.findMany({
+		model: "ssoProvider",
+		where: domainVerification?.enabled ? [{
+			field: "domainVerified",
+			value: true
+		}] : []
+	})).find((p) => domainMatches(domain, p.domain)) ?? null;
+	if (!ssoProvider || !ssoProvider.organizationId) return;
+	if (await ctx.context.adapter.findOne({
+		model: "member",
+		where: [{
+			field: "organizationId",
+			value: ssoProvider.organizationId
+		}, {
+			field: "userId",
+			value: user.id
+		}]
+	})) return;
+	const role = provisioningOptions?.getRole ? await provisioningOptions.getRole({
+		user,
+		userInfo: {},
+		provider: ssoProvider
+	}) : provisioningOptions?.defaultRole || "member";
+	await ctx.context.adapter.create({
+		model: "member",
+		data: {
+			organizationId: ssoProvider.organizationId,
+			userId: user.id,
+			role,
+			createdAt: /* @__PURE__ */ new Date()
+		}
+	});
+}
+//#endregion
+//#region src/routes/domain-verification.ts
+const domainVerificationBodySchema = z$1.object({ providerId: z$1.string() });
+const requestDomainVerification = (options) => {
+	return createAuthEndpoint("/sso/request-domain-verification", {
+		method: "POST",
+		body: domainVerificationBodySchema,
+		metadata: { openapi: {
+			summary: "Request a domain verification",
+			description: "Request a domain verification for the given SSO provider",
+			responses: {
+				"404": { description: "Provider not found" },
+				"409": { description: "Domain has already been verified" },
+				"201": { description: "Domain submitted for verification" }
+			}
+		} },
+		use: [sessionMiddleware]
+	}, async (ctx) => {
+		const body = ctx.body;
+		const provider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: body.providerId
+			}]
+		});
+		if (!provider) throw new APIError("NOT_FOUND", {
+			message: "Provider not found",
+			code: "PROVIDER_NOT_FOUND"
+		});
+		const userId = ctx.context.session.user.id;
+		let isOrgMember = true;
+		if (provider.organizationId) isOrgMember = await ctx.context.adapter.count({
+			model: "member",
+			where: [{
+				field: "userId",
+				value: userId
+			}, {
+				field: "organizationId",
+				value: provider.organizationId
+			}]
+		}) > 0;
+		if (provider.userId !== userId || !isOrgMember) throw new APIError("FORBIDDEN", {
+			message: "User must be owner of or belong to the SSO provider organization",
+			code: "INSUFICCIENT_ACCESS"
+		});
+		if ("domainVerified" in provider && provider.domainVerified) throw new APIError("CONFLICT", {
+			message: "Domain has already been verified",
+			code: "DOMAIN_VERIFIED"
+		});
+		const activeVerification = await ctx.context.adapter.findOne({
+			model: "verification",
+			where: [{
+				field: "identifier",
+				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+			}, {
+				field: "expiresAt",
+				value: /* @__PURE__ */ new Date(),
+				operator: "gt"
+			}]
+		});
+		if (activeVerification) {
+			ctx.setStatus(201);
+			return ctx.json({ domainVerificationToken: activeVerification.value });
+		}
+		const domainVerificationToken = generateRandomString(24);
+		await ctx.context.adapter.create({
+			model: "verification",
+			data: {
+				identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+				createdAt: /* @__PURE__ */ new Date(),
+				updatedAt: /* @__PURE__ */ new Date(),
+				value: domainVerificationToken,
+				expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1e3)
+			}
+		});
+		ctx.setStatus(201);
+		return ctx.json({ domainVerificationToken });
+	});
+};
+const verifyDomain = (options) => {
+	return createAuthEndpoint("/sso/verify-domain", {
+		method: "POST",
+		body: domainVerificationBodySchema,
+		metadata: { openapi: {
+			summary: "Verify the provider domain ownership",
+			description: "Verify the provider domain ownership via DNS records",
+			responses: {
+				"404": { description: "Provider not found" },
+				"409": { description: "Domain has already been verified or no pending verification exists" },
+				"502": { description: "Unable to verify domain ownership due to upstream validator error" },
+				"204": { description: "Domain ownership was verified" }
+			}
+		} },
+		use: [sessionMiddleware]
+	}, async (ctx) => {
+		const body = ctx.body;
+		const provider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: body.providerId
+			}]
+		});
+		if (!provider) throw new APIError("NOT_FOUND", {
+			message: "Provider not found",
+			code: "PROVIDER_NOT_FOUND"
+		});
+		const userId = ctx.context.session.user.id;
+		let isOrgMember = true;
+		if (provider.organizationId) isOrgMember = await ctx.context.adapter.count({
+			model: "member",
+			where: [{
+				field: "userId",
+				value: userId
+			}, {
+				field: "organizationId",
+				value: provider.organizationId
+			}]
+		}) > 0;
+		if (provider.userId !== userId || !isOrgMember) throw new APIError("FORBIDDEN", {
+			message: "User must be owner of or belong to the SSO provider organization",
+			code: "INSUFICCIENT_ACCESS"
+		});
+		if ("domainVerified" in provider && provider.domainVerified) throw new APIError("CONFLICT", {
+			message: "Domain has already been verified",
+			code: "DOMAIN_VERIFIED"
+		});
+		const activeVerification = await ctx.context.adapter.findOne({
+			model: "verification",
+			where: [{
+				field: "identifier",
+				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+			}, {
+				field: "expiresAt",
+				value: /* @__PURE__ */ new Date(),
+				operator: "gt"
+			}]
+		});
+		if (!activeVerification) throw new APIError("NOT_FOUND", {
+			message: "No pending domain verification exists",
+			code: "NO_PENDING_VERIFICATION"
+		});
+		let records = [];
+		let dns;
+		try {
+			dns = await import("node:dns/promises");
+		} catch (error) {
+			ctx.context.logger.error("The core node:dns module is required for the domain verification feature", error);
+			throw new APIError("INTERNAL_SERVER_ERROR", {
+				message: "Unable to verify domain ownership due to server error",
+				code: "DOMAIN_VERIFICATION_FAILED"
+			});
+		}
+		try {
+			records = (await dns.resolveTxt(new URL(provider.domain).hostname)).flat();
+		} catch (error) {
+			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
+		}
+		if (!records.find((record) => record.includes(`${activeVerification.identifier}=${activeVerification.value}`))) throw new APIError("BAD_GATEWAY", {
+			message: "Unable to verify domain ownership. Try again later",
+			code: "DOMAIN_VERIFICATION_FAILED"
+		});
+		await ctx.context.adapter.update({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: provider.providerId
+			}],
+			update: { domainVerified: true }
+		});
+		ctx.setStatus(204);
+	});
+};
+//#endregion
+//#region src/constants.ts
+/**
+* SAML Constants
+*
+* Centralized constants for SAML SSO functionality.
+*/
+/** Prefix for AuthnRequest IDs used in InResponseTo validation */
+const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
+/** Prefix for used Assertion IDs used in replay protection */
+const USED_ASSERTION_KEY_PREFIX = "saml-used-assertion:";
+/**
+* Default TTL for AuthnRequest records (5 minutes).
+* This should be sufficient for most IdPs while protecting against stale requests.
+*/
+const DEFAULT_AUTHN_REQUEST_TTL_MS = 300 * 1e3;
+/**
+* Default TTL for used assertion records (15 minutes).
+* This should match the maximum expected NotOnOrAfter window plus clock skew.
+*/
+const DEFAULT_ASSERTION_TTL_MS = 900 * 1e3;
+/**
+* Default clock skew tolerance (5 minutes).
+* Allows for minor time differences between IdP and SP servers.
+*
+* Accommodates:
+* - Network latency and processing time
+* - Clock synchronization differences (NTP drift)
+* - Distributed systems across timezones
+*/
+const DEFAULT_CLOCK_SKEW_MS = 300 * 1e3;
+/**
+* Default maximum size for SAML responses (256 KB).
+* Protects against memory exhaustion from oversized SAML payloads.
+*/
+const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
+/**
+* Default maximum size for IdP metadata (100 KB).
+* Protects against oversized metadata documents.
+*/
+const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
+//#endregion
+//#region src/saml/parser.ts
+const xmlParser = new XMLParser({
+	ignoreAttributes: false,
+	attributeNamePrefix: "@_",
+	removeNSPrefix: true,
+	processEntities: false
+});
+function findNode(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return null;
+	const record = obj;
+	if (nodeName in record) return record[nodeName];
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
+		const found = findNode(item, nodeName);
+		if (found) return found;
+	}
+	else if (typeof value === "object" && value !== null) {
+		const found = findNode(value, nodeName);
+		if (found) return found;
+	}
+	return null;
+}
+function countAllNodes(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return 0;
+	let count = 0;
+	const record = obj;
+	if (nodeName in record) {
+		const node = record[nodeName];
+		count += Array.isArray(node) ? node.length : 1;
+	}
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
+	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
+	return count;
+}
+//#endregion
+//#region src/saml/algorithms.ts
+const SignatureAlgorithm = {
+	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
+	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
+	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
+};
+const DigestAlgorithm = {
+	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
+	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
+	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
+};
+const KeyEncryptionAlgorithm = {
+	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
+	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
+};
+const DataEncryptionAlgorithm = {
+	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
+	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
+	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
+	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
+	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
+	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
+};
+const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
+const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
+const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
+const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
+const SECURE_SIGNATURE_ALGORITHMS = [
+	SignatureAlgorithm.RSA_SHA256,
+	SignatureAlgorithm.RSA_SHA384,
+	SignatureAlgorithm.RSA_SHA512,
+	SignatureAlgorithm.ECDSA_SHA256,
+	SignatureAlgorithm.ECDSA_SHA384,
+	SignatureAlgorithm.ECDSA_SHA512
+];
+const SECURE_DIGEST_ALGORITHMS = [
+	DigestAlgorithm.SHA256,
+	DigestAlgorithm.SHA384,
+	DigestAlgorithm.SHA512
+];
+const SHORT_FORM_SIGNATURE_TO_URI = {
+	sha1: SignatureAlgorithm.RSA_SHA1,
+	sha256: SignatureAlgorithm.RSA_SHA256,
+	sha384: SignatureAlgorithm.RSA_SHA384,
+	sha512: SignatureAlgorithm.RSA_SHA512,
+	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
+	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
+	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
+	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
+	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
+	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
+	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
+};
+const SHORT_FORM_DIGEST_TO_URI = {
+	sha1: DigestAlgorithm.SHA1,
+	sha256: DigestAlgorithm.SHA256,
+	sha384: DigestAlgorithm.SHA384,
+	sha512: DigestAlgorithm.SHA512
+};
+function normalizeSignatureAlgorithm(alg) {
+	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
+}
+function normalizeDigestAlgorithm(alg) {
+	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
+}
+function extractEncryptionAlgorithms(xml) {
+	try {
+		const parsed = xmlParser.parse(xml);
+		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
+		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
+		return {
+			keyEncryption: keyAlg || null,
+			dataEncryption: dataAlg || null
+		};
+	} catch {
+		return {
+			keyEncryption: null,
+			dataEncryption: null
+		};
+	}
+}
+function hasEncryptedAssertion(xml) {
+	try {
+		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
+	} catch {
+		return false;
+	}
+}
+function handleDeprecatedAlgorithm(message, behavior, errorCode) {
+	switch (behavior) {
+		case "reject": throw new APIError("BAD_REQUEST", {
+			message,
+			code: errorCode
+		});
+		case "warn":
+			console.warn(`[SAML Security Warning] ${message}`);
+			break;
+		case "allow": break;
+	}
+}
+function validateSignatureAlgorithm(algorithm, options = {}) {
+	if (!algorithm) return;
+	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
+	if (allowedSignatureAlgorithms) {
+		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
+			code: "SAML_ALGORITHM_NOT_ALLOWED"
+		});
+		return;
+	}
+	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
+		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+		return;
+	}
+	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+		message: `SAML signature algorithm not recognized: ${algorithm}`,
+		code: "SAML_UNKNOWN_ALGORITHM"
+	});
+}
+function validateEncryptionAlgorithms(algorithms, options = {}) {
+	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
+	const { keyEncryption, dataEncryption } = algorithms;
+	if (keyEncryption) {
+		if (allowedKeyEncryptionAlgorithms) {
+			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+	if (dataEncryption) {
+		if (allowedDataEncryptionAlgorithms) {
+			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+}
+function validateSAMLAlgorithms(response, options) {
+	validateSignatureAlgorithm(response.sigAlg, options);
+	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
+}
+function validateConfigAlgorithms(config, options = {}) {
+	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
+	if (config.signatureAlgorithm) {
+		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
+		if (allowedSignatureAlgorithms) {
+			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
+		});
+	}
+	if (config.digestAlgorithm) {
+		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
+		if (allowedDigestAlgorithms) {
+			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
+		});
+	}
+}
+//#endregion
+//#region src/saml/assertions.ts
+/** @lintignore used in tests */
+function countAssertions(xml) {
+	let parsed;
+	try {
+		parsed = xmlParser.parse(xml);
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Failed to parse SAML response XML",
+			code: "SAML_INVALID_XML"
+		});
+	}
+	const assertions = countAllNodes(parsed, "Assertion");
+	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
+	return {
+		assertions,
+		encryptedAssertions,
+		total: assertions + encryptedAssertions
+	};
+}
+function validateSingleAssertion(samlResponse) {
+	let xml;
+	try {
+		xml = new TextDecoder().decode(base64.decode(samlResponse));
+		if (!xml.includes("<")) throw new Error("Not XML");
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Invalid base64-encoded SAML response",
+			code: "SAML_INVALID_ENCODING"
+		});
+	}
+	const counts = countAssertions(xml);
+	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
+		message: "SAML response contains no assertions",
+		code: "SAML_NO_ASSERTION"
+	});
+	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
+		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
+		code: "SAML_MULTIPLE_ASSERTIONS"
+	});
+}
+//#endregion
+//#region src/routes/schemas.ts
+const oidcMappingSchema = z.object({
+	id: z.string().optional(),
+	email: z.string().optional(),
+	emailVerified: z.string().optional(),
+	name: z.string().optional(),
+	image: z.string().optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const samlMappingSchema = z.object({
+	id: z.string().optional(),
+	email: z.string().optional(),
+	emailVerified: z.string().optional(),
+	name: z.string().optional(),
+	firstName: z.string().optional(),
+	lastName: z.string().optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const oidcConfigSchema = z.object({
+	clientId: z.string().optional(),
+	clientSecret: z.string().optional(),
+	authorizationEndpoint: z.string().url().optional(),
+	tokenEndpoint: z.string().url().optional(),
+	userInfoEndpoint: z.string().url().optional(),
+	tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
+	jwksEndpoint: z.string().url().optional(),
+	discoveryEndpoint: z.string().url().optional(),
+	scopes: z.array(z.string()).optional(),
+	pkce: z.boolean().optional(),
+	overrideUserInfo: z.boolean().optional(),
+	mapping: oidcMappingSchema
+});
+const samlConfigSchema = z.object({
+	entryPoint: z.string().url().optional(),
+	cert: z.string().optional(),
+	callbackUrl: z.string().url().optional(),
+	audience: z.string().optional(),
+	idpMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		cert: z.string().optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional(),
+		singleSignOnService: z.array(z.object({
+			Binding: z.string(),
+			Location: z.string().url()
+		})).optional()
+	}).optional(),
+	spMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		binding: z.string().optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional()
+	}).optional(),
+	wantAssertionsSigned: z.boolean().optional(),
+	authnRequestsSigned: z.boolean().optional(),
+	signatureAlgorithm: z.string().optional(),
+	digestAlgorithm: z.string().optional(),
+	identifierFormat: z.string().optional(),
+	privateKey: z.string().optional(),
+	decryptionPvk: z.string().optional(),
+	additionalParams: z.record(z.string(), z.any()).optional(),
+	mapping: samlMappingSchema
+});
+const updateSSOProviderBodySchema = z.object({
+	issuer: z.string().url().optional(),
+	domain: z.string().optional(),
+	oidcConfig: oidcConfigSchema.optional(),
+	samlConfig: samlConfigSchema.optional()
+});
+//#endregion
+//#region src/routes/providers.ts
+const ADMIN_ROLES = ["owner", "admin"];
+async function isOrgAdmin(ctx, userId, organizationId) {
+	const member = await ctx.context.adapter.findOne({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationId
+		}]
+	});
+	if (!member) return false;
+	return member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()));
+}
+async function batchCheckOrgAdmin(ctx, userId, organizationIds) {
+	if (organizationIds.length === 0) return /* @__PURE__ */ new Set();
+	const members = await ctx.context.adapter.findMany({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationIds,
+			operator: "in"
+		}]
+	});
+	const adminOrgIds = /* @__PURE__ */ new Set();
+	for (const member of members) if (member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()))) adminOrgIds.add(member.organizationId);
+	return adminOrgIds;
+}
+function sanitizeProvider(provider, baseURL) {
+	let oidcConfig = null;
+	let samlConfig = null;
+	try {
+		oidcConfig = safeJsonParse(provider.oidcConfig);
+	} catch {
+		oidcConfig = null;
+	}
+	try {
+		samlConfig = safeJsonParse(provider.samlConfig);
+	} catch {
+		samlConfig = null;
+	}
+	const type = samlConfig ? "saml" : "oidc";
+	return {
+		providerId: provider.providerId,
+		type,
+		issuer: provider.issuer,
+		domain: provider.domain,
+		organizationId: provider.organizationId || null,
+		domainVerified: provider.domainVerified ?? false,
+		oidcConfig: oidcConfig ? {
+			discoveryEndpoint: oidcConfig.discoveryEndpoint,
+			clientIdLastFour: maskClientId(oidcConfig.clientId),
+			pkce: oidcConfig.pkce,
+			authorizationEndpoint: oidcConfig.authorizationEndpoint,
+			tokenEndpoint: oidcConfig.tokenEndpoint,
+			userInfoEndpoint: oidcConfig.userInfoEndpoint,
+			jwksEndpoint: oidcConfig.jwksEndpoint,
+			scopes: oidcConfig.scopes,
+			tokenEndpointAuthentication: oidcConfig.tokenEndpointAuthentication
+		} : void 0,
+		samlConfig: samlConfig ? {
+			entryPoint: samlConfig.entryPoint,
+			callbackUrl: samlConfig.callbackUrl,
+			audience: samlConfig.audience,
+			wantAssertionsSigned: samlConfig.wantAssertionsSigned,
+			authnRequestsSigned: samlConfig.authnRequestsSigned,
+			identifierFormat: samlConfig.identifierFormat,
+			signatureAlgorithm: samlConfig.signatureAlgorithm,
+			digestAlgorithm: samlConfig.digestAlgorithm,
+			certificate: (() => {
+				try {
+					return parseCertificate(samlConfig.cert);
+				} catch {
+					return { error: "Failed to parse certificate" };
+				}
+			})()
+		} : void 0,
+		spMetadataUrl: `${baseURL}/sso/saml2/sp/metadata?providerId=${encodeURIComponent(provider.providerId)}`
+	};
+}
+const listSSOProviders = () => {
+	return createAuthEndpoint("/sso/providers", {
+		method: "GET",
+		use: [sessionMiddleware],
+		metadata: { openapi: {
+			operationId: "listSSOProviders",
+			summary: "List SSO providers",
+			description: "Returns a list of SSO providers the user has access to",
+			responses: { "200": { description: "List of SSO providers" } }
+		} }
+	}, async (ctx) => {
+		const userId = ctx.context.session.user.id;
+		const allProviders = await ctx.context.adapter.findMany({ model: "ssoProvider" });
+		const userOwnedProviders = allProviders.filter((p) => p.userId === userId && !p.organizationId);
+		const orgProviders = allProviders.filter((p) => p.organizationId !== null && p.organizationId !== void 0);
+		const orgPluginEnabled = ctx.context.hasPlugin("organization");
+		let accessibleProviders = [...userOwnedProviders];
+		if (orgPluginEnabled && orgProviders.length > 0) {
+			const adminOrgIds = await batchCheckOrgAdmin(ctx, userId, [...new Set(orgProviders.map((p) => p.organizationId).filter((id) => id !== null && id !== void 0))]);
+			const orgAccessibleProviders = orgProviders.filter((provider) => provider.organizationId && adminOrgIds.has(provider.organizationId));
+			accessibleProviders = [...accessibleProviders, ...orgAccessibleProviders];
+		} else if (!orgPluginEnabled) {
+			const userOwnedOrgProviders = orgProviders.filter((p) => p.userId === userId);
+			accessibleProviders = [...accessibleProviders, ...userOwnedOrgProviders];
+		}
+		const providers = accessibleProviders.map((p) => sanitizeProvider(p, ctx.context.baseURL));
+		return ctx.json({ providers });
+	});
+};
+const getSSOProviderParamsSchema = z.object({ providerId: z.string() });
+async function checkProviderAccess(ctx, providerId) {
+	const userId = ctx.context.session.user.id;
+	const provider = await ctx.context.adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	});
+	if (!provider) throw new APIError("NOT_FOUND", { message: "Provider not found" });
+	let hasAccess = false;
+	if (provider.organizationId) if (ctx.context.hasPlugin("organization")) hasAccess = await isOrgAdmin(ctx, userId, provider.organizationId);
+	else hasAccess = provider.userId === userId;
+	else hasAccess = provider.userId === userId;
+	if (!hasAccess) throw new APIError("FORBIDDEN", { message: "You don't have access to this provider" });
+	return provider;
+}
+const getSSOProvider = () => {
+	return createAuthEndpoint("/sso/providers/:providerId", {
+		method: "GET",
+		use: [sessionMiddleware],
+		params: getSSOProviderParamsSchema,
+		metadata: { openapi: {
+			operationId: "getSSOProvider",
+			summary: "Get SSO provider details",
+			description: "Returns sanitized details for a specific SSO provider",
+			responses: {
+				"200": { description: "SSO provider details" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.params;
+		const provider = await checkProviderAccess(ctx, providerId);
+		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL));
+	});
+};
+function parseAndValidateConfig(configString, configType) {
+	let config = null;
+	try {
+		config = safeJsonParse(configString);
+	} catch {
+		config = null;
+	}
+	if (!config) throw new APIError("BAD_REQUEST", { message: `Cannot update ${configType} config for a provider that doesn't have ${configType} configured` });
+	return config;
+}
+function mergeSAMLConfig(current, updates, issuer) {
+	return {
+		...current,
+		...updates,
+		issuer,
+		entryPoint: updates.entryPoint ?? current.entryPoint,
+		cert: updates.cert ?? current.cert,
+		callbackUrl: updates.callbackUrl ?? current.callbackUrl,
+		spMetadata: updates.spMetadata ?? current.spMetadata,
+		idpMetadata: updates.idpMetadata ?? current.idpMetadata,
+		mapping: updates.mapping ?? current.mapping,
+		audience: updates.audience ?? current.audience,
+		wantAssertionsSigned: updates.wantAssertionsSigned ?? current.wantAssertionsSigned,
+		authnRequestsSigned: updates.authnRequestsSigned ?? current.authnRequestsSigned,
+		identifierFormat: updates.identifierFormat ?? current.identifierFormat,
+		signatureAlgorithm: updates.signatureAlgorithm ?? current.signatureAlgorithm,
+		digestAlgorithm: updates.digestAlgorithm ?? current.digestAlgorithm
+	};
+}
+function mergeOIDCConfig(current, updates, issuer) {
+	return {
+		...current,
+		...updates,
+		issuer,
+		pkce: updates.pkce ?? current.pkce ?? true,
+		clientId: updates.clientId ?? current.clientId,
+		clientSecret: updates.clientSecret ?? current.clientSecret,
+		discoveryEndpoint: updates.discoveryEndpoint ?? current.discoveryEndpoint,
+		mapping: updates.mapping ?? current.mapping,
+		scopes: updates.scopes ?? current.scopes,
+		authorizationEndpoint: updates.authorizationEndpoint ?? current.authorizationEndpoint,
+		tokenEndpoint: updates.tokenEndpoint ?? current.tokenEndpoint,
+		userInfoEndpoint: updates.userInfoEndpoint ?? current.userInfoEndpoint,
+		jwksEndpoint: updates.jwksEndpoint ?? current.jwksEndpoint,
+		tokenEndpointAuthentication: updates.tokenEndpointAuthentication ?? current.tokenEndpointAuthentication
+	};
+}
+const updateSSOProvider = (options) => {
+	return createAuthEndpoint("/sso/providers/:providerId", {
+		method: "PATCH",
+		use: [sessionMiddleware],
+		params: getSSOProviderParamsSchema,
+		body: updateSSOProviderBodySchema,
+		metadata: { openapi: {
+			operationId: "updateSSOProvider",
+			summary: "Update SSO provider",
+			description: "Partially update an SSO provider. Only provided fields are updated. If domain changes, domainVerified is reset to false.",
+			responses: {
+				"200": { description: "SSO provider updated successfully" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.params;
+		const body = ctx.body;
+		const { issuer, domain, samlConfig, oidcConfig } = body;
+		if (!issuer && !domain && !samlConfig && !oidcConfig) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
+		const existingProvider = await checkProviderAccess(ctx, providerId);
+		const updateData = {};
+		if (body.issuer !== void 0) updateData.issuer = body.issuer;
+		if (body.domain !== void 0) {
+			updateData.domain = body.domain;
+			if (body.domain !== existingProvider.domain) updateData.domainVerified = false;
+		}
+		if (body.samlConfig) {
+			if (body.samlConfig.idpMetadata?.metadata) {
+				const maxMetadataSize = options?.saml?.maxMetadataSize ?? DEFAULT_MAX_SAML_METADATA_SIZE;
+				if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
+			}
+			if (body.samlConfig.signatureAlgorithm !== void 0 || body.samlConfig.digestAlgorithm !== void 0) validateConfigAlgorithms({
+				signatureAlgorithm: body.samlConfig.signatureAlgorithm,
+				digestAlgorithm: body.samlConfig.digestAlgorithm
+			}, options?.saml?.algorithms);
+			const currentSamlConfig = parseAndValidateConfig(existingProvider.samlConfig, "SAML");
+			const updatedSamlConfig = mergeSAMLConfig(currentSamlConfig, body.samlConfig, updateData.issuer || currentSamlConfig.issuer || existingProvider.issuer);
+			updateData.samlConfig = JSON.stringify(updatedSamlConfig);
+		}
+		if (body.oidcConfig) {
+			const currentOidcConfig = parseAndValidateConfig(existingProvider.oidcConfig, "OIDC");
+			const updatedOidcConfig = mergeOIDCConfig(currentOidcConfig, body.oidcConfig, updateData.issuer || currentOidcConfig.issuer || existingProvider.issuer);
+			updateData.oidcConfig = JSON.stringify(updatedOidcConfig);
+		}
+		await ctx.context.adapter.update({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}],
+			update: updateData
+		});
+		const fullProvider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
+		});
+		if (!fullProvider) throw new APIError("NOT_FOUND", { message: "Provider not found after update" });
+		return ctx.json(sanitizeProvider(fullProvider, ctx.context.baseURL));
+	});
+};
+const deleteSSOProvider = () => {
+	return createAuthEndpoint("/sso/providers/:providerId", {
+		method: "DELETE",
+		use: [sessionMiddleware],
+		params: getSSOProviderParamsSchema,
+		metadata: { openapi: {
+			operationId: "deleteSSOProvider",
+			summary: "Delete SSO provider",
+			description: "Deletes an SSO provider",
+			responses: {
+				"200": { description: "SSO provider deleted successfully" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.params;
+		await checkProviderAccess(ctx, providerId);
+		await ctx.context.adapter.delete({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
+		});
+		return ctx.json({ success: true });
+	});
+};
+//#endregion
+//#region src/oidc/types.ts
+/**
+* Custom error class for OIDC discovery failures.
+* Can be caught and mapped to APIError at the edge.
+*/
+var DiscoveryError = class DiscoveryError extends Error {
+	code;
+	details;
+	constructor(code, message, details, options) {
+		super(message, options);
+		this.name = "DiscoveryError";
+		this.code = code;
+		this.details = details;
+		if (Error.captureStackTrace) Error.captureStackTrace(this, DiscoveryError);
+	}
+};
+/**
+* Required fields that must be present in a valid discovery document.
+*/
+const REQUIRED_DISCOVERY_FIELDS = [
+	"issuer",
+	"authorization_endpoint",
+	"token_endpoint",
+	"jwks_uri"
+];
+//#endregion
+//#region src/oidc/discovery.ts
+/**
+* OIDC Discovery Pipeline
+*
+* Implements OIDC discovery document fetching, validation, and hydration.
+* This module is used both at provider registration time (to persist validated config)
+* and at runtime (to hydrate legacy providers that are missing metadata).
+*
+* @see https://openid.net/specs/openid-connect-discovery-1_0.html
+*/
+/** Default timeout for discovery requests (10 seconds) */
+const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
+/**
+* Main entry point: Discover and hydrate OIDC configuration from an issuer.
+*
+* This function:
+* 1. Computes the discovery URL from the issuer
+* 2. Validates the discovery URL
+* 3. Fetches the discovery document
+* 4. Validates the discovery document (issuer match + required fields)
+* 5. Normalizes URLs
+* 6. Selects token endpoint auth method
+* 7. Merges with existing config (existing values take precedence)
+*
+* @param params - Discovery parameters
+* @param isTrustedOrigin - Origin verification tester function
+* @returns Hydrated OIDC configuration ready for persistence
+* @throws DiscoveryError on any failure
+*/
+async function discoverOIDCConfig(params) {
+	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
+	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
+	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
+	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
+	validateDiscoveryDocument(discoveryDoc, issuer);
+	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
+	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
+	return {
+		issuer: existingConfig?.issuer ?? normalizedDoc.issuer,
+		discoveryEndpoint: existingConfig?.discoveryEndpoint ?? discoveryUrl,
+		authorizationEndpoint: existingConfig?.authorizationEndpoint ?? normalizedDoc.authorization_endpoint,
+		tokenEndpoint: existingConfig?.tokenEndpoint ?? normalizedDoc.token_endpoint,
+		jwksEndpoint: existingConfig?.jwksEndpoint ?? normalizedDoc.jwks_uri,
+		userInfoEndpoint: existingConfig?.userInfoEndpoint ?? normalizedDoc.userinfo_endpoint,
+		tokenEndpointAuthentication: existingConfig?.tokenEndpointAuthentication ?? tokenEndpointAuth,
+		scopesSupported: existingConfig?.scopesSupported ?? normalizedDoc.scopes_supported
+	};
+}
+/**
+* Compute the discovery URL from an issuer URL.
+*
+* Per OIDC Discovery spec, the discovery document is located at:
+* <issuer>/.well-known/openid-configuration
+*
+* Handles trailing slashes correctly.
+*/
+function computeDiscoveryUrl(issuer) {
+	return `${issuer.endsWith("/") ? issuer.slice(0, -1) : issuer}/.well-known/openid-configuration`;
+}
+/**
+* Validate a discovery URL before fetching.
+*
+* @param url - The discovery URL to validate
+* @param isTrustedOrigin - Origin verification tester function
+* @throws DiscoveryError if URL is invalid
+*/
+function validateDiscoveryUrl(url, isTrustedOrigin) {
+	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
+	if (!isTrustedOrigin(discoveryEndpoint)) throw new DiscoveryError("discovery_untrusted_origin", `The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`, { url: discoveryEndpoint });
+}
+/**
+* Fetch the OIDC discovery document from the IdP.
+*
+* @param url - The discovery endpoint URL
+* @param timeout - Request timeout in milliseconds
+* @returns The parsed discovery document
+* @throws DiscoveryError on network errors, timeouts, or invalid responses
+*/
+async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT) {
+	try {
+		const response = await betterFetch(url, {
+			method: "GET",
+			timeout
+		});
+		if (response.error) {
+			const { status } = response.error;
+			if (status === 404) throw new DiscoveryError("discovery_not_found", "Discovery endpoint not found", {
+				url,
+				status
+			});
+			if (status === 408) throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
+				url,
+				timeout
+			});
+			throw new DiscoveryError("discovery_unexpected_error", `Unexpected discovery error: ${response.error.statusText}`, {
+				url,
+				...response.error
+			});
+		}
+		if (!response.data) throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned an empty response", { url });
+		const data = response.data;
+		if (typeof data === "string") throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned invalid JSON", {
+			url,
+			bodyPreview: data.slice(0, 200)
+		});
+		return data;
+	} catch (error) {
+		if (error instanceof DiscoveryError) throw error;
+		if (error instanceof Error && error.name === "AbortError") throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
+			url,
+			timeout
+		});
+		throw new DiscoveryError("discovery_unexpected_error", `Unexpected error during discovery: ${error instanceof Error ? error.message : String(error)}`, { url }, { cause: error });
+	}
+}
+/**
+* Validate a discovery document.
+*
+* Checks:
+* 1. All required fields are present
+* 2. Issuer matches the configured issuer (case-sensitive, exact match)
+*
+* Invariant: If this function returns without throwing, the document is safe
+* to use for hydrating OIDC config (required fields present, issuer matches
+* configured value, basic structural sanity verified).
+*
+* @param doc - The discovery document to validate
+* @param configuredIssuer - The expected issuer value
+* @throws DiscoveryError if validation fails
+*/
+function validateDiscoveryDocument(doc, configuredIssuer) {
+	const missingFields = [];
+	for (const field of REQUIRED_DISCOVERY_FIELDS) if (!doc[field]) missingFields.push(field);
+	if (missingFields.length > 0) throw new DiscoveryError("discovery_incomplete", `Discovery document is missing required fields: ${missingFields.join(", ")}`, { missingFields });
+	if ((doc.issuer.endsWith("/") ? doc.issuer.slice(0, -1) : doc.issuer) !== (configuredIssuer.endsWith("/") ? configuredIssuer.slice(0, -1) : configuredIssuer)) throw new DiscoveryError("issuer_mismatch", `Discovered issuer "${doc.issuer}" does not match configured issuer "${configuredIssuer}"`, {
+		discovered: doc.issuer,
+		configured: configuredIssuer
+	});
+}
+/**
+* Normalize URLs in the discovery document.
+*
+* @param document - The discovery document
+* @param issuer - The base issuer URL
+* @param isTrustedOrigin - Origin verification tester function
+* @returns The normalized discovery document
+*/
+function normalizeDiscoveryUrls(document, issuer, isTrustedOrigin) {
+	const doc = { ...document };
+	doc.token_endpoint = normalizeAndValidateUrl("token_endpoint", doc.token_endpoint, issuer, isTrustedOrigin);
+	doc.authorization_endpoint = normalizeAndValidateUrl("authorization_endpoint", doc.authorization_endpoint, issuer, isTrustedOrigin);
+	doc.jwks_uri = normalizeAndValidateUrl("jwks_uri", doc.jwks_uri, issuer, isTrustedOrigin);
+	if (doc.userinfo_endpoint) doc.userinfo_endpoint = normalizeAndValidateUrl("userinfo_endpoint", doc.userinfo_endpoint, issuer, isTrustedOrigin);
+	if (doc.revocation_endpoint) doc.revocation_endpoint = normalizeAndValidateUrl("revocation_endpoint", doc.revocation_endpoint, issuer, isTrustedOrigin);
+	if (doc.end_session_endpoint) doc.end_session_endpoint = normalizeAndValidateUrl("end_session_endpoint", doc.end_session_endpoint, issuer, isTrustedOrigin);
+	if (doc.introspection_endpoint) doc.introspection_endpoint = normalizeAndValidateUrl("introspection_endpoint", doc.introspection_endpoint, issuer, isTrustedOrigin);
+	return doc;
+}
+/**
+* Normalizes and validates a single URL endpoint
+* @param name The url name
+* @param endpoint The url to validate
+* @param issuer The issuer base url
+* @param isTrustedOrigin - Origin verification tester function
+* @returns
+*/
+function normalizeAndValidateUrl(name, endpoint, issuer, isTrustedOrigin) {
+	const url = normalizeUrl(name, endpoint, issuer);
+	if (!isTrustedOrigin(url)) throw new DiscoveryError("discovery_untrusted_origin", `The ${name} "${url}" is not trusted by your trusted origins configuration.`, {
+		endpoint: name,
+		url
+	});
+	return url;
+}
+/**
+* Normalize a single URL endpoint.
+*
+* @param name - The endpoint name (e.g token_endpoint)
+* @param endpoint - The endpoint URL to normalize
+* @param issuer - The base issuer URL
+* @returns The normalized endpoint URL
+*/
+function normalizeUrl(name, endpoint, issuer) {
+	try {
+		return parseURL(name, endpoint).toString();
+	} catch {
+		const issuerURL = parseURL(name, issuer);
+		const basePath = issuerURL.pathname.replace(/\/+$/, "");
+		const endpointPath = endpoint.replace(/^\/+/, "");
+		return parseURL(name, basePath + "/" + endpointPath, issuerURL.origin).toString();
+	}
+}
+/**
+* Parses the given URL or throws in case of invalid or unsupported protocols
+*
+* @param name the url name
+* @param endpoint the endpoint url
+* @param [base] optional base path
+* @returns
+*/
+function parseURL(name, endpoint, base) {
+	let endpointURL;
+	try {
+		endpointURL = new URL(endpoint, base);
+		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") return endpointURL;
+	} catch (error) {
+		throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must be valid: ${endpoint}`, { url: endpoint }, { cause: error });
+	}
+	throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must use the http or https supported protocols: ${endpoint}`, {
+		url: endpoint,
+		protocol: endpointURL.protocol
+	});
+}
+/**
+* Select the token endpoint authentication method.
+*
+* @param doc - The discovery document
+* @param existing - Existing authentication method from config
+* @returns The selected authentication method
+*/
+function selectTokenEndpointAuthMethod(doc, existing) {
+	if (existing) return existing;
+	const supported = doc.token_endpoint_auth_methods_supported;
+	if (!supported || supported.length === 0) return "client_secret_basic";
+	if (supported.includes("client_secret_basic")) return "client_secret_basic";
+	if (supported.includes("client_secret_post")) return "client_secret_post";
+	return "client_secret_basic";
+}
+/**
+* Check if a provider configuration needs runtime discovery.
+*
+* Returns true if we need discovery at runtime to complete the token exchange
+* and validation. Specifically checks for:
+* - `tokenEndpoint` - required for exchanging authorization code for tokens
+* - `jwksEndpoint` - required for validating ID token signatures
+*
+* Note: `authorizationEndpoint` is handled separately in the sign-in flow,
+* so it's not checked here.
+*
+* @param config - Partial OIDC config from the provider
+* @returns true if runtime discovery should be performed
+*/
+function needsRuntimeDiscovery(config) {
+	if (!config) return true;
+	return !config.tokenEndpoint || !config.jwksEndpoint;
+}
+//#endregion
+//#region src/oidc/errors.ts
+/**
+* OIDC Discovery Error Mapping
+*
+* Maps DiscoveryError codes to appropriate APIError responses.
+* Used at the boundary between the discovery pipeline and HTTP handlers.
+*/
+/**
+* Maps a DiscoveryError to an appropriate APIError for HTTP responses.
+*
+* Error code mapping:
+* - discovery_invalid_url       → 400 BAD_REQUEST
+* - discovery_not_found         → 400 BAD_REQUEST
+* - discovery_invalid_json      → 400 BAD_REQUEST
+* - discovery_incomplete        → 400 BAD_REQUEST
+* - issuer_mismatch             → 400 BAD_REQUEST
+* - unsupported_token_auth_method → 400 BAD_REQUEST
+* - discovery_timeout           → 502 BAD_GATEWAY
+* - discovery_unexpected_error  → 502 BAD_GATEWAY
+*
+* @param error - The DiscoveryError to map
+* @returns An APIError with appropriate status and message
+*/
+function mapDiscoveryErrorToAPIError(error) {
+	switch (error.code) {
+		case "discovery_timeout": return new APIError("BAD_GATEWAY", {
+			message: `OIDC discovery timed out: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_unexpected_error": return new APIError("BAD_GATEWAY", {
+			message: `OIDC discovery failed: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_not_found": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery endpoint not found. The issuer may not support OIDC discovery, or the URL is incorrect. ${error.message}`,
+			code: error.code
+		});
+		case "discovery_invalid_url": return new APIError("BAD_REQUEST", {
+			message: `Invalid OIDC discovery URL: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_untrusted_origin": return new APIError("BAD_REQUEST", {
+			message: `Untrusted OIDC discovery URL: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery returned invalid data: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_incomplete": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery document is missing required fields: ${error.message}`,
+			code: error.code
+		});
+		case "issuer_mismatch": return new APIError("BAD_REQUEST", {
+			message: `OIDC issuer mismatch: ${error.message}`,
+			code: error.code
+		});
+		case "unsupported_token_auth_method": return new APIError("BAD_REQUEST", {
+			message: `Incompatible OIDC provider: ${error.message}`,
+			code: error.code
+		});
+		default:
+			error.code;
+			return new APIError("INTERNAL_SERVER_ERROR", {
+				message: `Unexpected discovery error: ${error.message}`,
+				code: "discovery_unexpected_error"
+			});
+	}
+}
+//#endregion
+//#region src/saml-state.ts
+async function generateRelayState(c, link, additionalData) {
+	const callbackURL = c.body.callbackURL;
+	if (!callbackURL) throw new APIError$1("BAD_REQUEST", { message: "callbackURL is required" });
+	const codeVerifier = generateRandomString(128);
+	const stateData = {
+		...additionalData ? additionalData : {},
+		callbackURL,
+		codeVerifier,
+		errorURL: c.body.errorCallbackURL,
+		newUserURL: c.body.newUserCallbackURL,
+		link,
+		expiresAt: Date.now() + 600 * 1e3,
+		requestSignUp: c.body.requestSignUp
+	};
+	try {
+		return generateGenericState(c, stateData, { cookieName: "relay_state" });
+	} catch (error) {
+		c.context.logger.error("Failed to create verification for relay state", error);
+		throw new APIError$1("INTERNAL_SERVER_ERROR", {
+			message: "State error: Unable to create verification for relay state",
+			cause: error
+		});
+	}
+}
+async function parseRelayState(c) {
+	const state = c.body.RelayState;
+	const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+	let parsedData;
+	try {
+		parsedData = await parseGenericState(c, state, { cookieName: "relay_state" });
+	} catch (error) {
+		c.context.logger.error("Failed to parse relay state", error);
+		throw new APIError$1("BAD_REQUEST", {
+			message: "State error: failed to validate relay state",
+			cause: error
+		});
+	}
+	if (!parsedData.errorURL) parsedData.errorURL = errorURL;
+	return parsedData;
+}
+//#endregion
+//#region src/routes/sso.ts
+/**
+* Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
+* Prevents acceptance of expired or future-dated assertions.
+* @throws {APIError} If timestamps are invalid, expired, or not yet valid
+*/
+function validateSAMLTimestamp(conditions, options = {}) {
+	const clockSkew = options.clockSkew ?? DEFAULT_CLOCK_SKEW_MS;
+	if (!(conditions?.notBefore || conditions?.notOnOrAfter)) {
+		if (options.requireTimestamps) throw new APIError("BAD_REQUEST", {
+			message: "SAML assertion missing required timestamp conditions",
+			details: "Assertions must include NotBefore and/or NotOnOrAfter conditions"
+		});
+		options.logger?.warn("SAML assertion accepted without timestamp conditions", { hasConditions: !!conditions });
+		return;
+	}
+	const now = Date.now();
+	if (conditions?.notBefore) {
+		const notBeforeTime = new Date(conditions.notBefore).getTime();
+		if (Number.isNaN(notBeforeTime)) throw new APIError("BAD_REQUEST", {
+			message: "SAML assertion has invalid NotBefore timestamp",
+			details: `Unable to parse NotBefore value: ${conditions.notBefore}`
+		});
+		if (now < notBeforeTime - clockSkew) throw new APIError("BAD_REQUEST", {
+			message: "SAML assertion is not yet valid",
+			details: `Current time is before NotBefore (with ${clockSkew}ms clock skew tolerance)`
+		});
+	}
+	if (conditions?.notOnOrAfter) {
+		const notOnOrAfterTime = new Date(conditions.notOnOrAfter).getTime();
+		if (Number.isNaN(notOnOrAfterTime)) throw new APIError("BAD_REQUEST", {
+			message: "SAML assertion has invalid NotOnOrAfter timestamp",
+			details: `Unable to parse NotOnOrAfter value: ${conditions.notOnOrAfter}`
+		});
+		if (now > notOnOrAfterTime + clockSkew) throw new APIError("BAD_REQUEST", {
+			message: "SAML assertion has expired",
+			details: `Current time is after NotOnOrAfter (with ${clockSkew}ms clock skew tolerance)`
+		});
+	}
+}
+/**
+* Extracts the Assertion ID from a SAML response XML.
+* Returns null if the assertion ID cannot be found.
+*/
+function extractAssertionId(samlContent) {
+	try {
+		const parsed = new XMLParser({
+			ignoreAttributes: false,
+			attributeNamePrefix: "@_",
+			removeNSPrefix: true
+		}).parse(samlContent);
+		const response = parsed.Response || parsed["samlp:Response"];
+		if (!response) return null;
+		const rawAssertion = response.Assertion || response["saml:Assertion"];
+		const assertion = Array.isArray(rawAssertion) ? rawAssertion[0] : rawAssertion;
+		if (!assertion) return null;
+		return assertion["@_ID"] || null;
+	} catch {
+		return null;
+	}
+}
+const spMetadataQuerySchema = z.object({
+	providerId: z.string(),
+	format: z.enum(["xml", "json"]).default("xml")
+});
+const spMetadata = () => {
+	return createAuthEndpoint("/sso/saml2/sp/metadata", {
+		method: "GET",
+		query: spMetadataQuerySchema,
+		metadata: { openapi: {
+			operationId: "getSSOServiceProviderMetadata",
+			summary: "Get Service Provider metadata",
+			description: "Returns the SAML metadata for the Service Provider",
+			responses: { "200": { description: "SAML metadata in XML format" } }
+		} }
+	}, async (ctx) => {
+		const provider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: ctx.query.providerId
+			}]
+		});
+		if (!provider) throw new APIError("NOT_FOUND", { message: "No provider found for the given providerId" });
+		const parsedSamlConfig = safeJsonParse(provider.samlConfig);
+		if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
+		const sp = parsedSamlConfig.spMetadata.metadata ? saml.ServiceProvider({ metadata: parsedSamlConfig.spMetadata.metadata }) : saml.SPMetadata({
+			entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
+			assertionConsumerService: [{
+				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+				Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`
+			}],
+			wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+			authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
+			nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
+		});
+		return new Response(sp.getMetadata(), { headers: { "Content-Type": "application/xml" } });
+	});
+};
+const ssoProviderBodySchema = z.object({
+	providerId: z.string({}).meta({ description: "The ID of the provider. This is used to identify the provider during login and callback" }),
+	issuer: z.string({}).meta({ description: "The issuer of the provider" }),
+	domain: z.string({}).meta({ description: "The domain(s) of the provider. For enterprise multi-domain SSO where a single IdP serves multiple email domains, use comma-separated values (e.g., 'company.com,subsidiary.com,acquired-company.com')" }),
+	oidcConfig: z.object({
+		clientId: z.string({}).meta({ description: "The client ID" }),
+		clientSecret: z.string({}).meta({ description: "The client secret" }),
+		authorizationEndpoint: z.string({}).meta({ description: "The authorization endpoint" }).optional(),
+		tokenEndpoint: z.string({}).meta({ description: "The token endpoint" }).optional(),
+		userInfoEndpoint: z.string({}).meta({ description: "The user info endpoint" }).optional(),
+		tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
+		jwksEndpoint: z.string({}).meta({ description: "The JWKS endpoint" }).optional(),
+		discoveryEndpoint: z.string().optional(),
+		skipDiscovery: z.boolean().meta({ description: "Skip OIDC discovery during registration. When true, you must provide authorizationEndpoint, tokenEndpoint, and jwksEndpoint manually." }).optional(),
+		scopes: z.array(z.string(), {}).meta({ description: "The scopes to request. Defaults to ['openid', 'email', 'profile', 'offline_access']" }).optional(),
+		pkce: z.boolean({}).meta({ description: "Whether to use PKCE for the authorization flow" }).default(true).optional(),
+		mapping: z.object({
+			id: z.string({}).meta({ description: "Field mapping for user ID (defaults to 'sub')" }),
+			email: z.string({}).meta({ description: "Field mapping for email (defaults to 'email')" }),
+			emailVerified: z.string({}).meta({ description: "Field mapping for email verification (defaults to 'email_verified')" }).optional(),
+			name: z.string({}).meta({ description: "Field mapping for name (defaults to 'name')" }),
+			image: z.string({}).meta({ description: "Field mapping for image (defaults to 'picture')" }).optional(),
+			extraFields: z.record(z.string(), z.any()).optional()
+		}).optional()
+	}).optional(),
+	samlConfig: z.object({
+		entryPoint: z.string({}).meta({ description: "The entry point of the provider" }),
+		cert: z.string({}).meta({ description: "The certificate of the provider" }),
+		callbackUrl: z.string({}).meta({ description: "The callback URL of the provider" }),
+		audience: z.string().optional(),
+		idpMetadata: z.object({
+			metadata: z.string().optional(),
+			entityID: z.string().optional(),
+			cert: z.string().optional(),
+			privateKey: z.string().optional(),
+			privateKeyPass: z.string().optional(),
+			isAssertionEncrypted: z.boolean().optional(),
+			encPrivateKey: z.string().optional(),
+			encPrivateKeyPass: z.string().optional(),
+			singleSignOnService: z.array(z.object({
+				Binding: z.string().meta({ description: "The binding type for the SSO service" }),
+				Location: z.string().meta({ description: "The URL for the SSO service" })
+			})).optional().meta({ description: "Single Sign-On service configuration" })
+		}).optional(),
+		spMetadata: z.object({
+			metadata: z.string().optional(),
+			entityID: z.string().optional(),
+			binding: z.string().optional(),
+			privateKey: z.string().optional(),
+			privateKeyPass: z.string().optional(),
+			isAssertionEncrypted: z.boolean().optional(),
+			encPrivateKey: z.string().optional(),
+			encPrivateKeyPass: z.string().optional()
+		}),
+		wantAssertionsSigned: z.boolean().optional(),
+		authnRequestsSigned: z.boolean().optional(),
+		signatureAlgorithm: z.string().optional(),
+		digestAlgorithm: z.string().optional(),
+		identifierFormat: z.string().optional(),
+		privateKey: z.string().optional(),
+		decryptionPvk: z.string().optional(),
+		additionalParams: z.record(z.string(), z.any()).optional(),
+		mapping: z.object({
+			id: z.string({}).meta({ description: "Field mapping for user ID (defaults to 'nameID')" }),
+			email: z.string({}).meta({ description: "Field mapping for email (defaults to 'email')" }),
+			emailVerified: z.string({}).meta({ description: "Field mapping for email verification" }).optional(),
+			name: z.string({}).meta({ description: "Field mapping for name (defaults to 'displayName')" }),
+			firstName: z.string({}).meta({ description: "Field mapping for first name (defaults to 'givenName')" }).optional(),
+			lastName: z.string({}).meta({ description: "Field mapping for last name (defaults to 'surname')" }).optional(),
+			extraFields: z.record(z.string(), z.any()).optional()
+		}).optional()
+	}).optional(),
+	organizationId: z.string({}).meta({ description: "If organization plugin is enabled, the organization id to link the provider to" }).optional(),
+	overrideUserInfo: z.boolean({}).meta({ description: "Override user info with the provider info. Defaults to false" }).default(false).optional()
+});
+const registerSSOProvider = (options) => {
+	return createAuthEndpoint("/sso/register", {
+		method: "POST",
+		body: ssoProviderBodySchema,
+		use: [sessionMiddleware],
+		metadata: { openapi: {
+			operationId: "registerSSOProvider",
+			summary: "Register an OIDC provider",
+			description: "This endpoint is used to register an OIDC provider. This is used to configure the provider and link it to an organization",
+			responses: { "200": {
+				description: "OIDC provider created successfully",
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: {
+						issuer: {
+							type: "string",
+							format: "uri",
+							description: "The issuer URL of the provider"
+						},
+						domain: {
+							type: "string",
+							description: "The domain of the provider, used for email matching"
+						},
+						domainVerified: {
+							type: "boolean",
+							description: "A boolean indicating whether the domain has been verified or not"
+						},
+						domainVerificationToken: {
+							type: "string",
+							description: "Domain verification token. It can be used to prove ownership over the SSO domain"
+						},
+						oidcConfig: {
+							type: "object",
+							properties: {
+								issuer: {
+									type: "string",
+									format: "uri",
+									description: "The issuer URL of the provider"
+								},
+								pkce: {
+									type: "boolean",
+									description: "Whether PKCE is enabled for the authorization flow"
+								},
+								clientId: {
+									type: "string",
+									description: "The client ID for the provider"
+								},
+								clientSecret: {
+									type: "string",
+									description: "The client secret for the provider"
+								},
+								authorizationEndpoint: {
+									type: "string",
+									format: "uri",
+									nullable: true,
+									description: "The authorization endpoint URL"
+								},
+								discoveryEndpoint: {
+									type: "string",
+									format: "uri",
+									description: "The discovery endpoint URL"
+								},
+								userInfoEndpoint: {
+									type: "string",
+									format: "uri",
+									nullable: true,
+									description: "The user info endpoint URL"
+								},
+								scopes: {
+									type: "array",
+									items: { type: "string" },
+									nullable: true,
+									description: "The scopes requested from the provider"
+								},
+								tokenEndpoint: {
+									type: "string",
+									format: "uri",
+									nullable: true,
+									description: "The token endpoint URL"
+								},
+								tokenEndpointAuthentication: {
+									type: "string",
+									enum: ["client_secret_post", "client_secret_basic"],
+									nullable: true,
+									description: "Authentication method for the token endpoint"
+								},
+								jwksEndpoint: {
+									type: "string",
+									format: "uri",
+									nullable: true,
+									description: "The JWKS endpoint URL"
+								},
+								mapping: {
+									type: "object",
+									nullable: true,
+									properties: {
+										id: {
+											type: "string",
+											description: "Field mapping for user ID (defaults to 'sub')"
+										},
+										email: {
+											type: "string",
+											description: "Field mapping for email (defaults to 'email')"
+										},
+										emailVerified: {
+											type: "string",
+											nullable: true,
+											description: "Field mapping for email verification (defaults to 'email_verified')"
+										},
+										name: {
+											type: "string",
+											description: "Field mapping for name (defaults to 'name')"
+										},
+										image: {
+											type: "string",
+											nullable: true,
+											description: "Field mapping for image (defaults to 'picture')"
+										},
+										extraFields: {
+											type: "object",
+											additionalProperties: { type: "string" },
+											nullable: true,
+											description: "Additional field mappings"
+										}
+									},
+									required: [
+										"id",
+										"email",
+										"name"
+									]
+								}
+							},
+							required: [
+								"issuer",
+								"pkce",
+								"clientId",
+								"clientSecret",
+								"discoveryEndpoint"
+							],
+							description: "OIDC configuration for the provider"
+						},
+						organizationId: {
+							type: "string",
+							nullable: true,
+							description: "ID of the linked organization, if any"
+						},
+						userId: {
+							type: "string",
+							description: "ID of the user who registered the provider"
+						},
+						providerId: {
+							type: "string",
+							description: "Unique identifier for the provider"
+						},
+						redirectURI: {
+							type: "string",
+							format: "uri",
+							description: "The redirect URI for the provider callback"
+						}
+					},
+					required: [
+						"issuer",
+						"domain",
+						"oidcConfig",
+						"userId",
+						"providerId",
+						"redirectURI"
+					]
+				} } }
+			} }
+		} }
+	}, async (ctx) => {
+		const user = ctx.context.session?.user;
+		if (!user) throw new APIError("UNAUTHORIZED");
+		const limit = typeof options?.providersLimit === "function" ? await options.providersLimit(user) : options?.providersLimit ?? 10;
+		if (!limit) throw new APIError("FORBIDDEN", { message: "SSO provider registration is disabled" });
+		if ((await ctx.context.adapter.findMany({
+			model: "ssoProvider",
+			where: [{
+				field: "userId",
+				value: user.id
+			}]
+		})).length >= limit) throw new APIError("FORBIDDEN", { message: "You have reached the maximum number of SSO providers" });
+		const body = ctx.body;
+		if (z.string().url().safeParse(body.issuer).error) throw new APIError("BAD_REQUEST", { message: "Invalid issuer. Must be a valid URL" });
+		if (body.samlConfig?.idpMetadata?.metadata) {
+			const maxMetadataSize = options?.saml?.maxMetadataSize ?? DEFAULT_MAX_SAML_METADATA_SIZE;
+			if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
+		}
+		if (ctx.body.organizationId) {
+			if (!await ctx.context.adapter.findOne({
+				model: "member",
+				where: [{
+					field: "userId",
+					value: user.id
+				}, {
+					field: "organizationId",
+					value: ctx.body.organizationId
+				}]
+			})) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
+		}
+		if (await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: body.providerId
+			}]
+		})) {
+			ctx.context.logger.info(`SSO provider creation attempt with existing providerId: ${body.providerId}`);
+			throw new APIError("UNPROCESSABLE_ENTITY", { message: "SSO provider with this providerId already exists" });
+		}
+		let hydratedOIDCConfig = null;
+		if (body.oidcConfig && !body.oidcConfig.skipDiscovery) try {
+			hydratedOIDCConfig = await discoverOIDCConfig({
+				issuer: body.issuer,
+				existingConfig: {
+					discoveryEndpoint: body.oidcConfig.discoveryEndpoint,
+					authorizationEndpoint: body.oidcConfig.authorizationEndpoint,
+					tokenEndpoint: body.oidcConfig.tokenEndpoint,
+					jwksEndpoint: body.oidcConfig.jwksEndpoint,
+					userInfoEndpoint: body.oidcConfig.userInfoEndpoint,
+					tokenEndpointAuthentication: body.oidcConfig.tokenEndpointAuthentication
+				},
+				isTrustedOrigin: (url) => ctx.context.isTrustedOrigin(url)
+			});
+		} catch (error) {
+			if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
+			throw error;
+		}
+		const buildOIDCConfig = () => {
+			if (!body.oidcConfig) return null;
+			if (body.oidcConfig.skipDiscovery) return JSON.stringify({
+				issuer: body.issuer,
+				clientId: body.oidcConfig.clientId,
+				clientSecret: body.oidcConfig.clientSecret,
+				authorizationEndpoint: body.oidcConfig.authorizationEndpoint,
+				tokenEndpoint: body.oidcConfig.tokenEndpoint,
+				tokenEndpointAuthentication: body.oidcConfig.tokenEndpointAuthentication || "client_secret_basic",
+				jwksEndpoint: body.oidcConfig.jwksEndpoint,
+				pkce: body.oidcConfig.pkce,
+				discoveryEndpoint: body.oidcConfig.discoveryEndpoint || `${body.issuer}/.well-known/openid-configuration`,
+				mapping: body.oidcConfig.mapping,
+				scopes: body.oidcConfig.scopes,
+				userInfoEndpoint: body.oidcConfig.userInfoEndpoint,
+				overrideUserInfo: ctx.body.overrideUserInfo || options?.defaultOverrideUserInfo || false
+			});
+			if (!hydratedOIDCConfig) return null;
+			return JSON.stringify({
+				issuer: hydratedOIDCConfig.issuer,
+				clientId: body.oidcConfig.clientId,
+				clientSecret: body.oidcConfig.clientSecret,
+				authorizationEndpoint: hydratedOIDCConfig.authorizationEndpoint,
+				tokenEndpoint: hydratedOIDCConfig.tokenEndpoint,
+				tokenEndpointAuthentication: hydratedOIDCConfig.tokenEndpointAuthentication,
+				jwksEndpoint: hydratedOIDCConfig.jwksEndpoint,
+				pkce: body.oidcConfig.pkce,
+				discoveryEndpoint: hydratedOIDCConfig.discoveryEndpoint,
+				mapping: body.oidcConfig.mapping,
+				scopes: body.oidcConfig.scopes,
+				userInfoEndpoint: hydratedOIDCConfig.userInfoEndpoint,
+				overrideUserInfo: ctx.body.overrideUserInfo || options?.defaultOverrideUserInfo || false
+			});
+		};
+		if (body.samlConfig) validateConfigAlgorithms({
+			signatureAlgorithm: body.samlConfig.signatureAlgorithm,
+			digestAlgorithm: body.samlConfig.digestAlgorithm
+		}, options?.saml?.algorithms);
+		const provider = await ctx.context.adapter.create({
+			model: "ssoProvider",
+			data: {
+				issuer: body.issuer,
+				domain: body.domain,
+				domainVerified: false,
+				oidcConfig: buildOIDCConfig(),
+				samlConfig: body.samlConfig ? JSON.stringify({
+					issuer: body.issuer,
+					entryPoint: body.samlConfig.entryPoint,
+					cert: body.samlConfig.cert,
+					callbackUrl: body.samlConfig.callbackUrl,
+					audience: body.samlConfig.audience,
+					idpMetadata: body.samlConfig.idpMetadata,
+					spMetadata: body.samlConfig.spMetadata,
+					wantAssertionsSigned: body.samlConfig.wantAssertionsSigned,
+					authnRequestsSigned: body.samlConfig.authnRequestsSigned,
+					signatureAlgorithm: body.samlConfig.signatureAlgorithm,
+					digestAlgorithm: body.samlConfig.digestAlgorithm,
+					identifierFormat: body.samlConfig.identifierFormat,
+					privateKey: body.samlConfig.privateKey,
+					decryptionPvk: body.samlConfig.decryptionPvk,
+					additionalParams: body.samlConfig.additionalParams,
+					mapping: body.samlConfig.mapping
+				}) : null,
+				organizationId: body.organizationId,
+				userId: ctx.context.session.user.id,
+				providerId: body.providerId
+			}
+		});
+		let domainVerificationToken;
+		let domainVerified;
+		if (options?.domainVerification?.enabled) {
+			domainVerified = false;
+			domainVerificationToken = generateRandomString(24);
+			await ctx.context.adapter.create({
+				model: "verification",
+				data: {
+					identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+					createdAt: /* @__PURE__ */ new Date(),
+					updatedAt: /* @__PURE__ */ new Date(),
+					value: domainVerificationToken,
+					expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1e3)
+				}
+			});
+		}
+		const result = {
+			...provider,
+			oidcConfig: safeJsonParse(provider.oidcConfig),
+			samlConfig: safeJsonParse(provider.samlConfig),
+			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
+			...options?.domainVerification?.enabled ? { domainVerified } : {},
+			...options?.domainVerification?.enabled ? { domainVerificationToken } : {}
+		};
+		return ctx.json(result);
+	});
+};
+const signInSSOBodySchema = z.object({
+	email: z.string({}).meta({ description: "The email address to sign in with. This is used to identify the issuer to sign in with. It's optional if the issuer is provided" }).optional(),
+	organizationSlug: z.string({}).meta({ description: "The slug of the organization to sign in with" }).optional(),
+	providerId: z.string({}).meta({ description: "The ID of the provider to sign in with. This can be provided instead of email or issuer" }).optional(),
+	domain: z.string({}).meta({ description: "The domain of the provider." }).optional(),
+	callbackURL: z.string({}).meta({ description: "The URL to redirect to after login" }),
+	errorCallbackURL: z.string({}).meta({ description: "The URL to redirect to after login" }).optional(),
+	newUserCallbackURL: z.string({}).meta({ description: "The URL to redirect to after login if the user is new" }).optional(),
+	scopes: z.array(z.string(), {}).meta({ description: "Scopes to request from the provider." }).optional(),
+	loginHint: z.string({}).meta({ description: "Login hint to send to the identity provider (e.g., email or identifier). If supported, will be sent as 'login_hint'." }).optional(),
+	requestSignUp: z.boolean({}).meta({ description: "Explicitly request sign-up. Useful when disableImplicitSignUp is true for this provider" }).optional(),
+	providerType: z.enum(["oidc", "saml"]).optional()
+});
+const signInSSO = (options) => {
+	return createAuthEndpoint("/sign-in/sso", {
+		method: "POST",
+		body: signInSSOBodySchema,
+		metadata: { openapi: {
+			operationId: "signInWithSSO",
+			summary: "Sign in with SSO provider",
+			description: "This endpoint is used to sign in with an SSO provider. It redirects to the provider's authorization URL",
+			requestBody: { content: { "application/json": { schema: {
+				type: "object",
+				properties: {
+					email: {
+						type: "string",
+						description: "The email address to sign in with. This is used to identify the issuer to sign in with. It's optional if the issuer is provided"
+					},
+					issuer: {
+						type: "string",
+						description: "The issuer identifier, this is the URL of the provider and can be used to verify the provider and identify the provider during login. It's optional if the email is provided"
+					},
+					providerId: {
+						type: "string",
+						description: "The ID of the provider to sign in with. This can be provided instead of email or issuer"
+					},
+					callbackURL: {
+						type: "string",
+						description: "The URL to redirect to after login"
+					},
+					errorCallbackURL: {
+						type: "string",
+						description: "The URL to redirect to after login"
+					},
+					newUserCallbackURL: {
+						type: "string",
+						description: "The URL to redirect to after login if the user is new"
+					},
+					loginHint: {
+						type: "string",
+						description: "Login hint to send to the identity provider (e.g., email or identifier). If supported, sent as 'login_hint'."
+					}
+				},
+				required: ["callbackURL"]
+			} } } },
+			responses: { "200": {
+				description: "Authorization URL generated successfully for SSO sign-in",
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: {
+						url: {
+							type: "string",
+							format: "uri",
+							description: "The authorization URL to redirect the user to for SSO sign-in"
+						},
+						redirect: {
+							type: "boolean",
+							description: "Indicates that the client should redirect to the provided URL",
+							enum: [true]
+						}
+					},
+					required: ["url", "redirect"]
+				} } }
+			} }
+		} }
+	}, async (ctx) => {
+		const body = ctx.body;
+		let { email, organizationSlug, providerId, domain } = body;
+		if (!options?.defaultSSO?.length && !email && !organizationSlug && !domain && !providerId) throw new APIError("BAD_REQUEST", { message: "email, organizationSlug, domain or providerId is required" });
+		domain = body.domain || email?.split("@")[1];
+		let orgId = "";
+		if (organizationSlug) orgId = await ctx.context.adapter.findOne({
+			model: "organization",
+			where: [{
+				field: "slug",
+				value: organizationSlug
+			}]
+		}).then((res) => {
+			if (!res) return "";
+			return res.id;
+		});
+		let provider = null;
+		if (options?.defaultSSO?.length) {
+			const matchingDefault = providerId ? options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId) : options.defaultSSO.find((defaultProvider) => defaultProvider.domain === domain);
+			if (matchingDefault) provider = {
+				issuer: matchingDefault.samlConfig?.issuer || matchingDefault.oidcConfig?.issuer || "",
+				providerId: matchingDefault.providerId,
+				userId: "default",
+				oidcConfig: matchingDefault.oidcConfig,
+				samlConfig: matchingDefault.samlConfig,
+				domain: matchingDefault.domain,
+				...options.domainVerification?.enabled ? { domainVerified: true } : {}
+			};
+		}
+		if (!providerId && !orgId && !domain) throw new APIError("BAD_REQUEST", { message: "providerId, orgId or domain is required" });
+		if (!provider) {
+			const parseProvider = (res) => {
+				if (!res) return null;
+				return {
+					...res,
+					oidcConfig: res.oidcConfig ? safeJsonParse(res.oidcConfig) || void 0 : void 0,
+					samlConfig: res.samlConfig ? safeJsonParse(res.samlConfig) || void 0 : void 0
+				};
+			};
+			if (providerId || orgId) provider = parseProvider(await ctx.context.adapter.findOne({
+				model: "ssoProvider",
+				where: [{
+					field: providerId ? "providerId" : "organizationId",
+					value: providerId || orgId
+				}]
+			}));
+			else if (domain) {
+				provider = parseProvider(await ctx.context.adapter.findOne({
+					model: "ssoProvider",
+					where: [{
+						field: "domain",
+						value: domain
+					}]
+				}));
+				if (!provider) provider = parseProvider((await ctx.context.adapter.findMany({ model: "ssoProvider" })).find((p) => domainMatches(domain, p.domain)) ?? null);
+			}
+		}
+		if (!provider) throw new APIError("NOT_FOUND", { message: "No provider found for the issuer" });
+		if (body.providerType) {
+			if (body.providerType === "oidc" && !provider.oidcConfig) throw new APIError("BAD_REQUEST", { message: "OIDC provider is not configured" });
+			if (body.providerType === "saml" && !provider.samlConfig) throw new APIError("BAD_REQUEST", { message: "SAML provider is not configured" });
+		}
+		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
+		if (provider.oidcConfig && body.providerType !== "saml") {
+			let finalAuthUrl = provider.oidcConfig.authorizationEndpoint;
+			if (!finalAuthUrl && provider.oidcConfig.discoveryEndpoint) {
+				const discovery = await betterFetch(provider.oidcConfig.discoveryEndpoint, { method: "GET" });
+				if (discovery.data) finalAuthUrl = discovery.data.authorization_endpoint;
+			}
+			if (!finalAuthUrl) throw new APIError("BAD_REQUEST", { message: "Invalid OIDC configuration. Authorization URL not found." });
+			const state = await generateState(ctx, void 0, false);
+			const redirectURI = `${ctx.context.baseURL}/sso/callback/${provider.providerId}`;
+			const authorizationURL = await createAuthorizationURL({
+				id: provider.issuer,
+				options: {
+					clientId: provider.oidcConfig.clientId,
+					clientSecret: provider.oidcConfig.clientSecret
+				},
+				redirectURI,
+				state: state.state,
+				codeVerifier: provider.oidcConfig.pkce ? state.codeVerifier : void 0,
+				scopes: ctx.body.scopes || provider.oidcConfig.scopes || [
+					"openid",
+					"email",
+					"profile",
+					"offline_access"
+				],
+				loginHint: ctx.body.loginHint || email,
+				authorizationEndpoint: finalAuthUrl
+			});
+			return ctx.json({
+				url: authorizationURL.toString(),
+				redirect: true
+			});
+		}
+		if (provider.samlConfig) {
+			const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(provider.samlConfig);
+			if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
+			if (parsedSamlConfig.authnRequestsSigned && !parsedSamlConfig.spMetadata?.privateKey && !parsedSamlConfig.privateKey) ctx.context.logger.warn("authnRequestsSigned is enabled but no privateKey provided - AuthnRequests will not be signed", { providerId: provider.providerId });
+			let metadata = parsedSamlConfig.spMetadata.metadata;
+			if (!metadata) metadata = saml.SPMetadata({
+				entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
+				assertionConsumerService: [{
+					Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+					Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.providerId}`
+				}],
+				wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+				authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
+				nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
+			}).getMetadata() || "";
+			const sp = saml.ServiceProvider({
+				metadata,
+				allowCreate: true,
+				privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
+				privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass
+			});
+			const idp = saml.IdentityProvider({
+				metadata: parsedSamlConfig.idpMetadata?.metadata,
+				entityID: parsedSamlConfig.idpMetadata?.entityID,
+				encryptCert: parsedSamlConfig.idpMetadata?.cert,
+				singleSignOnService: parsedSamlConfig.idpMetadata?.singleSignOnService
+			});
+			const loginRequest = sp.createLoginRequest(idp, "redirect");
+			if (!loginRequest) throw new APIError("BAD_REQUEST", { message: "Invalid SAML request" });
+			const { state: relayState } = await generateRelayState(ctx, void 0, false);
+			if (loginRequest.id && options?.saml?.enableInResponseToValidation) {
+				const ttl = options?.saml?.requestTTL ?? DEFAULT_AUTHN_REQUEST_TTL_MS;
+				const record = {
+					id: loginRequest.id,
+					providerId: provider.providerId,
+					createdAt: Date.now(),
+					expiresAt: Date.now() + ttl
+				};
+				await ctx.context.internalAdapter.createVerificationValue({
+					identifier: `${AUTHN_REQUEST_KEY_PREFIX}${record.id}`,
+					value: JSON.stringify(record),
+					expiresAt: new Date(record.expiresAt)
+				});
+			}
+			return ctx.json({
+				url: `${loginRequest.context}&RelayState=${encodeURIComponent(relayState)}`,
+				redirect: true
+			});
+		}
+		throw new APIError("BAD_REQUEST", { message: "Invalid SSO provider" });
+	});
+};
+const callbackSSOQuerySchema = z.object({
+	code: z.string().optional(),
+	state: z.string(),
+	error: z.string().optional(),
+	error_description: z.string().optional()
+});
+const callbackSSO = (options) => {
+	return createAuthEndpoint("/sso/callback/:providerId", {
+		method: "GET",
+		query: callbackSSOQuerySchema,
+		allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
+		metadata: {
+			...HIDE_METADATA,
+			openapi: {
+				operationId: "handleSSOCallback",
+				summary: "Callback URL for SSO provider",
+				description: "This endpoint is used as the callback URL for SSO providers. It handles the authorization code and exchanges it for an access token",
+				responses: { "302": { description: "Redirects to the callback URL" } }
+			}
+		}
+	}, async (ctx) => {
+		const { code, error, error_description } = ctx.query;
+		const stateData = await parseState(ctx);
+		if (!stateData) {
+			const errorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
+			throw ctx.redirect(`${errorURL}?error=invalid_state`);
+		}
+		const { callbackURL, errorURL, newUserURL, requestSignUp } = stateData;
+		if (!code || error) throw ctx.redirect(`${errorURL || callbackURL}?error=${error}&error_description=${error_description}`);
+		let provider = null;
+		if (options?.defaultSSO?.length) {
+			const matchingDefault = options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === ctx.params.providerId);
+			if (matchingDefault) provider = {
+				...matchingDefault,
+				issuer: matchingDefault.oidcConfig?.issuer || "",
+				userId: "default",
+				...options.domainVerification?.enabled ? { domainVerified: true } : {}
+			};
+		}
+		if (!provider) provider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: ctx.params.providerId
+			}]
+		}).then((res) => {
+			if (!res) return null;
+			return {
+				...res,
+				oidcConfig: safeJsonParse(res.oidcConfig) || void 0
+			};
+		});
+		if (!provider) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=provider not found`);
+		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
+		let config = provider.oidcConfig;
+		if (!config) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=provider not found`);
+		const discovery = await betterFetch(config.discoveryEndpoint);
+		if (discovery.data) config = {
+			tokenEndpoint: discovery.data.token_endpoint,
+			tokenEndpointAuthentication: discovery.data.token_endpoint_auth_method,
+			userInfoEndpoint: discovery.data.userinfo_endpoint,
+			scopes: [
+				"openid",
+				"email",
+				"profile",
+				"offline_access"
+			],
+			...config
+		};
+		if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_endpoint_not_found`);
+		const tokenResponse = await validateAuthorizationCode({
+			code,
+			codeVerifier: config.pkce ? stateData.codeVerifier : void 0,
+			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
+			options: {
+				clientId: config.clientId,
+				clientSecret: config.clientSecret
+			},
+			tokenEndpoint: config.tokenEndpoint,
+			authentication: config.tokenEndpointAuthentication === "client_secret_post" ? "post" : "basic"
+		}).catch((e) => {
+			if (e instanceof BetterFetchError) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${e.message}`);
+			return null;
+		});
+		if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_response_not_found`);
+		let userInfo = null;
+		if (tokenResponse.idToken) {
+			const idToken = decodeJwt(tokenResponse.idToken);
+			if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=jwks_endpoint_not_found`);
+			const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint).catch((e) => {
+				ctx.context.logger.error(e);
+				return null;
+			});
+			if (!verified) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=token_not_verified`);
+			if (verified.payload.iss !== provider.issuer) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=issuer_mismatch`);
+			const mapping = config.mapping || {};
+			userInfo = {
+				...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
+				id: idToken[mapping.id || "sub"],
+				email: idToken[mapping.email || "email"],
+				emailVerified: options?.trustEmailVerified ? idToken[mapping.emailVerified || "email_verified"] : false,
+				name: idToken[mapping.name || "name"],
+				image: idToken[mapping.image || "picture"]
+			};
+		}
+		if (!userInfo) {
+			if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=user_info_endpoint_not_found`);
+			const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
+			if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
+			userInfo = userInfoResponse.data;
+		}
+		if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=missing_user_info`);
+		const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
+		const linked = await handleOAuthUserInfo(ctx, {
+			userInfo: {
+				email: userInfo.email,
+				name: userInfo.name || userInfo.email,
+				id: userInfo.id,
+				image: userInfo.image,
+				emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
+			},
+			account: {
+				idToken: tokenResponse.idToken,
+				accessToken: tokenResponse.accessToken,
+				refreshToken: tokenResponse.refreshToken,
+				accountId: userInfo.id,
+				providerId: provider.providerId,
+				accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
+				refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
+				scope: tokenResponse.scopes?.join(",")
+			},
+			callbackURL,
+			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
+			overrideUserInfo: config.overrideUserInfo,
+			isTrustedProvider
+		});
+		if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}/error?error=${linked.error}`);
+		const { session, user } = linked.data;
+		if (options?.provisionUser) await options.provisionUser({
+			user,
+			userInfo,
+			token: tokenResponse,
+			provider
+		});
+		await assignOrganizationFromProvider(ctx, {
+			user,
+			profile: {
+				providerType: "oidc",
+				providerId: provider.providerId,
+				accountId: userInfo.id,
+				email: userInfo.email,
+				emailVerified: Boolean(userInfo.emailVerified),
+				rawAttributes: userInfo
+			},
+			provider,
+			token: tokenResponse,
+			provisioningOptions: options?.organizationProvisioning
+		});
+		await setSessionCookie(ctx, {
+			session,
+			user
+		});
+		let toRedirectTo;
+		try {
+			toRedirectTo = (linked.isRegister ? newUserURL || callbackURL : callbackURL).toString();
+		} catch {
+			toRedirectTo = linked.isRegister ? newUserURL || callbackURL : callbackURL;
+		}
+		throw ctx.redirect(toRedirectTo);
+	});
+};
+const callbackSSOSAMLBodySchema = z.object({
+	SAMLResponse: z.string(),
+	RelayState: z.string().optional()
+});
+/**
+* Validates and returns a safe redirect URL.
+* - Prevents open redirect attacks by validating against trusted origins
+* - Prevents redirect loops by checking if URL points to callback route
+* - Falls back to appOrigin if URL is invalid or unsafe
+*/
+const getSafeRedirectUrl = (url, callbackPath, appOrigin, isTrustedOrigin) => {
+	if (!url) return appOrigin;
+	if (url.startsWith("/") && !url.startsWith("//")) {
+		try {
+			const absoluteUrl = new URL(url, appOrigin);
+			if (absoluteUrl.origin !== appOrigin) return appOrigin;
+			const callbackPathname = new URL(callbackPath).pathname;
+			if (absoluteUrl.pathname === callbackPathname) return appOrigin;
+		} catch {
+			return appOrigin;
+		}
+		return url;
+	}
+	if (!isTrustedOrigin(url, { allowRelativePaths: false })) return appOrigin;
+	try {
+		const callbackPathname = new URL(callbackPath).pathname;
+		if (new URL(url).pathname === callbackPathname) return appOrigin;
+	} catch {
+		if (url === callbackPath || url.startsWith(`${callbackPath}?`)) return appOrigin;
+	}
+	return url;
+};
+const callbackSSOSAML = (options) => {
+	return createAuthEndpoint("/sso/saml2/callback/:providerId", {
+		method: ["GET", "POST"],
+		body: callbackSSOSAMLBodySchema.optional(),
+		query: z.object({ RelayState: z.string().optional() }).optional(),
+		metadata: {
+			...HIDE_METADATA,
+			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
+			openapi: {
+				operationId: "handleSAMLCallback",
+				summary: "Callback URL for SAML provider",
+				description: "This endpoint is used as the callback URL for SAML providers. Supports both GET and POST methods for IdP-initiated and SP-initiated flows.",
+				responses: {
+					"302": { description: "Redirects to the callback URL" },
+					"400": { description: "Invalid SAML response" },
+					"401": { description: "Unauthorized - SAML authentication failed" }
+				}
+			}
+		}
+	}, async (ctx) => {
+		const { providerId } = ctx.params;
+		const appOrigin = new URL(ctx.context.baseURL).origin;
+		const errorURL = ctx.context.options.onAPIError?.errorURL || `${appOrigin}/error`;
+		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/callback/${providerId}`;
+		if (ctx.method === "GET" && !ctx.body?.SAMLResponse) {
+			if (!(await getSessionFromCtx(ctx))?.session) throw ctx.redirect(`${errorURL}?error=invalid_request`);
+			const relayState = ctx.query?.RelayState;
+			const safeRedirectUrl = getSafeRedirectUrl(relayState, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+			throw ctx.redirect(safeRedirectUrl);
+		}
+		if (!ctx.body?.SAMLResponse) throw new APIError("BAD_REQUEST", { message: "SAMLResponse is required for POST requests" });
+		const { SAMLResponse } = ctx.body;
+		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
+		let relayState = null;
+		if (ctx.body.RelayState) try {
+			relayState = await parseRelayState(ctx);
+		} catch {
+			relayState = null;
+		}
+		let provider = null;
+		if (options?.defaultSSO?.length) {
+			const matchingDefault = options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId);
+			if (matchingDefault) provider = {
+				...matchingDefault,
+				userId: "default",
+				issuer: matchingDefault.samlConfig?.issuer || "",
+				...options.domainVerification?.enabled ? { domainVerified: true } : {}
+			};
+		}
+		if (!provider) provider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
+		}).then((res) => {
+			if (!res) return null;
+			return {
+				...res,
+				samlConfig: res.samlConfig ? safeJsonParse(res.samlConfig) || void 0 : void 0
+			};
+		});
+		if (!provider) throw new APIError("NOT_FOUND", { message: "No provider found for the given providerId" });
+		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
+		const parsedSamlConfig = safeJsonParse(provider.samlConfig);
+		if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
+		const idpData = parsedSamlConfig.idpMetadata;
+		let idp = null;
+		if (!idpData?.metadata) idp = saml.IdentityProvider({
+			entityID: idpData?.entityID || parsedSamlConfig.issuer,
+			singleSignOnService: [{
+				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+				Location: parsedSamlConfig.entryPoint
+			}],
+			signingCert: idpData?.cert || parsedSamlConfig.cert,
+			wantAuthnRequestsSigned: parsedSamlConfig.wantAssertionsSigned || false,
+			isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
+			encPrivateKey: idpData?.encPrivateKey,
+			encPrivateKeyPass: idpData?.encPrivateKeyPass
+		});
+		else idp = saml.IdentityProvider({
+			metadata: idpData.metadata,
+			privateKey: idpData.privateKey,
+			privateKeyPass: idpData.privateKeyPass,
+			isAssertionEncrypted: idpData.isAssertionEncrypted,
+			encPrivateKey: idpData.encPrivateKey,
+			encPrivateKeyPass: idpData.encPrivateKeyPass
+		});
+		const spData = parsedSamlConfig.spMetadata;
+		const sp = saml.ServiceProvider({
+			metadata: spData?.metadata,
+			entityID: spData?.entityID || parsedSamlConfig.issuer,
+			assertionConsumerService: spData?.metadata ? void 0 : [{
+				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+				Location: parsedSamlConfig.callbackUrl
+			}],
+			privateKey: spData?.privateKey || parsedSamlConfig.privateKey,
+			privateKeyPass: spData?.privateKeyPass,
+			isAssertionEncrypted: spData?.isAssertionEncrypted || false,
+			encPrivateKey: spData?.encPrivateKey,
+			encPrivateKeyPass: spData?.encPrivateKeyPass,
+			wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+			nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
+		});
+		validateSingleAssertion(SAMLResponse);
+		let parsedResponse;
+		try {
+			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
+				SAMLResponse,
+				RelayState: ctx.body.RelayState || void 0
+			} });
+			if (!parsedResponse?.extract) throw new Error("Invalid SAML response structure");
+		} catch (error) {
+			ctx.context.logger.error("SAML response validation failed", {
+				error,
+				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
+			});
+			throw new APIError("BAD_REQUEST", {
+				message: "Invalid SAML response",
+				details: error instanceof Error ? error.message : String(error)
+			});
+		}
+		const { extract } = parsedResponse;
+		validateSAMLAlgorithms(parsedResponse, options?.saml?.algorithms);
+		validateSAMLTimestamp(extract.conditions, {
+			clockSkew: options?.saml?.clockSkew,
+			requireTimestamps: options?.saml?.requireTimestamps,
+			logger: ctx.context.logger
+		});
+		const inResponseTo = extract.inResponseTo;
+		if (options?.saml?.enableInResponseToValidation) {
+			const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
+			if (inResponseTo) {
+				let storedRequest = null;
+				const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+				if (verification) try {
+					storedRequest = JSON.parse(verification.value);
+					if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
+				} catch {
+					storedRequest = null;
+				}
+				if (!storedRequest) {
+					ctx.context.logger.error("SAML InResponseTo validation failed: unknown or expired request ID", {
+						inResponseTo,
+						providerId: provider.providerId
+					});
+					const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
+				}
+				if (storedRequest.providerId !== provider.providerId) {
+					ctx.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
+						inResponseTo,
+						expectedProvider: storedRequest.providerId,
+						actualProvider: provider.providerId
+					});
+					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+					const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
+				}
+				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+			} else if (!allowIdpInitiated) {
+				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId: provider.providerId });
+				const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
+			}
+		}
+		const samlContent = parsedResponse.samlContent;
+		const assertionId = samlContent ? extractAssertionId(samlContent) : null;
+		if (assertionId) {
+			const issuer = idp.entityMeta.getEntityID();
+			const conditions = extract.conditions;
+			const clockSkew = options?.saml?.clockSkew ?? DEFAULT_CLOCK_SKEW_MS;
+			const expiresAt = conditions?.notOnOrAfter ? new Date(conditions.notOnOrAfter).getTime() + clockSkew : Date.now() + DEFAULT_ASSERTION_TTL_MS;
+			const existingAssertion = await ctx.context.internalAdapter.findVerificationValue(`${USED_ASSERTION_KEY_PREFIX}${assertionId}`);
+			let isReplay = false;
+			if (existingAssertion) try {
+				if (JSON.parse(existingAssertion.value).expiresAt >= Date.now()) isReplay = true;
+			} catch (error) {
+				ctx.context.logger.warn("Failed to parse stored assertion record", {
+					assertionId,
+					error
+				});
+			}
+			if (isReplay) {
+				ctx.context.logger.error("SAML assertion replay detected: assertion ID already used", {
+					assertionId,
+					issuer,
+					providerId: provider.providerId
+				});
+				const redirectUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				throw ctx.redirect(`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
+			}
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: `${USED_ASSERTION_KEY_PREFIX}${assertionId}`,
+				value: JSON.stringify({
+					assertionId,
+					issuer,
+					providerId: provider.providerId,
+					usedAt: Date.now(),
+					expiresAt
+				}),
+				expiresAt: new Date(expiresAt)
+			});
+		} else ctx.context.logger.warn("Could not extract assertion ID for replay protection", { providerId: provider.providerId });
+		const attributes = extract.attributes || {};
+		const mapping = parsedSamlConfig.mapping ?? {};
+		const userInfo = {
+			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, attributes[value]])),
+			id: attributes[mapping.id || "nameID"] || extract.nameID,
+			email: (attributes[mapping.email || "email"] || extract.nameID).toLowerCase(),
+			name: [attributes[mapping.firstName || "givenName"], attributes[mapping.lastName || "surname"]].filter(Boolean).join(" ") || attributes[mapping.name || "displayName"] || extract.nameID,
+			emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attributes[mapping.emailVerified] || false : false
+		};
+		if (!userInfo.id || !userInfo.email) {
+			ctx.context.logger.error("Missing essential user info from SAML response", {
+				attributes: Object.keys(attributes),
+				mapping,
+				extractedId: userInfo.id,
+				extractedEmail: userInfo.email
+			});
+			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
+		}
+		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+		const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+		const result = await handleOAuthUserInfo(ctx, {
+			userInfo: {
+				email: userInfo.email,
+				name: userInfo.name || userInfo.email,
+				id: userInfo.id,
+				emailVerified: Boolean(userInfo.emailVerified)
+			},
+			account: {
+				providerId: provider.providerId,
+				accountId: userInfo.id,
+				accessToken: "",
+				refreshToken: ""
+			},
+			callbackURL: callbackUrl,
+			disableSignUp: options?.disableImplicitSignUp,
+			isTrustedProvider
+		});
+		if (result.error) throw ctx.redirect(`${callbackUrl}?error=${result.error.split(" ").join("_")}`);
+		const { session, user } = result.data;
+		if (options?.provisionUser) await options.provisionUser({
+			user,
+			userInfo,
+			provider
+		});
+		await assignOrganizationFromProvider(ctx, {
+			user,
+			profile: {
+				providerType: "saml",
+				providerId: provider.providerId,
+				accountId: userInfo.id,
+				email: userInfo.email,
+				emailVerified: Boolean(userInfo.emailVerified),
+				rawAttributes: attributes
+			},
+			provider,
+			provisioningOptions: options?.organizationProvisioning
+		});
+		await setSessionCookie(ctx, {
+			session,
+			user
+		});
+		const safeRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+		throw ctx.redirect(safeRedirectUrl);
+	});
+};
+const acsEndpointBodySchema = z.object({
+	SAMLResponse: z.string(),
+	RelayState: z.string().optional()
+});
+const acsEndpoint = (options) => {
+	return createAuthEndpoint("/sso/saml2/sp/acs/:providerId", {
+		method: "POST",
+		body: acsEndpointBodySchema,
+		metadata: {
+			...HIDE_METADATA,
+			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
+			openapi: {
+				operationId: "handleSAMLAssertionConsumerService",
+				summary: "SAML Assertion Consumer Service",
+				description: "Handles SAML responses from IdP after successful authentication",
+				responses: { "302": { description: "Redirects to the callback URL after successful authentication" } }
+			}
+		}
+	}, async (ctx) => {
+		const { SAMLResponse, RelayState = "" } = ctx.body;
+		const { providerId } = ctx.params;
+		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
+		let provider = null;
+		if (options?.defaultSSO?.length) {
+			const matchingDefault = providerId ? options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId) : options.defaultSSO[0];
+			if (matchingDefault) provider = {
+				issuer: matchingDefault.samlConfig?.issuer || "",
+				providerId: matchingDefault.providerId,
+				userId: "default",
+				samlConfig: matchingDefault.samlConfig,
+				domain: matchingDefault.domain,
+				...options.domainVerification?.enabled ? { domainVerified: true } : {}
+			};
+		} else provider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
+		}).then((res) => {
+			if (!res) return null;
+			return {
+				...res,
+				samlConfig: res.samlConfig ? safeJsonParse(res.samlConfig) || void 0 : void 0
+			};
+		});
+		if (!provider?.samlConfig) throw new APIError("NOT_FOUND", { message: "No SAML provider found" });
+		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
+		const parsedSamlConfig = provider.samlConfig;
+		const sp = saml.ServiceProvider({
+			entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
+			assertionConsumerService: [{
+				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+				Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`
+			}],
+			wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+			metadata: parsedSamlConfig.spMetadata?.metadata,
+			privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
+			privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
+			nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
+		});
+		const idpData = parsedSamlConfig.idpMetadata;
+		const idp = !idpData?.metadata ? saml.IdentityProvider({
+			entityID: idpData?.entityID || parsedSamlConfig.issuer,
+			singleSignOnService: idpData?.singleSignOnService || [{
+				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+				Location: parsedSamlConfig.entryPoint
+			}],
+			signingCert: idpData?.cert || parsedSamlConfig.cert
+		}) : saml.IdentityProvider({ metadata: idpData.metadata });
+		try {
+			validateSingleAssertion(SAMLResponse);
+		} catch (error) {
+			if (error instanceof APIError) {
+				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				const errorCode = error.body?.code === "SAML_MULTIPLE_ASSERTIONS" ? "multiple_assertions" : "no_assertion";
+				throw ctx.redirect(`${redirectUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`);
+			}
+			throw error;
+		}
+		let parsedResponse;
+		try {
+			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
+				SAMLResponse,
+				RelayState: RelayState || void 0
+			} });
+			if (!parsedResponse?.extract) throw new Error("Invalid SAML response structure");
+		} catch (error) {
+			ctx.context.logger.error("SAML response validation failed", {
+				error,
+				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
+			});
+			throw new APIError("BAD_REQUEST", {
+				message: "Invalid SAML response",
+				details: error instanceof Error ? error.message : String(error)
+			});
+		}
+		const { extract } = parsedResponse;
+		validateSAMLAlgorithms(parsedResponse, options?.saml?.algorithms);
+		validateSAMLTimestamp(extract.conditions, {
+			clockSkew: options?.saml?.clockSkew,
+			requireTimestamps: options?.saml?.requireTimestamps,
+			logger: ctx.context.logger
+		});
+		const inResponseToAcs = extract.inResponseTo;
+		if (options?.saml?.enableInResponseToValidation) {
+			const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
+			if (inResponseToAcs) {
+				let storedRequest = null;
+				const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
+				if (verification) try {
+					storedRequest = JSON.parse(verification.value);
+					if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
+				} catch {
+					storedRequest = null;
+				}
+				if (!storedRequest) {
+					ctx.context.logger.error("SAML InResponseTo validation failed: unknown or expired request ID", {
+						inResponseTo: inResponseToAcs,
+						providerId
+					});
+					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
+				}
+				if (storedRequest.providerId !== providerId) {
+					ctx.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
+						inResponseTo: inResponseToAcs,
+						expectedProvider: storedRequest.providerId,
+						actualProvider: providerId
+					});
+					await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
+					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
+				}
+				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
+			} else if (!allowIdpInitiated) {
+				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId });
+				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
+			}
+		}
+		const assertionIdAcs = extractAssertionId(Buffer.from(SAMLResponse, "base64").toString("utf-8"));
+		if (assertionIdAcs) {
+			const issuer = idp.entityMeta.getEntityID();
+			const conditions = extract.conditions;
+			const clockSkew = options?.saml?.clockSkew ?? DEFAULT_CLOCK_SKEW_MS;
+			const expiresAt = conditions?.notOnOrAfter ? new Date(conditions.notOnOrAfter).getTime() + clockSkew : Date.now() + DEFAULT_ASSERTION_TTL_MS;
+			const existingAssertion = await ctx.context.internalAdapter.findVerificationValue(`${USED_ASSERTION_KEY_PREFIX}${assertionIdAcs}`);
+			let isReplay = false;
+			if (existingAssertion) try {
+				if (JSON.parse(existingAssertion.value).expiresAt >= Date.now()) isReplay = true;
+			} catch (error) {
+				ctx.context.logger.warn("Failed to parse stored assertion record", {
+					assertionId: assertionIdAcs,
+					error
+				});
+			}
+			if (isReplay) {
+				ctx.context.logger.error("SAML assertion replay detected: assertion ID already used", {
+					assertionId: assertionIdAcs,
+					issuer,
+					providerId
+				});
+				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				throw ctx.redirect(`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
+			}
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: `${USED_ASSERTION_KEY_PREFIX}${assertionIdAcs}`,
+				value: JSON.stringify({
+					assertionId: assertionIdAcs,
+					issuer,
+					providerId,
+					usedAt: Date.now(),
+					expiresAt
+				}),
+				expiresAt: new Date(expiresAt)
+			});
+		} else ctx.context.logger.warn("Could not extract assertion ID for replay protection", { providerId });
+		const attributes = extract.attributes || {};
+		const mapping = parsedSamlConfig.mapping ?? {};
+		const userInfo = {
+			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, attributes[value]])),
+			id: attributes[mapping.id || "nameID"] || extract.nameID,
+			email: (attributes[mapping.email || "email"] || extract.nameID).toLowerCase(),
+			name: [attributes[mapping.firstName || "givenName"], attributes[mapping.lastName || "surname"]].filter(Boolean).join(" ") || attributes[mapping.name || "displayName"] || extract.nameID,
+			emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attributes[mapping.emailVerified] || false : false
+		};
+		if (!userInfo.id || !userInfo.email) {
+			ctx.context.logger.error("Missing essential user info from SAML response", {
+				attributes: Object.keys(attributes),
+				mapping,
+				extractedId: userInfo.id,
+				extractedEmail: userInfo.email
+			});
+			throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
+		}
+		const isTrustedProvider = !!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+		const callbackUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+		const result = await handleOAuthUserInfo(ctx, {
+			userInfo: {
+				email: userInfo.email,
+				name: userInfo.name || userInfo.email,
+				id: userInfo.id,
+				emailVerified: Boolean(userInfo.emailVerified)
+			},
+			account: {
+				providerId: provider.providerId,
+				accountId: userInfo.id,
+				accessToken: "",
+				refreshToken: ""
+			},
+			callbackURL: callbackUrl,
+			disableSignUp: options?.disableImplicitSignUp,
+			isTrustedProvider
+		});
+		if (result.error) throw ctx.redirect(`${callbackUrl}?error=${result.error.split(" ").join("_")}`);
+		const { session, user } = result.data;
+		if (options?.provisionUser) await options.provisionUser({
+			user,
+			userInfo,
+			provider
+		});
+		await assignOrganizationFromProvider(ctx, {
+			user,
+			profile: {
+				providerType: "saml",
+				providerId: provider.providerId,
+				accountId: userInfo.id,
+				email: userInfo.email,
+				emailVerified: Boolean(userInfo.emailVerified),
+				rawAttributes: attributes
+			},
+			provider,
+			provisioningOptions: options?.organizationProvisioning
+		});
+		await setSessionCookie(ctx, {
+			session,
+			user
+		});
+		throw ctx.redirect(callbackUrl);
+	});
+};
+//#endregion
+//#region src/index.ts
+saml.setSchemaValidator({ async validate(xml) {
+	if (XMLValidator.validate(xml, { allowBooleanAttributes: true }) === true) return "SUCCESS_VALIDATE_XML";
+	throw "ERR_INVALID_XML";
+} });
+/**
+* SAML endpoint paths that should skip origin check validation.
+* These endpoints receive POST requests from external Identity Providers,
+* which won't have a matching Origin header.
+*/
+const SAML_SKIP_ORIGIN_CHECK_PATHS = ["/sso/saml2/callback", "/sso/saml2/sp/acs"];
+function sso(options) {
+	const optionsWithStore = options;
+	let endpoints = {
+		spMetadata: spMetadata(),
+		registerSSOProvider: registerSSOProvider(optionsWithStore),
+		signInSSO: signInSSO(optionsWithStore),
+		callbackSSO: callbackSSO(optionsWithStore),
+		callbackSSOSAML: callbackSSOSAML(optionsWithStore),
+		acsEndpoint: acsEndpoint(optionsWithStore),
+		listSSOProviders: listSSOProviders(),
+		getSSOProvider: getSSOProvider(),
+		updateSSOProvider: updateSSOProvider(optionsWithStore),
+		deleteSSOProvider: deleteSSOProvider()
+	};
+	if (options?.domainVerification?.enabled) {
+		const domainVerificationEndpoints = {
+			requestDomainVerification: requestDomainVerification(optionsWithStore),
+			verifyDomain: verifyDomain(optionsWithStore)
+		};
+		endpoints = {
+			...endpoints,
+			...domainVerificationEndpoints
+		};
+	}
+	return {
+		id: "sso",
+		init(ctx) {
+			const existing = ctx.skipOriginCheck;
+			if (existing === true) return {};
+			return { context: { skipOriginCheck: [...Array.isArray(existing) ? existing : [], ...SAML_SKIP_ORIGIN_CHECK_PATHS] } };
+		},
+		endpoints,
+		hooks: { after: [{
+			matcher(context) {
+				return context.path?.startsWith("/callback/") ?? false;
+			},
+			handler: createAuthMiddleware(async (ctx) => {
+				const newSession = ctx.context.newSession;
+				if (!newSession?.user) return;
+				if (!ctx.context.hasPlugin("organization")) return;
+				await assignOrganizationByDomain(ctx, {
+					user: newSession.user,
+					provisioningOptions: options?.organizationProvisioning,
+					domainVerification: options?.domainVerification
+				});
+			})
+		}] },
+		schema: { ssoProvider: {
+			modelName: options?.modelName ?? "ssoProvider",
+			fields: {
+				issuer: {
+					type: "string",
+					required: true,
+					fieldName: options?.fields?.issuer ?? "issuer"
+				},
+				oidcConfig: {
+					type: "string",
+					required: false,
+					fieldName: options?.fields?.oidcConfig ?? "oidcConfig"
+				},
+				samlConfig: {
+					type: "string",
+					required: false,
+					fieldName: options?.fields?.samlConfig ?? "samlConfig"
+				},
+				userId: {
+					type: "string",
+					references: {
+						model: "user",
+						field: "id"
+					},
+					fieldName: options?.fields?.userId ?? "userId"
+				},
+				providerId: {
+					type: "string",
+					required: true,
+					unique: true,
+					fieldName: options?.fields?.providerId ?? "providerId"
+				},
+				organizationId: {
+					type: "string",
+					required: false,
+					fieldName: options?.fields?.organizationId ?? "organizationId"
+				},
+				domain: {
+					type: "string",
+					required: true,
+					fieldName: options?.fields?.domain ?? "domain"
+				},
+				...options?.domainVerification?.enabled ? { domainVerified: {
+					type: "boolean",
+					required: false
+				} } : {}
+			}
+		} },
+		options
+	};
+}
+//#endregion
+export { DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DigestAlgorithm, DiscoveryError, KeyEncryptionAlgorithm, REQUIRED_DISCOVERY_FIELDS, SignatureAlgorithm, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+//# sourceMappingURL=index.mjs.map