@logto/schemas 1.22.0 → 1.23.0

package/alterations/1.23.0-1732851150-rename-saml-application-constraints.ts

@@ -0,0 +1,34 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table saml_application_configs 
+        rename constraint application_type 
+        to saml_application_configs__application_type;
+    `);
+
+    await pool.query(sql`
+      alter table saml_application_secrets
+        rename constraint application_type 
+        to saml_application_secrets__application_type;
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table saml_application_configs 
+        rename constraint saml_application_configs__application_type 
+        to application_type;
+    `);
+
+    await pool.query(sql`
+      alter table saml_application_secrets
+        rename constraint saml_application_secrets__application_type 
+        to application_type;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.23.0-1733212543-add-saml-application-type-to-idp-initiated-sso-application-allow-list.ts

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;`);
+
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+        check (check_application_type(default_application_id, 'Traditional', 'SPA', 'SAML'));
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;`);
+
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+        check (check_application_type(default_application_id, 'Traditional', 'SPA'));
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.23.0-1735012422-add-saml-application-sessions-table.ts

@@ -0,0 +1,37 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table saml_application_sessions (
+        tenant_id varchar(21) not null 
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(32) not null,
+        application_id varchar(21) not null 
+          references applications (id) on update cascade on delete cascade,
+        saml_request_id varchar(128) not null,
+        oidc_state varchar(32),
+        relay_state varchar(256),
+        raw_auth_request text not null,
+        created_at timestamptz not null default(now()),
+        expires_at timestamptz not null,
+        primary key (tenant_id, id),
+        constraint saml_application_sessions__application_type 
+          check (check_application_type(application_id, 'SAML'))
+      );
+    `);
+    await applyTableRls(pool, 'saml_application_sessions');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'saml_application_sessions');
+    await pool.query(sql`
+      drop table if exists saml_application_sessions;
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.23.0-1732851150-rename-saml-application-constraints.js

@@ -0,0 +1,28 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table saml_application_configs 
+        rename constraint application_type 
+        to saml_application_configs__application_type;
+    `);
+        await pool.query(sql `
+      alter table saml_application_secrets
+        rename constraint application_type 
+        to saml_application_secrets__application_type;
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table saml_application_configs 
+        rename constraint saml_application_configs__application_type 
+        to application_type;
+    `);
+        await pool.query(sql `
+      alter table saml_application_secrets
+        rename constraint saml_application_secrets__application_type 
+        to application_type;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.23.0-1733212543-add-saml-application-type-to-idp-initiated-sso-application-allow-list.js

@@ -0,0 +1,24 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;`);
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+        check (check_application_type(default_application_id, 'Traditional', 'SPA', 'SAML'));
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;`);
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+        check (check_application_type(default_application_id, 'Traditional', 'SPA'));
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.23.0-1735012422-add-saml-application-sessions-table.js

@@ -0,0 +1,32 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table saml_application_sessions (
+        tenant_id varchar(21) not null 
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(32) not null,
+        application_id varchar(21) not null 
+          references applications (id) on update cascade on delete cascade,
+        saml_request_id varchar(128) not null,
+        oidc_state varchar(32),
+        relay_state varchar(256),
+        raw_auth_request text not null,
+        created_at timestamptz not null default(now()),
+        expires_at timestamptz not null,
+        primary key (tenant_id, id),
+        constraint saml_application_sessions__application_type 
+          check (check_application_type(application_id, 'SAML'))
+      );
+    `);
+        await applyTableRls(pool, 'saml_application_sessions');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'saml_application_sessions');
+        await pool.query(sql `
+      drop table if exists saml_application_sessions;
+    `);
+    },
+};
+export default alteration;

package/lib/consts/subscriptions.d.ts

@@ -8,26 +8,27 @@ export declare enum ReservedPlanId {
     Free = "free",
     /**
      * @deprecated
-     * In recent refactoring, the `hobby` plan is now treated as the `pro` plan.
-     * Only use this plan ID to check if a plan is a `pro` plan or not.
-     * This plan ID will be renamed to `pro` after legacy Stripe data is migrated by @darcyYe
-     *
-     * Todo @darcyYe:
-     * - LOG-7846: Rename `hobby` to `pro` and `pro` to `legacy-pro`
-     * - LOG-8339: Migrate legacy Stripe data
+     * Grandfathered Pro plan ID deprecated from 2024-11.
+     * Use {@link Pro202411} instead.
      */
-    Hobby = "hobby",
     Pro = "pro",
-    Enterprise = "enterprise",
-    /**
-     * @deprecated
-     * Should not use this plan ID, we only use this tag as a record for the legacy `pro` plan since we will rename the `hobby` plan to be `pro`.
-     */
-    GrandfatheredPro = "grandfathered-pro",
     Development = "dev",
     /**
      * This plan ID is reserved for Admin tenant.
      * In our new pricing model, we plan to add a special plan for Admin tenant, previously, admin tenant is using the `pro` plan, which is not suitable.
      */
-    Admin = "admin"
+    Admin = "admin",
+    /**
+     * The latest Pro plan ID applied from 2024-11.
+     */
+    Pro202411 = "pro-202411"
+}
+/**
+ * Tenant subscription related Redis cache keys.
+ *
+ * We use Redis to cache the tenant subscription data to reduce the number of requests to the Cloud.
+ * Both @logto/core and @logto/cloud will need to access the cache, so we define the cache keys here as the SSOT.
+ */
+export declare enum SubscriptionRedisCacheKey {
+    Subscription = "subscription"
 }

package/lib/consts/subscriptions.js

@@ -9,26 +9,28 @@ export var ReservedPlanId;
     ReservedPlanId["Free"] = "free";
     /**
      * @deprecated
-     * In recent refactoring, the `hobby` plan is now treated as the `pro` plan.
-     * Only use this plan ID to check if a plan is a `pro` plan or not.
-     * This plan ID will be renamed to `pro` after legacy Stripe data is migrated by @darcyYe
-     *
-     * Todo @darcyYe:
-     * - LOG-7846: Rename `hobby` to `pro` and `pro` to `legacy-pro`
-     * - LOG-8339: Migrate legacy Stripe data
+     * Grandfathered Pro plan ID deprecated from 2024-11.
+     * Use {@link Pro202411} instead.
      */
-    ReservedPlanId["Hobby"] = "hobby";
     ReservedPlanId["Pro"] = "pro";
-    ReservedPlanId["Enterprise"] = "enterprise";
-    /**
-     * @deprecated
-     * Should not use this plan ID, we only use this tag as a record for the legacy `pro` plan since we will rename the `hobby` plan to be `pro`.
-     */
-    ReservedPlanId["GrandfatheredPro"] = "grandfathered-pro";
     ReservedPlanId["Development"] = "dev";
     /**
      * This plan ID is reserved for Admin tenant.
      * In our new pricing model, we plan to add a special plan for Admin tenant, previously, admin tenant is using the `pro` plan, which is not suitable.
      */
     ReservedPlanId["Admin"] = "admin";
+    /**
+     * The latest Pro plan ID applied from 2024-11.
+     */
+    ReservedPlanId["Pro202411"] = "pro-202411";
 })(ReservedPlanId || (ReservedPlanId = {}));
+/**
+ * Tenant subscription related Redis cache keys.
+ *
+ * We use Redis to cache the tenant subscription data to reduce the number of requests to the Cloud.
+ * Both @logto/core and @logto/cloud will need to access the cache, so we define the cache keys here as the SSOT.
+ */
+export var SubscriptionRedisCacheKey;
+(function (SubscriptionRedisCacheKey) {
+    SubscriptionRedisCacheKey["Subscription"] = "subscription";
+})(SubscriptionRedisCacheKey || (SubscriptionRedisCacheKey = {}));

package/lib/db-entries/index.d.ts

@@ -44,6 +44,7 @@ export * from './role.js';
 export * from './roles-scope.js';
 export * from './saml-application-config.js';
 export * from './saml-application-secret.js';
+export * from './saml-application-session.js';
 export * from './scope.js';
 export * from './sentinel-activity.js';
 export * from './service-log.js';

package/lib/db-entries/index.js

@@ -45,6 +45,7 @@ export * from './role.js';
 export * from './roles-scope.js';
 export * from './saml-application-config.js';
 export * from './saml-application-secret.js';
+export * from './saml-application-session.js';
 export * from './scope.js';
 export * from './sentinel-activity.js';
 export * from './service-log.js';

package/lib/db-entries/saml-application-config.d.ts

@@ -1 +1,24 @@
-export {};
+import { SamlAttributeMapping, SamlAcsUrl, GeneratedSchema } from './../foundations/index.js';
+/**
+ * The SAML application config and SAML-type application have a one-to-one correspondence: 1. a SAML-type application can only have one SAML application config. (CANNOT use "semicolon" in comments, since it indicates the end of query.) 2. a SAML application config can only configure one SAML-type application.
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link SamlApplicationConfig} for the original type.
+ */
+export type CreateSamlApplicationConfig = {
+    applicationId: string;
+    tenantId?: string;
+    attributeMapping?: SamlAttributeMapping;
+    entityId?: string | null;
+    acsUrl?: SamlAcsUrl | null;
+};
+/** The SAML application config and SAML-type application have a one-to-one correspondence: 1. a SAML-type application can only have one SAML application config. (CANNOT use "semicolon" in comments, since it indicates the end of query.) 2. a SAML application config can only configure one SAML-type application. */
+export type SamlApplicationConfig = {
+    applicationId: string;
+    tenantId: string;
+    attributeMapping: SamlAttributeMapping;
+    entityId: string | null;
+    acsUrl: SamlAcsUrl | null;
+};
+export type SamlApplicationConfigKeys = 'applicationId' | 'tenantId' | 'attributeMapping' | 'entityId' | 'acsUrl';
+export declare const SamlApplicationConfigs: GeneratedSchema<SamlApplicationConfigKeys, CreateSamlApplicationConfig, SamlApplicationConfig, 'saml_application_configs', 'saml_application_config'>;

package/lib/db-entries/saml-application-config.js

@@ -1,2 +1,38 @@
 // THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
-export {};
+import { z } from 'zod';
+import { samlAttributeMappingGuard, samlAcsUrlGuard } from './../foundations/index.js';
+const createGuard = z.object({
+    applicationId: z.string().min(1).max(21),
+    tenantId: z.string().max(21).optional(),
+    attributeMapping: samlAttributeMappingGuard.optional(),
+    entityId: z.string().max(128).nullable().optional(),
+    acsUrl: samlAcsUrlGuard.nullable().optional(),
+});
+const guard = z.object({
+    applicationId: z.string().min(1).max(21),
+    tenantId: z.string().max(21),
+    attributeMapping: samlAttributeMappingGuard,
+    entityId: z.string().max(128).nullable(),
+    acsUrl: samlAcsUrlGuard.nullable(),
+});
+export const SamlApplicationConfigs = Object.freeze({
+    table: 'saml_application_configs',
+    tableSingular: 'saml_application_config',
+    fields: {
+        applicationId: 'application_id',
+        tenantId: 'tenant_id',
+        attributeMapping: 'attribute_mapping',
+        entityId: 'entity_id',
+        acsUrl: 'acs_url',
+    },
+    fieldKeys: [
+        'applicationId',
+        'tenantId',
+        'attributeMapping',
+        'entityId',
+        'acsUrl',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});

package/lib/db-entries/saml-application-session.d.ts

@@ -0,0 +1,40 @@
+import { GeneratedSchema } from './../foundations/index.js';
+/**
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link SamlApplicationSession} for the original type.
+ */
+export type CreateSamlApplicationSession = {
+    tenantId?: string;
+    /** The globally unique identifier of the session. */
+    id: string;
+    applicationId: string;
+    /** The identifier of the SAML SSO auth request ID, SAML request ID is pretty long. */
+    samlRequestId: string;
+    /** The identifier of the OIDC auth request state. */
+    oidcState?: string | null;
+    /** The relay state of the SAML auth request. */
+    relayState?: string | null;
+    /** The raw request of the SAML auth request. */
+    rawAuthRequest: string;
+    createdAt?: number;
+    expiresAt: number;
+};
+export type SamlApplicationSession = {
+    tenantId: string;
+    /** The globally unique identifier of the session. */
+    id: string;
+    applicationId: string;
+    /** The identifier of the SAML SSO auth request ID, SAML request ID is pretty long. */
+    samlRequestId: string;
+    /** The identifier of the OIDC auth request state. */
+    oidcState: string | null;
+    /** The relay state of the SAML auth request. */
+    relayState: string | null;
+    /** The raw request of the SAML auth request. */
+    rawAuthRequest: string;
+    createdAt: number;
+    expiresAt: number;
+};
+export type SamlApplicationSessionKeys = 'tenantId' | 'id' | 'applicationId' | 'samlRequestId' | 'oidcState' | 'relayState' | 'rawAuthRequest' | 'createdAt' | 'expiresAt';
+export declare const SamlApplicationSessions: GeneratedSchema<SamlApplicationSessionKeys, CreateSamlApplicationSession, SamlApplicationSession, 'saml_application_sessions', 'saml_application_session'>;

package/lib/db-entries/saml-application-session.js

@@ -0,0 +1,53 @@
+// THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+import { z } from 'zod';
+const createGuard = z.object({
+    tenantId: z.string().max(21).optional(),
+    id: z.string().min(1).max(32),
+    applicationId: z.string().min(1).max(21),
+    samlRequestId: z.string().min(1).max(128),
+    oidcState: z.string().max(32).nullable().optional(),
+    relayState: z.string().max(256).nullable().optional(),
+    rawAuthRequest: z.string().min(1),
+    createdAt: z.number().optional(),
+    expiresAt: z.number(),
+});
+const guard = z.object({
+    tenantId: z.string().max(21),
+    id: z.string().min(1).max(32),
+    applicationId: z.string().min(1).max(21),
+    samlRequestId: z.string().min(1).max(128),
+    oidcState: z.string().max(32).nullable(),
+    relayState: z.string().max(256).nullable(),
+    rawAuthRequest: z.string().min(1),
+    createdAt: z.number(),
+    expiresAt: z.number(),
+});
+export const SamlApplicationSessions = Object.freeze({
+    table: 'saml_application_sessions',
+    tableSingular: 'saml_application_session',
+    fields: {
+        tenantId: 'tenant_id',
+        id: 'id',
+        applicationId: 'application_id',
+        samlRequestId: 'saml_request_id',
+        oidcState: 'oidc_state',
+        relayState: 'relay_state',
+        rawAuthRequest: 'raw_auth_request',
+        createdAt: 'created_at',
+        expiresAt: 'expires_at',
+    },
+    fieldKeys: [
+        'tenantId',
+        'id',
+        'applicationId',
+        'samlRequestId',
+        'oidcState',
+        'relayState',
+        'rawAuthRequest',
+        'createdAt',
+        'expiresAt',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});

package/lib/foundations/jsonb-types/index.d.ts

@@ -11,5 +11,6 @@ export * from './applications.js';
 export * from './verification-records.js';
 export * from './account-centers.js';
 export * from './saml-application-configs.js';
+export * from './saml-application-sessions.js';
 export { configurableConnectorMetadataGuard, type ConfigurableConnectorMetadata, jsonGuard, jsonObjectGuard, } from '@logto/connector-kit';
 export type { Json, JsonObject } from '@withtyped/server';

package/lib/foundations/jsonb-types/index.js

@@ -11,4 +11,5 @@ export * from './applications.js';
 export * from './verification-records.js';
 export * from './account-centers.js';
 export * from './saml-application-configs.js';
+export * from './saml-application-sessions.js';
 export { configurableConnectorMetadataGuard, jsonGuard, jsonObjectGuard, } from '@logto/connector-kit';

package/lib/foundations/jsonb-types/saml-application-configs.d.ts

@@ -2,11 +2,11 @@ import { z } from 'zod';
 export type SamlAttributeMapping = Record<string, string>;
 export declare const samlAttributeMappingGuard: z.ZodRecord<z.ZodString, z.ZodString>;
 export declare enum BindingType {
-    POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-    REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+    Post = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+    Redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 }
 export type SamlAcsUrl = {
-    binding?: BindingType;
+    binding: BindingType;
     url: string;
 };
 export declare const samlAcsUrlGuard: z.ZodObject<{

package/lib/foundations/jsonb-types/saml-application-configs.js

@@ -2,10 +2,10 @@ import { z } from 'zod';
 export const samlAttributeMappingGuard = z.record(z.string());
 export var BindingType;
 (function (BindingType) {
-    BindingType["POST"] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
-    BindingType["REDIRECT"] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
+    BindingType["Post"] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
+    BindingType["Redirect"] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
 })(BindingType || (BindingType = {}));
 export const samlAcsUrlGuard = z.object({
     binding: z.nativeEnum(BindingType),
-    url: z.string(),
+    url: z.string().url(),
 });

package/lib/foundations/jsonb-types/saml-application-sessions.d.ts

@@ -0,0 +1,45 @@
+import { z } from 'zod';
+export type AuthRequestInfo = {
+    issuer: string;
+    request: {
+        id: string;
+        destination: string;
+        issueInstant: string;
+        assertionConsumerServiceUrl: string;
+    };
+};
+export declare const authRequestInfoGuard: z.ZodObject<{
+    issuer: z.ZodString;
+    request: z.ZodObject<{
+        id: z.ZodString;
+        destination: z.ZodString;
+        issueInstant: z.ZodString;
+        assertionConsumerServiceUrl: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        id: string;
+        destination: string;
+        issueInstant: string;
+        assertionConsumerServiceUrl: string;
+    }, {
+        id: string;
+        destination: string;
+        issueInstant: string;
+        assertionConsumerServiceUrl: string;
+    }>;
+}, "strip", z.ZodTypeAny, {
+    issuer: string;
+    request: {
+        id: string;
+        destination: string;
+        issueInstant: string;
+        assertionConsumerServiceUrl: string;
+    };
+}, {
+    issuer: string;
+    request: {
+        id: string;
+        destination: string;
+        issueInstant: string;
+        assertionConsumerServiceUrl: string;
+    };
+}>;

package/lib/foundations/jsonb-types/saml-application-sessions.js

@@ -0,0 +1,10 @@
+import { z } from 'zod';
+export const authRequestInfoGuard = z.object({
+    issuer: z.string(),
+    request: z.object({
+        id: z.string(),
+        destination: z.string(),
+        issueInstant: z.string(),
+        assertionConsumerServiceUrl: z.string(),
+    }),
+});

package/lib/foundations/jsonb-types/sign-in-experience.d.ts

@@ -142,8 +142,16 @@ export declare enum MfaFactor {
 export declare const mfaFactorsGuard: z.ZodArray<z.ZodNativeEnum<typeof MfaFactor>, "many">;
 export type MfaFactors = z.infer<typeof mfaFactorsGuard>;
 export declare enum MfaPolicy {
+    /** @deprecated, use `PromptAtSignInAndSignUp` instead */
     UserControlled = "UserControlled",
-    Mandatory = "Mandatory"
+    /** MFA is required for all users */
+    Mandatory = "Mandatory",
+    /** Ask users to set up MFA on their sign-in after registration (skippable, one-time prompt) */
+    PromptOnlyAtSignIn = "PromptOnlyAtSignIn",
+    /** Ask users to set up MFA during registration (skippable, one-time prompt) */
+    PromptAtSignInAndSignUp = "PromptAtSignInAndSignUp",
+    /** Do not ask users to set up MFA */
+    NoPrompt = "NoPrompt"
 }
 export declare const mfaGuard: z.ZodObject<{
     factors: z.ZodArray<z.ZodNativeEnum<typeof MfaFactor>, "many">;

package/lib/foundations/jsonb-types/sign-in-experience.js

@@ -65,8 +65,16 @@ export var MfaFactor;
 export const mfaFactorsGuard = z.nativeEnum(MfaFactor).array();
 export var MfaPolicy;
 (function (MfaPolicy) {
+    /** @deprecated, use `PromptAtSignInAndSignUp` instead */
     MfaPolicy["UserControlled"] = "UserControlled";
+    /** MFA is required for all users */
     MfaPolicy["Mandatory"] = "Mandatory";
+    /** Ask users to set up MFA on their sign-in after registration (skippable, one-time prompt) */
+    MfaPolicy["PromptOnlyAtSignIn"] = "PromptOnlyAtSignIn";
+    /** Ask users to set up MFA during registration (skippable, one-time prompt) */
+    MfaPolicy["PromptAtSignInAndSignUp"] = "PromptAtSignInAndSignUp";
+    /** Do not ask users to set up MFA */
+    MfaPolicy["NoPrompt"] = "NoPrompt";
 })(MfaPolicy || (MfaPolicy = {}));
 export const mfaGuard = z.object({
     factors: mfaFactorsGuard,

package/lib/types/index.d.ts

@@ -30,3 +30,4 @@ export * from './onboarding.js';
 export * from './sign-in-experience.js';
 export * from './subject-token.js';
 export * from './ssr.js';
+export * from './saml-application.js';

package/lib/types/index.js

@@ -30,3 +30,4 @@ export * from './onboarding.js';
 export * from './sign-in-experience.js';
 export * from './subject-token.js';
 export * from './ssr.js';
+export * from './saml-application.js';

package/lib/types/saml-application.d.ts

@@ -0,0 +1,493 @@
+import { z } from 'zod';
+export declare const samlApplicationCreateGuard: z.ZodObject<z.objectUtil.extendShape<Pick<z.objectUtil.extendShape<{
+    type: z.ZodOptional<z.ZodType<import("../index.js").ApplicationType, z.ZodTypeDef, import("../index.js").ApplicationType>>;
+    name: z.ZodOptional<z.ZodType<string, z.ZodTypeDef, string>>;
+    customData: z.ZodOptional<z.ZodOptional<z.ZodType<import("@withtyped/server").JsonObject, z.ZodTypeDef, import("@withtyped/server").JsonObject>>>;
+    description: z.ZodOptional<z.ZodOptional<z.ZodType<string | null, z.ZodTypeDef, string | null>>>;
+    oidcClientMetadata: z.ZodOptional<z.ZodType<import("../index.js").OidcClientMetadata, z.ZodTypeDef, import("../index.js").OidcClientMetadata>>;
+    customClientMetadata: z.ZodOptional<z.ZodOptional<z.ZodType<{
+        corsAllowedOrigins?: string[] | undefined;
+        idTokenTtl?: number | undefined;
+        refreshTokenTtl?: number | undefined;
+        refreshTokenTtlInDays?: number | undefined;
+        tenantId?: string | undefined;
+        alwaysIssueRefreshToken?: boolean | undefined;
+        rotateRefreshToken?: boolean | undefined;
+    }, z.ZodTypeDef, {
+        corsAllowedOrigins?: string[] | undefined;
+        idTokenTtl?: number | undefined;
+        refreshTokenTtl?: number | undefined;
+        refreshTokenTtlInDays?: number | undefined;
+        tenantId?: string | undefined;
+        alwaysIssueRefreshToken?: boolean | undefined;
+        rotateRefreshToken?: boolean | undefined;
+    }>>>;
+    protectedAppMetadata: z.ZodOptional<z.ZodOptional<z.ZodType<{
+        host: string;
+        origin: string;
+        sessionDuration: number;
+        pageRules: {
+            path: string;
+        }[];
+        customDomains?: {
+            status: import("../index.js").DomainStatus;
+            domain: string;
+            errorMessage: string | null;
+            dnsRecords: {
+                type: string;
+                value: string;
+                name: string;
+            }[];
+            cloudflareData: {
+                status: string;
+                id: string;
+                ssl: {
+                    status: string;
+                    validation_errors?: {
+                        message: string;
+                    }[] | undefined;
+                };
+                verification_errors?: string[] | undefined;
+            } | null;
+        }[] | undefined;
+    } | null, z.ZodTypeDef, {
+        host: string;
+        origin: string;
+        sessionDuration: number;
+        pageRules: {
+            path: string;
+        }[];
+        customDomains?: {
+            status: import("../index.js").DomainStatus;
+            domain: string;
+            errorMessage: string | null;
+            dnsRecords: {
+                type: string;
+                value: string;
+                name: string;
+            }[];
+            cloudflareData: {
+                status: string;
+                id: string;
+                ssl: {
+                    status: string;
+                    validation_errors?: {
+                        message: string;
+                    }[] | undefined;
+                };
+                verification_errors?: string[] | undefined;
+            } | null;
+        }[] | undefined;
+    } | null>>>;
+    isThirdParty: z.ZodOptional<z.ZodOptional<z.ZodType<boolean, z.ZodTypeDef, boolean>>>;
+}, Pick<{
+    tenantId: z.ZodOptional<z.ZodType<string, z.ZodTypeDef, string>>;
+    id: z.ZodType<string, z.ZodTypeDef, string>;
+    name: z.ZodType<string, z.ZodTypeDef, string>;
+    secret: z.ZodType<string, z.ZodTypeDef, string>;
+    description: z.ZodOptional<z.ZodType<string | null, z.ZodTypeDef, string | null>>;
+    type: z.ZodType<import("../index.js").ApplicationType, z.ZodTypeDef, import("../index.js").ApplicationType>;
+    oidcClientMetadata: z.ZodType<import("../index.js").OidcClientMetadata, z.ZodTypeDef, import("../index.js").OidcClientMetadata>;
+    customClientMetadata: z.ZodOptional<z.ZodType<{
+        corsAllowedOrigins?: string[] | undefined;
+        idTokenTtl?: number | undefined;
+        refreshTokenTtl?: number | undefined;
+        refreshTokenTtlInDays?: number | undefined;
+        tenantId?: string | undefined;
+        alwaysIssueRefreshToken?: boolean | undefined;
+        rotateRefreshToken?: boolean | undefined;
+    }, z.ZodTypeDef, {
+        corsAllowedOrigins?: string[] | undefined;
+        idTokenTtl?: number | undefined;
+        refreshTokenTtl?: number | undefined;
+        refreshTokenTtlInDays?: number | undefined;
+        tenantId?: string | undefined;
+        alwaysIssueRefreshToken?: boolean | undefined;
+        rotateRefreshToken?: boolean | undefined;
+    }>>;
+    protectedAppMetadata: z.ZodOptional<z.ZodType<{
+        host: string;
+        origin: string;
+        sessionDuration: number;
+        pageRules: {
+            path: string;
+        }[];
+        customDomains?: {
+            status: import("../index.js").DomainStatus;
+            domain: string;
+            errorMessage: string | null;
+            dnsRecords: {
+                type: string;
+                value: string;
+                name: string;
+            }[];
+            cloudflareData: {
+                status: string;
+                id: string;
+                ssl: {
+                    status: string;
+                    validation_errors?: {
+                        message: string;
+                    }[] | undefined;
+                };
+                verification_errors?: string[] | undefined;
+            } | null;
+        }[] | undefined;
+    } | null, z.ZodTypeDef, {
+        host: string;
+        origin: string;
+        sessionDuration: number;
+        pageRules: {
+            path: string;
+        }[];
+        customDomains?: {
+            status: import("../index.js").DomainStatus;
+            domain: string;
+            errorMessage: string | null;
+            dnsRecords: {
+                type: string;
+                value: string;
+                name: string;
+            }[];
+            cloudflareData: {
+                status: string;
+                id: string;
+                ssl: {
+                    status: string;
+                    validation_errors?: {
+                        message: string;
+                    }[] | undefined;
+                };
+                verification_errors?: string[] | undefined;
+            } | null;
+        }[] | undefined;
+    } | null>>;
+    customData: z.ZodOptional<z.ZodType<import("@withtyped/server").JsonObject, z.ZodTypeDef, import("@withtyped/server").JsonObject>>;
+    isThirdParty: z.ZodOptional<z.ZodType<boolean, z.ZodTypeDef, boolean>>;
+    createdAt: z.ZodOptional<z.ZodType<number, z.ZodTypeDef, number>>;
+}, "type" | "name">>, "name" | "customData" | "description">, {
+    attributeMapping: z.ZodOptional<z.ZodType<import("../index.js").SamlAttributeMapping, z.ZodTypeDef, import("../index.js").SamlAttributeMapping>>;
+    entityId: z.ZodOptional<z.ZodType<string | null, z.ZodTypeDef, string | null>>;
+    acsUrl: z.ZodOptional<z.ZodType<import("../index.js").SamlAcsUrl | null, z.ZodTypeDef, import("../index.js").SamlAcsUrl | null>>;
+}>, "strip", z.ZodTypeAny, {
+    name: string;
+    customData?: import("@withtyped/server").JsonObject;
+    description?: string | null;
+    attributeMapping?: import("../index.js").SamlAttributeMapping | undefined;
+    entityId?: string | null | undefined;
+    acsUrl?: import("../index.js").SamlAcsUrl | null | undefined;
+}, {
+    name: string;
+    customData?: import("@withtyped/server").JsonObject;
+    description?: string | null;
+    attributeMapping?: import("../index.js").SamlAttributeMapping | undefined;
+    entityId?: string | null | undefined;
+    acsUrl?: import("../index.js").SamlAcsUrl | null | undefined;
+}>;
+export type CreateSamlApplication = z.infer<typeof samlApplicationCreateGuard>;
+export declare const samlApplicationPatchGuard: z.ZodObject<z.objectUtil.extendShape<Pick<Omit<{
+    customData: z.ZodOptional<z.ZodOptional<z.ZodOptional<z.ZodType<import("@withtyped/server").JsonObject, z.ZodTypeDef, import("@withtyped/server").JsonObject>>>>;
+    description: z.ZodOptional<z.ZodOptional<z.ZodOptional<z.ZodType<string | null, z.ZodTypeDef, string | null>>>>;
+    oidcClientMetadata: z.ZodOptional<z.ZodOptional<z.ZodType<import("../index.js").OidcClientMetadata, z.ZodTypeDef, import("../index.js").OidcClientMetadata>>>;
+    customClientMetadata: z.ZodOptional<z.ZodOptional<z.ZodOptional<z.ZodType<{
+        corsAllowedOrigins?: string[] | undefined;
+        idTokenTtl?: number | undefined;
+        refreshTokenTtl?: number | undefined;
+        refreshTokenTtlInDays?: number | undefined;
+        tenantId?: string | undefined;
+        alwaysIssueRefreshToken?: boolean | undefined;
+        rotateRefreshToken?: boolean | undefined;
+    }, z.ZodTypeDef, {
+        corsAllowedOrigins?: string[] | undefined;
+        idTokenTtl?: number | undefined;
+        refreshTokenTtl?: number | undefined;
+        refreshTokenTtlInDays?: number | undefined;
+        tenantId?: string | undefined;
+        alwaysIssueRefreshToken?: boolean | undefined;
+        rotateRefreshToken?: boolean | undefined;
+    }>>>>;
+    protectedAppMetadata: z.ZodOptional<z.ZodOptional<z.ZodOptional<z.ZodType<{
+        host: string;
+        origin: string;
+        sessionDuration: number;
+        pageRules: {
+            path: string;
+        }[];
+        customDomains?: {
+            status: import("../index.js").DomainStatus;
+            domain: string;
+            errorMessage: string | null;
+            dnsRecords: {
+                type: string;
+                value: string;
+                name: string;
+            }[];
+            cloudflareData: {
+                status: string;
+                id: string;
+                ssl: {
+                    status: string;
+                    validation_errors?: {
+                        message: string;
+                    }[] | undefined;
+                };
+                verification_errors?: string[] | undefined;
+            } | null;
+        }[] | undefined;
+    } | null, z.ZodTypeDef, {
+        host: string;
+        origin: string;
+        sessionDuration: number;
+        pageRules: {
+            path: string;
+        }[];
+        customDomains?: {
+            status: import("../index.js").DomainStatus;
+            domain: string;
+            errorMessage: string | null;
+            dnsRecords: {
+                type: string;
+                value: string;
+                name: string;
+            }[];
+            cloudflareData: {
+                status: string;
+                id: string;
+                ssl: {
+                    status: string;
+                    validation_errors?: {
+                        message: string;
+                    }[] | undefined;
+                };
+                verification_errors?: string[] | undefined;
+            } | null;
+        }[] | undefined;
+    } | null>>>>;
+    isThirdParty: z.ZodOptional<z.ZodOptional<z.ZodOptional<z.ZodType<boolean, z.ZodTypeDef, boolean>>>>;
+    type: z.ZodOptional<z.ZodType<import("../index.js").ApplicationType, z.ZodTypeDef, import("../index.js").ApplicationType>>;
+    name: z.ZodOptional<z.ZodType<string, z.ZodTypeDef, string>>;
+}, "type" | "isThirdParty">, "name" | "customData" | "description">, {
+    attributeMapping: z.ZodOptional<z.ZodType<import("../index.js").SamlAttributeMapping, z.ZodTypeDef, import("../index.js").SamlAttributeMapping>>;
+    entityId: z.ZodOptional<z.ZodType<string | null, z.ZodTypeDef, string | null>>;
+    acsUrl: z.ZodOptional<z.ZodType<import("../index.js").SamlAcsUrl | null, z.ZodTypeDef, import("../index.js").SamlAcsUrl | null>>;
+}>, "strip", z.ZodTypeAny, {
+    name?: string | undefined;
+    customData?: import("@withtyped/server").JsonObject;
+    description?: string | null;
+    attributeMapping?: import("../index.js").SamlAttributeMapping | undefined;
+    entityId?: string | null | undefined;
+    acsUrl?: import("../index.js").SamlAcsUrl | null | undefined;
+}, {
+    name?: string | undefined;
+    customData?: import("@withtyped/server").JsonObject;
+    description?: string | null;
+    attributeMapping?: import("../index.js").SamlAttributeMapping | undefined;
+    entityId?: string | null | undefined;
+    acsUrl?: import("../index.js").SamlAcsUrl | null | undefined;
+}>;
+export type PatchSamlApplication = z.infer<typeof samlApplicationPatchGuard>;
+export declare const samlApplicationResponseGuard: z.ZodObject<z.objectUtil.extendShape<Omit<{
+    tenantId: z.ZodType<string, z.ZodTypeDef, string>;
+    id: z.ZodType<string, z.ZodTypeDef, string>;
+    name: z.ZodType<string, z.ZodTypeDef, string>;
+    secret: z.ZodType<string, z.ZodTypeDef, string>;
+    description: z.ZodType<string | null, z.ZodTypeDef, string | null>;
+    type: z.ZodType<import("../index.js").ApplicationType, z.ZodTypeDef, import("../index.js").ApplicationType>;
+    oidcClientMetadata: z.ZodType<import("../index.js").OidcClientMetadata, z.ZodTypeDef, import("../index.js").OidcClientMetadata>;
+    customClientMetadata: z.ZodType<{
+        corsAllowedOrigins?: string[] | undefined;
+        idTokenTtl?: number | undefined;
+        refreshTokenTtl?: number | undefined;
+        refreshTokenTtlInDays?: number | undefined;
+        tenantId?: string | undefined;
+        alwaysIssueRefreshToken?: boolean | undefined;
+        rotateRefreshToken?: boolean | undefined;
+    }, z.ZodTypeDef, {
+        corsAllowedOrigins?: string[] | undefined;
+        idTokenTtl?: number | undefined;
+        refreshTokenTtl?: number | undefined;
+        refreshTokenTtlInDays?: number | undefined;
+        tenantId?: string | undefined;
+        alwaysIssueRefreshToken?: boolean | undefined;
+        rotateRefreshToken?: boolean | undefined;
+    }>;
+    protectedAppMetadata: z.ZodType<{
+        host: string;
+        origin: string;
+        sessionDuration: number;
+        pageRules: {
+            path: string;
+        }[];
+        customDomains?: {
+            status: import("../index.js").DomainStatus;
+            domain: string;
+            errorMessage: string | null;
+            dnsRecords: {
+                type: string;
+                value: string;
+                name: string;
+            }[];
+            cloudflareData: {
+                status: string;
+                id: string;
+                ssl: {
+                    status: string;
+                    validation_errors?: {
+                        message: string;
+                    }[] | undefined;
+                };
+                verification_errors?: string[] | undefined;
+            } | null;
+        }[] | undefined;
+    } | null, z.ZodTypeDef, {
+        host: string;
+        origin: string;
+        sessionDuration: number;
+        pageRules: {
+            path: string;
+        }[];
+        customDomains?: {
+            status: import("../index.js").DomainStatus;
+            domain: string;
+            errorMessage: string | null;
+            dnsRecords: {
+                type: string;
+                value: string;
+                name: string;
+            }[];
+            cloudflareData: {
+                status: string;
+                id: string;
+                ssl: {
+                    status: string;
+                    validation_errors?: {
+                        message: string;
+                    }[] | undefined;
+                };
+                verification_errors?: string[] | undefined;
+            } | null;
+        }[] | undefined;
+    } | null>;
+    customData: z.ZodType<import("@withtyped/server").JsonObject, z.ZodTypeDef, import("@withtyped/server").JsonObject>;
+    isThirdParty: z.ZodType<boolean, z.ZodTypeDef, boolean>;
+    createdAt: z.ZodType<number, z.ZodTypeDef, number>;
+}, "secret" | "oidcClientMetadata" | "customClientMetadata" | "protectedAppMetadata">, Pick<{
+    applicationId: z.ZodType<string, z.ZodTypeDef, string>;
+    tenantId: z.ZodType<string, z.ZodTypeDef, string>;
+    attributeMapping: z.ZodType<import("../index.js").SamlAttributeMapping, z.ZodTypeDef, import("../index.js").SamlAttributeMapping>;
+    entityId: z.ZodType<string | null, z.ZodTypeDef, string | null>;
+    acsUrl: z.ZodType<import("../index.js").SamlAcsUrl | null, z.ZodTypeDef, import("../index.js").SamlAcsUrl | null>;
+}, "attributeMapping" | "entityId" | "acsUrl">>, "strip", z.ZodTypeAny, {
+    type: import("../index.js").ApplicationType;
+    name: string;
+    id: string;
+    tenantId: string;
+    createdAt: number;
+    customData: import("@withtyped/server").JsonObject;
+    description: string | null;
+    isThirdParty: boolean;
+    attributeMapping: import("../index.js").SamlAttributeMapping;
+    entityId: string | null;
+    acsUrl: import("../index.js").SamlAcsUrl | null;
+}, {
+    type: import("../index.js").ApplicationType;
+    name: string;
+    id: string;
+    tenantId: string;
+    createdAt: number;
+    customData: import("@withtyped/server").JsonObject;
+    description: string | null;
+    isThirdParty: boolean;
+    attributeMapping: import("../index.js").SamlAttributeMapping;
+    entityId: string | null;
+    acsUrl: import("../index.js").SamlAcsUrl | null;
+}>;
+export type SamlApplicationResponse = z.infer<typeof samlApplicationResponseGuard>;
+type FingerprintFormat = {
+    formatted: string;
+    unformatted: string;
+};
+export type CertificateFingerprints = {
+    sha256: FingerprintFormat;
+};
+export declare const certificateFingerprintsGuard: z.ZodObject<{
+    sha256: z.ZodObject<{
+        formatted: z.ZodString;
+        unformatted: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        formatted: string;
+        unformatted: string;
+    }, {
+        formatted: string;
+        unformatted: string;
+    }>;
+}, "strip", z.ZodTypeAny, {
+    sha256: {
+        formatted: string;
+        unformatted: string;
+    };
+}, {
+    sha256: {
+        formatted: string;
+        unformatted: string;
+    };
+}>;
+export declare const samlApplicationSecretResponseGuard: z.ZodObject<z.objectUtil.extendShape<Omit<{
+    id: z.ZodType<string, z.ZodTypeDef, string>;
+    tenantId: z.ZodType<string, z.ZodTypeDef, string>;
+    applicationId: z.ZodType<string, z.ZodTypeDef, string>;
+    privateKey: z.ZodType<string, z.ZodTypeDef, string>;
+    certificate: z.ZodType<string, z.ZodTypeDef, string>;
+    createdAt: z.ZodType<number, z.ZodTypeDef, number>;
+    expiresAt: z.ZodType<number, z.ZodTypeDef, number>;
+    active: z.ZodType<boolean, z.ZodTypeDef, boolean>;
+}, "applicationId" | "tenantId" | "privateKey">, {
+    fingerprints: z.ZodObject<{
+        sha256: z.ZodObject<{
+            formatted: z.ZodString;
+            unformatted: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            formatted: string;
+            unformatted: string;
+        }, {
+            formatted: string;
+            unformatted: string;
+        }>;
+    }, "strip", z.ZodTypeAny, {
+        sha256: {
+            formatted: string;
+            unformatted: string;
+        };
+    }, {
+        sha256: {
+            formatted: string;
+            unformatted: string;
+        };
+    }>;
+}>, "strip", z.ZodTypeAny, {
+    id: string;
+    createdAt: number;
+    expiresAt: number;
+    certificate: string;
+    active: boolean;
+    fingerprints: {
+        sha256: {
+            formatted: string;
+            unformatted: string;
+        };
+    };
+}, {
+    id: string;
+    createdAt: number;
+    expiresAt: number;
+    certificate: string;
+    active: boolean;
+    fingerprints: {
+        sha256: {
+            formatted: string;
+            unformatted: string;
+        };
+    };
+}>;
+export type SamlApplicationSecretResponse = z.infer<typeof samlApplicationSecretResponseGuard>;
+export {};

package/lib/types/saml-application.js

@@ -0,0 +1,54 @@
+import { z } from 'zod';
+import { Applications } from '../db-entries/application.js';
+import { SamlApplicationConfigs } from '../db-entries/saml-application-config.js';
+import { SamlApplicationSecrets } from '../db-entries/saml-application-secret.js';
+import { applicationCreateGuard, applicationPatchGuard } from './application.js';
+const samlAppConfigGuard = SamlApplicationConfigs.guard.pick({
+    attributeMapping: true,
+    entityId: true,
+    acsUrl: true,
+});
+export const samlApplicationCreateGuard = applicationCreateGuard
+    .pick({
+    name: true,
+    description: true,
+    customData: true,
+})
+    // The reason for encapsulating attributeMapping and spMetadata into an object within the config field is that you cannot provide only one of `attributeMapping` or `spMetadata`. Due to the structure of the `saml_application_configs` table, both must be not null.
+    .merge(samlAppConfigGuard.partial());
+export const samlApplicationPatchGuard = applicationPatchGuard
+    .pick({
+    name: true,
+    description: true,
+    customData: true,
+})
+    // The reason for encapsulating attributeMapping and spMetadata into an object within the config field is that you cannot provide only one of `attributeMapping` or `spMetadata`. Due to the structure of the `saml_application_configs` table, both must be not null.
+    .merge(samlAppConfigGuard.partial());
+export const samlApplicationResponseGuard = Applications.guard
+    .omit({
+    secret: true,
+    oidcClientMetadata: true,
+    customClientMetadata: true,
+    protectedAppMetadata: true,
+})
+    .merge(
+// Partial to allow the optional fields to be omitted in the response.
+// When starting to create a SAML application, SAML configuration is optional, which can lead to the absence of SAML configuration.
+samlAppConfigGuard);
+const fingerprintFormatGuard = z.object({
+    formatted: z.string(),
+    unformatted: z.string(),
+});
+export const certificateFingerprintsGuard = z.object({
+    sha256: fingerprintFormatGuard,
+});
+// Make sure the `privateKey` is not exposed in the response.
+export const samlApplicationSecretResponseGuard = SamlApplicationSecrets.guard
+    .omit({
+    tenantId: true,
+    applicationId: true,
+    privateKey: true,
+})
+    .extend({
+    fingerprints: certificateFingerprintsGuard,
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.22.0",
+  "version": "1.23.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -31,7 +31,7 @@
     "@types/inquirer": "^9.0.0",
     "@types/node": "^20.9.5",
     "@types/pluralize": "^0.0.33",
-    "@vitest/coverage-v8": "^2.0.0",
+    "@vitest/coverage-v8": "^2.1.8",
     "camelcase": "^8.0.0",
     "chalk": "^5.3.0",
     "eslint": "^8.56.0",
@@ -40,7 +40,7 @@
     "prettier": "^3.0.0",
     "roarr": "^7.11.0",
     "typescript": "^5.5.3",
-    "vitest": "^2.0.0"
+    "vitest": "^2.1.8"
   },
   "eslintConfig": {
     "extends": "@silverhand",
@@ -64,13 +64,13 @@
   "prettier": "@silverhand/eslint-config/.prettierrc",
   "dependencies": {
     "@logto/connector-kit": "^4.1.0",
-    "@logto/core-kit": "^2.5.0",
+    "@logto/core-kit": "^2.5.2",
     "@logto/language-kit": "^1.1.0",
-    "@logto/phrases": "^1.15.0",
+    "@logto/phrases": "^1.16.0",
     "@logto/phrases-experience": "^1.9.0",
     "@logto/shared": "^3.1.2",
     "@withtyped/server": "^0.14.0",
-    "nanoid": "^5.0.1"
+    "nanoid": "^5.0.9"
   },
   "peerDependencies": {
     "zod": "^3.23.8"

package/tables/saml_application_configs.sql

@@ -1,10 +1,6 @@
 /* init_order = 2 */
 
-/**
- * The SAML application config and SAML-type application have a one-to-one correspondence:
- * - a SAML-type application can only have one SAML application config
- * - a SAML application config can only configure one SAML-type application
- */
+/** The SAML application config and SAML-type application have a one-to-one correspondence: 1. a SAML-type application can only have one SAML application config. (CANNOT use "semicolon" in comments, since it indicates the end of query.) 2. a SAML application config can only configure one SAML-type application. */
 create table saml_application_configs (
   application_id varchar(21) not null
     references applications (id) on update cascade on delete cascade,
@@ -14,6 +10,6 @@ create table saml_application_configs (
   entity_id varchar(128),
   acs_url jsonb /* @use SamlAcsUrl */,
   primary key (tenant_id, application_id),
-  constraint application_type
+  constraint saml_application_configs__application_type
     check (check_application_type(application_id, 'SAML'))
 );

package/tables/saml_application_secrets.sql

@@ -12,7 +12,7 @@ create table saml_application_secrets (
   expires_at timestamptz not null,
   active boolean not null,
   primary key (tenant_id, application_id, id),
-  constraint application_type
+  constraint saml_application_secrets__application_type
     check (check_application_type(application_id, 'SAML'))
 );
 

package/tables/saml_application_sessions.sql

@@ -0,0 +1,23 @@
+/* init_order = 2 */
+
+create table saml_application_sessions (
+  tenant_id varchar(21) not null 
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the session. */
+  id varchar(32) not null,
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** The identifier of the SAML SSO auth request ID, SAML request ID is pretty long. */
+  saml_request_id varchar(128) not null,
+  /** The identifier of the OIDC auth request state. */
+  oidc_state varchar(32),
+  /** The relay state of the SAML auth request. */
+  relay_state varchar(256),
+  /** The raw request of the SAML auth request. */
+  raw_auth_request text not null,
+  created_at timestamptz not null default(now()),
+  expires_at timestamptz not null,
+  primary key (tenant_id, id),
+  constraint saml_application_sessions__application_type 
+    check (check_application_type(application_id, 'SAML'))
+);

package/tables/sso_connector_idp_initiated_auth_configs.sql

@@ -20,5 +20,5 @@ create table sso_connector_idp_initiated_auth_configs (
   primary key (tenant_id, connector_id),
   /** Insure the application type is Traditional or SPA. */
   constraint application_type
-    check (check_application_type(default_application_id, 'Traditional', 'SPA'))
+    check (check_application_type(default_application_id, 'Traditional', 'SPA', 'SAML'))
 );