@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

package/dist/server/sso.js

@@ -1,7 +1,7 @@
 import { Fx } from "@robelest/fx";
 import { sha256 } from "@oslojs/crypto/sha2";
 import { decodeBase64urlIgnorePadding, encodeBase64urlNoPadding } from "@oslojs/encoding";
-import { createRemoteJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+import { createRemoteJWKSet, customFetch, decodeProtectedHeader, jwtVerify } from "jose";
 import { Constants, IdentityProvider, ServiceProvider, setSchemaValidator } from "@robelest/samlify";
 import { decodeIdToken } from "arctic";
 
@@ -10,20 +10,28 @@ const _samlifyPermissiveValidator = { validate: (_xml) => Promise.resolve("OK")
 function ensureSamlifyValidator() {
 	setSchemaValidator(_samlifyPermissiveValidator);
 }
+/** @internal */
 const SCIM_USER_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:User";
+/** @internal */
 const SCIM_GROUP_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:Group";
+/** @internal */
 const ENTERPRISE_OIDC_PROVIDER_PREFIX = "enterprise:oidc:";
+/** @internal */
 const ENTERPRISE_SAML_PROVIDER_PREFIX = "enterprise:saml:";
 const OIDC_JWKS_CACHE = /* @__PURE__ */ new Map();
+/** @internal */
 function normalizeDomain(domain) {
 	return domain.trim().toLowerCase().replace(/^@+/, "");
 }
+/** @internal */
 function enterpriseOidcProviderId(enterpriseId) {
 	return `${ENTERPRISE_OIDC_PROVIDER_PREFIX}${enterpriseId}`;
 }
+/** @internal */
 function enterpriseSamlProviderId(enterpriseId) {
 	return `${ENTERPRISE_SAML_PROVIDER_PREFIX}${enterpriseId}`;
 }
+/** @internal */
 function getEnterpriseSamlUrls(opts) {
 	const root = opts.rootUrl.replace(/\/$/, "");
 	return {
@@ -32,6 +40,7 @@ function getEnterpriseSamlUrls(opts) {
 		sloUrl: `${root}/api/auth/sso/${opts.source.id}/saml/slo`
 	};
 }
+/** @internal */
 function getEnterpriseOidcUrls(opts) {
 	const root = opts.rootUrl.replace(/\/$/, "");
 	return {
@@ -39,25 +48,120 @@ function getEnterpriseOidcUrls(opts) {
 		callbackUrl: `${root}/api/auth/sso/${opts.enterpriseId}/oidc/callback`
 	};
 }
+/** @internal */
 function isEnterpriseSamlSourceActive(source) {
 	return source.status === "active";
 }
+/** @internal */
 function isEnterpriseProviderId(providerId) {
 	return providerId.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) || providerId.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX);
 }
 const asRecord = (value) => typeof value === "object" && value !== null ? value : null;
+/** @internal */
+const DEFAULT_ENTERPRISE_POLICY = {
+	version: 1,
+	identity: { accountLinking: {
+		oidc: "verifiedEmail",
+		saml: "verifiedEmail"
+	} },
+	provisioning: {
+		scimReuse: { user: "externalId" },
+		jit: {
+			mode: "createUserAndMembership",
+			defaultRoleIds: []
+		},
+		deprovision: { mode: "soft" }
+	}
+};
+/** @internal */
+function normalizeEnterprisePolicy(policy) {
+	const input = asRecord(policy) ?? {};
+	const accountLinking = asRecord((asRecord(input.identity) ?? {}).accountLinking) ?? {};
+	const provisioning = asRecord(input.provisioning) ?? {};
+	const scimReuse = asRecord(provisioning.scimReuse) ?? {};
+	const jit = asRecord(provisioning.jit) ?? {};
+	const deprovision = asRecord(provisioning.deprovision) ?? {};
+	const extend = asRecord(input.extend) ?? void 0;
+	return {
+		version: 1,
+		identity: { accountLinking: {
+			oidc: accountLinking.oidc === "none" ? "none" : DEFAULT_ENTERPRISE_POLICY.identity.accountLinking.oidc,
+			saml: accountLinking.saml === "none" ? "none" : DEFAULT_ENTERPRISE_POLICY.identity.accountLinking.saml
+		} },
+		provisioning: {
+			scimReuse: { user: scimReuse.user === "none" ? "none" : DEFAULT_ENTERPRISE_POLICY.provisioning.scimReuse.user },
+			jit: {
+				mode: jit.mode === "off" || jit.mode === "createUser" || jit.mode === "createUserAndMembership" ? jit.mode : DEFAULT_ENTERPRISE_POLICY.provisioning.jit.mode,
+				defaultRoleIds: Array.isArray(jit.defaultRoleIds) ? Array.from(new Set(jit.defaultRoleIds.filter((value) => typeof value === "string" && value.length > 0))) : typeof jit.defaultRole === "string" && jit.defaultRole.length > 0 ? [jit.defaultRole] : DEFAULT_ENTERPRISE_POLICY.provisioning.jit.defaultRoleIds
+			},
+			deprovision: { mode: deprovision.mode === "hard" ? "hard" : DEFAULT_ENTERPRISE_POLICY.provisioning.deprovision.mode }
+		},
+		...extend ? { extend } : {}
+	};
+}
+/** @internal */
+function patchEnterprisePolicy(current, patch) {
+	const base = normalizeEnterprisePolicy(current);
+	return normalizeEnterprisePolicy({
+		...base,
+		...patch,
+		identity: {
+			...base.identity,
+			...patch.identity,
+			accountLinking: {
+				...base.identity.accountLinking,
+				...patch.identity?.accountLinking
+			}
+		},
+		provisioning: {
+			...base.provisioning,
+			...patch.provisioning,
+			scimReuse: {
+				...base.provisioning.scimReuse,
+				...patch.provisioning?.scimReuse
+			},
+			jit: {
+				...base.provisioning.jit,
+				...patch.provisioning?.jit
+			},
+			deprovision: {
+				...base.provisioning.deprovision,
+				...patch.provisioning?.deprovision
+			}
+		},
+		extend: patch.extend === void 0 ? base.extend : {
+			...base.extend,
+			...patch.extend
+		}
+	});
+}
 const getProtocolConfig = (config, protocol) => {
 	const base = asRecord(config);
 	const direct = base?.[protocol];
 	const viaProtocols = asRecord(base?.protocols)?.[protocol];
 	return asRecord(direct) ?? asRecord(viaProtocols) ?? {};
 };
+/** @internal */
 function getOidcConfig(config) {
 	return getProtocolConfig(config, "oidc");
 }
+/** @internal */
+function getPublicOidcConfig(config) {
+	const { clientSecret: _clientSecret, ...publicOidc } = getOidcConfig(config);
+	return publicOidc;
+}
+/** @internal */
+function withOidcSecretState(config, hasClientSecret) {
+	return {
+		...config,
+		hasClientSecret
+	};
+}
+/** @internal */
 function getSamlConfig(config) {
 	return getProtocolConfig(config, "saml");
 }
+/** @internal */
 function upsertProtocolConfig(config, protocol, protocolConfig) {
 	const base = asRecord(config) ?? {};
 	const protocols = asRecord(base.protocols) ?? {};
@@ -70,6 +174,7 @@ function upsertProtocolConfig(config, protocol, protocolConfig) {
 		protocols
 	};
 }
+/** @internal */
 function createSamlPostBindingResponse(opts) {
 	const fields = [`<input type="hidden" name="${opts.parameter}" value="${opts.value.replace(/"/g, "&quot;")}" />`, opts.relayState ? `<input type="hidden" name="RelayState" value="${opts.relayState.replace(/"/g, "&quot;")}" />` : ""].join("");
 	return new Response(`<!doctype html><html><body><form method="POST" action="${opts.endpoint}">${fields}</form><script>document.forms[0].submit();<\/script></body></html>`, {
@@ -77,6 +182,7 @@ function createSamlPostBindingResponse(opts) {
 		headers: { "Content-Type": "text/html; charset=utf-8" }
 	});
 }
+/** @internal */
 function decodeRelayState(value) {
 	if (!value) return {};
 	try {
@@ -85,6 +191,7 @@ function decodeRelayState(value) {
 		return {};
 	}
 }
+/** @internal */
 function encodeEnterpriseSamlRelayState(value) {
 	return encodeBase64urlNoPadding(new TextEncoder().encode(JSON.stringify({
 		source: `${value.source.kind}:${value.source.id}`,
@@ -94,6 +201,7 @@ function encodeEnterpriseSamlRelayState(value) {
 		redirectTo: value.redirectTo
 	})));
 }
+/** @internal */
 function decodeEnterpriseSamlRelayStateOrThrow(value) {
 	if (!value) throw new Error("Missing SAML RelayState.");
 	const decoded = decodeRelayState(value);
@@ -112,6 +220,7 @@ function decodeEnterpriseSamlRelayStateOrThrow(value) {
 		redirectTo: typeof decoded.redirectTo === "string" ? decoded.redirectTo : void 0
 	};
 }
+/** @internal */
 async function readRequestBody(request) {
 	const contentType = request.headers.get("Content-Type") ?? "";
 	if (contentType.includes("application/x-www-form-urlencoded") || contentType.includes("multipart/form-data")) {
@@ -124,6 +233,7 @@ async function readRequestBody(request) {
 	}
 	return {};
 }
+/** @internal */
 async function readEnterpriseSamlHttpRequest(request) {
 	const url = new URL(request.url);
 	const body = await readRequestBody(request);
@@ -140,9 +250,10 @@ async function readEnterpriseSamlHttpRequest(request) {
 async function discoverOidcConfiguration(config) {
 	const discoveryUrl = typeof config.discoveryUrl === "string" ? config.discoveryUrl : typeof config.issuer === "string" ? `${config.issuer.replace(/\/$/, "")}/.well-known/openid-configuration` : null;
 	if (!discoveryUrl) throw new Error("Enterprise OIDC requires an issuer or discoveryUrl.");
+	const oidcFetch = createEnterpriseOidcFetch(config, config.issuer);
 	return await Fx.run(Fx.defer(() => Fx.from({
 		ok: async () => {
-			const response = await fetch(discoveryUrl);
+			const response = await oidcFetch(discoveryUrl);
 			if (!response.ok) throw new Error(`Failed to discover OIDC configuration: ${response.status}`);
 			const discovery = await response.json();
 			if (typeof discovery.issuer !== "string" || typeof discovery.authorization_endpoint !== "string" || typeof discovery.token_endpoint !== "string" || typeof discovery.jwks_uri !== "string") throw new Error("OIDC discovery document is missing required fields.");
@@ -151,18 +262,33 @@ async function discoverOidcConfiguration(config) {
 		err: (error) => error instanceof Error ? error : new Error(String(error))
 	})).pipe(Fx.timeout(1e4), Fx.retry(Fx.retry.compose(Fx.retry.jittered(Fx.retry.exponential(200)), Fx.retry.recurs(2))), Fx.recover((error) => Fx.fail(error instanceof Error ? error : new Error(String(error))))));
 }
-function getOidcJwks(url) {
-	let jwks = OIDC_JWKS_CACHE.get(url);
+function createEnterpriseOidcFetch(config, discoveredIssuer) {
+	const runtimeOrigin = typeof config.discoveryUrl === "string" ? new URL(config.discoveryUrl).origin : void 0;
+	const externalHost = typeof config.issuer === "string" ? new URL(config.issuer).host : typeof discoveredIssuer === "string" ? new URL(discoveredIssuer).host : void 0;
+	return async (input, init) => {
+		const url = new URL(typeof input === "string" ? input : input.toString());
+		const rewrittenUrl = runtimeOrigin !== void 0 && url.origin !== runtimeOrigin ? new URL(`${runtimeOrigin}${url.pathname}${url.search}`) : url;
+		const headers = new Headers(init?.headers);
+		if (runtimeOrigin !== void 0 && externalHost !== void 0) headers.set("host", externalHost);
+		return await fetch(rewrittenUrl, {
+			...init,
+			headers
+		});
+	};
+}
+function getOidcJwks(url, fetchImpl) {
+	const cacheKey = fetchImpl ? `${url}::custom` : url;
+	let jwks = OIDC_JWKS_CACHE.get(cacheKey);
 	if (!jwks) {
-		jwks = createRemoteJWKSet(new URL(url));
-		OIDC_JWKS_CACHE.set(url, jwks);
+		jwks = fetchImpl ? createRemoteJWKSet(new URL(url), { [customFetch]: fetchImpl }) : createRemoteJWKSet(new URL(url));
+		OIDC_JWKS_CACHE.set(cacheKey, jwks);
 	}
 	return jwks;
 }
 function userInfoProfileFx(opts) {
 	return Fx.from({
 		ok: async () => {
-			const response = await fetch(opts.endpoint, { headers: { Authorization: `Bearer ${opts.accessToken}` } });
+			const response = await (opts.fetchImpl ?? fetch)(opts.endpoint, { headers: { Authorization: `Bearer ${opts.accessToken}` } });
 			if (!response.ok) throw new Error(`OIDC userinfo request failed: ${response.status}`);
 			return await response.json();
 		},
@@ -185,6 +311,7 @@ function userInfoProfileFx(opts) {
 		return Fx.fail(/* @__PURE__ */ new Error("OIDC userinfo subject does not match ID token subject."));
 	}));
 }
+/** @internal */
 async function createEnterpriseOidcProvider(config, redirectUri) {
 	const discovery = await discoverOidcConfiguration(config);
 	const expectedIssuer = String(config.issuer ?? discovery.issuer).replace(/\/$/, "");
@@ -202,6 +329,7 @@ async function createEnterpriseOidcProvider(config, redirectUri) {
 	const jwksUri = String(config.jwksUri ?? discovery.jwks_uri);
 	const supportedIdTokenSigningAlgs = Array.isArray(discovery.id_token_signing_alg_values_supported) ? discovery.id_token_signing_alg_values_supported.filter((value) => typeof value === "string") : [];
 	const userinfoEndpoint = discovery.userinfo_endpoint ?? void 0;
+	const oidcFetch = createEnterpriseOidcFetch(config, discovery.issuer);
 	const scopes = Array.isArray(config.scopes) ? config.scopes.filter((value) => typeof value === "string") : [
 		"openid",
 		"profile",
@@ -215,7 +343,7 @@ async function createEnterpriseOidcProvider(config, redirectUri) {
 		return candidates;
 	};
 	const expectedIssuers = strictIssuer ? [expectedIssuer] : Array.from(new Set([...getIssuerCandidates(expectedIssuer), ...getIssuerCandidates(discoveredIssuer)]));
-	const jwks = getOidcJwks(jwksUri);
+	const jwks = getOidcJwks(jwksUri, oidcFetch);
 	let verifiedClaims = null;
 	let verifiedProfile = null;
 	const normalizeProfile = (claims) => ({
@@ -249,7 +377,7 @@ async function createEnterpriseOidcProvider(config, redirectUri) {
 				});
 				if (typeof config.clientSecret === "string") body.set("client_secret", config.clientSecret);
 				if (codeVerifier) body.set("code_verifier", codeVerifier);
-				const response = await fetch(tokenEndpoint, {
+				const response = await oidcFetch(tokenEndpoint, {
 					method: "POST",
 					headers: { "Content-Type": "application/x-www-form-urlencoded" },
 					body
@@ -318,7 +446,8 @@ async function createEnterpriseOidcProvider(config, redirectUri) {
 						endpoint: userinfoEndpoint,
 						accessToken: tokens.accessToken(),
 						verifiedClaims,
-						verifiedProfile
+						verifiedProfile,
+						fetchImpl: oidcFetch
 					}));
 					if (userInfoProfile !== null) return userInfoProfile;
 				}
@@ -327,15 +456,17 @@ async function createEnterpriseOidcProvider(config, redirectUri) {
 		}
 	};
 }
-function createSyntheticOAuthMaterializedConfig(providerId) {
+/** @internal */
+function createSyntheticOAuthMaterializedConfig(providerId, options) {
 	return {
 		id: providerId,
 		type: "oauth",
 		provider: null,
 		scopes: [],
-		accountLinking: "verifiedEmail"
+		accountLinking: options?.accountLinking ?? "verifiedEmail"
 	};
 }
+/** @internal */
 function parseSamlIdpMetadata(metadata) {
 	const entityMeta = IdentityProvider({ metadata }).entityMeta;
 	const normalizeService = (value) => {
@@ -360,6 +491,7 @@ function parseSamlIdpMetadata(metadata) {
 		wantsSignedAuthnRequests: entityMeta.isWantAuthnRequestsSigned()
 	};
 }
+/** @internal */
 function createServiceProviderMetadata(opts) {
 	const binding = Constants.namespace.binding;
 	return ServiceProvider({
@@ -384,6 +516,7 @@ function createServiceProviderMetadata(opts) {
 		}] : void 0
 	}).getMetadata();
 }
+/** @internal */
 function createEnterpriseSamlMetadataXml(opts) {
 	return createServiceProviderMetadata(getSamlServiceProviderOptions({
 		rootUrl: opts.rootUrl,
@@ -391,6 +524,7 @@ function createEnterpriseSamlMetadataXml(opts) {
 		config: opts.config
 	}));
 }
+/** @internal */
 function getSamlServiceProviderOptions(opts) {
 	const saml = getSamlConfig(opts.config);
 	const sp = asRecord(saml.sp) ?? {};
@@ -412,6 +546,7 @@ function getSamlServiceProviderOptions(opts) {
 		encPrivateKeyPass: sp.encPrivateKeyPass
 	};
 }
+/** @internal */
 function createSamlServiceProvider(opts) {
 	const binding = Constants.namespace.binding;
 	return ServiceProvider({
@@ -437,6 +572,7 @@ function createSamlServiceProvider(opts) {
 		}] : void 0
 	});
 }
+/** @internal */
 function createEnterpriseSamlRuntime(opts) {
 	const saml = getSamlConfig(opts.config);
 	const spOptions = getSamlServiceProviderOptions({
@@ -457,6 +593,7 @@ function createEnterpriseSamlRuntime(opts) {
 		})
 	};
 }
+/** @internal */
 function createEnterpriseSamlSignInRequest(opts) {
 	const runtime = createEnterpriseSamlRuntime({
 		rootUrl: opts.rootUrl,
@@ -487,6 +624,7 @@ function createEnterpriseSamlSignInRequest(opts) {
 		} : void 0
 	};
 }
+/** @internal */
 async function parseEnterpriseSamlLoginResponse(opts) {
 	ensureSamlifyValidator();
 	const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);
@@ -527,9 +665,11 @@ function warnDeprecatedSamlAlgorithms(parsed) {
 		if (digestAlg && DEPRECATED_SAML_ALGORITHMS.has(digestAlg)) console.warn(`[convex-auth] SAML response uses deprecated digest algorithm: ${digestAlg}. Consider upgrading your IdP to use SHA-256 or stronger.`);
 	} catch {}
 }
+/** @internal */
 function validateEnterpriseSamlLoginRelayState(opts) {
 	if (opts.relayState.source.kind !== opts.source.kind || opts.relayState.source.id !== opts.source.id || opts.relayState.requestId !== opts.inResponseTo) throw new Error("SAML RelayState did not match the pending login request.");
 }
+/** @internal */
 async function parseEnterpriseSamlLogoutMessage(opts) {
 	ensureSamlifyValidator();
 	const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);
@@ -549,22 +689,23 @@ async function parseEnterpriseSamlLogoutMessage(opts) {
 		parsedRequest
 	};
 }
+/** @internal */
 async function createEnterpriseOidcRuntime(opts) {
-	const oidc = getOidcConfig(opts.config);
 	const providerId = enterpriseOidcProviderId(opts.enterpriseId);
 	const urls = getEnterpriseOidcUrls({
 		rootUrl: opts.rootUrl,
 		enterpriseId: opts.enterpriseId
 	});
-	const { provider, oauthConfig } = await createEnterpriseOidcProvider(oidc, urls.callbackUrl);
+	const { provider, oauthConfig } = await createEnterpriseOidcProvider(opts.oidc, urls.callbackUrl);
 	return {
-		oidc,
+		oidc: opts.oidc,
 		providerId,
 		provider,
 		oauthConfig,
 		...urls
 	};
 }
+/** @internal */
 function profileFromSamlExtract(extract, mapping) {
 	const attributes = typeof extract?.attributes === "object" && extract.attributes !== null ? extract.attributes : {};
 	const resolveFirst = (...keys) => {
@@ -593,9 +734,10 @@ function profileFromSamlExtract(extract, mapping) {
 		samlSessionIndex: extract?.sessionIndex?.SessionIndex
 	};
 }
+/** @internal */
 function parseScimPath(pathname) {
-	const [api, auth, enterprise, enterpriseId, protocol, version, ...rest] = pathname.split("/").filter(Boolean);
-	if (api !== "api" || auth !== "auth" || enterprise !== "enterprise" || !enterpriseId || enterpriseId === "setup" || protocol !== "scim" || version !== "v2") return {
+	const [api, auth, sso, enterpriseId, protocol, version, ...rest] = pathname.split("/").filter(Boolean);
+	if (api !== "api" || auth !== "auth" || sso !== "sso" || !enterpriseId || enterpriseId === "setup" || protocol !== "scim" || version !== "v2") return {
 		enterpriseId: "",
 		resource: "",
 		resourceId: void 0
@@ -606,6 +748,7 @@ function parseScimPath(pathname) {
 		resourceId: rest[1]
 	};
 }
+/** @internal */
 function parseScimListRequest(url) {
 	const startIndex = Math.max(1, Number(url.searchParams.get("startIndex") ?? "1"));
 	const count = Math.min(100, Math.max(1, Number(url.searchParams.get("count") ?? "100")));
@@ -623,6 +766,7 @@ function parseScimListRequest(url) {
 		})() : void 0
 	};
 }
+/** @internal */
 function scimJson(data, status = 200, headers) {
 	const responseHeaders = new Headers({ "Content-Type": "application/scim+json" });
 	if (headers) new Headers(headers).forEach((value, key) => {
@@ -633,6 +777,7 @@ function scimJson(data, status = 200, headers) {
 		headers: responseHeaders
 	});
 }
+/** @internal */
 function scimError(status, scimType, detail) {
 	return scimJson({
 		schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
@@ -641,6 +786,7 @@ function scimError(status, scimType, detail) {
 		detail
 	}, status);
 }
+/** @internal */
 function serializeScimUser(args) {
 	return {
 		schemas: [SCIM_USER_SCHEMA_ID],
@@ -664,6 +810,7 @@ function serializeScimUser(args) {
 		displayName: args.user.name
 	};
 }
+/** @internal */
 function serializeScimGroup(args) {
 	return {
 		schemas: [SCIM_GROUP_SCHEMA_ID],
@@ -679,5 +826,5 @@ function serializeScimGroup(args) {
 }
 
 //#endregion
-export { ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID, createEnterpriseOidcProvider, createEnterpriseOidcRuntime, createEnterpriseSamlMetadataXml, createEnterpriseSamlRuntime, createEnterpriseSamlSignInRequest, createSamlPostBindingResponse, createSamlServiceProvider, createServiceProviderMetadata, createSyntheticOAuthMaterializedConfig, decodeEnterpriseSamlRelayStateOrThrow, decodeRelayState, encodeEnterpriseSamlRelayState, enterpriseOidcProviderId, enterpriseSamlProviderId, getEnterpriseOidcUrls, getEnterpriseSamlUrls, getOidcConfig, getSamlConfig, getSamlServiceProviderOptions, isEnterpriseProviderId, isEnterpriseSamlSourceActive, normalizeDomain, parseEnterpriseSamlLoginResponse, parseEnterpriseSamlLogoutMessage, parseSamlIdpMetadata, parseScimListRequest, parseScimPath, profileFromSamlExtract, readEnterpriseSamlHttpRequest, readRequestBody, scimError, scimJson, serializeScimGroup, serializeScimUser, upsertProtocolConfig, validateEnterpriseSamlLoginRelayState };
+export { DEFAULT_ENTERPRISE_POLICY, ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID, createEnterpriseOidcProvider, createEnterpriseOidcRuntime, createEnterpriseSamlMetadataXml, createEnterpriseSamlRuntime, createEnterpriseSamlSignInRequest, createSamlPostBindingResponse, createSamlServiceProvider, createServiceProviderMetadata, createSyntheticOAuthMaterializedConfig, decodeEnterpriseSamlRelayStateOrThrow, decodeRelayState, encodeEnterpriseSamlRelayState, enterpriseOidcProviderId, enterpriseSamlProviderId, getEnterpriseOidcUrls, getEnterpriseSamlUrls, getOidcConfig, getPublicOidcConfig, getSamlConfig, getSamlServiceProviderOptions, isEnterpriseProviderId, isEnterpriseSamlSourceActive, normalizeDomain, normalizeEnterprisePolicy, parseEnterpriseSamlLoginResponse, parseEnterpriseSamlLogoutMessage, parseSamlIdpMetadata, parseScimListRequest, parseScimPath, patchEnterprisePolicy, profileFromSamlExtract, readEnterpriseSamlHttpRequest, readRequestBody, scimError, scimJson, serializeScimGroup, serializeScimUser, upsertProtocolConfig, validateEnterpriseSamlLoginRelayState, withOidcSecretState };
 //# sourceMappingURL=sso.js.map