enhancement(auth): support IdP-initiated SAML and harden the SSO completion flow#406
Merged
Conversation
…letion flow Follow-up to the SP-initiated SAML fix (#405), three changes: - IdP-initiated SSO: an Okta dashboard-tile launch posts an assertion with no RelayState. Rather than rejecting it, the ACS now picks the enabled SAML config whose certificate validates the assertion's signature (the stored issuer is the SP entity id, not a reliable IdP identifier) and defaults the post-login destination to /. - Enforce 2FA for SAML logins: the completion route now reads force2FAAllLogins and stamps the same twoFactorRequired / twoFactorSetupRequired claims the NextAuth jwt callback sets at sign-in, so SAML sessions hit the existing middleware 2FA gate instead of bypassing it. - Single-use completion token: the token handed to /api/auth/saml/complete rides in a redirect URL, so it now registers a single-use jti in Valkey (deleted on consume) and its lifetime is cut to two minutes — a replayed link is rejected.
therealbrad
changed the title
therealbrad
force-pushed
the
feat/saml-auth-hardening
branch
from
9c93c05 to
bb3ede4
Compare
Contributor
Author
|
🎉 This PR is included in version 0.35.2 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
4 tasks
therealbrad
added a commit
that referenced
this pull request
Jun 5, 2026
Accepting IdP-initiated (no-RelayState) POSTs in #406 opened a replay vector: any captured assertion — including an SP-initiated one with its RelayState stripped — could be re-POSTed and accepted until it expired, since the only remaining bound was its notBefore/notOnOrAfter window. The ACS now records each validated assertion by its signed ID in Valkey for the remainder of its validity window and rejects a second use — the same single-use pattern as the relay state and completion token. The ID is the dedup key (not a byte hash) because it lives inside the signed element: an attacker can't change it without the IdP's key, whereas the surrounding bytes can be mutated (re-canonicalization, namespace/attribute reordering, the unsigned Response wrapper) while keeping a valid signature. Without Valkey the assertion's expiry window remains the only bound.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Follow-up to #405 (SP-initiated SAML). Three changes to the SAML SSO flow:
IdP-initiated SSO (new capability)
An Okta dashboard-tile launch posts an assertion to the ACS with no
RelayState, which #405 rejected with a 400. The ACS now handles it: with noRelayStateit selects the enabled SAML config whose certificate validates the assertion's signature (the storedissueris the SP entity id, not a reliable IdP identifier, so matching is by cryptographic validation, not a field compare) and defaults the post-login destination to/.Enforce 2FA for SAML logins (security)
force2FAAllLoginswas bypassed for SAML, because that gate only fires inside NextAuth'sjwtcallback (which needs anaccount) and this flow mints the session directly./api/auth/saml/completenow reads the setting and stamps the sametwoFactorRequired/twoFactorSetupRequiredclaims, so SAML sessions hit the existing middleware 2FA gate.Single-use completion token (security)
The token handed to
/api/auth/saml/completerides in a redirect URL (Referer, logs, history), so it now registers a single-usejtiin Valkey (deleted on consume) with a signed-JWT fallback, and its lifetime is cut from 5 minutes to 2. A replayed link is rejected.Related Issue
Follow-up to #405; addresses review observations on IdP-initiated launches, 2FA bypass, and token replay.
Type of Change
Testing
decode), and IdP-initiated config selection by signature.tscclean for the changed files; prettier clean.Checklist