SAML SSO Plugin Help

I've gotten all the way to the point with the new SSO plugin. When I click the button that's attached to the authClient.signIn.sso, I redirect to a page with JSON: {"redirect":true,"url":"https://login.microsoftonline.com/<idp-id>/saml2/dashboard"} I'm not understanding where the 302 redirect is supposed to happen, if at all, here. I've followed the beta docs (minus using the spMetadata function due to it not building the XML correctly with the entityId). Can someone please explain what's happening here?
13 Replies
bekacru (4mo ago)
You need to redirect to the url instead. By default, it should redirect unless you pass disableRedirect. But either way, it's not a 302 redirect - you need to handle the redirect on the client after receiving the JSON response.
Shifty (OP, 4mo ago)
const handleSSOSignIn = async () => {
  try {
    await authClient.signIn.sso({
      organizationSlug: orgSlug,
      callbackURL: '/dashboard'
    })
  } catch (error) {
    console.error('SSO sign-in error:', error)
    form.setError('root', { message: 'Failed to sign in with SSO' })
  }
}
This is what I have currently, so you're saying I need to add redirect logic here? The plugin won't automatically do it?
bekacru (4mo ago)
Is this on the server or client?
Shifty (OP, 4mo ago)
Client.
const handleMicrosoftSignIn = async () => {
  try {
    await authClient.signIn.social({
      provider: 'microsoft',
      callbackURL: '/select-organization'
    })
  } catch (error) {
    console.error('Microsoft sign-in error:', error)
    form.setError('root', { message: 'Failed to sign in with Microsoft' })
  }
}
Here's what I originally had for a social sign-on that worked through Microsoft, but the app needs SAML SSO capabilities since it will be multi-tenant, so I figured the implementation was similar, but I guess not, hence the confusion.
bekacru (4mo ago)
It should redirect automatically on the client. I'll check on this. But in the meantime you can redirect yourself using window.location.href = data.url
Shifty (OP, 4mo ago)
Yeah, I was doing it like that with window.location.href, but I'm not having any luck getting it to redirect to the data.url. It's like the signIn.sso is kicking off something before I can do the redirect manually.
bekacru (4mo ago)
Pass disableRedirect; this shouldn't happen. If it redirects, it should redirect to the provider url.
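As an added example (not code from this thread and not better-auth's own code), here is one way to handle the {"redirect":true,"url":...} JSON on the client once the plugin hands it back instead of navigating itself. Before assigning anything to window.location.href, it checks that the target is either the app's own origin (the post-login callbackURL) or an https URL on an allow-listed IdP host, so the page never follows a redirect target it did not expect. Assumptions: the sso call resolves to { data, error } like other better-auth client methods; the allow-listed hosts, the app origin, the sample responses and the helper names resolveSsoRedirect and handleSSOSignIn are all constructed for this example.

```javascript
// Added example, not part of the thread or of better-auth.
// Client-side handling of the plugin's {redirect: true, url} JSON with an
// allow-list check on the redirect target.

// Constructed sample allow-list: the IdP host from the thread. The app's own
// origin (for a relative callbackURL such as "/dashboard") is always accepted.
const ALLOWED_REDIRECT_HOSTS = new Set(["login.microsoftonline.com"]);
const APP_ORIGIN = "http://localhost:3000"; // constructed; in the browser use window.location.origin

/**
 * Turn the plugin's JSON response into a URL the browser may navigate to.
 * Returns { url: null, reason } when the response carries no redirect, the
 * URL is malformed, or the target is off-origin and not an allow-listed https host.
 */
function resolveSsoRedirect(response, allowedHosts = ALLOWED_REDIRECT_HOSTS, appOrigin = APP_ORIGIN) {
  if (!response || response.redirect !== true || typeof response.url !== "string") {
    return { url: null, reason: "response carries no redirect" };
  }
  let target;
  try {
    // Relative URLs (the callbackURL) resolve against the app origin.
    target = new URL(response.url, appOrigin);
  } catch {
    return { url: null, reason: "malformed redirect url" };
  }
  const sameOrigin = target.origin === new URL(appOrigin).origin;
  if (sameOrigin) {
    return { url: target.href, reason: null };
  }
  if (target.protocol !== "https:") {
    return { url: null, reason: "external redirect must use https" };
  }
  if (!allowedHosts.has(target.host)) {
    return { url: null, reason: `host ${target.host} is not allow-listed` };
  }
  return { url: target.href, reason: null };
}

/**
 * Sign-in handler in the shape of the thread's handleSSOSignIn.
 * signInSso is assumed (not verified against better-auth) to resolve to
 * { data, error }; navigate is window.location.href assignment in a browser.
 * Returns true when a navigation was issued, false otherwise.
 */
async function handleSSOSignIn({ signInSso, navigate, orgSlug, onError }) {
  const { data, error } = await signInSso({
    organizationSlug: orgSlug,
    callbackURL: "/dashboard",
  });
  if (error) {
    onError(error);
    return false;
  }
  const { url, reason } = resolveSsoRedirect(data);
  if (!url) {
    onError(new Error(`SSO redirect rejected: ${reason}`));
    return false;
  }
  navigate(url); // browser: window.location.href = url
  return true;
}

// Stand-alone demonstration with a constructed fake client and a recording navigate().
async function demo() {
  const fakeSignIn = async () => ({
    data: { redirect: true, url: "https://login.microsoftonline.com/tenant-id-placeholder/saml2" },
    error: null,
  });
  const visited = [];
  const ok = await handleSSOSignIn({
    signInSso: fakeSignIn,
    navigate: (u) => visited.push(u),
    orgSlug: "acme",
    onError: (e) => console.error(e.message),
  });
  console.log(ok, visited);
}
demo();
```

In the real page the `navigate` argument is `(u) => { window.location.href = u }`; keeping it injectable is what makes the handler testable without a browser. The allow-list matters because the browser will follow whatever string ends up in window.location.href, so the client should only trust redirect targets it already expects (its own origin and the configured IdP).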
Shifty (OP, 4mo ago)
Got it. Also, I assume provisionUser is a must, otherwise it just tries to create users with a bunch of null fields? I wasn't sure because I signed in, got redirected to the API JSON page with the redirect:true, and then in my db there was a user with all null fields.
bekacru (4mo ago)
No, provisionUser isn't necessary unless you want to do some additional things.
Shifty (OP, 4mo ago)
I'm not seeing anything regarding disableRedirect as a property for the authClient.signIn.sso function? Docs say nothing about it either. I'm up to date on the @better-auth/sso library as well. The function is redirecting me to: http://localhost:3000/api/auth/sso/saml2/callback/<providerId> which is where the {redirect: true....} JSON is showing. Lastly, just to confirm: if I'm using the new SSO plugin, does that also mean I need to be using the beta? Or are these separate and I can still use the prod release of better-auth?
Shifty (OP, 4mo ago)
Even looking at the source code I don't see anything about disableRedirect, but the logic looks sound in terms of how it should handle user creation upon successful callback from the SAML provider: https://github.com/better-auth/better-auth/blob/v1.3/packages/sso/src/index.ts#L1331. Not sure why every time the SSO triggers, the redirect doesn't happen and a user with all null values gets created instead of signing in as the already existing user.
Shifty (OP, 4mo ago)
This is not working on either the prod release or the beta. It becomes clear between callbackSSO and callbackSSOSAML: one is handling a redirect, and the other is just returning the JSON.
Shifty (OP, 4mo ago)
Saw that someone caught it as well and has submitted a PR: https://github.com/better-auth/better-auth/pull/3343
GitHub link preview: fix(sso): saml redirection by Kinfe123 · Pull Request #3343 · better-auth/better-auth. Summary by cubic: Fixed SAML redirection to use HTTP redirects instead of returning a JSON response, ensuring proper client navigation after SSO login. Bug Fixes: Updated SAML callback to throw an ...
