Where is spMetadata supposed to come from?

Hey we are trying to set up SSO with Entra ID and SAML 2.0 right now. The docs are somewhat unclear on how this should be done exactly. One particularly confusing part is the spMetadata. Where is this supposed to come from, do we have to come up with one ourselves? Shouldn't better-auth provide this automatically?
12 Replies
Bhavik | Building MVPs at Zexa
I have same doubt. Can anyone help?
The Untraceable (2mo ago)
Does that answer your question? That has to happen AFTER registering the SAML Provider
Bhavik | Building MVPs at Zexa
but spMetadata is required field here, when we register a provider. What should we pass there? https://www.better-auth.com/docs/plugins/sso#register-a-saml-provider
Gigadroid (OP, 2mo ago)
Yeah right, also auth.api.spMetadata just returns the config provided during registration. So to be more clear, how do we get the spMetadata in the first place? Do we have to come up with it ourselves? That doesn't seem quite right @The Untraceable
The Untraceable (2mo ago)
You need to generate your own service provider metadata, using an XML file. When registering you enter data such as:
```ts
spMetadata: {
  metadata: "<!-- SP Metadata XML -->", // the service provider EntityDescriptor XML you generate
  binding: "post",                       // HTTP-POST binding for the AssertionConsumerService
  privateKey: "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----", // SP signing key
  privateKeyPass: "your-sp-private-key-password",
  isAssertionEncrypted: true,            // expect encrypted assertions from the IdP
  encPrivateKey: "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----", // SP decryption key
  encPrivateKeyPass: "your-sp-encryption-key-password"
}
```
You need to set this all up
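As an added illustration, not code from better-auth or from anyone in this thread, of what the hand-written XML behind `metadata` has to contain: a minimal SP EntityDescriptor with signing and encryption KeyDescriptors and an HTTP-POST AssertionConsumerService, built from values the SP controls. The entity ID, the callback path and the certificate body are assumed placeholders, and `acsLocations` pulls the ACS URL back out so it can be compared with what is registered on the Entra side.

```typescript
// Added example, not better-auth's own code: build the SP metadata XML that goes
// into spMetadata.metadata. URLs and the certificate body are constructed placeholders.
interface SpMetadataInput {
  entityId: string;         // must equal the Identifier (Entity ID) registered in Entra
  acsUrl: string;           // where Entra POSTs the SAMLResponse (binding: "post")
  signingCert: string;      // PEM cert matching spMetadata.privateKey
  encryptionCert?: string;  // PEM cert matching encPrivateKey; defaults to signingCert
  wantAssertionsSigned?: boolean;
}

const XML_ESCAPES: Record<string, string> = {
  "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&apos;",
};
function escapeXml(s: string): string {
  return s.replace(/[<>&"']/g, (c) => XML_ESCAPES[c]);
}

// Metadata carries only the base64 body of the certificate, never the PEM armour.
function pemBody(pem: string): string {
  return pem.replace(/-----(BEGIN|END) CERTIFICATE-----/g, "").replace(/\s+/g, "");
}

function keyDescriptor(use: "signing" | "encryption", certPem: string): string {
  return `<md:KeyDescriptor use="${use}"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">` +
    `<ds:X509Data><ds:X509Certificate>${pemBody(certPem)}</ds:X509Certificate></ds:X509Data>` +
    `</ds:KeyInfo></md:KeyDescriptor>`;
}

function buildSpMetadata(i: SpMetadataInput): string {
  const wantSigned = i.wantAssertionsSigned ?? true; // require signed assertions by default
  return `<?xml version="1.0" encoding="UTF-8"?>` +
    `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${escapeXml(i.entityId)}">` +
    `<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="${wantSigned}" ` +
    `protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">` +
    keyDescriptor("signing", i.signingCert) +
    keyDescriptor("encryption", i.encryptionCert ?? i.signingCert) +
    `<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>` +
    `<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ` +
    `Location="${escapeXml(i.acsUrl)}" index="0" isDefault="true"/>` +
    `</md:SPSSODescriptor></md:EntityDescriptor>`;
}

// Extract the ACS Location(s) so they can be checked against the Reply URL configured in Entra.
function acsLocations(xml: string): string[] {
  const out: string[] = [];
  const re = /<md:AssertionConsumerService[^>]*Location="([^"]+)"/g;
  for (let m = re.exec(xml); m; m = re.exec(xml)) out.push(m[1]);
  return out;
}

// Constructed sample input; the certificate body is a placeholder, not a real certificate.
const sampleSpMetadata = buildSpMetadata({
  entityId: "https://app.example.com",
  acsUrl: "https://app.example.com/api/auth/sso/saml2/callback/entra", // assumed callback path
  signingCert: "-----BEGIN CERTIFICATE-----\nMIICconstructedPlaceholderCertBody\n-----END CERTIFICATE-----",
});
```

The Entity ID and the ACS Location in this XML must match the Identifier and Reply URL configured in the Entra enterprise application, otherwise Entra will reject the request or post the response to the wrong place.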
Gigadroid (OP, 5w ago)
Hey @The Untraceable , after implementing the SSO for one of our customers I'm quite sure the spMetadata is not something we should need to set ourselves but rather should be generated by better-auth automatically. Are you maintaining the SSO plugin or is there someone else I can reach out to to discuss this?
The Untraceable
I'm not a maintainer, make a GH issue
Shifty (5w ago)
@Gigadroid do you have a working SAML implementation with SSO and Entra? I've been banging my head for months to get something implemented but keep running into roadblocks
Gigadroid (OP, 5w ago)
@Shifty yeah, got it working for Entra
Shifty (5w ago)
And it's working after the update? Every time I try to sign in with SSO I get "[object Object] is not JSON". Also, what kind of database adapter are you using?
The Untraceable
GitHub
feat(sso): provide default service provider metadata by dvanmali ·...
Provides default sp metadata for the /sso/saml2/sp/metadata endpoint. Additional improvements with type specifying SAMLConfig type when needed. Fixes: #4833 Summary by cubic Adds default Service ...