fix(sso): correct SAML callback path and generate idpMetadata from cert+entryPoint

Author: waleedlatif1

apps/docs/content/docs/en/enterprise/sso.mdx

@@ -65,15 +65,18 @@ Go to **Settings → Enterprise → Single Sign-On** in your workspace.
 
 The **Callback URL** shown in the form is the endpoint your identity provider must redirect users back to after authentication. Copy it and register it in your IdP before saving.
 
+**OIDC providers** (Okta, Microsoft Entra ID, Google Workspace, Auth0):
 ```
 https://simstudio.ai/api/auth/sso/callback/{provider-id}
 ```
 
-For self-hosted:
+**SAML providers** (ADFS, Shibboleth):
 ```
-https://your-instance.com/api/auth/sso/callback/{provider-id}
+https://simstudio.ai/api/auth/sso/saml2/callback/{provider-id}
 ```
 
+For self-hosted, replace `simstudio.ai` with your instance hostname.
+
 ### 5. Save and test
 
 Click **Save**. To test, sign out and use the **Sign in with SSO** button on the login page. Enter an email address at your configured domain — Sim will redirect you to your identity provider.
@@ -194,9 +197,9 @@ Click **Save**. To test, sign out and use the **Sign in with SSO** button on the
    For self-hosted, use your instance's base URL (e.g. `https://sim.company.com`)
 4. Add an endpoint: **SAML Assertion Consumer Service** (HTTP POST) with the URL:
    ```
-   https://simstudio.ai/api/auth/sso/callback/adfs
+   https://simstudio.ai/api/auth/sso/saml2/callback/adfs
    ```
-   For self-hosted: `https://sim.company.com/api/auth/sso/callback/adfs`
+   For self-hosted: `https://sim.company.com/api/auth/sso/saml2/callback/adfs`
 5. Export the **Token-signing certificate** from **Certificates**: right-click → **View Certificate → Details → Copy to File**, choose **Base-64 encoded X.509 (.CER)**. The `.cer` file is PEM-encoded — rename it to `.pem` before pasting its contents into Sim.
 6. Note the **ADFS Federation Service endpoint URL** (e.g. `https://adfs.company.com/adfs/ls`)
 
@@ -270,7 +273,7 @@ Users who sign in via SSO for the first time are automatically provisioned and a
   },
   {
     question: "What is the Callback URL?",
-    answer: "The Callback URL (also called Redirect URI or ACS URL) is the endpoint in Sim that receives the authentication response from your identity provider. It follows the format: https://simstudio.ai/api/auth/sso/callback/{provider-id}. You must register this URL in your identity provider before SSO will work."
+    answer: "The Callback URL (also called Redirect URI or ACS URL) is the endpoint in Sim that receives the authentication response from your identity provider. For OIDC providers it follows the format: https://simstudio.ai/api/auth/sso/callback/{provider-id}. For SAML providers it is: https://simstudio.ai/api/auth/sso/saml2/callback/{provider-id}. You must register this URL in your identity provider before SSO will work."
   },
   {
     question: "How do I update or replace an existing SSO configuration?",

apps/sim/app/api/auth/sso/register/route.ts

@@ -344,7 +344,7 @@ export async function POST(request: NextRequest) {
       } = body
 
       const computedCallbackUrl =
-        callbackUrl || `${getBaseUrl()}/api/auth/sso/callback/${providerId}`
+        callbackUrl || `${getBaseUrl()}/api/auth/sso/saml2/callback/${providerId}`
 
       const escapeXml = (str: string) =>
         str.replace(/[<>&"']/g, (c) => {
@@ -371,13 +371,38 @@ export async function POST(request: NextRequest) {
   </md:SPSSODescriptor>
 </md:EntityDescriptor>`
 
+      const certBase64 = cert
+        .replace(/-----BEGIN CERTIFICATE-----/g, '')
+        .replace(/-----END CERTIFICATE-----/g, '')
+        .replace(/\s/g, '')
+
+      const computedIdpMetadataXml =
+        idpMetadata ||
+        `<?xml version="1.0"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${escapeXml(entryPoint)}">
+  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>${certBase64}</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${escapeXml(entryPoint)}"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="${escapeXml(entryPoint)}"/>
+  </IDPSSODescriptor>
+</EntityDescriptor>`
+
       const samlConfig: any = {
         entryPoint,
         cert,
         callbackUrl: computedCallbackUrl,
         spMetadata: {
           metadata: spMetadataXml,
         },
+        idpMetadata: {
+          metadata: computedIdpMetadataXml,
+        },
         mapping,
       }
 
@@ -386,11 +411,6 @@ export async function POST(request: NextRequest) {
       if (signatureAlgorithm) samlConfig.signatureAlgorithm = signatureAlgorithm
       if (digestAlgorithm) samlConfig.digestAlgorithm = digestAlgorithm
       if (identifierFormat) samlConfig.identifierFormat = identifierFormat
-      if (idpMetadata) {
-        samlConfig.idpMetadata = {
-          metadata: idpMetadata,
-        }
-      }
 
       providerConfig.samlConfig = samlConfig
       providerConfig.mapping = undefined

apps/sim/ee/sso/components/sso-settings.tsx

@@ -320,7 +320,8 @@ export function SSO() {
     })
   }
 
-  const callbackUrl = `${getBaseUrl()}/api/auth/sso/callback/${formData.providerId || existingProvider?.providerId || 'provider-id'}`
+  const isSaml = formData.providerType === 'saml'
+  const callbackUrl = `${getBaseUrl()}/api/auth/${isSaml ? 'sso/saml2/callback' : 'sso/callback'}/${formData.providerId || existingProvider?.providerId || 'provider-id'}`
 
   const copyToClipboard = async (url: string) => {
     try {
@@ -390,7 +391,7 @@ export function SSO() {
   }
 
   if (existingProvider && !isEditing) {
-    const providerCallbackUrl = `${getBaseUrl()}/api/auth/sso/callback/${existingProvider.providerId}`
+    const providerCallbackUrl = `${getBaseUrl()}/api/auth/${existingProvider.providerType === 'saml' ? 'sso/saml2/callback' : 'sso/callback'}/${existingProvider.providerId}`
 
     return (
       <div className='flex h-full flex-col gap-4.5'>
@@ -765,7 +766,7 @@ export function SSO() {
                       <FormField label='Callback URL Override' optional>
                         <Input
                           type='url'
-                          placeholder={`${getBaseUrl()}/api/auth/sso/callback/provider-id`}
+                          placeholder={`${getBaseUrl()}/api/auth/sso/saml2/callback/provider-id`}
                           value={formData.callbackUrl}
                           autoComplete='off'
                           autoCapitalize='none'

packages/db/scripts/register-sso-provider.ts

@@ -26,7 +26,7 @@
  * SAML Providers:
  *   SSO_SAML_ENTRY_POINT=https://your-idp/sso
  *   SSO_SAML_CERT=your-certificate-pem-string
- *   SSO_SAML_CALLBACK_URL=https://yourdomain.com/api/auth/sso/callback/provider-id
+ *   SSO_SAML_CALLBACK_URL=https://yourdomain.com/api/auth/sso/saml2/callback/provider-id
  *   SSO_SAML_SP_METADATA=<custom-sp-metadata-xml> (optional, auto-generated if not provided)
  *   SSO_SAML_IDP_METADATA=<idp-metadata-xml> (optional)
  *   SSO_SAML_AUDIENCE=https://yourdomain.com (optional, defaults to SSO_ISSUER)
@@ -242,7 +242,7 @@ function buildSSOConfigFromEnv(): SSOProviderConfig | null {
     ).replace(/\/$/, '')
 
     const callbackUrl =
-      process.env.SSO_SAML_CALLBACK_URL || `${appBaseUrl}/api/auth/sso/callback/${providerId}`
+      process.env.SSO_SAML_CALLBACK_URL || `${appBaseUrl}/api/auth/sso/saml2/callback/${providerId}`
 
     let spMetadata = process.env.SSO_SAML_SP_METADATA
     if (!spMetadata) {
@@ -254,6 +254,31 @@ function buildSSOConfigFromEnv(): SSOProviderConfig | null {
 </md:EntityDescriptor>`
     }
 
+    const idpMetadataXml = process.env.SSO_SAML_IDP_METADATA
+    let computedIdpMetadata: string
+    if (idpMetadataXml) {
+      computedIdpMetadata = idpMetadataXml
+    } else {
+      const certBase64 = cert
+        .replace(/-----BEGIN CERTIFICATE-----/g, '')
+        .replace(/-----END CERTIFICATE-----/g, '')
+        .replace(/\s/g, '')
+      computedIdpMetadata = `<?xml version="1.0"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${entryPoint}">
+  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>${certBase64}</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${entryPoint}"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="${entryPoint}"/>
+  </IDPSSODescriptor>
+</EntityDescriptor>`
+    }
+
     config.samlConfig = {
       issuer,
       entryPoint,
@@ -268,12 +293,9 @@ function buildSSOConfigFromEnv(): SSOProviderConfig | null {
         metadata: spMetadata,
         entityID: appBaseUrl,
       },
-    }
-    const idpMetadata = process.env.SSO_SAML_IDP_METADATA
-    if (idpMetadata) {
-      config.samlConfig.idpMetadata = {
-        metadata: idpMetadata,
-      }
+      idpMetadata: {
+        metadata: computedIdpMetadata,
+      },
     }
   }
 
@@ -598,8 +620,13 @@ async function registerSSOProvider(): Promise<boolean> {
 
     const baseUrl =
       process.env.NEXT_PUBLIC_APP_URL || process.env.BETTER_AUTH_URL || 'https://your-domain.com'
-    const callbackUrl = `${baseUrl}/api/auth/sso/callback/${ssoConfig.providerId}`
-    logger.info(`📋 Callback URL (configure this in your identity provider): ${callbackUrl}`)
+    const callbackPath =
+      ssoConfig.providerType === 'saml'
+        ? `api/auth/sso/saml2/callback/${ssoConfig.providerId}`
+        : `api/auth/sso/callback/${ssoConfig.providerId}`
+    logger.info(
+      `📋 Callback URL (configure this in your identity provider): ${baseUrl}/${callbackPath}`
+    )
 
     return true
   } catch (error) {