fix(sso): final audit corrections — saml mapping, xml escaping, self-hosted org guard

Author: waleedlatif1

apps/sim/app/api/auth/sso/register/route.ts

@@ -403,7 +403,6 @@ export async function POST(request: NextRequest) {
         idpMetadata: {
           metadata: computedIdpMetadataXml,
         },
-        mapping,
       }
 
       if (audience) samlConfig.audience = audience
@@ -413,7 +412,6 @@ export async function POST(request: NextRequest) {
       if (identifierFormat) samlConfig.identifierFormat = identifierFormat
 
       providerConfig.samlConfig = samlConfig
-      providerConfig.mapping = undefined
     }
 
     logger.info('Calling Better Auth registerSSOProvider with config:', {

apps/sim/ee/sso/components/sso-settings.tsx

@@ -133,7 +133,12 @@ export function SSO() {
       )
     }
   } else {
-    if (!isLoadingProviders && isSSOProviderOwner === false && providers.length > 0) {
+    if (
+      !activeOrganization &&
+      !isLoadingProviders &&
+      isSSOProviderOwner === false &&
+      providers.length > 0
+    ) {
       return (
         <div className='flex h-full items-center justify-center text-[var(--text-muted)] text-small'>
           Only the user who configured SSO can manage these settings.

packages/db/scripts/register-sso-provider.ts

@@ -241,19 +241,6 @@ function buildSSOConfigFromEnv(): SSOProviderConfig | null {
       ''
     ).replace(/\/$/, '')
 
-    const callbackUrl =
-      process.env.SSO_SAML_CALLBACK_URL || `${appBaseUrl}/api/auth/sso/saml2/callback/${providerId}`
-
-    let spMetadata = process.env.SSO_SAML_SP_METADATA
-    if (!spMetadata) {
-      spMetadata = `<?xml version="1.0" encoding="UTF-8"?>
-<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${appBaseUrl}">
-  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${callbackUrl}" index="1"/>
-  </md:SPSSODescriptor>
-</md:EntityDescriptor>`
-    }
-
     const escapeXml = (str: string) =>
       str.replace(/[<>&"']/g, (c) => {
         switch (c) {
@@ -272,6 +259,19 @@ function buildSSOConfigFromEnv(): SSOProviderConfig | null {
         }
       })
 
+    const callbackUrl =
+      process.env.SSO_SAML_CALLBACK_URL || `${appBaseUrl}/api/auth/sso/saml2/callback/${providerId}`
+
+    let spMetadata = process.env.SSO_SAML_SP_METADATA
+    if (!spMetadata) {
+      spMetadata = `<?xml version="1.0" encoding="UTF-8"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${escapeXml(appBaseUrl)}">
+  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${escapeXml(callbackUrl)}" index="1"/>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>`
+    }
+
     const idpMetadataXml = process.env.SSO_SAML_IDP_METADATA
     let computedIdpMetadata: string
     if (idpMetadataXml) {