fix(sso): always require NEXT_PUBLIC_APP_URL for SAML SP metadata entityID

waleedlatif1 · waleedlatif1 · commit e94f80393563 · 2026-04-20T14:09:21.000-07:00
diff --git a/packages/db/scripts/register-sso-provider.ts b/packages/db/scripts/register-sso-provider.ts
@@ -427,12 +427,11 @@ async function registerSSOProvider(): Promise<boolean> {
 
     if (
       ssoConfig.providerType === 'saml' &&
-      !process.env.SSO_SAML_CALLBACK_URL &&
       !process.env.NEXT_PUBLIC_APP_URL &&
       !process.env.BETTER_AUTH_URL
     ) {
       logger.error(
-        'NEXT_PUBLIC_APP_URL or BETTER_AUTH_URL is required to generate the SAML callback URL. Set one of these or provide SSO_SAML_CALLBACK_URL explicitly.'
+        'NEXT_PUBLIC_APP_URL or BETTER_AUTH_URL is required for SAML — it is used as the SP entity ID in SP metadata. Set one of these env vars.'
       )
       return false
     }

Original file line number	Diff line number	Diff line change
`@@ -427,12 +427,11 @@ async function registerSSOProvider(): Promise<boolean> {`
`427`	`427`
`428`	`428`	`if (`
`429`	`429`	`ssoConfig.providerType === 'saml' &&`
`430`		`- !process.env.SSO_SAML_CALLBACK_URL &&`
`431`	`430`	`!process.env.NEXT_PUBLIC_APP_URL &&`
`432`	`431`	`!process.env.BETTER_AUTH_URL`
`433`	`432`	`) {`
`434`	`433`	`logger.error(`
`435`		`- 'NEXT_PUBLIC_APP_URL or BETTER_AUTH_URL is required to generate the SAML callback URL. Set one of these or provide SSO_SAML_CALLBACK_URL explicitly.'`
	`434`	`+ 'NEXT_PUBLIC_APP_URL or BETTER_AUTH_URL is required for SAML — it is used as the SP entity ID in SP metadata. Set one of these env vars.'`
`436`	`435`	`)`
`437`	`436`	`return false`
`438`	`437`	`}`