SAML 2.0 SSO (service-provider) for the togo auth family — enterprise login via Okta, Azure AD, OneLogin, etc.
```sh
togo install togo-framework/auth-saml
```
Adds SAML 2.0 service-provider login to togo. It configures a SAML SP from env, exposes the standard SP endpoints, and, on a verified IdP assertion, finds or creates the user by the asserted email and issues an auth session via the auth plugin. Because accounts are matched and provisioned from that email, the IdP is the authority for it: only federate IdPs whose email attribute is administratively managed rather than user-editable. When unconfigured it registers cleanly and its endpoints return 501 (no crash).
| Env | Description |
|---|---|
| SAML_ROOT_URL | The app's external base URL, e.g. https://app.example.com |
| SAML_SP_CERT | The SP's X.509 certificate (PEM) |
| SAML_SP_KEY | The SP's RSA private key (PEM) |
| SAML_IDP_METADATA_URL | The IdP metadata URL (or use SAML_IDP_METADATA_XML) |
| SAML_IDP_METADATA_XML | The IdP metadata XML inline (alternative to the URL) |
| SAML_RETURN_URL | Post-login redirect (default /) |
Generate an SP keypair:

```sh
openssl req -x509 -newkey rsa:2048 -keyout sp.key -out sp.crt -days 3650 -nodes \
  -subj "/CN=app.example.com"
export SAML_SP_CERT="$(cat sp.crt)" SAML_SP_KEY="$(cat sp.key)"
```

-nodes writes sp.key unencrypted; keep it out of the repository and inject SAML_SP_KEY from your secrets store rather than a committed .env file.
Register the SP with your IdP using the metadata at /api/auth/saml/metadata (Entity ID + ACS URL are derived from SAML_ROOT_URL). Behind a reverse proxy or load balancer, SAML_ROOT_URL must be the public origin the browser sees, not the container's address: the IdP posts the assertion to the ACS URL it was registered with, so the two must agree.
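The derivation described above, as an added example written for this README and not the plugin's own code. It uses only the Go standard library, takes the two paths from the endpoint table, and assumes (the page does not say) that the SP advertises signed AuthnRequests, wants signed assertions, and uses the HTTP-POST binding for its ACS. The self-signed certificate generator exists only so the block runs without files; in a deployment the PEM comes from SAML_SP_CERT.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"html"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// SPEndpoints are the two URLs the IdP has to know. Both derive from
// SAML_ROOT_URL plus the fixed paths in this README's endpoint table.
type SPEndpoints struct{ EntityID, ACS string }

// DeriveSPEndpoints requires an absolute https root (plain http only for
// localhost) and drops trailing slashes so the derived paths never double up.
func DeriveSPEndpoints(rootURL string) (SPEndpoints, error) {
	u, err := url.Parse(strings.TrimSpace(rootURL))
	if err != nil || u.Scheme == "" || u.Host == "" {
		return SPEndpoints{}, fmt.Errorf("SAML_ROOT_URL must be an absolute URL, got %q", rootURL)
	}
	if u.Scheme != "https" && u.Hostname() != "localhost" {
		return SPEndpoints{}, fmt.Errorf("SAML_ROOT_URL must be https, got %s", u.Scheme)
	}
	base := u.Scheme + "://" + u.Host + strings.TrimRight(u.Path, "/")
	return SPEndpoints{EntityID: base + "/api/auth/saml/metadata", ACS: base + "/api/auth/saml/acs"}, nil
}

// certBase64 turns SAML_SP_CERT (PEM) into the bare base64 DER carried by
// ds:X509Certificate and rejects anything that is not a parseable certificate.
func certBase64(certPEM string) (string, error) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("SAML_SP_CERT is not a PEM CERTIFICATE block (swapped with SAML_SP_KEY?)")
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return "", fmt.Errorf("SAML_SP_CERT: %w", err)
	}
	return base64.StdEncoding.EncodeToString(block.Bytes), nil
}

// SPMetadata renders the EntityDescriptor handed to the IdP: the SP signs its
// AuthnRequests, wants signed assertions, and has one HTTP-POST ACS (assumed
// binding). html.EscapeString is XML-safe for the attribute values: it only
// emits &amp; &lt; &gt; &#34; &#39;.
func SPMetadata(rootURL, certPEM string) (string, error) {
	ep, err := DeriveSPEndpoints(rootURL)
	if err != nil {
		return "", err
	}
	cert, err := certBase64(certPEM)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="%s">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="%s" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
`, html.EscapeString(ep.EntityID), cert, html.EscapeString(ep.ACS)), nil
}

// NewSelfSignedSPCert is the stdlib equivalent of the openssl command above.
// Demo scaffolding only (panics instead of returning errors); use SAML_SP_CERT in practice.
func NewSelfSignedSPCert(cn string) string {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	md, err := SPMetadata("https://app.example.com/", NewSelfSignedSPCert("app.example.com"))
	if err != nil {
		panic(err)
	}
	fmt.Print(md)
}
```

Two details worth copying: the root URL is rebuilt from scheme, host and path only (a stray query or fragment in the env value cannot leak into the Entity ID), and the certificate is parsed before it is embedded, which catches the common mistake of exporting the key under SAML_SP_CERT with a clear error rather than an IdP-side failure hours later.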
| Method | Path | Purpose |
|---|---|---|
| GET | /api/auth/saml/metadata | SP metadata XML (give this to the IdP) |
| GET | /api/auth/saml/login?return=/admin | SP-initiated login → redirect to the IdP |
| POST | /api/auth/saml/acs | Assertion Consumer Service → verify, issue session, redirect |
| GET | /api/auth/saml/status | { "configured": bool } |
On success the ACS issues an auth session (cookie/JWT via the auth plugin) and redirects to the validated RelayState/return URL. Only local paths are accepted, so neither the return parameter on /login nor the RelayState echoed back through the IdP can turn the ACS into an open redirect; anything else is not followed.
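The "local paths only" rule, as an added example written for this README rather than taken from the plugin (function names and the fallback argument are assumptions). Both inputs are attacker-controlled: return is a query parameter on /login, and RelayState is an ordinary form field the browser posts to /acs, so the same check has to run at both places even though the SP itself wrote the RelayState on the way out.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeReturnPath returns candidate if it is a same-origin absolute path and
// fallback (the SAML_RETURN_URL default of "/") otherwise. Call it on the
// `return` parameter at /api/auth/saml/login before placing the value in
// RelayState, and again on the RelayState received at /api/auth/saml/acs.
// Hypothetical helper, not the plugin's own API.
func SafeReturnPath(candidate, fallback string) string {
	if p, ok := checkReturnPath(candidate); ok {
		return p
	}
	return fallback
}

func checkReturnPath(s string) (string, bool) {
	if s == "" || len(s) > 2048 {
		return "", false
	}
	// Browsers strip tab and newline from URLs before parsing, so "/\t/evil"
	// becomes "//evil"; CR/LF would also split the Location header. Reject all
	// control characters before any other check.
	for _, r := range s {
		if r < 0x20 || r == 0x7f {
			return "", false
		}
	}
	// Exactly one leading slash: "//evil.example" is a protocol-relative URL,
	// and browsers treat "/\evil.example" the same way, so backslashes are
	// banned outright rather than only in the second position.
	if s[0] != '/' || strings.ContainsRune(s, '\\') || (len(s) > 1 && s[1] == '/') {
		return "", false
	}
	u, err := url.Parse(s)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return "", false
	}
	// Emit the canonical path+query and drop the fragment, then re-check the
	// canonical form rather than trusting the raw input.
	out := u.EscapedPath()
	if u.RawQuery != "" {
		out += "?" + u.RawQuery
	}
	if !strings.HasPrefix(out, "/") || strings.HasPrefix(out, "//") {
		return "", false
	}
	return out, true
}

func main() {
	// Constructed inputs: one legitimate return path and the usual bypass attempts.
	for _, in := range []string{"/admin?tab=users#x", "//evil.example", "/\\evil.example",
		"/\t/evil.example", "https://evil.example/", "javascript:alert(1)", "/a\r\nSet-Cookie: x=1"} {
		fmt.Printf("%-28q -> %q\n", in, SafeReturnPath(in, "/"))
	}
}
```

An alternative that avoids trusting the echoed value at all is to put an opaque random token in RelayState and keep the token-to-path mapping server-side; the check above still applies to the path when it is first read from the return parameter.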