Crate rustauth_sso

Expand description

Server-side enterprise single sign-on support for RustAuth.

The crate exposes an RustAuth plugin that adds Better Auth-compatible SSO provider management, OIDC sign-in, SAML ACS, SAML metadata, domain verification, and SAML single logout endpoints.

§SAML support

SAML 2.0 SP flows (sign-in, ACS, metadata, SLO) are implemented via the [rustauth_saml] crate and the pinned opensaml dependency. Enable the saml feature on this crate; use saml-signed on [rustauth_saml] for XMLDSig and XML-Enc. Without saml-signed, signed or encrypted IdP messages are rejected fail-closed.

§Example

use rustauth_sso::{sso, SsoOptions};

let plugin = sso(SsoOptions::default());
assert_eq!(plugin.id, "sso");

Re-exports§

pub use linking::NormalizedSsoProfile;

Modules§

linking: Stable SSO account-linking helpers.

Structs§

CreateSsoProviderInput: Input used to create an SSO provider record.
DnsTxtResolver: Async resolver used to verify domain ownership through DNS TXT records.
DomainVerificationOptions: Domain verification behavior for registered SSO providers.
OidcOptions: OIDC runtime and security behavior for SSO providers.
OidcProfileMapping: Mapping from OIDC claims to RustAuth profile fields.
OidcProviderConfig: OIDC configuration for an enterprise SSO provider.
OrganizationProvisioningOptions: Controls automatic organization membership assignment for SSO users.
OrganizationRoleInput: Input passed to organization role resolution after a successful SSO login.
OrganizationRoleResolver: Async callback that maps an SSO login to an organization role.
ProvidersLimitResolver: Async resolver used to compute a per-user dynamic provider limit.
ProvisionUserInput: Input passed to the provision_user hook.
ProvisionUserResolver: Async hook invoked after an SSO user is created or linked.
SamlAlgorithmOptions: SAML algorithm allow lists and deprecated algorithm behavior.
SamlConfig: SAML configuration for an SSO provider.
SamlIdpMetadata: IdP metadata fields accepted by SAML provider configuration.
SamlMapping: Mapping from SAML attributes to RustAuth profile fields.
SamlOptions: Runtime and security options for SAML flows.
SamlService: SAML metadata service endpoint.
SamlSpMetadata: Service provider metadata overrides.
SanitizedSsoProvider: Provider representation returned by public read endpoints.
SecretString: Secret string wrapper that redacts its value in Debug output.
SsoAuditEvent: Audit event emitted by the SSO plugin.
SsoAuditEventResolver: Async sink for SSO audit events.
SsoErrorDescriptor: Descriptor for a stable SSO error code registered by the plugin.
SsoOptions: Configuration for the RustAuth SSO plugin.
SsoProvider: Static SSO provider definition used by SsoOptions::default_sso.
SsoProviderRecord: Raw SSO provider record loaded from the adapter.
SsoProviderStore: Adapter-backed store for SSO provider records.
SsoRateLimitOptions: Rate limit rules contributed by the SSO plugin.

Enums§

DeprecatedAlgorithmBehavior: Behavior used when SAML algorithms are deprecated.
SsoAuditEventKind: SSO audit event kind emitted by provider, domain, SAML, and SLO flows.
SsoAuditSeverity: Severity level for SSO audit events.
SsoErrorCategory: High-level category for stable public SSO error codes.
TokenEndpointAuthentication: Supported OAuth token endpoint authentication methods.

Constants§

DEFAULT_MAX_SAML_METADATA_SIZE: Default maximum accepted IdP metadata XML size (100 KiB).
DEFAULT_MAX_SAML_RESPONSE_SIZE: Default maximum accepted base64 SAML response size (256 KiB).
UPSTREAM_PLUGIN_ID: Better Auth upstream plugin identifier used for endpoint and schema parity.
VERSION: Current crate version.

Functions§

sso: Build the server-side SSO plugin.
sso_error_category: Look up the high-level category for a stable SSO error code.
sso_error_descriptors: Return all SSO error descriptors known by the plugin.

Type Aliases§

OidcConfig: Backward-compatible OIDC provider config alias.
OidcMapping: Backward-compatible OIDC mapping alias.