<div align="center"> <h3>Premium sponsors</h3> <p> <a href="https://id8media.com"><strong>ID8 Media</strong></a> · <a href="https://one-studio.co"><strong>One Studio</strong></a> </p> <p><sub>Support togo — <a href="https://github.com/sponsors/fadymondy">become a sponsor</a>.</sub></p> </div>
auth-saml
Auth
togo SAML 2.0 SSO — service-provider login (metadata/login/ACS) issuing an auth session
togo-framework
Install
```bash
togo install togo-framework/auth-saml
```
Adds SAML 2.0 service-provider login to togo. It configures a SAML SP from env, exposes the standard SP endpoints, and on a verified IdP assertion finds-or-creates the user by the asserted email and issues an auth session via the auth plugin. When unconfigured it registers cleanly and its endpoints return 501 (no crash).
Configuration
| Env | Description |
|---|---|
| SAML_ROOT_URL | the app's external base URL, e.g. https://app.example.com |
| SAML_SP_CERT | the SP's X.509 certificate (PEM) |
| SAML_SP_KEY | the SP's RSA private key (PEM) |
| SAML_IDP_METADATA_URL | the IdP metadata URL (or use SAML_IDP_METADATA_XML) |
| SAML_IDP_METADATA_XML | the IdP metadata XML inline (alternative to the URL) |
| SAML_RETURN_URL | post-login redirect (default /) |
Generate an SP keypair:
```bash
openssl req -x509 -newkey rsa:2048 -keyout sp.key -out sp.crt -days 3650 -nodes -subj "/CN=app.example.com"
export SAML_SP_CERT="$(cat sp.crt)" SAML_SP_KEY="$(cat sp.key)"
```
Register the SP with your IdP using the metadata at /api/auth/saml/metadata (Entity ID + ACS URL are derived from SAML_ROOT_URL).
Endpoints
| Method | Path | Purpose |
|---|---|---|
| GET | /api/auth/saml/metadata | SP metadata XML (give this to the IdP) |
| GET | /api/auth/saml/login?return=/admin | SP-initiated login → redirect to the IdP |
| POST | /api/auth/saml/acs | Assertion Consumer Service → verify, issue session, redirect |
| GET | /api/auth/saml/status | { "configured": bool } |
On success the ACS issues an auth session (cookie/JWT via the auth plugin) and redirects to the validated RelayState/return URL (open-redirect-safe — local paths only).
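The "local paths only" rule for the RelayState/return URL can be sketched as follows. This is an added example, not the plugin's own code: `safeReturnPath` is a hypothetical helper, the RelayState values are constructed, and the fallback `/` mirrors the documented `SAML_RETURN_URL` default.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// safeReturnPath (hypothetical helper) returns raw only when it is a local
// path on this origin; anything else falls back to the configured default.
func safeReturnPath(raw, fallback string) string {
	// Must be rooted at a single "/". Browsers resolve "//host" as a
	// scheme-relative URL, which would leave the origin.
	if !strings.HasPrefix(raw, "/") || strings.HasPrefix(raw, "//") {
		return fallback
	}
	// Browsers strip tabs and newlines and treat "\" like "/", so
	// "/\t/host" or "/\host" can collapse into "//host". Reject them all.
	for _, r := range raw {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return fallback
		}
	}
	// Final structural check: no scheme, host, or userinfo may be present.
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return fallback
	}
	return raw
}

func main() {
	// Constructed RelayState values, not taken from the plugin or its tests.
	for _, rs := range []string{
		"/admin", "/admin?tab=users", "", "https://evil.example/",
		"//evil.example/", "/\\evil.example/", "/\t/evil.example/", "admin",
	} {
		fmt.Printf("%-26q -> %q\n", rs, safeReturnPath(rs, "/"))
	}
}
```

Only the first two values survive; every other input is replaced by the fallback before the redirect is issued.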