Changelog

May 2026

SAML SP Proxy Mode

Added SAML Service Provider proxy mode support, allowing the SSO server to forward raw SAML assertions directly to external applications. Includes signing utilities, validation endpoints, and UI configuration.

Direct Skip-Auth Flow

Implemented direct skip-auth entry point for SSO-linked applications, enabling apps to bypass the UI dashboard while maintaining secure authentication. Added encoded parameter support for flexible integration.

DB-Backed SAML State

Implemented database-backed SAML state management to fix Keycloak RelayState truncation issues. Provides more reliable state persistence compared to session-only storage.

POST Redirect Support

Added support for external application redirection via POST method with encoded payload in body. Enables more secure and flexible integration with applications requiring POST-based callbacks.

๐Ÿ›

SAML Authentication Fixes

Fixed SAML UI mode redirect loops, ObjectId cast errors, POST binding handling, and CSP nonce integration. Improved defensive handling for appId parameters and added legacy URL format support.

Coolify Deployment

Added comprehensive Coolify deployment support with automated scripts, environment configuration, and versioned Docker tags. Streamlined deployment workflow for production environments.

🚀 Features

  • [07/05] feat (auth) Add tests for direct skip auth entry point and UI callback handling
  • [07/05] feat (auth) Add direct skip-auth entry point for SSO-linked apps
  • [05/05] feat (auth) Add encoded parameter support to skip-auth flow and UI
  • [05/05] feat (documentation) Add AGENTS.md with project overview, commands, and deployment docs #61810
  • [05/05] feat (auth) Add peekIdpToken to ssoToken import in auth routes #61810
  • [05/05] feat (scripts) Add interactive test setup CLI for OpenID, SAML, and encoded parameters #61810
  • [05/05] feat (examples) Add SAML SP Proxy Mode example application with documentation #61810
  • [17/03] feat (saml) Add SAML signing utility with assertion signing and verification capabilities
  • [17/03] feat (SAML) Add SAML SP proxy mode support with raw response forwarding
  • [17/03] feat (api) Add SAML SP proxy validation and SSO certificate endpoint
  • [17/03] feat (applications) Add SAML SP proxy mode configuration and validation
  • [17/03] feat: Add SAML SP Proxy Mode UI configuration and handlers
  • [10/03] feat (redirect) support external app POST redirection with encoded payload in body

๐Ÿ› Bug Fixes

  • [05/05] fix (auth.saml) Add CSP nonce to SAML auto-submit forms
  • [05/05] fix (auth.saml) Handle POST binding in SAML UI mode correctly
  • [05/05] fix (auth.saml) Defensive handling for appId and fix UI mode SAML initiation
  • [05/05] fix (auth.saml) Add redirect route for old SAML UI URL format
  • [05/05] fix (auth.saml) Fix redirect loop in SAML UI mode authentication
  • [05/05] fix (auth.saml) Handle UI mode in SAML route to prevent ObjectId cast error
  • [05/05] fix (auth) Handle UI mode in SAML auth callback for branch #61810
  • [05/05] fix (auth) Add constructRedirectUrl import for skip auth flow

📚 Documentation

  • [07/05] docs (encoded-parameters-integration) Add documentation for special parameters and validation rules
  • [05/05] docs (common) Update Skip-Auth Flow header in consumer quickstart #61810
  • [05/05] docs (consumer) Clarify default backend-to-backend auth flow in consumer docs
  • [05/05] docs (consumer) Add high-level quickstart guide for consumer teams
  • [05/05] docs (consumer) Add consumer-team onboarding guide
  • [05/05] docs (specs) Update SSO skip-auth flow spec with verified poc-10 SAML example
  • [17/03] docs: Add SAML SP Proxy Mode authentication flow documentation
  • [13/03] docs (feat-sso-server-external-redirect-post) Add specification for External App Redirection via POST #60629

🚜 Refactor

  • [07/05] refactor (routing) Preserve existing hash when no relativeURL provided in joinBaseAndRelativeUrl
  • [05/05] refactor (tests) Update Google OAuth test to include IDP tokens and restructure mocks #61810
  • [17/03] refactor (models) Add SAML SP Proxy Mode Configuration and hashRouting support

🧪 Testing

  • [05/05] test (auth.saml-sp) Add UI mode test to prevent ObjectId cast error #61810
  • [05/05] test (keycloak) Add _idpTokens object to expected user profile in unit test #61810
  • [05/05] test (config) add _idpTokens field to gitlab user mock #61810
  • [05/05] test (auth0) Add _idpTokens assertion in unit test #61810
  • [05/05] test (utils/ssoToken) Add unit tests for ssoToken utilities #61810
  • [05/05] test (auth) Add skipAuthFlow endpoint and SSO token verification tests #61810
  • [19/03] test (auth.saml.test.js) Add Application mock and populate mocks in SAML callback UI and regular app tests
  • [17/03] test (SAML SP) Add unit tests for SAML SP proxy mode validation #N/A

โš™๏ธ Miscellaneous Tasks

  • [05/05] chore (deployment) Use versioned Docker tags and no-cache build
  • [05/05] chore (deployment) Add Coolify deployment support with script, env example, and package.json updates #61810
  • [05/05] chore (docs) Add SAML SP Proxy Mode documentation and specifications #61810
  • [23/04] chore (deploy) Update coolify:deploy script to use new registry path in package.json #
  • [13/03] chore (common) Bump Docker image version in coolify:deploy script to 1.2.2 #60629

💼 Other

  • [18/05] Implement DB-backed SAML state to fix Keycloak RelayState truncation (#62137)
  • [05/05] Merge branch 'SSO-61810' into master
  • [05/05] Merge feat-proxy-mode into SSO-61810
  • [23/04] Merge branch 'SSO-61810' of ssh://git.geored.fr:220/RD_soft/pocs/google-login-poc
  • [19/03] {type} (applicationModule) Add SAML authentication configuration to unit tests{hash}
  • [13/03] Merge branch 'vk/84dd-feat-make-extern' into SSO-60629