🔑feat: SAML authentication

[tsutsu3]

Pull Request Template

⚠️ Before Submitting a PR, Please Review:

• Please ensure that you have thoroughly read and understood the Contributing Docs before submitting your Pull Request.

⚠️ Documentation Updates Notice:

• Kindly note that documentation updates are managed in this repository: librechat.ai

Summary

ref: #6034

Many organizations use SAML for single sign-on (SSO) authentication.
Adding SAML login support allows seamless integration with enterprise authentication systems, improving security and user convenience.

Dependencies:

• node-saml/passport-saml
• passport-saml-metadata
• xml2js

Key Points

• Implemented SAML authentication using a issuer, entry_point, cert.
• Single Logout (SLO) is not supported.
• Disabling SAML registration from the LibreChat UI is not supported.
• SAML_CERT supports both a cert file path and a cert string.
• SAML is disabled if OpenID is enabled (mutually exclusive authentication methods).
• Support Signed SAML Response and Signed SAML Assertion.

Concerns

• SAML icon and its license.
• How to register the com_auth_saml_login key in Locize. (not yet)

Change Type

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update
• Translation update

Testing

Test Configuration:

See: LibreChat-AI/librechat.ai#255

Setup Auth0 SAML and .env.

Checklist

Please delete any irrelevant options.

• My code adheres to this project's style guidelines
• I have performed a self-review of my own code
• I have commented in any complex areas of my code
• I have made pertinent documentation changes
• My changes do not introduce new warnings
• I have written tests demonstrating that my changes are effective or that my feature works
• Local unit tests pass with my changes
• Any changes dependent on mine have been merged and published in downstream modules.
• A pull request for updating the documentation has been submitted.

[rubentalstra]

please have a look at my comment at:
docker-compose.override.yml.example

[rubentalstra]

I think you missed here something? you mean the cert file here right?

[tsutsu3]

Yes

[rubentalstra]

I think you still made a typo 😅 ycert.pem

[tsutsu3]

Changed it to your_cert.pem

[rubentalstra]

I'm not sure about this file. about this logic in specific:

samlLoginEnabled: !isOpenIdEnabled && isSamlEnabled,

[tsutsu3]

This logic is designed to ensure that only one authentication method, either OpenID or SAML, can be enabled at a time.

I thought the comment no that you can only setup OpenID or SAML also in the backend api suggested that OpenID and SAML should be mutually exclusive.

[rubentalstra]

Yeah you're correct. It's not common to allow SAML and OpenID authentication at the same time.

But it's more about the changes you made in that file that I'm not fully sure about that's all. I just need to have a good look. 👀

[tsutsu3]

Testing with different combinations of app session, IdP session, and SAML token expiration...

Especially curious about the behavior when the IdP session expires while the app session remains active—want to align it with OpenID behavior.

---

result:

Same behavior as OpenID:

Reauthentication is required only if both the app session has expired (or the user has logged out) and the IdP session is also expired.