fix: register SAML login flow routes (login, ACS, metadata, logout, SLO)

The SAML handler functions existed but were never registered in setupRoutes(), causing 404s for all SAML authentication flows. Adds /api/saml/ prefix route with dispatcher for all 5 endpoints.
2026-05-22 19:36:46 +00:00 · 2026-02-11 13:29:05 +00:00 · 2026-02-11 13:29:05 +00:00 · bee3d05f0d
commit bee3d05f0d
parent 89969079b9
1 changed files with 24 additions and 0 deletions
--- a/internal/api/router.go
+++ b/internal/api/router.go
@ -597,6 +597,30 @@ func (r *Router) setupRoutes() {
 	r.mux.HandleFunc("/api/security/sso/providers/test", RequireAdmin(r.config, r.handleTestSSOProvider))
 	r.mux.HandleFunc("/api/security/sso/providers/metadata/preview", RequireAdmin(r.config, r.handleMetadataPreview))
 	r.mux.HandleFunc("/api/security/sso/providers/", RequireAdmin(r.config, r.handleSSOProvider))
+
+	// SAML login flow routes (unauthenticated - these are login/callback endpoints)
+	r.mux.HandleFunc("/api/saml/", func(w http.ResponseWriter, req *http.Request) {
+		parts := strings.Split(strings.TrimPrefix(req.URL.Path, "/"), "/")
+		if len(parts) < 4 {
+			http.NotFound(w, req)
+			return
+		}
+		switch parts[3] {
+		case "login":
+			r.handleSAMLLogin(w, req)
+		case "acs":
+			r.handleSAMLACS(w, req)
+		case "metadata":
+			r.handleSAMLMetadata(w, req)
+		case "logout":
+			r.handleSAMLLogout(w, req)
+		case "slo":
+			r.handleSAMLSLO(w, req)
+		default:
+			http.NotFound(w, req)
+		}
+	})
+
 	r.mux.HandleFunc("/api/security/tokens", RequirePermission(r.config, r.authorizer, auth.ActionAdmin, auth.ResourceUsers, func(w http.ResponseWriter, req *http.Request) {
 		switch req.Method {
 		case http.MethodGet: