From bee3d05f0d7b4d9e23c1ae39e65e05094dcef9dd Mon Sep 17 00:00:00 2001
From: rcourtman
Date: Wed, 11 Feb 2026 13:29:05 +0000
Subject: [PATCH] fix: register SAML login flow routes (login, ACS, metadata, logout, SLO)

The SAML handler functions existed but were never registered in setupRoutes(), causing 404s for all SAML authentication flows. Adds /api/saml/ prefix route with dispatcher for all 5 endpoints.
---
 internal/api/router.go | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/internal/api/router.go b/internal/api/router.go
index 084cc3913..3a973032b 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -597,6 +597,30 @@ func (r *Router) setupRoutes() {
 r.mux.HandleFunc("/api/security/sso/providers/test", RequireAdmin(r.config, r.handleTestSSOProvider))
 r.mux.HandleFunc("/api/security/sso/providers/metadata/preview", RequireAdmin(r.config, r.handleMetadataPreview))
 r.mux.HandleFunc("/api/security/sso/providers/", RequireAdmin(r.config, r.handleSSOProvider))
+
+ // SAML login flow routes (unauthenticated - these are login/callback endpoints)
+ r.mux.HandleFunc("/api/saml/", func(w http.ResponseWriter, req *http.Request) {
+ parts := strings.Split(strings.TrimPrefix(req.URL.Path, "/"), "/")
+ if len(parts) < 4 {
+ http.NotFound(w, req)
+ return
+ }
+ switch parts[3] {
+ case "login":
+ r.handleSAMLLogin(w, req)
+ case "acs":
+ r.handleSAMLACS(w, req)
+ case "metadata":
+ r.handleSAMLMetadata(w, req)
+ case "logout":
+ r.handleSAMLLogout(w, req)
+ case "slo":
+ r.handleSAMLSLO(w, req)
+ default:
+ http.NotFound(w, req)
+ }
+ })
+
 r.mux.HandleFunc("/api/security/tokens", RequirePermission(r.config, r.authorizer, auth.ActionAdmin, auth.ResourceUsers, func(w http.ResponseWriter, req *http.Request) {
 switch req.Method {
 case http.MethodGet:
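Review bot: The new `/api/saml/` dispatcher is reachable without authentication but validates only `len(parts) < 4` and `parts[3]`, so an empty third segment (presumably the provider ID, as in `/api/saml//login`) and any number of trailing segments after the action are still routed to the SAML handlers. Because this is pre-auth surface, I would accept exactly four segments with a non-empty third one, `if len(parts) != 4 || parts[2] == "" {`; a trailing slash would then 404, which seems acceptable for these endpoints. The closure also forwards every HTTP method, and the handlers are outside this hunk, so please confirm each one enforces its own method (for example POST-only on `acs`) or gate the method in the `switch`. A comment stating the expected path shape, such as `// path: /api/saml/{provider}/{action}`, would make the index `3` self-explanatory. `setupRoutes` itself begins and ends outside the hunk.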