SAML SSO in Next.js: the enterprise checklist

The first time an enterprise prospect asks for SAML SSO, the right reaction is not panic, it is to verify whether your auth library has it as a paid add-on or a separate service. Rolling your own SAML parser is one of the few things in 2026 still genuinely not worth doing.
What "SAML SSO" actually means
SAML (Security Assertion Markup Language) is the protocol enterprise IT teams use to let employees log in to third-party apps through their corporate identity provider: Okta, Azure AD, Google Workspace, OneLogin, Ping. The advantages for the enterprise customer are real: one place to deprovision when an employee leaves, MFA enforced at the IdP, and an audit log of who accessed what.
Two flow shapes:
- SP-initiated. User visits your app's /login, your app redirects to the IdP, the IdP authenticates, the IdP redirects back to your app's ACS (Assertion Consumer Service) URL with a signed assertion. Your app verifies the signature, creates a session, and sends the user to the dashboard.
- IdP-initiated. User clicks your app's tile in their Okta dashboard, Okta sends a signed assertion directly to your ACS URL. Same verification, same session, but the user never visited your /login.
A serious SSO implementation handles both. Many implementations only handle SP-initiated, which means the Okta tile experience is broken: annoying for users, and flagged in procurement as a half-implementation.
The enterprise checklist
What enterprise procurement actually asks for, in order:
- SAML 2.0 with signed assertions. Mandatory.
- SP- and IdP-initiated flows. Mandatory; many teams skip IdP-initiated and regret it.
- Just-in-time (JIT) provisioning. A new user who logs in via SSO should get an account on first login, not a "contact your admin" error.
- SCIM provisioning. A separate protocol from SAML for syncing the user directory. Mid-market customers ask for it less often; enterprise customers expect it.
- Audit log. Every login, every config change, every privileged action. This is what the security review actually reads.
- Multi-tenant SSO config. Each customer workspace has its own SAML config (IdP metadata, ACS URL). A flat "one SSO config for the whole app" does not work for B2B.
- Backup login. A break-glass admin account that still works when the IdP is down. Document this; it is the question the security review asks last.
The libraries to use
Three sensible paths:
- BoxyHQ Jackson. Open source, self-hostable SAML / OAuth bridge. The flexible option if you want SSO inside your own infrastructure.
- WorkOS. Hosted SSO + SCIM as a service. Polished, expensive at scale, fast to integrate.
- Stytch / Auth0 / Clerk Enterprise. All offer SAML as part of higher tiers. Picking one ties you to that auth provider's other primitives.
The wrong path is parsing the SAML XML yourself. The protocol's edge cases (signed assertions vs signed responses, encrypted assertions, the certificate rotation flow, the various NameID formats) are a tax someone else should pay.
Wiring it into a Next.js app
The integration in App Router is small once the library is picked:
- A POST /api/auth/saml/acs/route.ts that receives the assertion, verifies it through the SAML library, creates a session cookie, and redirects to the dashboard.
- A GET /api/auth/saml/login/route.ts that initiates the SP-initiated flow by generating the AuthnRequest and redirecting to the IdP.
- A workspace-level admin UI for uploading IdP metadata, setting the SAML callback URLs, and downloading SP metadata to give to the customer's IT team.
- An audit log row on every successful and failed SAML login, scoped to the workspace.
/saasforge-core ships SAML SSO hooks and the audit log primitive as part of the enterprise tier; the workspace-level config UI and the WorkOS / Jackson integration shape are already wired. A deeper SAML walkthrough with the working integration patterns lives on the (future) /features/saml-sso-nextjs page. For multi-tenant primitives plus the audit log SSO depends on, /saasforge-core is the shortest path to a SAML-ready SaaS.
Ship this with a Boilerlykit template
Skip the wiring. Each template ships the patterns from this article as production code with MDX docs.