feat(saml): validate SAML crypto algorithms during initial phase (#6785)

docs/content/docs/plugins/sso.mdx

@@ -1071,6 +1071,39 @@ sso({
 - **"SAML assertion has expired"** — Current time is after the `NotOnOrAfter` timestamp (plus clock skew)
 - **"SAML assertion missing required timestamp conditions"** — Assertion has no timestamps and `requireTimestamps` is enabled
 
+### Algorithm Validation
+
+Better Auth validates SAML cryptographic algorithms and warns about deprecated ones (SHA-1, RSA 1.5, 3DES) by default.
+
+```ts title="auth.ts"
+sso({
+    saml: {
+        algorithms: {
+            // "warn" (default) | "reject" | "allow"
+            onDeprecated: "warn",
+        },
+    },
+})
+```
+
+| Value | Behavior |
+|-------|----------|
+| `"warn"` | Log warning, allow authentication (default) |
+| `"reject"` | Throw error, block authentication |
+| `"allow"` | Silent, no validation |
+
+For strict security (production):
+
+```ts title="auth.ts"
+sso({
+    saml: {
+        algorithms: {
+            onDeprecated: "reject",
+        },
+    },
+})
+```
+
 ## Domain verification
 
 Domain verification allows your application to automatically trust a new SSO provider
@@ -1365,6 +1398,18 @@ If you want to allow account linking for specific trusted providers, enable the
                 type: "boolean",
                 default: false,
             },
+            algorithms: {
+                description: "Algorithm validation options.",
+                type: "object",
+                properties: {
+                    onDeprecated: {
+                        description: "Behavior for deprecated algorithms (SHA-1, RSA 1.5, 3DES).",
+                        type: "string",
+                        enum: ["reject", "warn", "allow"],
+                        default: "warn",
+                    },
+                },
+            },
         },
     },
     modelName: {