[GH-ISSUE #7052] SSO SAML acsEndpoint uses case-sensitive email lookup, causing login failures #10716

New Issue

GiteaMirror · 2026-04-13T07:01:27-05:00

GiteaMirror commented

2026-04-13 07:01:27 -05:00

Originally created by @penguine-ip on GitHub (Dec 29, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/7052

Originally assigned to: @Paola3stefania on GitHub.

Is this suited for github?

Yes, this is suited for github

To Reproduce

User signs up via SAML SSO - email stored as user@example.com (lowercase)
IdP (Okta) sends User@Example.com (mixed case) on subsequent login
acsEndpoint queries for User@Example.com - no match found (PostgreSQL is case-sensitive)
Code falls into else block and tries to create a new user
Fails with Unique constraint failed on the fields: (email)

Error

PrismaClientKnownRequestError: 
Invalid `prisma.user.create()` invocation:
Unique constraint failed on the fields: (`email`)

Current vs. Expected behavior

Current Behavior

acsEndpoint searches for users using the email exactly as received from the IdP
PostgreSQL performs case-sensitive string comparison
User lookup fails when IdP sends User@Example.com but database has user@example.com
System attempts to create a new user, which fails due to unique constraint

Expected Behavior

The user lookup in acsEndpoint should be consistent with how the user was originally created
Since handleOAuthUserInfo lowercases emails when creating users, acsEndpoint should also lowercase emails when looking them up

Suggested Fix

Either:

Option A: Lowercase the email before the user lookup in acsEndpoint:

const existingUser = await ctx.context.adapter.findOne({
  model: "user",
  where: [{
    field: "email",
    value: userInfo.email.toLowerCase()  // Add .toLowerCase()
  }]
});

This should also be applied to userInfo.email when creating accounts and any other email comparisons in the SSO plugin.

Option B: Refactor acsEndpoint to use handleOAuthUserInfo instead of implementing its own user lookup/creation logic, ensuring consistent behavior across all OAuth/SSO flows.

What version of Better Auth are you using?

better-auth: 1.4.3 - @better-auth/sso: 1.4.3

System info

Database: PostgreSQL

Which area(s) are affected? (Select all that apply)

Package

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  emailAndPassword: {  
    enabled: true
  },
});

Additional context

There is an inconsistency between how users are created and how they are looked up in the SAML flow.

User Creation Flow

When a new user signs up via SAML SSO, acsEndpoint eventually stores the user with a lowercased email (either directly or through internal adapters). For example, a user signing up as User@Example.com gets stored as user@example.com.

User Lookup Flow (the bug)

On subsequent logins, acsEndpoint searches for the user using the email exactly as received from the IdP:

const existingUser = await ctx.context.adapter.findOne({
  model: "user",
  where: [{
    field: "email",
    value: userInfo.email  // ❌ Not lowercased - uses "User@Example.com"
  }]
});

Since PostgreSQL string comparison is case-sensitive:

Query searches for: User@Example.com
Database has: user@example.com
No match found

The code then falls into the else block and attempts to create a new user, which fails with a unique constraint error.

Comparison with `handleOAuthUserInfo`

The core handleOAuthUserInfo function (used by OIDC SSO, social OAuth, etc.) handles this correctly by lowercasing the email:

const dbUser = await c.context.internalAdapter.findOAuthUser(
  userInfo.email.toLowerCase(),  // ✅ Lowercased
  account.accountId,
  account.providerId
)

Why does `acsEndpoint` behave differently?

handleOAuthUserInfo is used by OIDC SSO callback, social OAuth providers, and generic OAuth flows
acsEndpoint (SAML callback at /sso/saml2/sp/acs/:providerId) implements its own user lookup logic instead of delegating to handleOAuthUserInfo

This custom implementation in acsEndpoint doesn't lowercase the email, causing the inconsistency between user creation and lookup.

I'm happy to submit a PR for this fix. What is your release cycle? We're currently experiencing this issue in production and need the fix urgently.

Thanks!

Originally created by @penguine-ip on GitHub (Dec 29, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/7052 Originally assigned to: @Paola3stefania on GitHub. ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce ## To Reproduce 1. User signs up via SAML SSO - email stored as `user@example.com` (lowercase) 2. IdP (Okta) sends `User@Example.com` (mixed case) on subsequent login 3. `acsEndpoint` queries for `User@Example.com` - no match found (PostgreSQL is case-sensitive) 4. Code falls into `else` block and tries to create a new user 5. Fails with `Unique constraint failed on the fields: (email)` ### Error ``` PrismaClientKnownRequestError: Invalid `prisma.user.create()` invocation: Unique constraint failed on the fields: (`email`) ``` ### Current vs. Expected behavior ### Current Behavior - `acsEndpoint` searches for users using the email exactly as received from the IdP - PostgreSQL performs case-sensitive string comparison - User lookup fails when IdP sends `User@Example.com` but database has `user@example.com` - System attempts to create a new user, which fails due to unique constraint ### Expected Behavior - The user lookup in `acsEndpoint` should be consistent with how the user was originally created - Since `handleOAuthUserInfo` lowercases emails when creating users, `acsEndpoint` should also lowercase emails when looking them up ### Suggested Fix Either: **Option A:** Lowercase the email before the user lookup in `acsEndpoint`: ```javascript const existingUser = await ctx.context.adapter.findOne({ model: "user", where: [{ field: "email", value: userInfo.email.toLowerCase() // Add .toLowerCase() }] }); ``` This should also be applied to `userInfo.email` when creating accounts and any other email comparisons in the SSO plugin. **Option B:** Refactor `acsEndpoint` to use `handleOAuthUserInfo` instead of implementing its own user lookup/creation logic, ensuring consistent behavior across all OAuth/SSO flows. ### What version of Better Auth are you using? `better-auth`: 1.4.3 - `@better-auth/sso`: 1.4.3 ### System info ```bash Database: PostgreSQL ``` ### Which area(s) are affected? (Select all that apply) Package ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ emailAndPassword: { enabled: true }, }); ``` ### Additional context There is an inconsistency between how users are created and how they are looked up in the SAML flow. ### User Creation Flow When a new user signs up via SAML SSO, `acsEndpoint` eventually stores the user with a lowercased email (either directly or through internal adapters). For example, a user signing up as `User@Example.com` gets stored as `user@example.com`. ### User Lookup Flow (the bug) On subsequent logins, `acsEndpoint` searches for the user using the email exactly as received from the IdP: ```javascript const existingUser = await ctx.context.adapter.findOne({ model: "user", where: [{ field: "email", value: userInfo.email // ❌ Not lowercased - uses "User@Example.com" }] }); ``` Since PostgreSQL string comparison is case-sensitive: - Query searches for: `User@Example.com` - Database has: `user@example.com` - **No match found** The code then falls into the `else` block and attempts to create a new user, which fails with a unique constraint error. ### Comparison with `handleOAuthUserInfo` The core `handleOAuthUserInfo` function (used by OIDC SSO, social OAuth, etc.) handles this correctly by lowercasing the email: ```javascript const dbUser = await c.context.internalAdapter.findOAuthUser( userInfo.email.toLowerCase(), // ✅ Lowercased account.accountId, account.providerId ) ``` ### Why does `acsEndpoint` behave differently? - **`handleOAuthUserInfo`** is used by OIDC SSO callback, social OAuth providers, and generic OAuth flows - **`acsEndpoint`** (SAML callback at `/sso/saml2/sp/acs/:providerId`) implements its **own user lookup logic** instead of delegating to `handleOAuthUserInfo` This custom implementation in `acsEndpoint` doesn't lowercase the email, causing the inconsistency between user creation and lookup. I'm happy to submit a PR for this fix. What is your release cycle? We're currently experiencing this issue in production and need the fix urgently. Thanks!

GiteaMirror added the locked bug labels 2026-04-13 07:01:28 -05:00

GiteaMirror closed this issue

2026-04-13 07:01:28 -05:00

GiteaMirror commented

2026-04-13 07:01:29 -05:00

@better-auth-agent[bot] commented on GitHub (Dec 29, 2025):

It looks like you've encountered an issue with the SAML SSO acsEndpoint where email lookups are case-sensitive, leading to login failures. This inconsistency arises because the email is stored in lowercase, but the IdP may send it in mixed case.

To address this problem, you can implement one of the following solutions:

Lowercase the email before performing the user lookup in acsEndpoint:

const existingUser = await ctx.context.adapter.findOne({
  model: "user",
  where: [{
    field: "email",
    value: userInfo.email.toLowerCase()
  }]
});

Refactor acsEndpoint to utilize handleOAuthUserInfo, maintaining consistency in how emails are handled.

It's important to note that there's an open issue related to this behavior, highlighting that the acsEndpoint should align with user creation practices to prevent such errors from occurring [1], [2].

Regarding your question about submitting a PR, it’s recommended to check in with the Better Auth team to get clarity on the release cycle and urgency for fixes, since production issues can require swift resolutions.

Have you considered detailing your experience with the issue in your PR to ensure it gets prioritized?

If you need more help, tag @better-auth-agent in a comment so I can respond.

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Dec 29, 2025): It looks like you've encountered an issue with the SAML SSO `acsEndpoint` where email lookups are case-sensitive, leading to login failures. This inconsistency arises because the email is stored in lowercase, but the IdP may send it in mixed case. To address this problem, you can implement one of the following solutions: 1. **Lowercase the email** before performing the user lookup in `acsEndpoint`: ```javascript const existingUser = await ctx.context.adapter.findOne({ model: "user", where: [{ field: "email", value: userInfo.email.toLowerCase() }] }); ``` 2. **Refactor `acsEndpoint`** to utilize `handleOAuthUserInfo`, maintaining consistency in how emails are handled. It's important to note that there's an open issue related to this behavior, highlighting that the `acsEndpoint` should align with user creation practices to prevent such errors from occurring [[1]](https://github.com/better-auth/better-auth/issues/3615), [[2]](https://www.better-auth.com/docs/guides/saml-sso-with-okta). Regarding your question about submitting a PR, it’s recommended to check in with the Better Auth team to get clarity on the release cycle and urgency for fixes, since production issues can require swift resolutions. Have you considered detailing your experience with the issue in your PR to ensure it gets prioritized? _If you need more help, tag @better-auth-agent in a comment so I can respond._  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/skyvern_ultra_detailed_interactive.html) • [Discord](https://discord.gg/fG2XXEuQX3) • [GitHub](https://github.com/Skyvern-AI/Skyvern) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/skyvern_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/fG2XXEuQX3) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/Skyvern-AI/Skyvern)

GiteaMirror commented

2026-04-13 07:01:30 -05:00

@bytaesu commented on GitHub (Jan 14, 2026):

@Paola3stefania could you check this 🙏

@bytaesu commented on GitHub (Jan 14, 2026): @Paola3stefania could you check this 🙏

GiteaMirror commented

2026-04-13 07:01:30 -05:00

@Paola3stefania commented on GitHub (Jan 19, 2026):

@penguine-ip thank you for raising this, working on it atm

@Paola3stefania commented on GitHub (Jan 19, 2026): @penguine-ip thank you for raising this, working on it atm

GiteaMirror commented

2026-04-13 07:01:31 -05:00

@penguine-ip commented on GitHub (Jan 20, 2026):

Hey @Paola3stefania no problem thanks for the fix - could you let me know when this change is out on a new release? Thank you.

@penguine-ip commented on GitHub (Jan 20, 2026): Hey @Paola3stefania no problem thanks for the fix - could you let me know when this change is out on a new release? Thank you.

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#10716

[GH-ISSUE #7052] SSO SAML acsEndpoint uses case-sensitive email lookup, causing login failures #10716

Is this suited for github?

To Reproduce

To Reproduce

Error

Current vs. Expected behavior

Current Behavior

Expected Behavior

Suggested Fix

What version of Better Auth are you using?

System info

Which area(s) are affected? (Select all that apply)

Auth config (if applicable)

Additional context

User Creation Flow

User Lookup Flow (the bug)

Comparison with handleOAuthUserInfo

Why does acsEndpoint behave differently?

[GH-ISSUE #7052] SSO SAML `acsEndpoint` uses case-sensitive email lookup, causing login failures #10716

Comparison with `handleOAuthUserInfo`

Why does `acsEndpoint` behave differently?