disableImplicitSignUp not used for for SAML-based SSO providers #2300

New Issue

GiteaMirror · 2026-03-13T09:42:27-05:00

GiteaMirror commented

2026-03-13 09:42:27 -05:00

Originally created by @kanarian on GitHub (Nov 13, 2025).

Is this suited for github?

Yes, this is suited for github

To Reproduce

Install the @better-auth/sso plugin.
In your auth configurations, add a SAML-based defaultSSO provider such as DummyIDP.
Inside of your auth configurations, set disableImplictSignUp to true.
Use the Identity Provider to login to your application using an email-address that does not exist in your database.

Current vs. Expected behavior

Following the previous steps, I expected that, since the email-address did not exist and disableImplicitSignUp is true, that the user would not be allowed to login, because they do not have an account and implicit sign up is disabled.

However, to my surprise, an Account entry and a User entry do get created for this email-address.

It seems like disableImplicitSignUp is ignored.

I found that the callbackSSOSAML function does not check for disableImplicitSignUp when creating a User or Account if one does not exist (e.g. here in the source code).

I noticed that the callbackSSO function does not directly create a User or Account, but uses the handleOAuthUserInfo function. handleOAuthUserInfo then uses implicitDisableSignUp to ensure that neither an Account nor a User is created.

Is there any reason as to why the callbackSSOSAML does not use the handleOAuthUserInfo function? Could be a way to fix the bug I reckon. Thanks!

What version of Better Auth are you using?

1.3.34

System info

{
  "system": {
    "platform": "darwin",
    "arch": "arm64",
    "version": "Darwin Kernel Version 23.6.0: Mon Jul 29 21:14:21 PDT 2024; root:xnu-10063.141.2~1/RELEASE_ARM64_T8103",
    "release": "23.6.0",
    "cpuCount": 8,
    "cpuModel": "Apple M1",
    "totalMemory": "16.00 GB",
    "freeMemory": "0.12 GB"
  },
  "node": {
    "version": "v22.15.1",
    "env": "development"
  },
  "packageManager": {
    "name": "npm",
    "version": "11.6.2"
  },
  "frameworks": [
    {
      "name": "next",
      "version": "^15.5.5"
    },
    {
      "name": "react",
      "version": "18.2.0"
    }
  ],
  "databases": [
    {
      "name": "@prisma/client",
      "version": "^6.18.0"
    }
  ],
  "betterAuth": {
    "version": "^1.3.34",
    "config": {
      "logger": {
        "level": "debug"
      },
      "trustedOrigins": [LIST_OF_TRUSTED_ORIGINS],
      "emailAndPassword": {
        "enabled": true,
        "requireEmailVerification": true,
        "minPasswordLength": 12,
        "autoSignIn": true,
        "password": {}
      },
      "emailVerification": {
        "enabled": true,
        "sendOnSignUp": true,
        "autoSignInAfterVerification": false,
        "expiresIn": 3600
      },
      "hooks": {},
      "account": {
        "modelName": "Account",
        "accountLinking": {
          "enabled": true,
          "trustedProviders": [
            "sso"
          ]
        }
      },
      "session": {
        "modelName": "Session",
        "cookieCache": {
          "enabled": false
        }
      },
      "user": {
        "modelName": "User",
        "fields": {
          "emailVerified": "emailVerifiedBoolean"
        },
        "additionalFields": {
          "language": {
            "type": "string",
            "required": true,
            "default": "NL",
            "enum": [
              "NL",
              "EN"
            ]
          },
          "firstName": {
            "type": "string",
            "required": true
          },
          "lastName": {
            "type": "string",
            "required": true
          },
          "codeUsedToRegister": {
            "type": "string",
            "required": false
          }
        }
      },
      "verification": {
        "modelName": "Verification"
      },
      "plugins": [
        {
          "name": "sso",
          "config": {
            "id": "sso",
            "endpoints": {},
            "schema": {
              "ssoProvider": {
                "fields": {
                  "issuer": {
                    "type": "string",
                    "required": true
                  },
                  "oidcConfig": {
                    "type": "string",
                    "required": false
                  },
                  "samlConfig": {
                    "type": "string",
                    "required": false
                  },
                  "userId": {
                    "type": "string",
                    "references": {
                      "model": "user",
                      "field": "id"
                    }
                  },
                  "providerId": {
                    "type": "string",
                    "required": true,
                    "unique": true
                  },
                  "organizationId": {
                    "type": "string",
                    "required": false
                  },
                  "domain": {
                    "type": "string",
                    "required": true
                  }
                }
              }
            }
          }
        },
        {
          "name": "custom-session",
          "config": {
            "id": "custom-session",
            "hooks": {
              "after": [
                {}
              ]
            },
            "endpoints": {}
          }
        },
        {
          "name": "email-otp",
          "config": {
            "id": "email-otp",
            "endpoints": {},
            "hooks": {
              "after": [
                {}
              ]
            },
            "$ERROR_CODES": {
              "OTP_EXPIRED": "otp expired",
              "INVALID_OTP": "Invalid OTP",
              "INVALID_EMAIL": "Invalid email",
              "USER_NOT_FOUND": "User not found",
              "TOO_MANY_ATTEMPTS": "Too many attempts"
            },
            "rateLimit": [
              {
                "window": 60,
                "max": 3
              },
              {
                "window": 60,
                "max": 3
              },
              {
                "window": 60,
                "max": 3
              },
              {
                "window": 60,
                "max": 3
              }
            ]
          }
        },
        {
          "name": "admin",
          "config": {
            "id": "admin",
            "hooks": {
              "after": [
                {}
              ]
            },
            "endpoints": {},
            "$ERROR_CODES": {
              "FAILED_TO_CREATE_USER": "Failed to create user",
              "USER_ALREADY_EXISTS": "User already exists.",
              "USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL": "User already exists. Use another email.",
              "YOU_CANNOT_BAN_YOURSELF": "You cannot ban yourself",
              "YOU_ARE_NOT_ALLOWED_TO_CHANGE_USERS_ROLE": "You are not allowed to change users role",
              "YOU_ARE_NOT_ALLOWED_TO_CREATE_USERS": "You are not allowed to create users",
              "YOU_ARE_NOT_ALLOWED_TO_LIST_USERS": "You are not allowed to list users",
              "YOU_ARE_NOT_ALLOWED_TO_LIST_USERS_SESSIONS": "You are not allowed to list users sessions",
              "YOU_ARE_NOT_ALLOWED_TO_BAN_USERS": "You are not allowed to ban users",
              "YOU_ARE_NOT_ALLOWED_TO_IMPERSONATE_USERS": "You are not allowed to impersonate users",
              "YOU_ARE_NOT_ALLOWED_TO_REVOKE_USERS_SESSIONS": "You are not allowed to revoke users sessions",
              "YOU_ARE_NOT_ALLOWED_TO_DELETE_USERS": "You are not allowed to delete users",
              "YOU_ARE_NOT_ALLOWED_TO_SET_USERS_PASSWORD": "[REDACTED]",
              "BANNED_USER": "You have been banned from this application",
              "YOU_ARE_NOT_ALLOWED_TO_GET_USER": "You are not allowed to get user",
              "NO_DATA_TO_UPDATE": "No data to update",
              "YOU_ARE_NOT_ALLOWED_TO_UPDATE_USERS": "You are not allowed to update users",
              "YOU_CANNOT_REMOVE_YOURSELF": "You cannot remove yourself",
              "YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE": "You are not allowed to set a non-existent role value"
            },
            "schema": {
              "user": {
                "fields": {
                  "role": {
                    "type": "string",
                    "required": false,
                    "input": false
                  },
                  "banned": {
                    "type": "boolean",
                    "defaultValue": false,
                    "required": false,
                    "input": false
                  },
                  "banReason": {
                    "type": "string",
                    "required": false,
                    "input": false
                  },
                  "banExpires": {
                    "type": "date",
                    "required": false,
                    "input": false
                  }
                }
              },
              "session": {
                "fields": {
                  "impersonatedBy": {
                    "type": "string",
                    "required": false
                  }
                }
              }
            },
            "options": {
              "adminRoles": [
                "ADMIN"
              ],
              "defaultRole": "USER",
              "roles": {
                "COACH": {
                  "statements": {
                    "user": [
                      "create"
                    ]
                  }
                }
              }
            }
          }
        },
        {
          "name": "next-cookies",
          "config": {
            "id": "next-cookies",
            "hooks": {
              "after": [
                {}
              ]
            }
          }
        }
      ]
    }
  }
}

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

Additional context

No response

Originally created by @kanarian on GitHub (Nov 13, 2025). ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce 1. Install the `@better-auth/sso` plugin. 2. In your auth configurations, add a **SAML-based** `defaultSSO` provider such as [DummyIDP](https://dummyidp.com/). 3. Inside of your auth configurations, set `disableImplictSignUp` to `true`. 4. Use the Identity Provider to login to your application using an email-address that does not exist in your database. ### Current vs. Expected behavior Following the previous steps, I expected that, since the email-address did not exist and `disableImplicitSignUp` is true, that the user would not be allowed to login, because they do not have an account and implicit sign up is disabled. However, to my surprise, an Account entry and a User entry do get created for this email-address. It seems like `disableImplicitSignUp` is ignored. I found that the [`callbackSSOSAML` function](https://github.com/better-auth/better-auth/blob/ea1cf04d76cd45105a99363b62069f33dbbf2a42/packages/sso/src/routes/sso.ts#L1280) does not check for `disableImplicitSignUp` when creating a User or Account if one does not exist (e.g. [here in the source code](https://github.com/better-auth/better-auth/blob/ea1cf04d76cd45105a99363b62069f33dbbf2a42/packages/sso/src/routes/sso.ts#L1587)). I noticed that the `callbackSSO` function does not directly create a User or Account, but uses the `handleOAuthUserInfo` function. `handleOAuthUserInfo` then uses `implicitDisableSignUp` to ensure that neither an Account nor a User is created. Is there any reason as to why the `callbackSSOSAML` does not use the `handleOAuthUserInfo` function? Could be a way to fix the bug I reckon. Thanks! ### What version of Better Auth are you using? 1.3.34 ### System info ```bash { "system": { "platform": "darwin", "arch": "arm64", "version": "Darwin Kernel Version 23.6.0: Mon Jul 29 21:14:21 PDT 2024; root:xnu-10063.141.2~1/RELEASE_ARM64_T8103", "release": "23.6.0", "cpuCount": 8, "cpuModel": "Apple M1", "totalMemory": "16.00 GB", "freeMemory": "0.12 GB" }, "node": { "version": "v22.15.1", "env": "development" }, "packageManager": { "name": "npm", "version": "11.6.2" }, "frameworks": [ { "name": "next", "version": "^15.5.5" }, { "name": "react", "version": "18.2.0" } ], "databases": [ { "name": "@prisma/client", "version": "^6.18.0" } ], "betterAuth": { "version": "^1.3.34", "config": { "logger": { "level": "debug" }, "trustedOrigins": [LIST_OF_TRUSTED_ORIGINS], "emailAndPassword": { "enabled": true, "requireEmailVerification": true, "minPasswordLength": 12, "autoSignIn": true, "password": {} }, "emailVerification": { "enabled": true, "sendOnSignUp": true, "autoSignInAfterVerification": false, "expiresIn": 3600 }, "hooks": {}, "account": { "modelName": "Account", "accountLinking": { "enabled": true, "trustedProviders": [ "sso" ] } }, "session": { "modelName": "Session", "cookieCache": { "enabled": false } }, "user": { "modelName": "User", "fields": { "emailVerified": "emailVerifiedBoolean" }, "additionalFields": { "language": { "type": "string", "required": true, "default": "NL", "enum": [ "NL", "EN" ] }, "firstName": { "type": "string", "required": true }, "lastName": { "type": "string", "required": true }, "codeUsedToRegister": { "type": "string", "required": false } } }, "verification": { "modelName": "Verification" }, "plugins": [ { "name": "sso", "config": { "id": "sso", "endpoints": {}, "schema": { "ssoProvider": { "fields": { "issuer": { "type": "string", "required": true }, "oidcConfig": { "type": "string", "required": false }, "samlConfig": { "type": "string", "required": false }, "userId": { "type": "string", "references": { "model": "user", "field": "id" } }, "providerId": { "type": "string", "required": true, "unique": true }, "organizationId": { "type": "string", "required": false }, "domain": { "type": "string", "required": true } } } } } }, { "name": "custom-session", "config": { "id": "custom-session", "hooks": { "after": [ {} ] }, "endpoints": {} } }, { "name": "email-otp", "config": { "id": "email-otp", "endpoints": {}, "hooks": { "after": [ {} ] }, "$ERROR_CODES": { "OTP_EXPIRED": "otp expired", "INVALID_OTP": "Invalid OTP", "INVALID_EMAIL": "Invalid email", "USER_NOT_FOUND": "User not found", "TOO_MANY_ATTEMPTS": "Too many attempts" }, "rateLimit": [ { "window": 60, "max": 3 }, { "window": 60, "max": 3 }, { "window": 60, "max": 3 }, { "window": 60, "max": 3 } ] } }, { "name": "admin", "config": { "id": "admin", "hooks": { "after": [ {} ] }, "endpoints": {}, "$ERROR_CODES": { "FAILED_TO_CREATE_USER": "Failed to create user", "USER_ALREADY_EXISTS": "User already exists.", "USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL": "User already exists. Use another email.", "YOU_CANNOT_BAN_YOURSELF": "You cannot ban yourself", "YOU_ARE_NOT_ALLOWED_TO_CHANGE_USERS_ROLE": "You are not allowed to change users role", "YOU_ARE_NOT_ALLOWED_TO_CREATE_USERS": "You are not allowed to create users", "YOU_ARE_NOT_ALLOWED_TO_LIST_USERS": "You are not allowed to list users", "YOU_ARE_NOT_ALLOWED_TO_LIST_USERS_SESSIONS": "You are not allowed to list users sessions", "YOU_ARE_NOT_ALLOWED_TO_BAN_USERS": "You are not allowed to ban users", "YOU_ARE_NOT_ALLOWED_TO_IMPERSONATE_USERS": "You are not allowed to impersonate users", "YOU_ARE_NOT_ALLOWED_TO_REVOKE_USERS_SESSIONS": "You are not allowed to revoke users sessions", "YOU_ARE_NOT_ALLOWED_TO_DELETE_USERS": "You are not allowed to delete users", "YOU_ARE_NOT_ALLOWED_TO_SET_USERS_PASSWORD": "[REDACTED]", "BANNED_USER": "You have been banned from this application", "YOU_ARE_NOT_ALLOWED_TO_GET_USER": "You are not allowed to get user", "NO_DATA_TO_UPDATE": "No data to update", "YOU_ARE_NOT_ALLOWED_TO_UPDATE_USERS": "You are not allowed to update users", "YOU_CANNOT_REMOVE_YOURSELF": "You cannot remove yourself", "YOU_ARE_NOT_ALLOWED_TO_SET_NON_EXISTENT_VALUE": "You are not allowed to set a non-existent role value" }, "schema": { "user": { "fields": { "role": { "type": "string", "required": false, "input": false }, "banned": { "type": "boolean", "defaultValue": false, "required": false, "input": false }, "banReason": { "type": "string", "required": false, "input": false }, "banExpires": { "type": "date", "required": false, "input": false } } }, "session": { "fields": { "impersonatedBy": { "type": "string", "required": false } } } }, "options": { "adminRoles": [ "ADMIN" ], "defaultRole": "USER", "roles": { "COACH": { "statements": { "user": [ "create" ] } } } } } }, { "name": "next-cookies", "config": { "id": "next-cookies", "hooks": { "after": [ {} ] } } } ] } } } ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript ``` ### Additional context _No response_

GiteaMirror added the bug label 2026-03-13 09:42:27 -05:00

GiteaMirror closed this issue

2026-03-13 09:42:27 -05:00

GiteaMirror commented

2026-03-13 09:42:30 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 13, 2025):

(tag @better-auth-agent if you would like an answer from the Agent)

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Nov 13, 2025): (tag @better-auth-agent if you would like an answer from the Agent)  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-03-13 09:42:30 -05:00

@kanarian commented on GitHub (Nov 13, 2025):

@better-auth-agent

@kanarian commented on GitHub (Nov 13, 2025): @better-auth-agent

GiteaMirror commented

2026-03-13 09:42:31 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 13, 2025):

Thanks for reporting this! It appears that when using a SAML-based SSO provider with the SSO plugin, the callback route for SAML is bypassing the usual user creation flow that respects the disableImplicitSignUp flag. Instead of calling the shared handleOAuthUserInfo function—which properly checks for disableImplicitSignUp—the callbackSSOSAML function directly creates a user and account, leading to implicit sign up even when it should be disabled [1][2].

As a next step, we’re looking into aligning the SAML callback with the expected behavior of handleOAuthUserInfo. In the meantime, you might consider intercepting the callback or adding additional middleware to verify the flag before completing the sign-in process as a temporary workaround.

Tag @better-auth-agent if you would like an answer from the Agent. Is there any additional context or a specific scenario you’re encountering that might help us further troubleshoot this issue?

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Nov 13, 2025): Thanks for reporting this! It appears that when using a SAML-based SSO provider with the SSO plugin, the callback route for SAML is bypassing the usual user creation flow that respects the disableImplicitSignUp flag. Instead of calling the shared handleOAuthUserInfo function—which properly checks for disableImplicitSignUp—the callbackSSOSAML function directly creates a user and account, leading to implicit sign up even when it should be disabled [[1]](https://github.com/better-auth/better-auth/issues/4125)[[2]](https://github.com/better-auth/better-auth/issues/1852). As a next step, we’re looking into aligning the SAML callback with the expected behavior of handleOAuthUserInfo. In the meantime, you might consider intercepting the callback or adding additional middleware to verify the flag before completing the sign-in process as a temporary workaround. Tag @better-auth-agent if you would like an answer from the Agent. Is there any additional context or a specific scenario you’re encountering that might help us further troubleshoot this issue?  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-03-13 09:42:31 -05:00

@rovertrack commented on GitHub (Nov 13, 2025):

while doing this did you have something like

await client.signIn.social({
		
			requestSignUp: true, // if true user gets created 
		
		});

@rovertrack commented on GitHub (Nov 13, 2025): while doing this did you have something like ``` await client.signIn.social({ requestSignUp: true, // if true user gets created }); ```

GiteaMirror commented

2026-03-13 09:42:31 -05:00

@kanarian commented on GitHub (Nov 13, 2025):

while doing this did you have something like
await client.signIn.social({
		
			requestSignUp: true, // if true user gets created 
		
		});

I did not, since I'm testing IdP-initiated SAML flows

@kanarian commented on GitHub (Nov 13, 2025): > while doing this did you have something like > > ``` > await client.signIn.social({ > > requestSignUp: true, // if true user gets created > > }); > ``` I did not, since I'm testing IdP-initiated SAML flows

GiteaMirror commented

2026-03-13 09:42:32 -05:00

@rovertrack commented on GitHub (Nov 13, 2025):

try once with requestsignup false

@rovertrack commented on GitHub (Nov 13, 2025): try once with requestsignup false

GiteaMirror commented

2026-03-13 09:42:32 -05:00

@kanarian commented on GitHub (Nov 13, 2025):

try once with requestsignup false

I set up a SP-initiated SAML flow with the following action:

const result = await authClient.signIn.sso({
          providerId: "sso",
          callbackURL: "/dashboard",
          requestSignUp: false,
});

but unfortunately, this still causes implicit sign-ups.

@kanarian commented on GitHub (Nov 13, 2025): > try once with requestsignup false I set up a SP-initiated SAML flow with the following action: ```ts const result = await authClient.signIn.sso({ providerId: "sso", callbackURL: "/dashboard", requestSignUp: false, }); ``` but unfortunately, this still causes implicit sign-ups.

GiteaMirror commented

2026-03-13 09:42:32 -05:00

@kanarian commented on GitHub (Nov 14, 2025):

Closing this issue since my PR with a fix got merged

https://github.com/better-auth/better-auth/pull/5966

@kanarian commented on GitHub (Nov 14, 2025): Closing this issue since my PR with a fix got merged https://github.com/better-auth/better-auth/pull/5966

GiteaMirror referenced this issue

2026-03-13 11:39:25 -05:00

[PR #2300] [MERGED] Corrections #4252

GiteaMirror referenced this issue

2026-04-13 08:25:23 -05:00

[PR #2300] [MERGED] Corrections #12499

GiteaMirror referenced this issue

2026-04-15 20:10:36 -05:00

[PR #2300] [MERGED] Corrections #21153

GiteaMirror referenced this issue

2026-04-17 21:06:19 -05:00

[PR #2300] [MERGED] Corrections #29853

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#2300

disableImplicitSignUp not used for for SAML-based SSO providers #2300

Is this suited for github?

To Reproduce

Current vs. Expected behavior

What version of Better Auth are you using?

System info

Which area(s) are affected? (Select all that apply)

Auth config (if applicable)

Additional context

`disableImplicitSignUp` not used for for SAML-based SSO providers #2300