From 78d83c50790b5882228f2e343a7663bbf70eb51e Mon Sep 17 00:00:00 2001
From: Conrad Kramer <conrad@conradkramer.com>
Date: Sun, 19 Apr 2026 01:49:25 -0700
Subject: [PATCH] Pin Zulip SAML ACS to https

---
 nixos/modules/burrow-zulip.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/nixos/modules/burrow-zulip.nix b/nixos/modules/burrow-zulip.nix
index 25d553d..e26cc3d 100644
--- a/nixos/modules/burrow-zulip.nix
+++ b/nixos/modules/burrow-zulip.nix
@@ -352,6 +352,15 @@ services:
         USE_X_FORWARDED_HOST = True
         SESSION_COOKIE_SECURE = True
         CSRF_COOKIE_SECURE = True
+        SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
+        SOCIAL_AUTH_SAML_REDIRECT_IS_HTTPS = True
+        SOCIAL_AUTH_SAML_SP_ENTITY_ID = "https://${cfg.domain}"
+        SOCIAL_AUTH_SAML_SP_EXTRA = {
+            "assertionConsumerService": {
+                "url": "https://${cfg.domain}/complete/saml/",
+                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+            },
+        }
         SOCIAL_AUTH_SAML_ORG_INFO = {
             "en-US": {
                 "displayname": "Burrow Zulip",