Context
ex_saml currently emits no :telemetry events. The only observability seam is the :on_error parse hook added in #29. Operators integrating SSO need first-class visibility into authentication outcomes (success, failure reasons, signature/replay/decrypt failures) to feed dashboards, alerting and SIEM/OCSF pipelines — without ex_saml owning the formatting.
Goal
Emit a documented set of :telemetry events across the SSO lifecycle, generalising the ad-hoc :on_error hook into a coherent observability layer.
Proposed events
- [:ex_saml, :signin, :start | :stop | :exception] — SP-initiated request build.
- [:ex_saml, :assertion, :consume, :start | :stop | :exception] — ACS processing, with idp_id, outcome, and failure reason on stop.
- [:ex_saml, :signature, :verify] — result (:ok / reason atom), algorithm, idp_id.
- [:ex_saml, :replay, :rejected] — anti-replay hit.
- [:ex_saml, :decrypt, :exception] — encrypted-assertion failures.
- [:ex_saml, :logout, :start | :stop].

Measurements carry durations where meaningful; metadata carries idp_id, sp_id, outcome, and a stable reason atom (never raw payloads).
Proposed scope
- :telemetry as a dependency and a thin ExSaml.Telemetry emit helper.
- AuthHandler, Core.Sp, Dsig, and the relay-state / replay path.
- :on_error hook working (or route it through telemetry) for backward compatibility.

Why
- ex_saml.
- reason atoms double as a contract for alerting on auth failures.

Relates to #29.
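
A consumer-side sketch of how an operator could subscribe to the events proposed above and keep raw payloads out of the log pipeline; it is an added illustration, not code from ex_saml or from the issue author. The event names and metadata keys are the proposal's. The module name SsoAuditHandler, the handler id, the :unclassified fallback and the sample values are assumptions, and :telemetry is assumed to be a dependency of the host application.

```elixir
defmodule SsoAuditHandler do
  require Logger

  # Event names copied from the proposal; ex_saml does not emit them yet.
  @events [
    [:ex_saml, :assertion, :consume, :stop],
    [:ex_saml, :assertion, :consume, :exception],
    [:ex_saml, :signature, :verify],
    [:ex_saml, :replay, :rejected],
    [:ex_saml, :decrypt, :exception]
  ]
  # Forward only the metadata keys the proposal names, never raw payloads.
  @allowed_keys [:idp_id, :sp_id, :outcome, :reason]

  def attach do
    :telemetry.attach_many("sso-audit", @events, &__MODULE__.handle_event/4, %{})
  end

  def handle_event(event, measurements, metadata, _config) do
    record = to_record(event, measurements, metadata)
    Logger.log(level(record), fn -> inspect(record) end)
  end

  # Builds the flat record handed to the log or SIEM pipeline.
  def to_record(event, measurements, metadata) do
    metadata
    |> Map.take(@allowed_keys)
    |> Map.update(:reason, nil, &safe_reason/1)
    |> Map.put(:event, Enum.join(event, "."))
    |> Map.put(:duration_ms, duration_ms(measurements))
  end

  # On :exception events emitted via :telemetry.span/3, :reason is the raised
  # term, which may embed payload text; only atoms pass through unchanged.
  defp safe_reason(reason) when is_atom(reason), do: reason
  defp safe_reason(_other), do: :unclassified
  defp duration_ms(%{duration: native}),
    do: System.convert_time_unit(native, :native, :millisecond)
  defp duration_ms(_), do: nil
  defp level(%{event: "ex_saml.replay.rejected"}), do: :warning
  defp level(%{reason: r}) when r in [nil, :ok], do: :info
  defp level(_), do: :warning

  # Constructed sample: the :raw key and the non-atom reason are both dropped.
  def demo do
    meta = %{idp_id: "idp-example", reason: "digest mismatch <xml>", raw: "<Response/>"}
    to_record([:ex_saml, :signature, :verify], %{}, meta)
  end
end
```

Because the handler filters on its own allowlist, a later change that adds metadata keys on the emitting side does not widen what reaches the log sink.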