
✨ Feature / IdP provider presets with safe defaults (apply_defaults/2) #42

Description

@docJerem

Context

The README advertises support for many IdP families (ADFS, Azure AD / Entra, Google Workspace, Okta, OneLogin, PingFederate, Keycloak…), but that support is documentation-only: operators must hand-assemble every IdP config option correctly. Subtle per-vendor defaults (NameID format, request signing, redirect vs POST binding, signed-assertion expectations) are a frequent source of misconfiguration.

Goal

Provide first-class provider presets that fill safe, vendor-appropriate defaults underneath user-supplied settings, reducing operator error.

Proposed API

config =
  ExSaml.Provider.apply_defaults(:okta, [
    id: "okta_main",
    sp_id: "my_sp",
    base_url: "https://app.example.com",
    metadata_file: "priv/okta_metadata.xml"
  ])

apply_defaults/2 merges preset defaults under the caller's explicit keys (caller always wins).

Proposed scope

  • Presets for the most common families to start: :okta, :entra, :google_workspace, :adfs.
  • Each preset encodes verified defaults (NameID format, sign_requests, redirect/POST choice, signed-assertion / signed-envelope expectations).
  • A generic fallback documenting how to configure the remaining families.
  • Tests asserting that explicit caller keys override preset defaults and that each preset is internally consistent.
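The following is an added sketch of how the proposed apply_defaults/2 and the generic fallback could be implemented; it is not code from the ExSaml project, and every preset value in it is an illustrative placeholder, not a verified vendor default. The module name, the option keys other than id/sp_id/base_url/metadata_file, and the validate!/1 helper are assumptions.

```elixir
defmodule ExSaml.Provider do
  @moduledoc """
  Hypothetical implementation of the apply_defaults/2 proposal from issue #42.
  Preset values are placeholders for illustration only; a real preset must be
  verified against the IdP's documentation before it ships.
  """

  # Keys every provider config needs, taken from the proposed API call.
  @required [:id, :sp_id, :base_url, :metadata_file]

  # Placeholder presets (assumed values, NOT verified vendor defaults).
  @presets %{
    okta: [
      nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
      sign_requests: true,
      binding: :http_redirect,
      require_signed_assertion: true
    ],
    entra: [
      nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      sign_requests: true,
      binding: :http_post,
      require_signed_assertion: true
    ]
  }

  # Generic fallback for families without a preset: no vendor assumptions,
  # strictest expectations, so a tolerant IdP still works and a strict one fails loudly.
  @generic [sign_requests: true, binding: :http_redirect,
            require_signed_assertion: true, require_signed_envelope: true]

  @doc """
  Merges preset defaults under the caller's keys; the caller always wins.

      iex> cfg = ExSaml.Provider.apply_defaults(:okta, id: "okta_main", sp_id: "my_sp",
      ...>   base_url: "https://app.example.com", metadata_file: "priv/okta_metadata.xml",
      ...>   sign_requests: false)
      iex> cfg[:sign_requests]   # explicit caller key overrides the preset
      false
  """
  def apply_defaults(provider, opts) when is_atom(provider) and is_list(opts) do
    preset = Map.get(@presets, provider, @generic)
    # Keyword.merge/2 keeps values from the second list on duplicate keys.
    preset |> Keyword.merge(opts) |> validate!()
  end

  # Fail at config time rather than at the first login attempt.
  defp validate!(config) do
    case Enum.reject(@required, &Keyword.has_key?(config, &1)) do
      [] -> config
      missing -> raise ArgumentError, "missing required keys: #{inspect(missing)}"
    end
  end
end
```

The tests proposed above would assert on two things: a caller key survives the merge unchanged, and every entry in @presets carries the same set of option keys so no family silently lacks a default.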

Why

  • Removes the most common class of "works with tolerant IdP, breaks with strict IdP" misconfiguration.
  • Complements the metadata-validation effort (✨ Feature / SAML metadata validation #17): presets reduce errors at config time, validation catches them at import time.
