Context
The README advertises support for many IdP families (ADFS, Azure AD / Entra, Google Workspace, Okta, OneLogin, PingFederate, Keycloak…), but that support is documentation-only: operators must hand-assemble every IdP config option correctly. Subtle per-vendor defaults (NameID format, request signing, redirect vs POST binding, signed-assertion expectations) are a frequent source of misconfiguration.
Goal
Provide first-class provider presets that fill safe, vendor-appropriate defaults underneath user-supplied settings, reducing operator error.
Proposed API
apply_defaults/2 merges preset defaults under the caller's explicit keys (caller always wins).
Proposed scope
Presets for the most common families to start: :okta, :entra, :google_workspace, :adfs.
Each preset encodes verified defaults (NameID format, sign_requests, redirect/POST choice, signed-assertion / signed-envelope expectations).
A generic fallback documenting how to configure the remaining families.
Tests asserting that explicit caller keys override preset defaults and that each preset is internally consistent.
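The merge semantics and the two test properties above, written out as an added example (this is illustrative code for the issue, not the project's own implementation). Only `sign_requests` is a key the issue names; `name_id_format`, `binding`, `require_signed_assertions` and `require_signed_envelope` are assumed key names, and every preset value is a placeholder standing in for a default that would have to be verified against the vendor's documentation before shipping.

```elixir
# Added illustration for this issue, not code from the project. Key names
# other than :sign_requests, and all preset values, are placeholders.
defmodule SamlPresets do
  @required_keys [
    :name_id_format,
    :sign_requests,
    :binding,
    :require_signed_assertions,
    :require_signed_envelope
  ]

  # Placeholder presets. The NameID URIs are the standard SAML identifiers;
  # which one a given vendor expects is an assumption here, not a verified
  # default. Real presets would carry vendor-checked values.
  @presets %{
    okta: %{
      name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
      sign_requests: false,
      binding: :http_post,
      require_signed_assertions: true,
      require_signed_envelope: false
    },
    entra: %{
      name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      sign_requests: false,
      binding: :http_redirect,
      require_signed_assertions: true,
      require_signed_envelope: false
    },
    google_workspace: %{
      name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      sign_requests: false,
      binding: :http_post,
      require_signed_assertions: false,
      require_signed_envelope: true
    },
    adfs: %{
      name_id_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
      sign_requests: true,
      binding: :http_redirect,
      require_signed_assertions: true,
      require_signed_envelope: false
    }
  }

  def presets, do: @presets
  def required_keys, do: @required_keys

  @doc """
  Merges the preset's defaults *under* the caller's explicit keys: a key the
  caller supplies wins, a key the caller omits comes from the preset, and keys
  the preset does not know about pass through untouched.
  """
  def apply_defaults(provider, caller_config)
      when is_atom(provider) and is_map(caller_config) do
    case Map.fetch(@presets, provider) do
      {:ok, defaults} -> {:ok, Map.merge(defaults, caller_config)}
      :error -> {:error, {:unknown_provider, provider}}
    end
  end

  @doc """
  Internal-consistency check a test suite can run over every preset: all
  required keys present, booleans where booleans are expected, and the binding
  drawn from the two choices the issue mentions (redirect vs POST).
  """
  def consistent?(preset) when is_map(preset) do
    Enum.all?(@required_keys, &Map.has_key?(preset, &1)) and
      preset.binding in [:http_redirect, :http_post] and
      is_binary(preset.name_id_format) and
      Enum.all?(
        [:sign_requests, :require_signed_assertions, :require_signed_envelope],
        &is_boolean(preset[&1])
      )
  end
end

ExUnit.start()

defmodule SamlPresetsTest do
  use ExUnit.Case

  test "explicit caller keys override preset defaults" do
    caller = %{sign_requests: true, sp_entity_id: "https://sp.example.test/metadata"}
    {:ok, cfg} = SamlPresets.apply_defaults(:okta, caller)
    # caller's override is kept, not replaced by the preset's false
    assert cfg.sign_requests == true
    # keys the caller did not set are filled from the preset
    assert cfg.binding == :http_post
    # keys the preset does not know about pass through
    assert cfg.sp_entity_id == "https://sp.example.test/metadata"
  end

  test "every preset is internally consistent" do
    for {provider, preset} <- SamlPresets.presets() do
      assert SamlPresets.consistent?(preset), "#{provider} preset is incomplete"
    end
  end

  test "unknown providers are rejected rather than silently unconfigured" do
    assert {:error, {:unknown_provider, :nope}} = SamlPresets.apply_defaults(:nope, %{})
  end
end
```

Run it as a script with `elixir presets.exs`; ExUnit runs the three tests on exit. The "caller wins" property falls out of argument order in `Map.merge/2` (the second map's values take precedence), which is why the preset is passed first and the caller's map second.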
Why
Removes the most common class of "works with tolerant IdP, breaks with strict IdP" misconfiguration.
Complements the metadata-validation effort (✨ Feature / SAML metadata validation #17): presets reduce errors at config time, validation catches them at import time.