
✨ Feature / mix ex_saml.diagnostic — configuration sanity check task #44

Description

@docJerem

Context

Diagnosing a broken SAML integration today means reading logs and inferring what ex_saml saw. There is no single command that validates an operator's configuration and surfaces obvious problems before the first SSO attempt.

Goal

A mix ex_saml.diagnostic task that inspects the loaded configuration and reports an actionable, human-readable summary.

Proposed scope

  • Resolve and print each configured SP and IdP (with id / sp_id wiring).
  • For each SP: validate cert/key load, key/cert match, and certificate expiry window.
  • For each IdP: parse metadata, list signing/encryption certs and their expiry, report SSO/SLO endpoints and bindings, and flag missing NameIDFormat.
  • Re-use the metadata-validation rules from ✨ Feature / SAML metadata validation #17 to surface structural / interop warnings.
  • Non-zero exit on hard errors so it can run in CI; warnings printed but non-fatal.

Why

  • Turns "it doesn't work" into a concrete checklist before contacting the IdP admin.
  • Cheap operational win once the metadata-validation effort (✨ Feature / SAML metadata validation #17) lands, since it can reuse those rules.

Notes

  • Read-only: never mutates config or performs network calls unless an explicit --fetch flag is passed for remote metadata.

Relates to #17.
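As a worked illustration of the checks listed under "Proposed scope" and the read-only constraint under "Notes", here is a stand-alone sketch of the diagnostic logic. It is an added example, not ex_saml code (ex_saml is Elixir and the real deliverable would be a Mix task); it is written in Go because the standard library can mint a certificate and parse X.509 and XML offline. It constructs a hypothetical IdP metadata document for `idp.example.test` inline, generates a throwaway P-256 key pair as test data, assumes ECDSA keys for the SP key/cert match, and models the CI contract directly: hard errors produce exit status 1, warnings alone exit 0. Metadata is passed in as bytes, so fetching (the `--fetch` case) stays outside the checker.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// Minimal view of SAML 2.0 IdP metadata; tags carry no namespace, so md:/ds: prefixes match on local name.
type endpoint struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
}
type idpMetadata struct {
	Certs         []string   `xml:"IDPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
	NameIDFormats []string   `xml:"IDPSSODescriptor>NameIDFormat"`
	SSO           []endpoint `xml:"IDPSSODescriptor>SingleSignOnService"`
}

// Report keeps hard errors (fatal for CI) apart from non-fatal warnings and lists what was found.
type Report struct {
	Errors, Warnings []string
	Endpoints        []endpoint
}

func (r *Report) errorf(f string, a ...any) { r.Errors = append(r.Errors, fmt.Sprintf(f, a...)) }
func (r *Report) warnf(f string, a ...any)  { r.Warnings = append(r.Warnings, fmt.Sprintf(f, a...)) }

// DiagnoseIdP checks one already-loaded IdP metadata document without any network call.
func DiagnoseIdP(metadata []byte, now time.Time, warnWithin time.Duration) Report {
	var r Report
	var md idpMetadata
	if err := xml.Unmarshal(metadata, &md); err != nil {
		r.errorf("metadata does not parse: %v", err)
		return r
	}
	if len(md.Certs) == 0 {
		r.errorf("no IdP certificate: responses cannot be verified")
	}
	for i, c := range md.Certs { // real metadata wraps and indents the base64, hence Fields
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(c), ""))
		cert, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil {
			r.errorf("certificate %d: unreadable (base64: %v, DER: %v)", i, err, perr)
			continue
		}
		if now.After(cert.NotAfter) {
			r.errorf("certificate %d: expired %s", i, cert.NotAfter.Format(time.RFC3339))
		} else if now.Add(warnWithin).After(cert.NotAfter) {
			r.warnf("certificate %d: expires %s", i, cert.NotAfter.Format(time.RFC3339))
		}
	}
	if len(md.SSO) == 0 {
		r.errorf("no SingleSignOnService endpoint")
	}
	r.Endpoints = md.SSO
	if len(md.NameIDFormats) == 0 {
		r.warnf("no NameIDFormat declared: agree one with the IdP admin")
	}
	return r
}

// SPKeyMatches reports whether the SP private key belongs to the SP certificate (ECDSA assumed).
func SPKeyMatches(certDER []byte, key *ecdsa.PrivateKey) bool {
	cert, err := x509.ParseCertificate(certDER)
	return err == nil && key.PublicKey.Equal(cert.PublicKey)
}

// selfSigned mints a throwaway P-256 certificate so the example runs offline (constructed data).
func selfSigned(notAfter time.Time) (*ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der
}

// buildMetadata returns constructed metadata for a hypothetical IdP; extra lets callers add a NameIDFormat.
func buildMetadata(certDER []byte, extra string) string {
	return fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      %s
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>%s
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`, base64.StdEncoding.EncodeToString(certDER), extra)
}

func main() {
	_, der := selfSigned(time.Now().Add(20 * 24 * time.Hour)) // inside the 30-day warning window
	rep := DiagnoseIdP([]byte(buildMetadata(der, "")), time.Now(), 30*24*time.Hour)
	fmt.Printf("endpoints=%+v\nerrors=%q\nwarnings=%q\n", rep.Endpoints, rep.Errors, rep.Warnings)
	if len(rep.Errors) > 0 { // hard errors fail CI; warnings alone exit 0
		os.Exit(1)
	}
}
```

Run as-is, `go run` prints two warnings (certificate expiring inside the window, no NameIDFormat) and exits 0; an expired certificate, a missing SSO endpoint, an unreadable certificate or unparsable metadata is reported as an error and the process exits 1. The same error/warning split is what lets the task be both a human checklist and a CI gate.
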
