{"id":19427423,"url":"https://github.com/codesandbox/ueberauth_saml","last_synced_at":"2026-04-11T16:41:03.834Z","repository":{"id":231131029,"uuid":"777971984","full_name":"codesandbox/ueberauth_saml","owner":"codesandbox","description":"Ueberauth strategy for SAML-based identity providers","archived":false,"fork":false,"pushed_at":"2024-05-06T15:53:31.000Z","size":19,"stargazers_count":1,"open_issues_count":1,"forks_count":3,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-12-17T14:47:43.962Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Elixir","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/codesandbox.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-03-26T20:57:20.000Z","updated_at":"2025-06-27T04:08:51.000Z","dependencies_parsed_at":"2024-04-02T16:30:08.157Z","dependency_job_id":"a80017b4-029d-419d-ac55-4c06752af79d","html_url":"https://github.com/codesandbox/ueberauth_saml","commit_stats":null,"previous_names":["codesandbox/ueberauth_saml"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/codesandbox/ueberauth_saml","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codesandbox%2Fueberauth_saml","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codesandbox%2Fueberauth_saml/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codesandbox%2Fueberauth_saml/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codes
andbox%2Fueberauth_saml/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/codesandbox","download_url":"https://codeload.github.com/codesandbox/ueberauth_saml/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codesandbox%2Fueberauth_saml/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31687881,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-11T13:07:20.380Z","status":"ssl_error","status_checked_at":"2026-04-11T13:06:47.903Z","response_time":54,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T14:11:42.969Z","updated_at":"2026-04-11T16:41:03.813Z","avatar_url":"https://github.com/codesandbox.png","language":"Elixir","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Ueberauth SAML\n\n[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md)\n\nUeberauth plugin for SAML-based identity providers\n\n## What is this?\n\n[Ueberauth](https://github.com/ueberauth/ueberauth) is an authentication framework for Elixir applications that specializes in [OAuth](https://oauth.net/).\nThis library is one of many [plugins](https://github.com/ueberauth/ueberauth/wiki/List-of-Strategies) (called Strategies) that allow Ueberauth to 
integrate with different identity providers.\nSpecifically, this one adapts Ueberauth to integrate with SAML-based identity providers.\nSAML is a separate protocol from OAuth that can also be used for single sign-on applications.\n\nThis library does not provide a full SAML service or identity provider implementation.\nFor that, see [Samly](https://hex.pm/package/samly).\n\n## Installation\n\nThis application is not currently available on `Hex.pm`.\nIn the meantime, install it directly from GitHub:\n\n```elixir\ndef deps do\n  [\n    {:ueberauth_saml, github: \"codesandbox/ueberauth_saml\"}\n  ]\nend\n```\n\n## Configuration\n\nThis strategy uses [Samly](https://hex.pm/package/samly) and its sub-dependency [esaml](https://hex.pm/package/esaml) to interact with SAML Identity Providers.\nAs a result, using this strategy requires two sets of configuration.\n\n### Strategy Configuration\n\nFirst, configure this strategy as an Ueberauth provider.\nThis configuration should occur **at compile time**:\n\n```elixir\n# config/config.exs\n\nconfig :ueberauth, Ueberauth,\n  providers: [\n    # ...\n    saml:\n      {Ueberauth.Strategy.SAML,\n       [\n         allow_idp_initiated_flow: true,\n         callback_methods: [\"POST\"]\n       ]}\n  ]\n```\n\nHere, the `saml` key is the provider ID that will be used in routes (for example `/auth/saml`).\nThis provider ID **must** match an identity provider ID used in the next configuration block.\n\nBelow are the available configuration keys that can be passed directly to the strategy:\n\n| Key | Type | Description |\n| --- | ---- | ----------- |\n| `allow_idp_initiated_flow` | boolean | Whether to allow logins that start from the Identity Provider (ex. Google app sheet or Okta tile). Defaults to `false`. |\n| `callback_methods` | List of HTTP verbs | HTTP methods used by the Identity Provider to complete a login. Many providers require `[\"POST\"]`. Defaults to `[\"GET\"]`. 
|\n\n### Samly Configuration\n\nSecond, configure the Samly library.\nThis requires configuring the service provider (your app) and identity provider(s) (like Google, Okta, etc.).\nRuntime configuration is often appropriate for this:\n\n```elixir\n# config/runtime.exs\n\nconfig :samly, Samly.Provider,\n  service_providers: [\n    %{\n      id: \"my_app\",\n      entity_id: \"urn:example.com:production\",\n      certfile: \"/path/to/cert.pem\",\n      keyfile: \"/path/to/key.pem\",\n      contact_name: \"My Company Support\",\n      contact_email: \"support@example.com\",\n      org_name: \"My Company\",\n      org_displayname: \"My Co.\",\n      org_url: \"https://example.com\"\n    }\n  ],\n  identity_providers: [\n    %{\n      id: \"google_saml\",\n      sp_id: \"my_app\",\n      metadata_file: \"/path/to/idp-metadata.xml\",\n      sign_requests: true,\n      signed_assertion_in_resp: false,\n      signed_envelopes_in_resp: false\n    }\n  ]\n```\n\nRemember that the identity provider `id` must match the provider ID given to Ueberauth.\nMeanwhile, the `sp_id` given to the identity provider should match the `id` of a service provider above.\n\nNote that not all Samly configuration is useful with this strategy.\nThe following keys are used:\n\n#### Service Provider\n\nAt least one service provider must be configured.\n\n| Key | Type | Example | Description |\n| --- | ---- | ------- | ----------- |\n| `id` | string | `\"my_app\"` | **Required**. Identifier for your application. |\n| `entity_id` | string | `\"urn:example.com:production\"` | **Required**. Unique identifier for your application across all service providers configured with your identity provider. Must match the entity provider configured with your identity provider. |\n| `certfile` | file path | `\"/path/to/cert.pem\"` | Path to a PEM-formatted certificate that will be used to sign data from your application to the identity provider. Setting this is **strongly recommended** for production deployments. 
If unset, ensure the identity provider is configured with `sign_requests: false`. |\n| `keyfile` | file path | `\"/path/to/key.pem\"` | Path to a PEM-formatted private key that will be used to sign data from your application to the identity provider. Setting this is **strongly recommended** for production deployments. If unset, ensure the identity provider is configured with `sign_requests: false`. |\n| `contact_name` | string | `My Company Support` | Optional technical contact name for your application. |\n| `contact_email` | string | `support@example.com` | Optional technical contact email for your application. |\n| `org_name` | string | `My Company` | Optional name of your application's organization. |\n| `org_displayname` | string | `My Co.` | Optional display name of your application's organization. |\n| `org_url` | string | `https://example.com` | Optional web URL of your application's organization. |\n\n#### Identity Provider\n\nOne identity provider should be configured for each Ueberauth provider (with the same `id`).\n\n| Key | Type | Example | Description |\n| --- | ---- | ------- | ----------- |\n| `id` | string | `\"google_saml\"` | **Required**. Identifier for the identity provider. Must match the name of the corresponding provider configured with Ueberauth. |\n| `sp_id` | string | `\"my_app\"` | **Required**. Identifier for your application / the service provider to use with this identity provider. Must match an `id` given to a service provider above. |\n| `metadata_file` | file path | `\"/path/to/idp-metadata.xml\"` | **Required** if `metadata` is not set. Path to an XML file provided by your identity provider with information about the provider. |\n| `metadata` | string | XML contents | **Required** if `metadata_file` is not set. Inline XML contents provided by your identity provider with information about the provider. |\n| `sign_requests` | boolean | `true` | Whether to sign requests sent from your application to the identity provider. 
This may be required by your identity provider, and is strongly recommended for production deployments. Must be `false` if a `certfile` and `keyfile` are not provided in the corresponding service provider. Defaults to `true`. |\n| `signed_assertion_in_resp` | boolean | `true` | Whether your application should expect the identity provider to sign assertions in its responses. Identity providers may sign the envelope without signing the assertion. Defaults to `true`. |\n| `signed_envelopes_in_resp` | boolean | `true` | Whether your application should expect the identity provider to sign the envelopes of its responses. Identity providers may sign the envelope without signing the assertion. Defaults to `true`. |\n\nFor example configurations, see [configuration](guides/configuration.md).\n\n## Attribute Mapping\n\nSAML allows communicating additional information via mapped attributes.\nThe following attribute names will be passed through to the Ueberauth `Auth` struct:\n\n* `birthday`\n* `description`\n* `email` (if not mapped, and the SAML Name ID format is email, then the SAML name will be used instead)\n* `first_name`\n* `last_name`\n* `location`\n* `name` (if `first_name` and `last_name` are mapped, these will be used instead)\n* `nickname`\n* `phone`\n\n## Acknowledgments\n\nThank you to [CodeSandbox](https://github.com/codesandbox/) for updates and maintenance of this library.\n\n## License\n\nPlease see [LICENSE](LICENSE) for licensing details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodesandbox%2Fueberauth_saml","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcodesandbox%2Fueberauth_saml","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodesandbox%2Fueberauth_saml/lists"}