Relyra is a strict-by-default SAML 2.0 Service Provider library for Elixir and Phoenix. It is for teams that need enterprise SSO without becoming SAML experts.
Start Here
Use one Day-1 route:
- Install the library and scaffold the host app with `mix relyra.install`.
- Follow Getting Started.
- Prove a local sign-in with `Relyra.TestSupport.FakeIdP`.
- Choose exactly one first-class provider runbook.
- Return to the production follow-ons after the first provider is working.
The README is the router. The full onboarding narrative lives in guides/getting_started.md.
If you want the high-level map of what this library is helping you get done, read Jobs To Be Done And User Flows after Getting Started.
Batteries Included Support
Relyra ships 4 first-class presets plus a generic SAML runbook covering 7 IdP families.
First-class batteries-included support (shipped preset module + verified runbook):
- Okta
- Microsoft Entra ID
- Google Workspace
- ADFS
In this repo, "batteries included" means the provider has a shipped preset module, a repo-native runbook, provider-specific field vocabulary, and Day-1 guidance that ends in a concrete receipt.
Use these runbooks only after you complete the local FakeIdP proof in Getting Started.
Custom SAML And Generic Runbook Providers
- Generic SAML runbook: Supported for IdP families without a first-class preset. The operator runbook at guides/recipes/generic_saml.md covers Ping, OneLogin, Shibboleth, Keycloak, IBM Security Verify, CyberArk, and Oracle Access Manager with vendor decoder tables and field-mapping guidance. Use it after the local FakeIdP proof and before you start translating your provider's admin vocabulary.
- Custom SAML: Supported when you bring your own IdP-specific field mapping and operator verification beyond the generic runbook tables.
- Not yet shipped: Any provider without a shipped preset module and verified runbook is not first-class batteries-included support.
Relyra does not claim batteries-included support beyond the four first-class presets and the generic SAML runbook families named above.
What Ships In The Library
- Strict SP-initiated login and ACS validation.
- Hardened XML, signature, and protocol checks.
- Provider presets for Okta, Microsoft Entra ID, Google Workspace, and ADFS, plus a generic SAML runbook for seven additional IdP families.
- `Relyra.TestSupport` and `Relyra.TestSupport.FakeIdP` for local proof.
- `mix relyra.install` for minimal host-app scaffolding.
- Optional LiveAdmin, metadata lifecycle, certificate lifecycle, telemetry, audit seams, scheduled refresh, and diagnostic surfaces for later-stage operator workflows.
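To make concrete what "strict SP-initiated login and ACS validation" has to enforce, here is an added Elixir example that is not Relyra's code and does not use its API. The assertion is a constructed map with assumed field names (`signed?`, `issuer`, `audience`, `recipient`, `in_response_to`, `not_before`, `not_on_or_after`) standing in for values a real SP reads from a signature-verified XML document; the 60-second clock-skew allowance is an assumed value, not a Relyra default.

```elixir
defmodule StrictAcsExample do
  @moduledoc """
  Illustrative checks an SP applies to a parsed SAML assertion at the ACS.
  Added example, not Relyra's code: the assertion is a plain map here, while a
  real SP derives these fields from an XML document whose signature it has
  already verified against the IdP's pinned certificate.
  """

  # Assumed skew allowance for this example; tune to the IdP's observed drift.
  @clock_skew_seconds 60

  @doc """
  Returns :ok or {:error, reason}. `expected` carries the SP's own values:
  :idp_entity_id, :entity_id, :acs_url and :outstanding_request_ids (a MapSet).
  `now` is injectable so the time window can be tested deterministically.
  """
  def validate(assertion, expected, now \\ DateTime.utc_now()) do
    with :ok <- require_signature(assertion),
         :ok <- check_issuer(assertion, expected),
         :ok <- check_audience(assertion, expected),
         :ok <- check_recipient(assertion, expected),
         :ok <- check_in_response_to(assertion, expected),
         :ok <- check_time_window(assertion, now) do
      :ok
    end
  end

  # Strict-by-default: an unsigned assertion is rejected outright; transport
  # security (HTTPS) is not a substitute for an XML signature.
  defp require_signature(%{signed?: true}), do: :ok
  defp require_signature(_), do: {:error, :unsigned_assertion}

  # The Issuer must be the configured IdP, not merely some IdP we have seen.
  defp check_issuer(%{issuer: issuer}, %{idp_entity_id: issuer}), do: :ok
  defp check_issuer(_, _), do: {:error, :unexpected_issuer}

  # AudienceRestriction must name this SP; otherwise an assertion minted for a
  # different SP at the same IdP could be presented here.
  defp check_audience(%{audience: aud}, %{entity_id: aud}), do: :ok
  defp check_audience(_, _), do: {:error, :audience_mismatch}

  # SubjectConfirmationData/@Recipient must be this ACS URL exactly.
  defp check_recipient(%{recipient: url}, %{acs_url: url}), do: :ok
  defp check_recipient(_, _), do: {:error, :recipient_mismatch}

  # SP-initiated only: InResponseTo must match an AuthnRequest this SP issued
  # and has not yet consumed. Unsolicited (IdP-initiated) responses are refused.
  defp check_in_response_to(%{in_response_to: nil}, _), do: {:error, :unsolicited_response}

  defp check_in_response_to(%{in_response_to: id}, %{outstanding_request_ids: ids}) do
    if MapSet.member?(ids, id), do: :ok, else: {:error, :unknown_in_response_to}
  end

  # Validity window with a bounded skew allowance on both edges.
  defp check_time_window(%{not_before: nb, not_on_or_after: noa}, now) do
    earliest = DateTime.add(nb, -@clock_skew_seconds, :second)
    latest = DateTime.add(noa, @clock_skew_seconds, :second)

    cond do
      DateTime.compare(now, earliest) == :lt -> {:error, :assertion_not_yet_valid}
      DateTime.compare(now, latest) != :lt -> {:error, :assertion_expired}
      true -> :ok
    end
  end
end

# Constructed sample input for an IEx or `elixir strict_acs_example.exs` run;
# none of these values come from a real IdP.
now = ~U[2024-01-01 12:00:00Z]

assertion = %{
  signed?: true,
  issuer: "https://idp.example.test/metadata",
  audience: "https://sp.example.test/saml/metadata",
  recipient: "https://sp.example.test/saml/acs",
  in_response_to: "_req-0001",
  not_before: ~U[2024-01-01 11:59:00Z],
  not_on_or_after: ~U[2024-01-01 12:05:00Z]
}

expected = %{
  idp_entity_id: "https://idp.example.test/metadata",
  entity_id: "https://sp.example.test/saml/metadata",
  acs_url: "https://sp.example.test/saml/acs",
  outstanding_request_ids: MapSet.new(["_req-0001"])
}

:ok = StrictAcsExample.validate(assertion, expected, now)
{:error, :unsigned_assertion} = StrictAcsExample.validate(%{assertion | signed?: false}, expected, now)
{:error, :unsolicited_response} = StrictAcsExample.validate(%{assertion | in_response_to: nil}, expected, now)
{:error, :assertion_expired} = StrictAcsExample.validate(assertion, expected, ~U[2024-01-01 12:07:00Z])
IO.puts("strict ACS checks behaved as expected")
```

The ordering in `validate/3` is deliberate: the signature check runs first because none of the other fields can be trusted until the document's integrity is established, and the `InResponseTo` check is what makes the flow SP-initiated in the strict sense, since a response the SP never asked for is refused rather than accepted as a convenience. A host app that genuinely needs IdP-initiated login would have to opt into that explicitly, with its own replay protection, rather than getting it by default.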
What Does Not Ship
- OIDC or OAuth flows.
- A hosted broker runtime.
- SCIM lifecycle ownership.
- First-class batteries-included support for providers beyond the four shipped presets and the generic SAML runbook families.
Day-2 And Operator Guides
These surfaces matter after Day-1, but they should not compete with onboarding:
- Getting Started for the canonical Day-1 path.
- Identity Mapping And Provisioning for the host-owned decision about local account anchors, login-time JIT, and the `Relyra.UserMapper` seam after the first provider works.
- Jobs To Be Done And User Flows for the implementation-level mental model of the adoption and operations journey.
- Security policy for supported algorithms, disclosure, and release posture.
- Security review packet for auditors and release review.
LiveAdmin is optional. Metadata refresh, certificate rollover, audit review, telemetry wiring, and diagnostic bundles belong after the first successful provider login, not before it.