Samly - Add SAML SSO to your Phoenix application (now with multiple identity provider support)

Samly v1.0.0-rc.1

CHANGELOG.md

Will release v1.0.0 if there are no significant issues.

Samly v1.0.0 Released!

Samly is a Plug library that can be used to enable SAML Single-Sign-On authentication in Phoenix applications. It makes use of the esaml library for core SAML request/response handling.

This has been used successfully to work with the following Identity Providers:

  • Okta

  • Ping Identity

  • OneLogin

  • ADFS

  • Nexus GO

  • Shibboleth

  • SimpleSAMLphp

Hopefully, this library provides some help in successful adoption of Elixir in Enterprise/Intranet.

Many thanks to the following contributors (samly and esaml):

  • @peterox

  • @mxgrn

  • @hoodunit

  • @calvinb

  • @hodak

  • @brianmay

  • @zwilias

  • @tcrossland

  • @samterrell

Many others also contributed by using this library, opening Github issues and providing feedback in DM. Please continue to open issues and submit PRs to improve Samly further. Also, share your experience in getting Samly to work with your IdP so others in the community can benefit as well.

Repos:

Samly: https://github.com/handnot2/samly

esaml: https://github.com/handnot2/esaml

Docker based Identity Providers for development purposes:

SimpleSAMLphp: https://github.com/handnot2/samly_simplesaml

Shibboleth: https://github.com/handnot2/samly_shibboleth

Development Assistance:

Phoenix Application showing Samly usage: https://github.com/handnot2/samly_howto

8 Likes

Pre 1.0.0 versions retired

All Samly versions prior to v1.0.0 are marked as “retired” in Hex. Hopefully whoever is using Samly is on v1.0.0. If you are still using earlier versions, you might see a mix warning message. It should not break your usage though.

Moving forward, v1.0.0 and above will be active.

1 Like

@handnot2 Hi, we’re considering using Samly for a project, but were wondering about its maintenance status. Would it be better for us to fork and maintain separately or is Samly still considered actively maintained?

2 Likes

For what it’s worth, I’m aware of two active forks of both esaml and samly:

3 Likes

Hey everyone,

the EEF CNA just published a CVE for esaml:
https://cna.erlef.org/cves/CVE-2026-28809.html

It’s an XXE issue in the SAML handling that can lead to local file reads and potentially SSRF.

We tried reaching out to the maintainers but unfortunately didn’t get a response, and there’s currently no patch available.

If you’re using this library in production, it’s probably worth taking a closer look. And if someone here is interested in stepping up: this might be a good candidate to take over maintenance (fork, patch, and coordinate with the Hex.pm team to transfer ownership).

If a fix gets released, please let us know so we can update the advisory and mark affected versions correctly:
https://cna.erlef.org/contact

8 Likes
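The post above describes an XXE weakness in SAML handling. The core mitigation on the service-provider side is simple: a SAML message never legitimately carries a DTD, and a DTD is the only place where XML entities (internal or external) can be declared, so any `<!DOCTYPE` in a decoded `SAMLResponse` should be rejected before the XML parser ever sees it. The example below is an added illustration of that check written in Python; it is not Samly or esaml code, and the two embedded SAML responses (a benign one and one with an external entity pointing at a placeholder path) are constructed for the example. In an Erlang/Elixir service the same idea applies: refuse DOCTYPE declarations up front and, as defence in depth, make sure the xmerl scanner is configured so it never fetches external resources.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# A DTD (DOCTYPE) is never part of a valid SAML message, and it is the only
# place entities can be declared, so its presence alone is grounds for rejection.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)


class UnsafeSamlResponse(ValueError):
    """Raised when a SAMLResponse is refused before or during parsing."""


def decode_saml_response(b64_response: str) -> bytes:
    """Decode the Base64 SAMLResponse form field of the HTTP-POST binding."""
    try:
        return base64.b64decode(b64_response, validate=True)
    except (ValueError, TypeError) as exc:
        raise UnsafeSamlResponse("SAMLResponse is not valid Base64") from exc


def reject_dtd(xml_bytes: bytes) -> None:
    """Refuse any message that declares a DTD or an entity (pre-parse check)."""
    if DOCTYPE_RE.search(xml_bytes):
        raise UnsafeSamlResponse("doctype")
    if ENTITY_RE.search(xml_bytes):
        raise UnsafeSamlResponse("entity")


def parse_saml_response(b64_response: str) -> dict:
    """Decode, screen and parse a SAMLResponse; return the fields a SP inspects first."""
    xml_bytes = decode_saml_response(b64_response)
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % SAML_NS["samlp"]:
        raise UnsafeSamlResponse("root element is not samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", namespaces=SAML_NS)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "status": status.get("Value") if status is not None else None,
    }


def classify(b64_response: str) -> str:
    """Convenience wrapper: 'accepted' or 'rejected:<reason>' for logging/alerting."""
    try:
        parse_saml_response(b64_response)
        return "accepted"
    except UnsafeSamlResponse as exc:
        return "rejected:%s" % exc
    except ET.ParseError:
        return "rejected:malformed-xml"


# Constructed sample: a minimal, well-formed SAML response as an IdP would send it.
BENIGN_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-response-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: the same message with a DTD declaring an external entity.
# The SYSTEM identifier is a placeholder; a real message like this must never be parsed.
XXE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Response [<!ENTITY ext SYSTEM "file:///placeholder-local-path">]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-response-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>&ext;</saml:Issuer>
</samlp:Response>"""

BENIGN_B64 = base64.b64encode(BENIGN_RESPONSE).decode("ascii")
XXE_B64 = base64.b64encode(XXE_RESPONSE).decode("ascii")

if __name__ == "__main__":
    print("benign:", classify(BENIGN_B64), parse_saml_response(BENIGN_B64))
    print("xxe:   ", classify(XXE_B64))
```

The screening step runs on the raw bytes before any parser is involved, so it does not depend on which XML library is used or how that library's entity handling is configured; the parser-level hardening (no external resource fetching) is still worth keeping as a second layer, because a byte-level check can miss encodings the parser accepts.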

If anyone is actively working on a fix in their own fork, please say here. I am going to fork and try to fix as a temporary band-aid for the CVE. I don’t have bandwidth to be a maintainer.

1 Like

Here is Jump’s fork of esaml: GitHub - Jump-App/esaml: Erlang SAML library, SSO and SLO, with Cowboy integration · GitHub

3 Likes

Thanks for writing a patch. I’ve updated the CVE to include it.

1 Like