{
  "feature": "saml-2-identity-provider",
  "version": "1.0.0",
  "description": "SAML 2.0 identity provider with assertions and metadata",
  "category": "auth",
  "tags": [
    "saml2",
    "identity-provider"
  ],
  "fields": [
    {
      "name": "issuer_entity_id",
      "type": "text",
      "required": true,
      "label": "Issuer Entity ID",
      "validation": [
        {
          "type": "required",
          "message": "Issuer required"
        }
      ]
    },
    {
      "name": "assertion_consumer_url",
      "type": "url",
      "required": true,
      "label": "Assertion Consumer URL",
      "validation": [
        {
          "type": "required",
          "message": "URL required"
        },
        {
          "type": "url",
          "message": "Must be valid URL"
        }
      ]
    }
  ],
  "rules": {
    "core": "SAML protocol compliance"
  },
  "outcomes": {
    "assertion_issued": {
      "priority": 5,
      "given": [
        {
          "field": "issuer_entity_id",
          "operator": "exists",
          "value": null
        }
      ],
      "then": [
        {
          "action": "emit_event",
          "event": "saml.assertion_created",
          "payload": [
            "assertion_id"
          ]
        }
      ],
      "result": "SAML assertion issued"
    }
  },
  "errors": [
    {
      "code": "INVALID_ISSUER",
      "status": 400,
      "message": "Invalid issuer"
    }
  ],
  "events": [
    {
      "name": "saml.assertion_created",
      "description": "SAML assertion created",
      "payload": [
        "assertion_id"
      ]
    }
  ],
  "related": [],
  "agi": {
    "goals": [
      {
        "id": "reliable_saml_2_identity_provider",
        "description": "SAML 2.0 identity provider with assertions and metadata",
        "success_metrics": [
          {
            "metric": "unauthorized_access_rate",
            "target": "0%",
            "measurement": "Failed authorization attempts that succeed"
          },
          {
            "metric": "response_time_p95",
            "target": "< 500ms",
            "measurement": "95th percentile response time"
          }
        ],
        "constraints": [
          {
            "type": "security",
            "description": "Follow OWASP security recommendations",
            "negotiable": false
          }
        ]
      }
    ],
    "autonomy": {
      "level": "supervised",
      "human_checkpoints": [
        "before making irreversible changes"
      ],
      "escalation_triggers": [
        "error_rate > 5",
        "consecutive_failures > 3"
      ]
    },
    "safety": {
      "action_permissions": [
        {
          "action": "assertion_issued",
          "permission": "autonomous"
        }
      ]
    },
    "tradeoffs": [
      {
        "prefer": "security",
        "over": "performance",
        "reason": "authentication must prioritize preventing unauthorized access"
      }
    ],
    "verification": {
      "invariants": [
        "error messages never expose internal system details"
      ]
    }
  },
  "extensions": {
    "source": {
      "repo": "https://github.com/keycloak/keycloak",
      "project": "Keycloak",
      "tech_stack": "Java"
    }
  }
}