Commit

Minor tweaks after feedback
sergiught committed Jun 30, 2023
1 parent bacf44e commit 848ab5f
Showing 6 changed files with 502 additions and 324 deletions.
8 changes: 4 additions & 4 deletions docs/resources/client.md
Expand Up @@ -319,21 +319,21 @@ Optional:
- `create_upn_claim` (Boolean) Indicates whether a UPN claim should be created. Defaults to `true`.
- `destination` (String) Destination of the SAML Response. If not specified, it will be `AssertionConsumerUrl` of SAMLRequest or callback URL if there was no SAMLRequest.
- `digest_algorithm` (String) Algorithm used to calculate the digest of the SAML Assertion or response. Options include `sha1` and `sha256`. Defaults to `sha1`.
- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to false, the attribute NameFormat is not set in the assertion. Defaults to `true`.
- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to `false`, the attribute NameFormat is not set in the assertion. Defaults to `true`.
- `issuer` (String) Issuer of the SAML Assertion.
- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid.
- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid. Defaults to `3600` seconds.
- `logout` (Block List, Max: 1) Configuration settings for logout. (see [below for nested schema](#nestedblock--addons--samlp--logout))
- `map_identities` (Boolean) Indicates whether or not to add additional identity information in the token, such as the provider used and the `access_token`, if available. Defaults to `true`.
- `map_unknown_claims_as_is` (Boolean) Indicates whether to add a prefix of `http://schema.auth0.com` to any claims that are not mapped to the common profile when passed through in the output assertion. Defaults to `false`.
- `mappings` (Map of String) Mappings between the Auth0 user profile property name (`name`) and the output attributes on the SAML attribute in the assertion (`value`).
- `name_identifier_format` (String) Format of the name identifier.
- `name_identifier_format` (String) Format of the name identifier. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.
- `name_identifier_probes` (List of String) Attributes that can be used for Subject/NameID. Auth0 will try each of the attributes of this array in order and use the first value it finds.
- `passthrough_claims_with_no_mapping` (Boolean) Indicates whether or not to passthrough claims that are not mapped to the common profile in the output assertion. Defaults to `true`.
- `recipient` (String) Recipient of the SAML Assertion (SubjectConfirmationData). Default is `AssertionConsumerUrl` on SAMLRequest or callback URL if no SAMLRequest was sent.
- `sign_response` (Boolean) Indicates whether or not the SAML Response should be signed instead of the SAML Assertion.
- `signature_algorithm` (String) Algorithm used to sign the SAML Assertion or response. Options include `rsa-sha1` and `rsa-sha256`. Defaults to `rsa-sha1`.
- `signing_cert` (String) Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be `-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n`.
- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to false, all `xs:type` are `xs:anyType`. Defaults to `true`.
- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to `false`, all `xs:type` are `xs:anyType`. Defaults to `true`.

<a id="nestedblock--addons--samlp--logout"></a>
### Nested Schema for `addons.samlp.logout`
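Review bot: Consistency point in the `sign_response` entry: the two entries this hunk touches (`lifetime_in_seconds`, `name_identifier_format`) and the other booleans in this block all state a default, while `sign_response` (Boolean) still does not; if the schema sets one, add a "Defaults to ..." sentence here as well. It would also help to say that the `signing_cert` sample value is elided (`MIGf...bpP/t3`) and is not a usable certificate, since the same string appears as a fixture in resource_test.go.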
8 changes: 4 additions & 4 deletions docs/resources/global_client.md
Expand Up @@ -262,21 +262,21 @@ Optional:
- `create_upn_claim` (Boolean) Indicates whether a UPN claim should be created. Defaults to `true`.
- `destination` (String) Destination of the SAML Response. If not specified, it will be `AssertionConsumerUrl` of SAMLRequest or callback URL if there was no SAMLRequest.
- `digest_algorithm` (String) Algorithm used to calculate the digest of the SAML Assertion or response. Options include `sha1` and `sha256`. Defaults to `sha1`.
- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to false, the attribute NameFormat is not set in the assertion. Defaults to `true`.
- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to `false`, the attribute NameFormat is not set in the assertion. Defaults to `true`.
- `issuer` (String) Issuer of the SAML Assertion.
- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid.
- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid. Defaults to `3600` seconds.
- `logout` (Block List, Max: 1) Configuration settings for logout. (see [below for nested schema](#nestedblock--addons--samlp--logout))
- `map_identities` (Boolean) Indicates whether or not to add additional identity information in the token, such as the provider used and the `access_token`, if available. Defaults to `true`.
- `map_unknown_claims_as_is` (Boolean) Indicates whether to add a prefix of `http://schema.auth0.com` to any claims that are not mapped to the common profile when passed through in the output assertion. Defaults to `false`.
- `mappings` (Map of String) Mappings between the Auth0 user profile property name (`name`) and the output attributes on the SAML attribute in the assertion (`value`).
- `name_identifier_format` (String) Format of the name identifier.
- `name_identifier_format` (String) Format of the name identifier. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.
- `name_identifier_probes` (List of String) Attributes that can be used for Subject/NameID. Auth0 will try each of the attributes of this array in order and use the first value it finds.
- `passthrough_claims_with_no_mapping` (Boolean) Indicates whether or not to passthrough claims that are not mapped to the common profile in the output assertion. Defaults to `true`.
- `recipient` (String) Recipient of the SAML Assertion (SubjectConfirmationData). Default is `AssertionConsumerUrl` on SAMLRequest or callback URL if no SAMLRequest was sent.
- `sign_response` (Boolean) Indicates whether or not the SAML Response should be signed instead of the SAML Assertion.
- `signature_algorithm` (String) Algorithm used to sign the SAML Assertion or response. Options include `rsa-sha1` and `rsa-sha256`. Defaults to `rsa-sha1`.
- `signing_cert` (String) Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be `-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n`.
- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to false, all `xs:type` are `xs:anyType`. Defaults to `true`.
- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to `false`, all `xs:type` are `xs:anyType`. Defaults to `true`.

<a id="nestedblock--addons--samlp--logout"></a>
### Nested Schema for `addons.samlp.logout`
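Review bot: This hunk is the same edit as the one in docs/resources/client.md, applied to the nested `addons.samlp` schema of the global client, and the two pages now match line for line; if these files are generated from the schema descriptions in resource.go, confirm they were regenerated rather than hand-edited so the next schema change does not leave one of them stale.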
4 changes: 4 additions & 0 deletions internal/auth0/client/expand.go
Expand Up @@ -740,6 +740,10 @@ func expandClientAddonSAMLP(samlpCfg cty.Value) *management.SAML2ClientAddon {
samlpAddon.PassthroughClaimsWithNoMapping = auth0.Bool(true)
}

if samlpAddon.TypedAttributes == nil {
samlpAddon.TypedAttributes = auth0.Bool(true)
}

return stop
})

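Review bot: The nil guard for `TypedAttributes` mirrors the one for `PassthroughClaimsWithNoMapping` just above it, but the schema in resource.go already declares `Default: true` for `typed_attributes`, so there are now two places that define the same default; a comment explaining why the expand step needs its own (for example, the value being nil when the block is read from state rather than from config) would keep a future edit from dropping one and letting them drift. The same question applies to `include_attribute_name_format`, which also has `Default: true` in the schema but no guard here.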
22 changes: 12 additions & 10 deletions internal/auth0/client/resource.go
Expand Up @@ -1204,10 +1204,11 @@ func NewResource() *schema.Resource {
"or callback URL if there was no SAMLRequest.",
},
"lifetime_in_seconds": {
Type: schema.TypeInt,
Optional: true,
Default: 3600,
Description: "Number of seconds during which the token is valid.",
Type: schema.TypeInt,
Optional: true,
Default: 3600,
Description: "Number of seconds during which the token is valid. " +
"Defaults to `3600` seconds.",
},
"sign_response": {
Type: schema.TypeBool,
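Review bot: Style point on the new `Description`: appending "Defaults to `3600` seconds." restates the `Default: 3600` field two lines above, so the value now lives in two places that must change together; that is acceptable if the documentation generator does not render `Default`, but a short comment saying so would stop a later cleanup from removing one of them.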
Expand All @@ -1216,10 +1217,11 @@ func NewResource() *schema.Resource {
"instead of the SAML Assertion.",
},
"name_identifier_format": {
Type: schema.TypeString,
Optional: true,
Default: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
Description: "Format of the name identifier.",
Type: schema.TypeString,
Optional: true,
Default: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
Description: "Format of the name identifier. " +
"Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.",
},
"name_identifier_probes": {
Type: schema.TypeList,
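Review bot: Same duplication as for `lifetime_in_seconds`: the URN in `Default` is repeated verbatim in the description string. Because the value is long and easy to mistype, consider a package-level constant used by both the `Default` field and the description so the documented and the applied default cannot diverge.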
Expand All @@ -1240,15 +1242,15 @@ func NewResource() *schema.Resource {
Default: true,
Description: "Indicates whether or not we should infer the `xs:type` " +
"of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, " +
"and `xs:anyType`. When set to false, all `xs:type` are `xs:anyType`. " +
"and `xs:anyType`. When set to `false`, all `xs:type` are `xs:anyType`. " +
"Defaults to `true`.",
},
"include_attribute_name_format": {
Type: schema.TypeBool,
Optional: true,
Default: true,
Description: "Indicates whether or not we should infer the NameFormat " +
"based on the attribute name. If set to false, the attribute " +
"based on the attribute name. If set to `false`, the attribute " +
"NameFormat is not set in the assertion. Defaults to `true`.",
},
"logout": {
28 changes: 28 additions & 0 deletions internal/auth0/client/resource_test.go
Expand Up @@ -1079,8 +1079,13 @@ resource "auth0_client" "my_client" {
map_unknown_claims_as_is = false
map_identities = false
typed_attributes = false
sign_response = false
include_attribute_name_format = false
recipient = "https://tableau-server-test.domain.eu.com/recipient-different"
signing_cert = "-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n"
signature_algorithm = "rsa-sha256"
authn_context_class_ref = "context"
binding = "binding"
mappings = {
email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
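Review bot: The new fixture values (`signing_cert` with the elided `MIGf...bpP/t3` body, `authn_context_class_ref = "context"`, `binding = "binding"`) are placeholders that only prove the provider round-trips the strings through state; the step does not exercise what `signing_cert` is documented to enable (requiring signed SAML requests). That is fine for a schema round-trip test, but a comment saying so would stop a reader from assuming the API validated the certificate, and the step will start failing if the API ever does validate PEM input, so a syntactically valid test-only key would be more robust.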
Expand All @@ -1096,6 +1101,15 @@ resource "auth0_client" "my_client" {
}
`

const testAccUpdateClientWithAddonsRemoved = `
resource "auth0_client" "my_client" {
name = "Acceptance Test - SSO Integration - {{.testName}}"
app_type = "sso_integration"
addons {}
}
`

func TestAccClientAddons(t *testing.T) {
acctest.Test(t, resource.TestCase{
Steps: []resource.TestStep{
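Review bot: Naming point: `testAccUpdateClientWithAddonsRemoved` still declares an `addons {}` block, so the config empties the addons rather than removing them; either rename the constant (for example `...WithAddonsEmptied`) or add a second config with no `addons` block at all so both the emptied and the absent cases are covered.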
Expand Down Expand Up @@ -1351,15 +1365,29 @@ func TestAccClientAddons(t *testing.T) {
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.map_unknown_claims_as_is", "false"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.map_identities", "false"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.typed_attributes", "false"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.sign_response", "false"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.include_attribute_name_format", "false"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.recipient", "https://tableau-server-test.domain.eu.com/recipient-different"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.signing_cert", "-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.signature_algorithm", "rsa-sha256"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.authn_context_class_ref", "context"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.binding", "binding"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.mappings.%", "2"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.mappings.email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.mappings.name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.logout.0.callback", "https://example.com/callback"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.logout.0.slo_enabled", "true"),
),
},
{
Config: acctest.ParseTestName(testAccUpdateClientWithAddonsRemoved, t.Name()),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("auth0_client.my_client", "name", fmt.Sprintf("Acceptance Test - SSO Integration - %s", t.Name())),
resource.TestCheckResourceAttr("auth0_client.my_client", "app_type", "sso_integration"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.#", "1"),
resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.#", "0"),
),
},
},
})
}
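Review bot: The final step checks only `addons.#` = "1" and `addons.0.samlp.#` = "0" in Terraform state after applying the empty `addons {}` block; nothing here reads the client back from the API, so a provider that left the previous `samlp` configuration (including `signing_cert` and `recipient`) in place on the server would still pass. Consider a check that fetches the client and asserts the SAMLP addon is absent, since stale SAML settings on a client are a real misconfiguration risk.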
0 comments on commit 848ab5f