Reintroduce support for samlp client addon
sergiught committed Jun 29, 2023
1 parent f79423e commit 9a3acb7
Showing 9 changed files with 903 additions and 250 deletions.
38 changes: 38 additions & 0 deletions docs/data-sources/client.md
Expand Up @@ -87,6 +87,7 @@ Read-Only:
- `salesforce` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce))
- `salesforce_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_api))
- `salesforce_sandbox_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_sandbox_api))
- `samlp` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp))
- `sap_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sap_api))
- `sentry` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sentry))
- `sharepoint` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sharepoint))
Expand Down Expand Up @@ -242,6 +243,43 @@ Read-Only:
- `principal` (String)


<a id="nestedobjatt--addons--samlp"></a>
### Nested Schema for `addons.samlp`

Read-Only:

- `audience` (String)
- `authn_context_class_ref` (String)
- `binding` (String)
- `create_upn_claim` (Boolean)
- `destination` (String)
- `digest_algorithm` (String)
- `include_attribute_name_format` (Boolean)
- `issuer` (String)
- `lifetime_in_seconds` (Number)
- `logout` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp--logout))
- `map_identities` (Boolean)
- `map_unknown_claims_as_is` (Boolean)
- `mappings` (Map of String)
- `name_identifier_format` (String)
- `name_identifier_probes` (List of String)
- `passthrough_claims_with_no_mapping` (Boolean)
- `recipient` (String)
- `sign_response` (Boolean)
- `signature_algorithm` (String)
- `signing_cert` (String)
- `typed_attributes` (Boolean)

<a id="nestedobjatt--addons--samlp--logout"></a>
### Nested Schema for `addons.samlp.logout`

Read-Only:

- `callback` (String)
- `slo_enabled` (Boolean)



<a id="nestedobjatt--addons--sap_api"></a>
### Nested Schema for `addons.sap_api`

38 changes: 38 additions & 0 deletions docs/data-sources/global_client.md
Expand Up @@ -76,6 +76,7 @@ Read-Only:
- `salesforce` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce))
- `salesforce_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_api))
- `salesforce_sandbox_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_sandbox_api))
- `samlp` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp))
- `sap_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sap_api))
- `sentry` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sentry))
- `sharepoint` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sharepoint))
Expand Down Expand Up @@ -231,6 +232,43 @@ Read-Only:
- `principal` (String)


<a id="nestedobjatt--addons--samlp"></a>
### Nested Schema for `addons.samlp`

Read-Only:

- `audience` (String)
- `authn_context_class_ref` (String)
- `binding` (String)
- `create_upn_claim` (Boolean)
- `destination` (String)
- `digest_algorithm` (String)
- `include_attribute_name_format` (Boolean)
- `issuer` (String)
- `lifetime_in_seconds` (Number)
- `logout` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp--logout))
- `map_identities` (Boolean)
- `map_unknown_claims_as_is` (Boolean)
- `mappings` (Map of String)
- `name_identifier_format` (String)
- `name_identifier_probes` (List of String)
- `passthrough_claims_with_no_mapping` (Boolean)
- `recipient` (String)
- `sign_response` (Boolean)
- `signature_algorithm` (String)
- `signing_cert` (String)
- `typed_attributes` (Boolean)

<a id="nestedobjatt--addons--samlp--logout"></a>
### Nested Schema for `addons.samlp.logout`

Read-Only:

- `callback` (String)
- `slo_enabled` (Boolean)



<a id="nestedobjatt--addons--sap_api"></a>
### Nested Schema for `addons.sap_api`

38 changes: 38 additions & 0 deletions docs/resources/client.md
Expand Up @@ -149,6 +149,7 @@ Optional:
- `salesforce` (Block List, Max: 1) Salesforce SSO configuration. (see [below for nested schema](#nestedblock--addons--salesforce))
- `salesforce_api` (Block List, Max: 1) Salesforce API addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_api))
- `salesforce_sandbox_api` (Block List, Max: 1) Salesforce Sandbox addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_sandbox_api))
- `samlp` (Block List, Max: 1) Configuration settings for a SAML add-on. (see [below for nested schema](#nestedblock--addons--samlp))
- `sap_api` (Block List, Max: 1) SAP API addon configuration. (see [below for nested schema](#nestedblock--addons--sap_api))
- `sentry` (Block List, Max: 1) Sentry SSO configuration. (see [below for nested schema](#nestedblock--addons--sentry))
- `sharepoint` (Block List, Max: 1) SharePoint SSO configuration. (see [below for nested schema](#nestedblock--addons--sharepoint))
Expand Down Expand Up @@ -307,6 +308,43 @@ Optional:
- `principal` (String, Sensitive) Name of the property in the user object that maps to a Salesforce username, for example `email`.


<a id="nestedblock--addons--samlp"></a>
### Nested Schema for `addons.samlp`

Optional:

- `audience` (String) Audience of the SAML Assertion. Default will be the Issuer on SAMLRequest.
- `authn_context_class_ref` (String) Class reference of the authentication context.
- `binding` (String) Protocol binding used for SAML logout responses.
- `create_upn_claim` (Boolean) Indicates whether a UPN claim should be created. Defaults to `true`.
- `destination` (String) Destination of the SAML Response. If not specified, it will be `AssertionConsumerUrl` of SAMLRequest or callback URL if there was no SAMLRequest.
- `digest_algorithm` (String) Algorithm used to calculate the digest of the SAML Assertion or response. Options include `sha1` and `sha256`. Defaults to `sha1`.
- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to false, the attribute NameFormat is not set in the assertion. Defaults to `true`.
- `issuer` (String) Issuer of the SAML Assertion.
- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid.
- `logout` (Block List, Max: 1) Configuration settings for logout. (see [below for nested schema](#nestedblock--addons--samlp--logout))
- `map_identities` (Boolean) Indicates whether or not to add additional identity information in the token, such as the provider used and the `access_token`, if available. Defaults to `true`.
- `map_unknown_claims_as_is` (Boolean) Indicates whether to add a prefix of `http://schema.auth0.com` to any claims that are not mapped to the common profile when passed through in the output assertion. Defaults to `false`.
- `mappings` (Map of String) Mappings between the Auth0 user profile property name (`name`) and the output attributes on the SAML attribute in the assertion (`value`).
- `name_identifier_format` (String) Format of the name identifier.
- `name_identifier_probes` (List of String) Attributes that can be used for Subject/NameID. Auth0 will try each of the attributes of this array in order and use the first value it finds.
- `passthrough_claims_with_no_mapping` (Boolean) Indicates whether or not to passthrough claims that are not mapped to the common profile in the output assertion. Defaults to `true`.
- `recipient` (String) Recipient of the SAML Assertion (SubjectConfirmationData). Default is `AssertionConsumerUrl` on SAMLRequest or callback URL if no SAMLRequest was sent.
- `sign_response` (Boolean) Indicates whether or not the SAML Response should be signed instead of the SAML Assertion.
- `signature_algorithm` (String) Algorithm used to sign the SAML Assertion or response. Options include `rsa-sha1` and `rsa-sha256`. Defaults to `rsa-sha1`.
- `signing_cert` (String) Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be `-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n`.
- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to false, all `xs:type` are `xs:anyType`. Defaults to `true`.

<a id="nestedblock--addons--samlp--logout"></a>
### Nested Schema for `addons.samlp.logout`

Optional:

- `callback` (String) The service provider (client application)'s Single Logout Service URL, where Auth0 will send logout requests and responses.
- `slo_enabled` (Boolean) Controls whether Auth0 should notify service providers of session termination.



<a id="nestedblock--addons--sap_api"></a>
### Nested Schema for `addons.sap_api`

38 changes: 38 additions & 0 deletions docs/resources/global_client.md
Expand Up @@ -92,6 +92,7 @@ Optional:
- `salesforce` (Block List, Max: 1) Salesforce SSO configuration. (see [below for nested schema](#nestedblock--addons--salesforce))
- `salesforce_api` (Block List, Max: 1) Salesforce API addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_api))
- `salesforce_sandbox_api` (Block List, Max: 1) Salesforce Sandbox addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_sandbox_api))
- `samlp` (Block List, Max: 1) Configuration settings for a SAML add-on. (see [below for nested schema](#nestedblock--addons--samlp))
- `sap_api` (Block List, Max: 1) SAP API addon configuration. (see [below for nested schema](#nestedblock--addons--sap_api))
- `sentry` (Block List, Max: 1) Sentry SSO configuration. (see [below for nested schema](#nestedblock--addons--sentry))
- `sharepoint` (Block List, Max: 1) SharePoint SSO configuration. (see [below for nested schema](#nestedblock--addons--sharepoint))
Expand Down Expand Up @@ -250,6 +251,43 @@ Optional:
- `principal` (String, Sensitive) Name of the property in the user object that maps to a Salesforce username, for example `email`.


<a id="nestedblock--addons--samlp"></a>
### Nested Schema for `addons.samlp`

Optional:

- `audience` (String) Audience of the SAML Assertion. Default will be the Issuer on SAMLRequest.
- `authn_context_class_ref` (String) Class reference of the authentication context.
- `binding` (String) Protocol binding used for SAML logout responses.
- `create_upn_claim` (Boolean) Indicates whether a UPN claim should be created. Defaults to `true`.
- `destination` (String) Destination of the SAML Response. If not specified, it will be `AssertionConsumerUrl` of SAMLRequest or callback URL if there was no SAMLRequest.
- `digest_algorithm` (String) Algorithm used to calculate the digest of the SAML Assertion or response. Options include `sha1` and `sha256`. Defaults to `sha1`.
- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to false, the attribute NameFormat is not set in the assertion. Defaults to `true`.
- `issuer` (String) Issuer of the SAML Assertion.
- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid.
- `logout` (Block List, Max: 1) Configuration settings for logout. (see [below for nested schema](#nestedblock--addons--samlp--logout))
- `map_identities` (Boolean) Indicates whether or not to add additional identity information in the token, such as the provider used and the `access_token`, if available. Defaults to `true`.
- `map_unknown_claims_as_is` (Boolean) Indicates whether to add a prefix of `http://schema.auth0.com` to any claims that are not mapped to the common profile when passed through in the output assertion. Defaults to `false`.
- `mappings` (Map of String) Mappings between the Auth0 user profile property name (`name`) and the output attributes on the SAML attribute in the assertion (`value`).
- `name_identifier_format` (String) Format of the name identifier.
- `name_identifier_probes` (List of String) Attributes that can be used for Subject/NameID. Auth0 will try each of the attributes of this array in order and use the first value it finds.
- `passthrough_claims_with_no_mapping` (Boolean) Indicates whether or not to passthrough claims that are not mapped to the common profile in the output assertion. Defaults to `true`.
- `recipient` (String) Recipient of the SAML Assertion (SubjectConfirmationData). Default is `AssertionConsumerUrl` on SAMLRequest or callback URL if no SAMLRequest was sent.
- `sign_response` (Boolean) Indicates whether or not the SAML Response should be signed instead of the SAML Assertion.
- `signature_algorithm` (String) Algorithm used to sign the SAML Assertion or response. Options include `rsa-sha1` and `rsa-sha256`. Defaults to `rsa-sha1`.
- `signing_cert` (String) Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be `-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n`.
- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to false, all `xs:type` are `xs:anyType`. Defaults to `true`.

<a id="nestedblock--addons--samlp--logout"></a>
### Nested Schema for `addons.samlp.logout`

Optional:

- `callback` (String) The service provider (client application)'s Single Logout Service URL, where Auth0 will send logout requests and responses.
- `slo_enabled` (Boolean) Controls whether Auth0 should notify service providers of session termination.



<a id="nestedblock--addons--sap_api"></a>
### Nested Schema for `addons.sap_api`

90 changes: 90 additions & 0 deletions internal/auth0/client/expand.go
@@ -1,6 +1,7 @@
package client

import (
"github.com/auth0/go-auth0"
"github.com/auth0/go-auth0/management"
"github.com/hashicorp/go-cty/cty"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
Expand Down Expand Up @@ -267,6 +268,7 @@ func expandClientAddons(d *schema.ResourceData) *management.ClientAddons {
addons.Zendesk = expandClientAddonZendesk(addonsCfg.GetAttr("zendesk"))
addons.Zoom = expandClientAddonZoom(addonsCfg.GetAttr("zoom"))
addons.SSOIntegration = expandClientAddonSSOIntegration(addonsCfg.GetAttr("sso_integration"))
addons.SAML2 = expandClientAddonSAMLP(addonsCfg.GetAttr("samlp"))
return stop
})

Expand Down Expand Up @@ -656,6 +658,94 @@ func expandClientAddonSSOIntegration(ssoCfg cty.Value) *management.SSOIntegratio
return &ssoAddon
}

func expandClientAddonSAMLP(samlpCfg cty.Value) *management.SAML2ClientAddon {
var samlpAddon management.SAML2ClientAddon

samlpCfg.ForEachElement(func(_ cty.Value, samlpCfg cty.Value) (stop bool) {
samlpAddon = management.SAML2ClientAddon{
Mappings: value.MapOfStrings(samlpCfg.GetAttr("mappings")),
Audience: value.String(samlpCfg.GetAttr("audience")),
Recipient: value.String(samlpCfg.GetAttr("recipient")),
CreateUPNClaim: value.Bool(samlpCfg.GetAttr("create_upn_claim")),
MapUnknownClaimsAsIs: value.Bool(samlpCfg.GetAttr("map_unknown_claims_as_is")),
PassthroughClaimsWithNoMapping: value.Bool(samlpCfg.GetAttr("passthrough_claims_with_no_mapping")),
MapIdentities: value.Bool(samlpCfg.GetAttr("map_identities")),
SignatureAlgorithm: value.String(samlpCfg.GetAttr("signature_algorithm")),
DigestAlgorithm: value.String(samlpCfg.GetAttr("digest_algorithm")),
Issuer: value.String(samlpCfg.GetAttr("issuer")),
Destination: value.String(samlpCfg.GetAttr("destination")),
LifetimeInSeconds: value.Int(samlpCfg.GetAttr("lifetime_in_seconds")),
SignResponse: value.Bool(samlpCfg.GetAttr("sign_response")),
NameIdentifierFormat: value.String(samlpCfg.GetAttr("name_identifier_format")),
NameIdentifierProbes: value.Strings(samlpCfg.GetAttr("name_identifier_probes")),
AuthnContextClassRef: value.String(samlpCfg.GetAttr("authn_context_class_ref")),
TypedAttributes: value.Bool(samlpCfg.GetAttr("typed_attributes")),
IncludeAttributeNameFormat: value.Bool(samlpCfg.GetAttr("include_attribute_name_format")),
Binding: value.String(samlpCfg.GetAttr("binding")),
SigningCert: value.String(samlpCfg.GetAttr("signing_cert")),
}

var logout management.SAML2ClientAddonLogout

samlpCfg.GetAttr("logout").ForEachElement(func(_ cty.Value, logoutCfg cty.Value) (stop bool) {
logout = management.SAML2ClientAddonLogout{
Callback: value.String(logoutCfg.GetAttr("callback")),
SLOEnabled: value.Bool(logoutCfg.GetAttr("slo_enabled")),
}

return stop
})

if logout != (management.SAML2ClientAddonLogout{}) {
samlpAddon.Logout = &logout
}

if samlpAddon.DigestAlgorithm == nil {
samlpAddon.DigestAlgorithm = auth0.String("sha1")
}

if samlpAddon.NameIdentifierFormat == nil {
samlpAddon.NameIdentifierFormat = auth0.String("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
}

if samlpAddon.SignatureAlgorithm == nil {
samlpAddon.SignatureAlgorithm = auth0.String("rsa-sha1")
}

if samlpAddon.LifetimeInSeconds == nil {
samlpAddon.LifetimeInSeconds = auth0.Int(3600)
}

if samlpAddon.CreateUPNClaim == nil {
samlpAddon.CreateUPNClaim = auth0.Bool(true)
}

if samlpAddon.IncludeAttributeNameFormat == nil {
samlpAddon.IncludeAttributeNameFormat = auth0.Bool(true)
}

if samlpAddon.MapIdentities == nil {
samlpAddon.MapIdentities = auth0.Bool(true)
}

if samlpAddon.MapUnknownClaimsAsIs == nil {
samlpAddon.MapUnknownClaimsAsIs = auth0.Bool(false)
}

if samlpAddon.PassthroughClaimsWithNoMapping == nil {
samlpAddon.PassthroughClaimsWithNoMapping = auth0.Bool(true)
}

return stop
})

if samlpAddon == (management.SAML2ClientAddon{}) {
return nil
}

return &samlpAddon
}

func clientHasChange(c *management.Client) bool {
return c.String() != "{}"
}
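Review bot: The nil fallbacks in expandClientAddonSAMLP pin `digest_algorithm` to `sha1` and `signature_algorithm` to `rsa-sha1`, so every `samlp` block that omits them is sent to the API with SHA-1 explicitly selected instead of being left to the server. SHA-1 is deprecated for signatures and the documented options already include the SHA-256 variants, so I would default to `samlpAddon.DigestAlgorithm = auth0.String("sha256")` and `samlpAddon.SignatureAlgorithm = auth0.String("rsa-sha256")` and update the attribute docs to match. If SHA-1 is kept deliberately to mirror a service-side default (not visible in this diff), a comment above the two fallbacks such as `// Mirrors the service default; set sha256 / rsa-sha256 explicitly for new integrations.` would make the choice visible to readers.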
34 changes: 34 additions & 0 deletions internal/auth0/client/flatten.go
Expand Up @@ -117,6 +117,7 @@ func flattenClientAddons(addons *management.ClientAddons) []interface{} {
"zendesk": nil,
"zoom": nil,
"sso_integration": nil,
"samlp": nil,
}

if addons.GetAWS() != nil {
Expand Down Expand Up @@ -344,5 +345,38 @@ func flattenClientAddons(addons *management.ClientAddons) []interface{} {
}
}

if addons.GetSAML2() != nil {
m["samlp"] = []interface{}{
map[string]interface{}{
"mappings": addons.GetSAML2().GetMappings(),
"audience": addons.GetSAML2().GetAudience(),
"recipient": addons.GetSAML2().GetRecipient(),
"create_upn_claim": addons.GetSAML2().GetCreateUPNClaim(),
"map_unknown_claims_as_is": addons.GetSAML2().GetMapUnknownClaimsAsIs(),
"passthrough_claims_with_no_mapping": addons.GetSAML2().GetPassthroughClaimsWithNoMapping(),
"map_identities": addons.GetSAML2().GetMapIdentities(),
"signature_algorithm": addons.GetSAML2().GetSignatureAlgorithm(),
"digest_algorithm": addons.GetSAML2().GetDigestAlgorithm(),
"issuer": addons.GetSAML2().GetIssuer(),
"destination": addons.GetSAML2().GetDestination(),
"lifetime_in_seconds": addons.GetSAML2().GetLifetimeInSeconds(),
"sign_response": addons.GetSAML2().GetSignResponse(),
"name_identifier_format": addons.GetSAML2().GetNameIdentifierFormat(),
"name_identifier_probes": addons.GetSAML2().GetNameIdentifierProbes(),
"authn_context_class_ref": addons.GetSAML2().GetAuthnContextClassRef(),
"typed_attributes": addons.GetSAML2().GetTypedAttributes(),
"include_attribute_name_format": addons.GetSAML2().GetIncludeAttributeNameFormat(),
"binding": addons.GetSAML2().GetBinding(),
"signing_cert": addons.GetSAML2().GetSigningCert(),
"logout": []interface{}{
map[string]interface{}{
"callback": addons.GetSAML2().GetLogout().GetCallback(),
"slo_enabled": addons.GetSAML2().GetLogout().GetSLOEnabled(),
},
},
},
}
}

return []interface{}{m}
}
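Review bot: The `logout` entry in the new `samlp` map is always emitted as a one-element list, even when `GetLogout()` returns nil, whereas expandClientAddonSAMLP only sets `Logout` when the block is non-empty. Assuming the generated getters are nil-safe, this writes a `logout` block with an empty `callback` and `slo_enabled` false into state for clients that never configured one, which may surface as a persistent plan diff unless the schema (not shown here) marks the block as computed. I would build the list only when the logout object is present, as sketched below, and fetch `addons.GetSAML2()` once instead of per attribute. flattenClientAddons starts outside this hunk.

```go
if saml := addons.GetSAML2(); saml != nil {
	// Only surface a logout block when the API returned one.
	var logout []interface{}
	if l := saml.GetLogout(); l != nil {
		logout = []interface{}{
			map[string]interface{}{
				"callback":    l.GetCallback(),
				"slo_enabled": l.GetSLOEnabled(),
			},
		}
	}
	// … unchanged: remaining samlp attributes, read from saml, with "logout": logout …
```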