Minor tweaks after feedback

docs/resources/client.md

@@ -319,21 +319,21 @@ Optional:
 - `create_upn_claim` (Boolean) Indicates whether a UPN claim should be created. Defaults to `true`.
 - `destination` (String) Destination of the SAML Response. If not specified, it will be `AssertionConsumerUrl` of SAMLRequest or callback URL if there was no SAMLRequest.
 - `digest_algorithm` (String) Algorithm used to calculate the digest of the SAML Assertion or response. Options include `sha1` and `sha256`. Defaults to `sha1`.
-- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to false, the attribute NameFormat is not set in the assertion. Defaults to `true`.
+- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to `false`, the attribute NameFormat is not set in the assertion. Defaults to `true`.
 - `issuer` (String) Issuer of the SAML Assertion.
-- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid.
+- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid. Defaults to `3600` seconds.
 - `logout` (Block List, Max: 1) Configuration settings for logout. (see [below for nested schema](#nestedblock--addons--samlp--logout))
 - `map_identities` (Boolean) Indicates whether or not to add additional identity information in the token, such as the provider used and the `access_token`, if available. Defaults to `true`.
 - `map_unknown_claims_as_is` (Boolean) Indicates whether to add a prefix of `http://schema.auth0.com` to any claims that are not mapped to the common profile when passed through in the output assertion. Defaults to `false`.
 - `mappings` (Map of String) Mappings between the Auth0 user profile property name (`name`) and the output attributes on the SAML attribute in the assertion (`value`).
-- `name_identifier_format` (String) Format of the name identifier.
+- `name_identifier_format` (String) Format of the name identifier. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.
 - `name_identifier_probes` (List of String) Attributes that can be used for Subject/NameID. Auth0 will try each of the attributes of this array in order and use the first value it finds.
 - `passthrough_claims_with_no_mapping` (Boolean) Indicates whether or not to passthrough claims that are not mapped to the common profile in the output assertion. Defaults to `true`.
 - `recipient` (String) Recipient of the SAML Assertion (SubjectConfirmationData). Default is `AssertionConsumerUrl` on SAMLRequest or callback URL if no SAMLRequest was sent.
 - `sign_response` (Boolean) Indicates whether or not the SAML Response should be signed instead of the SAML Assertion.
 - `signature_algorithm` (String) Algorithm used to sign the SAML Assertion or response. Options include `rsa-sha1` and `rsa-sha256`. Defaults to `rsa-sha1`.
 - `signing_cert` (String) Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be `-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n`.
-- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to false, all `xs:type` are `xs:anyType`. Defaults to `true`.
+- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to `false`, all `xs:type` are `xs:anyType`. Defaults to `true`.
 
 <a id="nestedblock--addons--samlp--logout"></a>
 ### Nested Schema for `addons.samlp.logout`

docs/resources/global_client.md

@@ -262,21 +262,21 @@ Optional:
 - `create_upn_claim` (Boolean) Indicates whether a UPN claim should be created. Defaults to `true`.
 - `destination` (String) Destination of the SAML Response. If not specified, it will be `AssertionConsumerUrl` of SAMLRequest or callback URL if there was no SAMLRequest.
 - `digest_algorithm` (String) Algorithm used to calculate the digest of the SAML Assertion or response. Options include `sha1` and `sha256`. Defaults to `sha1`.
-- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to false, the attribute NameFormat is not set in the assertion. Defaults to `true`.
+- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to `false`, the attribute NameFormat is not set in the assertion. Defaults to `true`.
 - `issuer` (String) Issuer of the SAML Assertion.
-- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid.
+- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid. Defaults to `3600` seconds.
 - `logout` (Block List, Max: 1) Configuration settings for logout. (see [below for nested schema](#nestedblock--addons--samlp--logout))
 - `map_identities` (Boolean) Indicates whether or not to add additional identity information in the token, such as the provider used and the `access_token`, if available. Defaults to `true`.
 - `map_unknown_claims_as_is` (Boolean) Indicates whether to add a prefix of `http://schema.auth0.com` to any claims that are not mapped to the common profile when passed through in the output assertion. Defaults to `false`.
 - `mappings` (Map of String) Mappings between the Auth0 user profile property name (`name`) and the output attributes on the SAML attribute in the assertion (`value`).
-- `name_identifier_format` (String) Format of the name identifier.
+- `name_identifier_format` (String) Format of the name identifier. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.
 - `name_identifier_probes` (List of String) Attributes that can be used for Subject/NameID. Auth0 will try each of the attributes of this array in order and use the first value it finds.
 - `passthrough_claims_with_no_mapping` (Boolean) Indicates whether or not to passthrough claims that are not mapped to the common profile in the output assertion. Defaults to `true`.
 - `recipient` (String) Recipient of the SAML Assertion (SubjectConfirmationData). Default is `AssertionConsumerUrl` on SAMLRequest or callback URL if no SAMLRequest was sent.
 - `sign_response` (Boolean) Indicates whether or not the SAML Response should be signed instead of the SAML Assertion.
 - `signature_algorithm` (String) Algorithm used to sign the SAML Assertion or response. Options include `rsa-sha1` and `rsa-sha256`. Defaults to `rsa-sha1`.
 - `signing_cert` (String) Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be `-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n`.
-- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to false, all `xs:type` are `xs:anyType`. Defaults to `true`.
+- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to `false`, all `xs:type` are `xs:anyType`. Defaults to `true`.
 
 <a id="nestedblock--addons--samlp--logout"></a>
 ### Nested Schema for `addons.samlp.logout`

internal/auth0/client/expand.go

@@ -740,6 +740,10 @@ func expandClientAddonSAMLP(samlpCfg cty.Value) *management.SAML2ClientAddon {
 			samlpAddon.PassthroughClaimsWithNoMapping = auth0.Bool(true)
 		}
 
+		if samlpAddon.TypedAttributes == nil {
+			samlpAddon.TypedAttributes = auth0.Bool(true)
+		}
+
 		return stop
 	})
 

internal/auth0/client/resource.go

@@ -1204,10 +1204,11 @@ func NewResource() *schema.Resource {
 											"or callback URL if there was no SAMLRequest.",
 									},
 									"lifetime_in_seconds": {
-										Type:        schema.TypeInt,
-										Optional:    true,
-										Default:     3600,
-										Description: "Number of seconds during which the token is valid.",
+										Type:     schema.TypeInt,
+										Optional: true,
+										Default:  3600,
+										Description: "Number of seconds during which the token is valid. " +
+											"Defaults to `3600` seconds.",
 									},
 									"sign_response": {
 										Type:     schema.TypeBool,
@@ -1216,10 +1217,11 @@ func NewResource() *schema.Resource {
 											"instead of the SAML Assertion.",
 									},
 									"name_identifier_format": {
-										Type:        schema.TypeString,
-										Optional:    true,
-										Default:     "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
-										Description: "Format of the name identifier.",
+										Type:     schema.TypeString,
+										Optional: true,
+										Default:  "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+										Description: "Format of the name identifier. " +
+											"Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.",
 									},
 									"name_identifier_probes": {
 										Type:     schema.TypeList,
@@ -1240,15 +1242,15 @@ func NewResource() *schema.Resource {
 										Default:  true,
 										Description: "Indicates whether or not we should infer the `xs:type` " +
 											"of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, " +
-											"and `xs:anyType`. When set to false, all `xs:type` are `xs:anyType`. " +
+											"and `xs:anyType`. When set to `false`, all `xs:type` are `xs:anyType`. " +
 											"Defaults to `true`.",
 									},
 									"include_attribute_name_format": {
 										Type:     schema.TypeBool,
 										Optional: true,
 										Default:  true,
 										Description: "Indicates whether or not we should infer the NameFormat " +
-											"based on the attribute name. If set to false, the attribute " +
+											"based on the attribute name. If set to `false`, the attribute " +
 											"NameFormat is not set in the assertion. Defaults to `true`.",
 									},
 									"logout": {

internal/auth0/client/resource_test.go

@@ -1079,8 +1079,13 @@ resource "auth0_client" "my_client" {
 			map_unknown_claims_as_is           = false
 			map_identities                     = false
 			typed_attributes                   = false
+			sign_response                      = false
+			include_attribute_name_format      = false
 			recipient                          = "https://tableau-server-test.domain.eu.com/recipient-different"
 			signing_cert                       = "-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n"
+			signature_algorithm                = "rsa-sha256"
+			authn_context_class_ref            = "context"
+			binding                            = "binding"
 
 			mappings = {
 				email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
@@ -1096,6 +1101,15 @@ resource "auth0_client" "my_client" {
 }
 `
 
+const testAccUpdateClientWithAddonsRemoved = `
+resource "auth0_client" "my_client" {
+	name = "Acceptance Test - SSO Integration - {{.testName}}"
+	app_type = "sso_integration"
+
+	addons {}
+}
+`
+
 func TestAccClientAddons(t *testing.T) {
 	acctest.Test(t, resource.TestCase{
 		Steps: []resource.TestStep{
@@ -1351,15 +1365,29 @@ func TestAccClientAddons(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.map_unknown_claims_as_is", "false"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.map_identities", "false"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.typed_attributes", "false"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.sign_response", "false"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.include_attribute_name_format", "false"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.recipient", "https://tableau-server-test.domain.eu.com/recipient-different"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.signing_cert", "-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.signature_algorithm", "rsa-sha256"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.authn_context_class_ref", "context"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.binding", "binding"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.mappings.%", "2"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.mappings.email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.mappings.name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.logout.0.callback", "https://example.com/callback"),
 					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.0.logout.0.slo_enabled", "true"),
 				),
 			},
+			{
+				Config: acctest.ParseTestName(testAccUpdateClientWithAddonsRemoved, t.Name()),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("auth0_client.my_client", "name", fmt.Sprintf("Acceptance Test - SSO Integration - %s", t.Name())),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "app_type", "sso_integration"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.#", "1"),
+					resource.TestCheckResourceAttr("auth0_client.my_client", "addons.0.samlp.#", "0"),
+				),
+			},
 		},
 	})
 }