[22/X] DXCDT-441: Reintroduce support for samlp client addon

docs/data-sources/client.md

@@ -87,6 +87,7 @@ Read-Only:
 - `salesforce` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce))
 - `salesforce_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_api))
 - `salesforce_sandbox_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_sandbox_api))
+- `samlp` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp))
 - `sap_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sap_api))
 - `sentry` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sentry))
 - `sharepoint` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sharepoint))
@@ -242,6 +243,43 @@ Read-Only:
 - `principal` (String)
 
 
+<a id="nestedobjatt--addons--samlp"></a>
+### Nested Schema for `addons.samlp`
+
+Read-Only:
+
+- `audience` (String)
+- `authn_context_class_ref` (String)
+- `binding` (String)
+- `create_upn_claim` (Boolean)
+- `destination` (String)
+- `digest_algorithm` (String)
+- `include_attribute_name_format` (Boolean)
+- `issuer` (String)
+- `lifetime_in_seconds` (Number)
+- `logout` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp--logout))
+- `map_identities` (Boolean)
+- `map_unknown_claims_as_is` (Boolean)
+- `mappings` (Map of String)
+- `name_identifier_format` (String)
+- `name_identifier_probes` (List of String)
+- `passthrough_claims_with_no_mapping` (Boolean)
+- `recipient` (String)
+- `sign_response` (Boolean)
+- `signature_algorithm` (String)
+- `signing_cert` (String)
+- `typed_attributes` (Boolean)
+
+<a id="nestedobjatt--addons--samlp--logout"></a>
+### Nested Schema for `addons.samlp.logout`
+
+Read-Only:
+
+- `callback` (String)
+- `slo_enabled` (Boolean)
+
+
+
 <a id="nestedobjatt--addons--sap_api"></a>
 ### Nested Schema for `addons.sap_api`
 

docs/data-sources/global_client.md

@@ -76,6 +76,7 @@ Read-Only:
 - `salesforce` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce))
 - `salesforce_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_api))
 - `salesforce_sandbox_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_sandbox_api))
+- `samlp` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp))
 - `sap_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sap_api))
 - `sentry` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sentry))
 - `sharepoint` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sharepoint))
@@ -231,6 +232,43 @@ Read-Only:
 - `principal` (String)
 
 
+<a id="nestedobjatt--addons--samlp"></a>
+### Nested Schema for `addons.samlp`
+
+Read-Only:
+
+- `audience` (String)
+- `authn_context_class_ref` (String)
+- `binding` (String)
+- `create_upn_claim` (Boolean)
+- `destination` (String)
+- `digest_algorithm` (String)
+- `include_attribute_name_format` (Boolean)
+- `issuer` (String)
+- `lifetime_in_seconds` (Number)
+- `logout` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp--logout))
+- `map_identities` (Boolean)
+- `map_unknown_claims_as_is` (Boolean)
+- `mappings` (Map of String)
+- `name_identifier_format` (String)
+- `name_identifier_probes` (List of String)
+- `passthrough_claims_with_no_mapping` (Boolean)
+- `recipient` (String)
+- `sign_response` (Boolean)
+- `signature_algorithm` (String)
+- `signing_cert` (String)
+- `typed_attributes` (Boolean)
+
+<a id="nestedobjatt--addons--samlp--logout"></a>
+### Nested Schema for `addons.samlp.logout`
+
+Read-Only:
+
+- `callback` (String)
+- `slo_enabled` (Boolean)
+
+
+
 <a id="nestedobjatt--addons--sap_api"></a>
 ### Nested Schema for `addons.sap_api`
 

docs/resources/client.md

@@ -149,6 +149,7 @@ Optional:
 - `salesforce` (Block List, Max: 1) Salesforce SSO configuration. (see [below for nested schema](#nestedblock--addons--salesforce))
 - `salesforce_api` (Block List, Max: 1) Salesforce API addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_api))
 - `salesforce_sandbox_api` (Block List, Max: 1) Salesforce Sandbox addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_sandbox_api))
+- `samlp` (Block List, Max: 1) Configuration settings for a SAML add-on. (see [below for nested schema](#nestedblock--addons--samlp))
 - `sap_api` (Block List, Max: 1) SAP API addon configuration. (see [below for nested schema](#nestedblock--addons--sap_api))
 - `sentry` (Block List, Max: 1) Sentry SSO configuration. (see [below for nested schema](#nestedblock--addons--sentry))
 - `sharepoint` (Block List, Max: 1) SharePoint SSO configuration. (see [below for nested schema](#nestedblock--addons--sharepoint))
@@ -307,6 +308,43 @@ Optional:
 - `principal` (String, Sensitive) Name of the property in the user object that maps to a Salesforce username, for example `email`.
 
 
+<a id="nestedblock--addons--samlp"></a>
+### Nested Schema for `addons.samlp`
+
+Optional:
+
+- `audience` (String) Audience of the SAML Assertion. Default will be the Issuer on SAMLRequest.
+- `authn_context_class_ref` (String) Class reference of the authentication context.
+- `binding` (String) Protocol binding used for SAML logout responses.
+- `create_upn_claim` (Boolean) Indicates whether a UPN claim should be created. Defaults to `true`.
+- `destination` (String) Destination of the SAML Response. If not specified, it will be `AssertionConsumerUrl` of SAMLRequest or callback URL if there was no SAMLRequest.
+- `digest_algorithm` (String) Algorithm used to calculate the digest of the SAML Assertion or response. Options include `sha1` and `sha256`. Defaults to `sha1`.
+- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to false, the attribute NameFormat is not set in the assertion. Defaults to `true`.
+- `issuer` (String) Issuer of the SAML Assertion.
+- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid.
+- `logout` (Block List, Max: 1) Configuration settings for logout. (see [below for nested schema](#nestedblock--addons--samlp--logout))
+- `map_identities` (Boolean) Indicates whether or not to add additional identity information in the token, such as the provider used and the `access_token`, if available. Defaults to `true`.
+- `map_unknown_claims_as_is` (Boolean) Indicates whether to add a prefix of `http://schema.auth0.com` to any claims that are not mapped to the common profile when passed through in the output assertion. Defaults to `false`.
+- `mappings` (Map of String) Mappings between the Auth0 user profile property name (`name`) and the output attributes on the SAML attribute in the assertion (`value`).
+- `name_identifier_format` (String) Format of the name identifier.
+- `name_identifier_probes` (List of String) Attributes that can be used for Subject/NameID. Auth0 will try each of the attributes of this array in order and use the first value it finds.
+- `passthrough_claims_with_no_mapping` (Boolean) Indicates whether or not to passthrough claims that are not mapped to the common profile in the output assertion. Defaults to `true`.
+- `recipient` (String) Recipient of the SAML Assertion (SubjectConfirmationData). Default is `AssertionConsumerUrl` on SAMLRequest or callback URL if no SAMLRequest was sent.
+- `sign_response` (Boolean) Indicates whether or not the SAML Response should be signed instead of the SAML Assertion.
+- `signature_algorithm` (String) Algorithm used to sign the SAML Assertion or response. Options include `rsa-sha1` and `rsa-sha256`. Defaults to `rsa-sha1`.
+- `signing_cert` (String) Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be `-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n`.
+- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to false, all `xs:type` are `xs:anyType`. Defaults to `true`.
+
+<a id="nestedblock--addons--samlp--logout"></a>
+### Nested Schema for `addons.samlp.logout`
+
+Optional:
+
+- `callback` (String) The service provider (client application)'s Single Logout Service URL, where Auth0 will send logout requests and responses.
+- `slo_enabled` (Boolean) Controls whether Auth0 should notify service providers of session termination.
+
+
+
 <a id="nestedblock--addons--sap_api"></a>
 ### Nested Schema for `addons.sap_api`
 

docs/resources/global_client.md

@@ -92,6 +92,7 @@ Optional:
 - `salesforce` (Block List, Max: 1) Salesforce SSO configuration. (see [below for nested schema](#nestedblock--addons--salesforce))
 - `salesforce_api` (Block List, Max: 1) Salesforce API addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_api))
 - `salesforce_sandbox_api` (Block List, Max: 1) Salesforce Sandbox addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_sandbox_api))
+- `samlp` (Block List, Max: 1) Configuration settings for a SAML add-on. (see [below for nested schema](#nestedblock--addons--samlp))
 - `sap_api` (Block List, Max: 1) SAP API addon configuration. (see [below for nested schema](#nestedblock--addons--sap_api))
 - `sentry` (Block List, Max: 1) Sentry SSO configuration. (see [below for nested schema](#nestedblock--addons--sentry))
 - `sharepoint` (Block List, Max: 1) SharePoint SSO configuration. (see [below for nested schema](#nestedblock--addons--sharepoint))
@@ -250,6 +251,43 @@ Optional:
 - `principal` (String, Sensitive) Name of the property in the user object that maps to a Salesforce username, for example `email`.
 
 
+<a id="nestedblock--addons--samlp"></a>
+### Nested Schema for `addons.samlp`
+
+Optional:
+
+- `audience` (String) Audience of the SAML Assertion. Default will be the Issuer on SAMLRequest.
+- `authn_context_class_ref` (String) Class reference of the authentication context.
+- `binding` (String) Protocol binding used for SAML logout responses.
+- `create_upn_claim` (Boolean) Indicates whether a UPN claim should be created. Defaults to `true`.
+- `destination` (String) Destination of the SAML Response. If not specified, it will be `AssertionConsumerUrl` of SAMLRequest or callback URL if there was no SAMLRequest.
+- `digest_algorithm` (String) Algorithm used to calculate the digest of the SAML Assertion or response. Options include `sha1` and `sha256`. Defaults to `sha1`.
+- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to false, the attribute NameFormat is not set in the assertion. Defaults to `true`.
+- `issuer` (String) Issuer of the SAML Assertion.
+- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid.
+- `logout` (Block List, Max: 1) Configuration settings for logout. (see [below for nested schema](#nestedblock--addons--samlp--logout))
+- `map_identities` (Boolean) Indicates whether or not to add additional identity information in the token, such as the provider used and the `access_token`, if available. Defaults to `true`.
+- `map_unknown_claims_as_is` (Boolean) Indicates whether to add a prefix of `http://schema.auth0.com` to any claims that are not mapped to the common profile when passed through in the output assertion. Defaults to `false`.
+- `mappings` (Map of String) Mappings between the Auth0 user profile property name (`name`) and the output attributes on the SAML attribute in the assertion (`value`).
+- `name_identifier_format` (String) Format of the name identifier.
+- `name_identifier_probes` (List of String) Attributes that can be used for Subject/NameID. Auth0 will try each of the attributes of this array in order and use the first value it finds.
+- `passthrough_claims_with_no_mapping` (Boolean) Indicates whether or not to passthrough claims that are not mapped to the common profile in the output assertion. Defaults to `true`.
+- `recipient` (String) Recipient of the SAML Assertion (SubjectConfirmationData). Default is `AssertionConsumerUrl` on SAMLRequest or callback URL if no SAMLRequest was sent.
+- `sign_response` (Boolean) Indicates whether or not the SAML Response should be signed instead of the SAML Assertion.
+- `signature_algorithm` (String) Algorithm used to sign the SAML Assertion or response. Options include `rsa-sha1` and `rsa-sha256`. Defaults to `rsa-sha1`.
+- `signing_cert` (String) Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be `-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n`.
+- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to false, all `xs:type` are `xs:anyType`. Defaults to `true`.
+
+<a id="nestedblock--addons--samlp--logout"></a>
+### Nested Schema for `addons.samlp.logout`
+
+Optional:
+
+- `callback` (String) The service provider (client application)'s Single Logout Service URL, where Auth0 will send logout requests and responses.
+- `slo_enabled` (Boolean) Controls whether Auth0 should notify service providers of session termination.
+
+
+
 <a id="nestedblock--addons--sap_api"></a>
 ### Nested Schema for `addons.sap_api`
 

internal/auth0/client/expand.go

@@ -1,6 +1,7 @@
 package client
 
 import (
+	"github.com/auth0/go-auth0"
 	"github.com/auth0/go-auth0/management"
 	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -267,6 +268,7 @@ func expandClientAddons(d *schema.ResourceData) *management.ClientAddons {
 		addons.Zendesk = expandClientAddonZendesk(addonsCfg.GetAttr("zendesk"))
 		addons.Zoom = expandClientAddonZoom(addonsCfg.GetAttr("zoom"))
 		addons.SSOIntegration = expandClientAddonSSOIntegration(addonsCfg.GetAttr("sso_integration"))
+		addons.SAML2 = expandClientAddonSAMLP(addonsCfg.GetAttr("samlp"))
 		return stop
 	})
 
@@ -656,6 +658,94 @@ func expandClientAddonSSOIntegration(ssoCfg cty.Value) *management.SSOIntegratio
 	return &ssoAddon
 }
 
+func expandClientAddonSAMLP(samlpCfg cty.Value) *management.SAML2ClientAddon {
+	var samlpAddon management.SAML2ClientAddon
+
+	samlpCfg.ForEachElement(func(_ cty.Value, samlpCfg cty.Value) (stop bool) {
+		samlpAddon = management.SAML2ClientAddon{
+			Mappings:                       value.MapOfStrings(samlpCfg.GetAttr("mappings")),
+			Audience:                       value.String(samlpCfg.GetAttr("audience")),
+			Recipient:                      value.String(samlpCfg.GetAttr("recipient")),
+			CreateUPNClaim:                 value.Bool(samlpCfg.GetAttr("create_upn_claim")),
+			MapUnknownClaimsAsIs:           value.Bool(samlpCfg.GetAttr("map_unknown_claims_as_is")),
+			PassthroughClaimsWithNoMapping: value.Bool(samlpCfg.GetAttr("passthrough_claims_with_no_mapping")),
+			MapIdentities:                  value.Bool(samlpCfg.GetAttr("map_identities")),
+			SignatureAlgorithm:             value.String(samlpCfg.GetAttr("signature_algorithm")),
+			DigestAlgorithm:                value.String(samlpCfg.GetAttr("digest_algorithm")),
+			Issuer:                         value.String(samlpCfg.GetAttr("issuer")),
+			Destination:                    value.String(samlpCfg.GetAttr("destination")),
+			LifetimeInSeconds:              value.Int(samlpCfg.GetAttr("lifetime_in_seconds")),
+			SignResponse:                   value.Bool(samlpCfg.GetAttr("sign_response")),
+			NameIdentifierFormat:           value.String(samlpCfg.GetAttr("name_identifier_format")),
+			NameIdentifierProbes:           value.Strings(samlpCfg.GetAttr("name_identifier_probes")),
+			AuthnContextClassRef:           value.String(samlpCfg.GetAttr("authn_context_class_ref")),
+			TypedAttributes:                value.Bool(samlpCfg.GetAttr("typed_attributes")),
+			IncludeAttributeNameFormat:     value.Bool(samlpCfg.GetAttr("include_attribute_name_format")),
+			Binding:                        value.String(samlpCfg.GetAttr("binding")),
+			SigningCert:                    value.String(samlpCfg.GetAttr("signing_cert")),
+		}
+
+		if samlpAddon == (management.SAML2ClientAddon{}) {
+			return true
+		}
+
+		var logout management.SAML2ClientAddonLogout
+
+		samlpCfg.GetAttr("logout").ForEachElement(func(_ cty.Value, logoutCfg cty.Value) (stop bool) {
+			logout = management.SAML2ClientAddonLogout{
+				Callback:   value.String(logoutCfg.GetAttr("callback")),
+				SLOEnabled: value.Bool(logoutCfg.GetAttr("slo_enabled")),
+			}
+
+			return stop
+		})
+
+		if logout != (management.SAML2ClientAddonLogout{}) {
+			samlpAddon.Logout = &logout
+		}
+
+		if samlpAddon.DigestAlgorithm == nil {
+			samlpAddon.DigestAlgorithm = auth0.String("sha1")
+		}
+
+		if samlpAddon.NameIdentifierFormat == nil {
+			samlpAddon.NameIdentifierFormat = auth0.String("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
+		}
+
+		if samlpAddon.SignatureAlgorithm == nil {
+			samlpAddon.SignatureAlgorithm = auth0.String("rsa-sha1")
+		}
+
+		if samlpAddon.LifetimeInSeconds == nil {
+			samlpAddon.LifetimeInSeconds = auth0.Int(3600)
+		}
+
+		if samlpAddon.CreateUPNClaim == nil {
+			samlpAddon.CreateUPNClaim = auth0.Bool(true)
+		}
+
+		if samlpAddon.IncludeAttributeNameFormat == nil {
+			samlpAddon.IncludeAttributeNameFormat = auth0.Bool(true)
+		}
+
+		if samlpAddon.MapIdentities == nil {
+			samlpAddon.MapIdentities = auth0.Bool(true)
+		}
+
+		if samlpAddon.MapUnknownClaimsAsIs == nil {
+			samlpAddon.MapUnknownClaimsAsIs = auth0.Bool(false)
+		}
+
+		if samlpAddon.PassthroughClaimsWithNoMapping == nil {
+			samlpAddon.PassthroughClaimsWithNoMapping = auth0.Bool(true)
+		}
+
+		return stop
+	})
+
+	return &samlpAddon
+}
+
 func clientHasChange(c *management.Client) bool {
 	return c.String() != "{}"
 }