Unable to Create Enterprise Application with SAML

[thebeanogamer]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform: 1.1.9
AzureAD Provider: 2.22.0

Affected Resource(s)

• azuread_application

Terraform Configuration Files

data "azuread_client_config" "current" {}

resource "azuread_application" "application" {
  display_name = "Demo"
  owners       = [data.azuread_client_config.current.object_id]
  identifier_uris = ["https://example.com"]
  sign_in_audience = "AzureADMyOrg"
  prevent_duplicate_names = true

  web {
    redirect_uris = ["https://example.com/saml/acs"]
  }

  feature_tags {
    enterprise            = true
    gallery               = false
    custom_single_sign_on = true
  }
}

resource "azuread_service_principal" "application" {
  application_id                = azuread_application.application.application_id
  use_existing                  = true
  preferred_single_sign_on_mode = "saml"

  feature_tags {
    enterprise            = true
    gallery               = false
    custom_single_sign_on = true
  }
}

Debug Output

https://gist.github.com/thebeanogamer/d61a453bbead8c6d04532e3e63d45b24

Expected Behavior

Terraform should create an enterprise application with the following SAML configuration:

Actual Behavior

│ Error: Could not create application
│ 
│   with module.testing.azuread_application.application,
│   on modules/saml-application/main.tf line 8, in resource "azuread_application" "application":
│    8: resource "azuread_application" "application" {
│ 
│ ApplicationsClient.BaseClient.Post(): unexpected status 400 with OData
│ error: HostNameNotOnVerifiedDomain: Values of identifierUris property must
│ use a verified domain of the organization or its subdomain:
│ '['https://example.com']'

Steps to Reproduce

1. terraform apply

References

Based on https://docs.microsoft.com/en-us/graph/application-saml-sso-configure-api, I believe the attribute names are correct, but they may well not be.

I get the impression that Terraform might not be creating a single-tenant enterprise application, which is why Azure is rejecting it. Unfortunately I don't know enough about the Azure AD API to say for certain.

[Satak]

For single tenant applications, adding or updating the AppId URI validates that the domain in the HTTPS scheme URI is listed in the verified domain list in the customer tenant or that the value uses the default scheme (api://{appId}) provided by Azure AD. This could prevent applications from adding an AppId URI if the domain isn't in the verified domain list or the value doesn't use the default scheme. To find more information on verified domains, refer to the custom domains documentation.

https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes

So change your identifier uris to follow api scheme or add the domain as verified.

[7326922]

Does the workaround described in #797 work for you?

[thebeanogamer]

@7326922 Thanks, it does indeed. I'll close this for now and put a +1 on that issue.

For my use case, I'm going to abuse sed and CI jobs to automatically add and remove that attribute. Wish me luck...

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.