Commit
doc: Change documentation for new attributes to support OIDC Identity providers (#1883)

* docs

* mention feature is in preview

* add oidc example

* Update website/docs/d/federated_settings_identity_provider.html.markdown

Co-authored-by: pierwill <[email protected]>

* Update website/docs/d/federated_settings_identity_providers.html.markdown

Co-authored-by: pierwill <[email protected]>

* Update website/docs/guides/1.15.0-upgrade-guide.html.markdown

Co-authored-by: pierwill <[email protected]>

* Update website/docs/r/federated_settings_identity_provider.html.markdown

Co-authored-by: pierwill <[email protected]>

* Update website/docs/r/federated_settings_identity_provider.html.markdown

Co-authored-by: pierwill <[email protected]>

* Update website/docs/r/federated_settings_identity_provider.html.markdown

Co-authored-by: pierwill <[email protected]>

* Update website/docs/r/federated_settings_identity_provider.html.markdown

Co-authored-by: pierwill <[email protected]>

* Update website/docs/r/federated_settings_identity_provider.html.markdown

Co-authored-by: pierwill <[email protected]>

* Update website/docs/r/federated_settings_identity_provider.html.markdown

Co-authored-by: Agustin Bettati <[email protected]>

---------

Co-authored-by: pierwill <[email protected]>
Co-authored-by: Agustin Bettati <[email protected]>
3 people authored Feb 1, 2024
1 parent 2bcc0c5 commit 86edeed
Showing 5 changed files with 46 additions and 11 deletions.
Expand Up @@ -38,7 +38,7 @@ resource "mongodbatlas_federated_settings_org_config" "org_connections_import" {
post_auth_role_grants = ["ORG_MEMBER"]
}

resource "mongodbatlas_federated_settings_identity_provider" "identity_provider" {
resource "mongodbatlas_federated_settings_identity_provider" "saml_identity_provider" {
federation_settings_id = data.mongodbatlas_federated_settings.federated_settings.id
name = var.name
associated_domains = ["yourdomain.com"]
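Review bot: renaming the example resource from `identity_provider` to `saml_identity_provider` changes its Terraform address, so anyone who applied the old example now has state under the old address and will need a `moved` block or `terraform state mv` before the renamed example applies cleanly; either call that out or keep the old name. The import command in the resource doc touched by this same change still targets `mongodbatlas_federated_settings_identity_provider.identity_provider`, so the two examples no longer line up.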
Expand All @@ -48,4 +48,18 @@ resource "mongodbatlas_federated_settings_identity_provider" "identity_provider"
issuer_uri = "http://www.okta.com/exk1f716hf7f750h8"
request_binding = "HTTP-POST"
response_signature_algorithm = "SHA-256"
protocol = "SAML"
}

resource "mongodbatlas_federated_settings_identity_provider" "oidc_identity_provider" {
federation_settings_id = data.mongodbatlas_federated_settings.federated_settings.id
name = var.name
associated_domains = ["yourdomain.com"]
issuer_uri = "http://www.okta.com/exk1f716hf7f750h8"
client_id = "clientId"
audience_claim = ["audience"]
requested_scopes = ["profiles"]
user_claim = "sub"
groups_claim = "groups"
protocol = "OIDC"
}
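Review bot: the OIDC example's `issuer_uri` is the plain `http://` Okta SAML entity ID copied from the SAML block above; an OIDC issuer must be an `https://` URL (OpenID Connect Discovery locates `<issuer>/.well-known/openid-configuration` from it, and a SAML entity ID is not an OIDC issuer), so use an `https://` placeholder such as `https://<your-idp>/oauth2/default` here. `requested_scopes = ["profiles"]` also looks like a typo for the standard `profile` scope. Finally, both resources in this file set `name = var.name`, so applying the file as written creates two identity providers with the same name; give the OIDC one its own variable.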
Expand Up @@ -10,6 +10,7 @@ description: |-

`mongodbatlas_federated_settings_identity_provider` provides a federated settings identity provider data source. Atlas federated settings identity provider provides federated settings outputs for the configured identity provider.

-> **NOTE:** OIDC Workforce IdP is currently in preview. To learn more about OIDC and existing limitations see the [OIDC Authentication Documentation](https://www.mongodb.com/docs/atlas/security-oidc/)

## Example Usage

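Review bot: the added NOTE line is missing its terminal period and a comma before `see` (`... existing limitations, see the ...`); the same sentence added to the other two docs in this change ends with a period, so make the three consistent.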
Expand Down Expand Up @@ -38,7 +39,7 @@ data "mongodbatlas_federated_settings_identity_provider" "identity_provider_ds"
* `federation_settings_id` - (Required) Unique 24-hexadecimal digit string that identifies the federated authentication configuration.
* `identity_provider_id` - (Required) Unique 20-hexadecimal or 24-hexadecimal digit string that identifies the IdP.

**WARNING:** Starting at terraform provider 1.16.0 the allowed format for `identity_provider_id` will only be 24-hexadecimal digit string. See more [here](../guides/1.15.0-upgrade-guide.html.markdown)
**WARNING:** Starting from terraform provider version 1.16.0, the only allowed format for `identity_provider_id` will be 24-hexadecimal digit string. See more [here](../guides/1.15.0-upgrade-guide.html.markdown)

## Attributes Reference

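Review bot: in the rewritten WARNING, `will be 24-hexadecimal digit string` needs an article (`a 24-hexadecimal digit string`) and the sentence has no terminal period; `terraform provider` should also be capitalised as `Terraform provider`, matching the wording used in the resource doc. The argument line above it still advertises the 20-hexadecimal form as accepted, which is fine for 1.15.x but should be removed together with this warning in 1.16.0.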
Expand All @@ -55,6 +56,12 @@ In addition to all arguments above, the following attributes are exported:
* `org_id` - Unique 24-hexadecimal digit string that identifies the organization that contains your projects.
* `post_auth_role_grants` - List that contains the default roles granted to users who authenticate through the IdP in a connected organization. If you provide a postAuthRoleGrants field in the request, the array that you provide replaces the current postAuthRoleGrants.
* `idp_id` - Unique 24-hexadecimal digit string that identifies the IdP
* `protocol` - The protocol of the identity provider. Either SAML or OIDC.
* `audience_claim` - Identifier of the intended recipient of the token.
* `client_id` - Client identifier that is assigned to an application by the Identity Provider.
* `groups_claim` - Identifier of the claim which contains IdP Group IDs in the token.
* `requested_scopes` - Scopes that MongoDB applications will request from the authorization endpoint.
* `user_claim` - Identifier of the claim which contains the user ID in the token.

### Role_mappings
* `external_group_name` - Unique human-readable label that identifies the identity provider group to which this role mapping applies.
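Review bot: `audience_claim` and `requested_scopes` are described as a single identifier and a set of scopes, but the example added in this change sets both as lists (`audience_claim = ["audience"]`, `requested_scopes = ["profiles"]`), so document their type as a list. The five new attributes should also state that they apply only when `protocol` is `OIDC`, since nothing in the list tells a SAML user why they come back empty, and the `idp_id` line above them is the only entry without a terminal period.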
Expand Up @@ -10,6 +10,7 @@ description: |-

`mongodbatlas_federated_settings_identity_providers` provides an Federated Settings Identity Providers datasource. Atlas Cloud Federated Settings Identity Providers provides federated settings outputs for the configured Identity Providers.

-> **NOTE:** OIDC Workforce IdP is currently in preview. To learn more about OIDC and existing limitations see the [OIDC Authentication Documentation](https://www.mongodb.com/docs/atlas/security-oidc/).

## Example Usage

Expand Down Expand Up @@ -55,6 +56,11 @@ In addition to all arguments above, the following attributes are exported:
* `post_auth_role_grants` - List that contains the default roles granted to users who authenticate through the IdP in a connected organization. If you provide a postAuthRoleGrants field in the request, the array that you provide replaces the current postAuthRoleGrants.
* `protocol` - The protocol of the identity provider
* `idp_id` - Unique 24-hexadecimal digit string that identifies the IdP
* `audience_claim` - Identifier of the intended recipient of the token.
* `client_id` - Client identifier that is assigned to an application by the Identity Provider.
* `groups_claim` - Identifier of the claim which contains IdP Group IDs in the token.
* `requested_scopes` - Scopes that MongoDB applications will request from the authorization endpoint.
* `user_claim` - Identifier of the claim which contains the user ID in the token.

### Role_mappings
* `external_group_name` - Unique human-readable label that identifies the identity provider group to which this role mapping applies.
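Review bot: the `protocol` description here (`The protocol of the identity provider`) was not updated to enumerate the values, whereas the singular data source in this change says `Either SAML or OIDC.`; align the two, including the missing period. The same type point applies as in the singular data source: `audience_claim` and `requested_scopes` are lists in the example but described as single values.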
2 changes: 1 addition & 1 deletion website/docs/guides/1.15.0-upgrade-guide.html.markdown
Expand Up @@ -20,7 +20,7 @@ The Terraform MongoDB Atlas Provider version 1.15.0 has a number of new and exci
- Removal of `page_num` and `items_per_page` attributes in `mongodbatlas_search_indexes` data source.
- Format of IdP Id that uniquely identifies the identity provider when importing [`mongodbatlas_federated_settings_identity_provider`](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/federated_settings_identity_provider) resource and [`mongodbatlas_federated_settings_identity_provider`](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/data-sources/federated_settings_identity_provider) data source now accepts a different format to align with the Atlas Admin API. Details and upgrade guide can be found below:

Both the current and new IdP Id format are accepted in terraform-provider 1.15.0 version. New features for `mongodbatlas_federated_settings_identity_provider` resource and data source will only be available when using the new Id format.
Both the current and new IdP Id format are accepted in `terraform-provider` version 1.15.x. New features for `mongodbatlas_federated_settings_identity_provider` resource and data source will only be available when using the new Id format.

***WARNING:*** Old IdP Id format will no longer be accepted starting in terraform-provider 1.16.0 version and onwards. We recommend to update to the new format as soon as possible. A warning will appear if old Id is still being used. Follow the guide below to start using the new Id format.

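Review bot: `Both the current and new IdP Id format are accepted` should read `formats are`; wrapping `terraform-provider` in backticks presents it as a code identifier, but the provider's name is `mongodbatlas` and the context line below uses `terraform-provider 1.16.0 version` unquoted, so plain `the Terraform provider version 1.15.x` would be clearer and consistent with the WARNING that follows.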
24 changes: 16 additions & 8 deletions website/docs/r/federated_settings_identity_provider.html.markdown
Expand Up @@ -9,6 +9,8 @@ description: |-
# Resource: mongodbatlas_federated_settings_identity_provider

`mongodbatlas_federated_settings_identity_provider` provides an Atlas federated settings identity provider resource provides a subset of settings to be maintained post import of the existing resource.

-> **NOTE:** OIDC Workforce IdP is currently in preview. To learn more about OIDC and existing limitations see the [OIDC Authentication Documentation](https://www.mongodb.com/docs/atlas/security-oidc/).
## Example Usage

~> **IMPORTANT** You **MUST** import this resource before you can manage it with this provider.
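Review bot: the inserted NOTE line is immediately followed by the `## Example Usage` heading with no blank line between them, unlike the same insertion in the two data-source docs; add the blank line so the admonition and the heading render as separate blocks. While here, the description line above it reads `provides an Atlas federated settings identity provider resource provides a subset of settings` and needs the duplicated `provides` fixed.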
Expand All @@ -31,15 +33,21 @@ resource "mongodbatlas_federated_settings_identity_provider" "identity_provider"

* `federation_settings_id` - (Required) Unique 24-hexadecimal digit string that identifies the federated authentication configuration.
* `name` - (Required) Human-readable label that identifies the identity provider.
* `associated_domains` - (Required) List that contains the domains associated with the identity provider.
* `sso_debug_enabled` - (Required) Flag that indicates whether the identity provider has SSO debug enabled.
* `status`- (Required) String enum that indicates whether the identity provider is active or not. Accepted values are ACTIVE or INACTIVE.
* `issuer_uri` - (Required) Unique string that identifies the issuer of the SAML
* `sso_url` - (Required) Unique string that identifies the intended audience of the SAML assertion.
* `request_binding` - (Required) SAML Authentication Request Protocol HTTP method binding (POST or REDIRECT) that Federated Authentication uses to send the authentication request. Atlas supports the following binding values:
* `associated_domains` - List that contains the domains associated with the identity provider.
* `sso_debug_enabled` - Flag that indicates whether the identity provider has SSO debug enabled.
* `status`- String enum that indicates whether the identity provider is active or not. Accepted values are ACTIVE or INACTIVE.
* `issuer_uri` - (Required) Unique string that identifies the issuer of the IdP.
* `sso_url` - Unique string that identifies the intended audience of the SAML assertion.
* `request_binding` - SAML Authentication Request Protocol HTTP method binding (`POST` or `REDIRECT`) that Federated Authentication uses to send the authentication request. Atlas supports the following binding values:
- HTTP POST
- HTTP REDIRECT
* `response_signature_algorithm` - (Required) Signature algorithm that Federated Authentication uses to encrypt the identity provider signature. Valid values include SHA-1 and SHA-256.
* `response_signature_algorithm` - Signature algorithm that Federated Authentication uses to encrypt the identity provider signature. Valid values include `SHA-1 `and `SHA-256`.
* `protocol` - The protocol of the identity provider. Either `SAML` or `OIDC`.
* `audience_claim` - Identifier of the intended recipient of the token.
* `client_id` - Client identifier that is assigned to an application by the Identity Provider.
* `groups_claim` - Identifier of the claim which contains IdP Group IDs in the token.
* `requested_scopes` - Scopes that MongoDB applications will request from the authorization endpoint.
* `user_claim` - Identifier of the claim which contains the user ID in the token.

## Attributes Reference

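Review bot: dropping `(Required)` from `associated_domains`, `sso_debug_enabled`, `status`, `sso_url`, `request_binding` and `response_signature_algorithm` leaves the reader with no way to tell which arguments a SAML provider still needs and which of the new ones are OIDC-only; mark each as, for example, `(Required for SAML)` or `(OIDC only)` rather than leaving all of them unqualified. Smaller points on the added lines: the value `SHA-1 `and has a stray space inside the backticks; a signature algorithm signs the response rather than encrypting it, so `encrypt the identity provider signature` should read `sign`; and `request_binding` is documented as `POST` or `REDIRECT` and listed as `HTTP POST` / `HTTP REDIRECT`, while the example in this change sets `request_binding = "HTTP-POST"`, so pick one spelling and use it in both places.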
Expand All @@ -59,6 +67,6 @@ Identity Provider **must** be imported before using federation_settings_id-idp_i
$ terraform import mongodbatlas_federated_settings_identity_provider.identity_provider 6287a663c660f52b1c441c6c-0oad4fas87jL5Xnk1297
```

**WARNING:** Starting from terraform provider version 1.16.0, to import Identity Provider, `id` a 24-hexadecimal digit string that identifies the IdP, will have to be used instead of `okta_idp_id`. See more [here](../guides/1.15.0-upgrade-guide.html.markdown)
**WARNING:** Starting from terraform provider version 1.16.0, to import the resource a 24-hexadecimal digit string that identifies the IdP (`idp_id`) will have to be used instead of `okta_idp_id`. See more [here](../guides/1.15.0-upgrade-guide.html.markdown)

For more information see: [MongoDB Atlas API Reference.](https://www.mongodb.com/docs/atlas/reference/api/federation-configuration/)

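Review bot: the rewritten WARNING says the 24-hexadecimal `idp_id` must be used from 1.16.0 on, but the import example just above it still shows only the old Okta-style suffix (`6287a663c660f52b1c441c6c-0oad4fas87jL5Xnk1297`); add or switch to an example in the new `federation_settings_id-idp_id` form so readers can see the format the warning refers to. The sentence also lacks a terminal period.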
0 comments on commit 86edeed
