
[22/X] DXCDT-441: Reintroduce support for samlp client addon #681

merged 2 commits into from
Jun 30, 2023
38 changes: 38 additions & 0 deletions docs/data-sources/client.md
Expand Up @@ -87,6 +87,7 @@ Read-Only:
- `salesforce` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce))
- `salesforce_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_api))
- `salesforce_sandbox_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_sandbox_api))
- `samlp` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp))
- `sap_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sap_api))
- `sentry` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sentry))
- `sharepoint` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sharepoint))
Expand Down Expand Up @@ -242,6 +243,43 @@ Read-Only:
- `principal` (String)


<a id="nestedobjatt--addons--samlp"></a>
### Nested Schema for `addons.samlp`

Read-Only:

- `audience` (String)
- `authn_context_class_ref` (String)
- `binding` (String)
- `create_upn_claim` (Boolean)
- `destination` (String)
- `digest_algorithm` (String)
- `include_attribute_name_format` (Boolean)
- `issuer` (String)
- `lifetime_in_seconds` (Number)
- `logout` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp--logout))
- `map_identities` (Boolean)
- `map_unknown_claims_as_is` (Boolean)
- `mappings` (Map of String)
- `name_identifier_format` (String)
- `name_identifier_probes` (List of String)
- `passthrough_claims_with_no_mapping` (Boolean)
- `recipient` (String)
- `sign_response` (Boolean)
- `signature_algorithm` (String)
- `signing_cert` (String)
- `typed_attributes` (Boolean)

<a id="nestedobjatt--addons--samlp--logout"></a>
### Nested Schema for `addons.samlp.logout`

Read-Only:

- `callback` (String)
- `slo_enabled` (Boolean)



<a id="nestedobjatt--addons--sap_api"></a>
### Nested Schema for `addons.sap_api`

38 changes: 38 additions & 0 deletions docs/data-sources/global_client.md
Expand Up @@ -76,6 +76,7 @@ Read-Only:
- `salesforce` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce))
- `salesforce_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_api))
- `salesforce_sandbox_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--salesforce_sandbox_api))
- `samlp` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp))
- `sap_api` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sap_api))
- `sentry` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sentry))
- `sharepoint` (List of Object) (see [below for nested schema](#nestedobjatt--addons--sharepoint))
Expand Down Expand Up @@ -231,6 +232,43 @@ Read-Only:
- `principal` (String)


<a id="nestedobjatt--addons--samlp"></a>
### Nested Schema for `addons.samlp`

Read-Only:

- `audience` (String)
- `authn_context_class_ref` (String)
- `binding` (String)
- `create_upn_claim` (Boolean)
- `destination` (String)
- `digest_algorithm` (String)
- `include_attribute_name_format` (Boolean)
- `issuer` (String)
- `lifetime_in_seconds` (Number)
- `logout` (List of Object) (see [below for nested schema](#nestedobjatt--addons--samlp--logout))
- `map_identities` (Boolean)
- `map_unknown_claims_as_is` (Boolean)
- `mappings` (Map of String)
- `name_identifier_format` (String)
- `name_identifier_probes` (List of String)
- `passthrough_claims_with_no_mapping` (Boolean)
- `recipient` (String)
- `sign_response` (Boolean)
- `signature_algorithm` (String)
- `signing_cert` (String)
- `typed_attributes` (Boolean)

<a id="nestedobjatt--addons--samlp--logout"></a>
### Nested Schema for `addons.samlp.logout`

Read-Only:

- `callback` (String)
- `slo_enabled` (Boolean)



<a id="nestedobjatt--addons--sap_api"></a>
### Nested Schema for `addons.sap_api`

38 changes: 38 additions & 0 deletions docs/resources/client.md
Expand Up @@ -149,6 +149,7 @@ Optional:
- `salesforce` (Block List, Max: 1) Salesforce SSO configuration. (see [below for nested schema](#nestedblock--addons--salesforce))
- `salesforce_api` (Block List, Max: 1) Salesforce API addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_api))
- `salesforce_sandbox_api` (Block List, Max: 1) Salesforce Sandbox addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_sandbox_api))
- `samlp` (Block List, Max: 1) Configuration settings for a SAML add-on. (see [below for nested schema](#nestedblock--addons--samlp))
- `sap_api` (Block List, Max: 1) SAP API addon configuration. (see [below for nested schema](#nestedblock--addons--sap_api))
- `sentry` (Block List, Max: 1) Sentry SSO configuration. (see [below for nested schema](#nestedblock--addons--sentry))
- `sharepoint` (Block List, Max: 1) SharePoint SSO configuration. (see [below for nested schema](#nestedblock--addons--sharepoint))
Expand Down Expand Up @@ -307,6 +308,43 @@ Optional:
- `principal` (String, Sensitive) Name of the property in the user object that maps to a Salesforce username, for example `email`.


<a id="nestedblock--addons--samlp"></a>
### Nested Schema for `addons.samlp`

Optional:

- `audience` (String) Audience of the SAML Assertion. Default will be the Issuer on SAMLRequest.
- `authn_context_class_ref` (String) Class reference of the authentication context.
- `binding` (String) Protocol binding used for SAML logout responses.
- `create_upn_claim` (Boolean) Indicates whether a UPN claim should be created. Defaults to `true`.
- `destination` (String) Destination of the SAML Response. If not specified, it will be `AssertionConsumerUrl` of SAMLRequest or callback URL if there was no SAMLRequest.
- `digest_algorithm` (String) Algorithm used to calculate the digest of the SAML Assertion or response. Options include `sha1` and `sha256`. Defaults to `sha1`.
- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to `false`, the attribute NameFormat is not set in the assertion. Defaults to `true`.
- `issuer` (String) Issuer of the SAML Assertion.
- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid. Defaults to `3600` seconds.
- `logout` (Block List, Max: 1) Configuration settings for logout. (see [below for nested schema](#nestedblock--addons--samlp--logout))
- `map_identities` (Boolean) Indicates whether or not to add additional identity information in the token, such as the provider used and the `access_token`, if available. Defaults to `true`.
- `map_unknown_claims_as_is` (Boolean) Indicates whether to add a prefix of `http://schema.auth0.com` to any claims that are not mapped to the common profile when passed through in the output assertion. Defaults to `false`.
- `mappings` (Map of String) Mappings between the Auth0 user profile property name (`name`) and the output attributes on the SAML attribute in the assertion (`value`).
- `name_identifier_format` (String) Format of the name identifier. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.
- `name_identifier_probes` (List of String) Attributes that can be used for Subject/NameID. Auth0 will try each of the attributes of this array in order and use the first value it finds.
- `passthrough_claims_with_no_mapping` (Boolean) Indicates whether or not to passthrough claims that are not mapped to the common profile in the output assertion. Defaults to `true`.
- `recipient` (String) Recipient of the SAML Assertion (SubjectConfirmationData). Default is `AssertionConsumerUrl` on SAMLRequest or callback URL if no SAMLRequest was sent.
- `sign_response` (Boolean) Indicates whether or not the SAML Response should be signed instead of the SAML Assertion.
- `signature_algorithm` (String) Algorithm used to sign the SAML Assertion or response. Options include `rsa-sha1` and `rsa-sha256`. Defaults to `rsa-sha1`.
- `signing_cert` (String) Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be `-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n`.
- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to `false`, all `xs:type` are `xs:anyType`. Defaults to `true`.

<a id="nestedblock--addons--samlp--logout"></a>
### Nested Schema for `addons.samlp.logout`

Optional:

- `callback` (String) The service provider (client application)'s Single Logout Service URL, where Auth0 will send logout requests and responses.
- `slo_enabled` (Boolean) Controls whether Auth0 should notify service providers of session termination.



<a id="nestedblock--addons--sap_api"></a>
### Nested Schema for `addons.sap_api`

38 changes: 38 additions & 0 deletions docs/resources/global_client.md
Expand Up @@ -92,6 +92,7 @@ Optional:
- `salesforce` (Block List, Max: 1) Salesforce SSO configuration. (see [below for nested schema](#nestedblock--addons--salesforce))
- `salesforce_api` (Block List, Max: 1) Salesforce API addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_api))
- `salesforce_sandbox_api` (Block List, Max: 1) Salesforce Sandbox addon configuration. (see [below for nested schema](#nestedblock--addons--salesforce_sandbox_api))
- `samlp` (Block List, Max: 1) Configuration settings for a SAML add-on. (see [below for nested schema](#nestedblock--addons--samlp))
- `sap_api` (Block List, Max: 1) SAP API addon configuration. (see [below for nested schema](#nestedblock--addons--sap_api))
- `sentry` (Block List, Max: 1) Sentry SSO configuration. (see [below for nested schema](#nestedblock--addons--sentry))
- `sharepoint` (Block List, Max: 1) SharePoint SSO configuration. (see [below for nested schema](#nestedblock--addons--sharepoint))
Expand Down Expand Up @@ -250,6 +251,43 @@ Optional:
- `principal` (String, Sensitive) Name of the property in the user object that maps to a Salesforce username, for example `email`.


<a id="nestedblock--addons--samlp"></a>
### Nested Schema for `addons.samlp`

Optional:

- `audience` (String) Audience of the SAML Assertion. Default will be the Issuer on SAMLRequest.
- `authn_context_class_ref` (String) Class reference of the authentication context.
- `binding` (String) Protocol binding used for SAML logout responses.
- `create_upn_claim` (Boolean) Indicates whether a UPN claim should be created. Defaults to `true`.
- `destination` (String) Destination of the SAML Response. If not specified, it will be `AssertionConsumerUrl` of SAMLRequest or callback URL if there was no SAMLRequest.
- `digest_algorithm` (String) Algorithm used to calculate the digest of the SAML Assertion or response. Options include `sha1` and `sha256`. Defaults to `sha1`.
- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to `false`, the attribute NameFormat is not set in the assertion. Defaults to `true`.
- `issuer` (String) Issuer of the SAML Assertion.
- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid. Defaults to `3600` seconds.
- `logout` (Block List, Max: 1) Configuration settings for logout. (see [below for nested schema](#nestedblock--addons--samlp--logout))
- `map_identities` (Boolean) Indicates whether or not to add additional identity information in the token, such as the provider used and the `access_token`, if available. Defaults to `true`.
- `map_unknown_claims_as_is` (Boolean) Indicates whether to add a prefix of `http://schema.auth0.com` to any claims that are not mapped to the common profile when passed through in the output assertion. Defaults to `false`.
- `mappings` (Map of String) Mappings between the Auth0 user profile property name (`name`) and the output attributes on the SAML attribute in the assertion (`value`).
- `name_identifier_format` (String) Format of the name identifier. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.
- `name_identifier_probes` (List of String) Attributes that can be used for Subject/NameID. Auth0 will try each of the attributes of this array in order and use the first value it finds.
- `passthrough_claims_with_no_mapping` (Boolean) Indicates whether or not to passthrough claims that are not mapped to the common profile in the output assertion. Defaults to `true`.
- `recipient` (String) Recipient of the SAML Assertion (SubjectConfirmationData). Default is `AssertionConsumerUrl` on SAMLRequest or callback URL if no SAMLRequest was sent.
- `sign_response` (Boolean) Indicates whether or not the SAML Response should be signed instead of the SAML Assertion.
- `signature_algorithm` (String) Algorithm used to sign the SAML Assertion or response. Options include `rsa-sha1` and `rsa-sha256`. Defaults to `rsa-sha1`.
- `signing_cert` (String) Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be `-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n`.
- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to `false`, all `xs:type` are `xs:anyType`. Defaults to `true`.

<a id="nestedblock--addons--samlp--logout"></a>
### Nested Schema for `addons.samlp.logout`

Optional:

- `callback` (String) The service provider (client application)'s Single Logout Service URL, where Auth0 will send logout requests and responses.
- `slo_enabled` (Boolean) Controls whether Auth0 should notify service providers of session termination.



<a id="nestedblock--addons--sap_api"></a>
### Nested Schema for `addons.sap_api`

94 changes: 94 additions & 0 deletions internal/auth0/client/expand.go
@@ -1,6 +1,7 @@
package client

import (
"github.com/auth0/go-auth0"
"github.com/auth0/go-auth0/management"
"github.com/hashicorp/go-cty/cty"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
Expand Down Expand Up @@ -267,6 +268,7 @@ func expandClientAddons(d *schema.ResourceData) *management.ClientAddons {
addons.Zendesk = expandClientAddonZendesk(addonsCfg.GetAttr("zendesk"))
addons.Zoom = expandClientAddonZoom(addonsCfg.GetAttr("zoom"))
addons.SSOIntegration = expandClientAddonSSOIntegration(addonsCfg.GetAttr("sso_integration"))
addons.SAML2 = expandClientAddonSAMLP(addonsCfg.GetAttr("samlp"))
return stop
})

Expand Down Expand Up @@ -656,6 +658,98 @@ func expandClientAddonSSOIntegration(ssoCfg cty.Value) *management.SSOIntegratio
return &ssoAddon
}

func expandClientAddonSAMLP(samlpCfg cty.Value) *management.SAML2ClientAddon {
var samlpAddon management.SAML2ClientAddon

samlpCfg.ForEachElement(func(_ cty.Value, samlpCfg cty.Value) (stop bool) {
samlpAddon = management.SAML2ClientAddon{
Mappings: value.MapOfStrings(samlpCfg.GetAttr("mappings")),
Audience: value.String(samlpCfg.GetAttr("audience")),
Recipient: value.String(samlpCfg.GetAttr("recipient")),
CreateUPNClaim: value.Bool(samlpCfg.GetAttr("create_upn_claim")),
MapUnknownClaimsAsIs: value.Bool(samlpCfg.GetAttr("map_unknown_claims_as_is")),
PassthroughClaimsWithNoMapping: value.Bool(samlpCfg.GetAttr("passthrough_claims_with_no_mapping")),
MapIdentities: value.Bool(samlpCfg.GetAttr("map_identities")),
SignatureAlgorithm: value.String(samlpCfg.GetAttr("signature_algorithm")),
DigestAlgorithm: value.String(samlpCfg.GetAttr("digest_algorithm")),
Issuer: value.String(samlpCfg.GetAttr("issuer")),
Destination: value.String(samlpCfg.GetAttr("destination")),
LifetimeInSeconds: value.Int(samlpCfg.GetAttr("lifetime_in_seconds")),
SignResponse: value.Bool(samlpCfg.GetAttr("sign_response")),
NameIdentifierFormat: value.String(samlpCfg.GetAttr("name_identifier_format")),
NameIdentifierProbes: value.Strings(samlpCfg.GetAttr("name_identifier_probes")),
AuthnContextClassRef: value.String(samlpCfg.GetAttr("authn_context_class_ref")),
TypedAttributes: value.Bool(samlpCfg.GetAttr("typed_attributes")),
IncludeAttributeNameFormat: value.Bool(samlpCfg.GetAttr("include_attribute_name_format")),
Binding: value.String(samlpCfg.GetAttr("binding")),
SigningCert: value.String(samlpCfg.GetAttr("signing_cert")),
}

if samlpAddon == (management.SAML2ClientAddon{}) {
return true
}

var logout management.SAML2ClientAddonLogout

samlpCfg.GetAttr("logout").ForEachElement(func(_ cty.Value, logoutCfg cty.Value) (stop bool) {
logout = management.SAML2ClientAddonLogout{
Callback: value.String(logoutCfg.GetAttr("callback")),
SLOEnabled: value.Bool(logoutCfg.GetAttr("slo_enabled")),
}

return stop
})

if logout != (management.SAML2ClientAddonLogout{}) {
samlpAddon.Logout = &logout
}

if samlpAddon.DigestAlgorithm == nil {
samlpAddon.DigestAlgorithm = auth0.String("sha1")
}

if samlpAddon.NameIdentifierFormat == nil {
samlpAddon.NameIdentifierFormat = auth0.String("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
}

if samlpAddon.SignatureAlgorithm == nil {
samlpAddon.SignatureAlgorithm = auth0.String("rsa-sha1")
}

if samlpAddon.LifetimeInSeconds == nil {
samlpAddon.LifetimeInSeconds = auth0.Int(3600)
}

if samlpAddon.CreateUPNClaim == nil {
samlpAddon.CreateUPNClaim = auth0.Bool(true)
}

if samlpAddon.IncludeAttributeNameFormat == nil {
samlpAddon.IncludeAttributeNameFormat = auth0.Bool(true)
}

if samlpAddon.MapIdentities == nil {
samlpAddon.MapIdentities = auth0.Bool(true)
}

if samlpAddon.MapUnknownClaimsAsIs == nil {
samlpAddon.MapUnknownClaimsAsIs = auth0.Bool(false)
}

if samlpAddon.PassthroughClaimsWithNoMapping == nil {
samlpAddon.PassthroughClaimsWithNoMapping = auth0.Bool(true)
}

if samlpAddon.TypedAttributes == nil {
samlpAddon.TypedAttributes = auth0.Bool(true)
}

return stop
})

return &samlpAddon
}

func clientHasChange(c *management.Client) bool {
return c.String() != "{}"
}
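Review bot: The fallback defaults near the end of expandClientAddonSAMLP pin `digest_algorithm` to `sha1` and `signature_algorithm` to `rsa-sha1` (`samlpAddon.DigestAlgorithm = auth0.String("sha1")`, `samlpAddon.SignatureAlgorithm = auth0.String("rsa-sha1")`), so a samlp block that omits these attributes is filled in with SHA-1-based signing by the provider itself rather than leaving the choice unset. Both are weak choices for a signed assertion; if the intent is only to match the defaults the docs in this PR already state, a comment saying so would stop a later reader from reading them as a recommendation, e.g. `// sha1/rsa-sha1 only mirror the documented default; prefer sha256/rsa-sha256 in new configurations.` These defaults are also applied only after the `samlpAddon == (management.SAML2ClientAddon{})` early return, so an attribute-less `samlp {}` block produces an addon with no defaults at all — presumably intended, but worth a one-line comment on that branch. That equality check further relies on every `value.*` helper returning a nil pointer when the attribute is unset; if `value.MapOfStrings` or `value.Strings` can return a non-nil pointer to an empty collection, the early return never triggers — confirm against those helpers.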