hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Claims Mapping Policy - Claims Transformation #1115

Open nbaju1 opened 1 year ago

nbaju1 commented 1 year ago

Has anyone succeeded in creating a claims mapping policy with a claims transformation? Have tested many iterations, both based on MS docs and the intercepted JSON files when configuring transformations in the UI.

Current iteration which fails (the previous configuration works fine):

# azuread_claims_mapping_policy.app_claims_mapping_policy will be updated in-place
  ~ resource "azuread_claims_mapping_policy" "app_claims_mapping_policy" {
      ~ definition   = [
          - jsonencode(
                {
                  - ClaimsMappingPolicy = {
                      - ClaimsSchema          = [
                          - {
                              - Id               = "userprincipalname"
                              - SamlClaimType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
                              - SamlNameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                              - Source           = "user"
                            },
                          - {
                              - Id            = "employeeid"
                              - SamlClaimType = "EmployeeID"
                              - Source        = "user"
                            },
                          - {
                              - Id            = "mail"
                              - SamlClaimType = "Email"
                              - Source        = "user"
                            },
                       ]
                      - ClaimsTransformations = []
                      - IncludeBasicClaimSet  = "true"
                      - Version               = 1
                    }
                }
            ),
          + jsonencode(
                {
                  + claimsMappingPolicy = {
                      + claimsSchema          = [
                          + {
                              + id               = "userprincipalname"
                              + samlClaimType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
                              + samlNameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                              + source           = "user"
                            },
                          + {
                              + id            = "employeeid"
                              + samlClaimType = "EmployeeID"
                              + source        = "user"
                            },
                          + {
                              + id            = "mail"
                              + samlClaimType = "Email"
                              + source        = "user"
                            },
                          + {
                              + id               = "outputClaimtestRegex_id"
                              + source           = "transformation"
                              + transformationId = "testRegex_id"
                            },
                          + {
                              + id     = "surname"
                              + source = "user"
                            },
                          + {
                              + id     = "companyname"
                              + source = "user"
                            },
                        ]
                     + claimsTransformations = [
                          + {
                              + id                   = "testRegex-RegexReplace"
                              + inputClaims          = [
                                  + {
                                      + claimTypeReferenceId     = "surname"
                                      + claimTypeReferenceSource = "user"
                                      + transformationClaimType  = "sourceClaim"
                                      + treatAsMultiValue        = false
                                    },
                                  + {
                                      + claimTypeReferenceId     = "companyname"
                                      + claimTypeReferenceSource = "user"
                                      + nextTransform            = ""
                                      + transformationClaimType  = "companyname"
                                      + treatAsMultiValue        = false
                                    },
                                ]
                              + inputParameters      = [
                                  + {
                                      + id    = "regex"
                                      + value = "^.*redacted.*$"
                                    },
                                  + {
                                      + id    = "replacement"
                                      + value = "{companyname}"
                                    },
                                ]
                              + outputClaims         = [
                                  + {
                                      + claimTypeReferenceId    = "outputClaimtestRegex-RegexReplace"
                                      + transformationClaimType = "outputClaim"
                                    },
                                ]
                              + transformationMethod = "RegexReplace"
                            },
                        ]
                      + includeBasicClaimSet  = "true"
                      + version               = 1
                    }
                }
            ),
        ]
        id           = "redacted"
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

This produces the following error:

│ Error: Could not update Claims Mapping Policy with object ID ""
│ 
│   with azuread_claims_mapping_policy.d-aad-testing-sso_claims_mapping_policy,
│   on cdk.tf.json line 114, in resource.azuread_claims_mapping_policy-app_claims_mapping_policy:
│  114:       }
│ 
│ ClaimsMappingPolicy.BaseClient.Patch(): unexpected status 400 with OData
│ error: Request_BadRequest: Property definition has an invalid value.

drdamour commented 1 year ago

Pretty sure your problem is case sensitivity. All the policy stuff uses PascalCase and you are using camelCase.

cszlucas commented 1 week ago

Were you able to figure this out?

bwrogo commented 1 week ago

I'm also seeing the same problem. In my case the issue seems to be setting transformation as the Source for the ClaimsSchema. If I change it to another value like user (which doesn't trigger the claims transformation) I don't have any issues running the apply.

resource "azuread_claims_mapping_policy" "test" {
  definition = [jsonencode(
    {
      ClaimsMappingPolicy = {
        Version              = 1
        IncludeBasicClaimSet = true
        ClaimsSchema = [
          {
            Source = "user"
            Id     = "extensionattribute1"
          },
          {
            # claim produced by the transformation below, referenced by its Id
            Source           = "transformation"
            Id               = "DataJoin"
            TransformationId = "JoinTheData"
            JwtClaimType     = "JoinTheData"
          },
        ],
        # key is plural, as in the working definition in the opening post
        ClaimsTransformations = [
          {
            Id                   = "JoinTheData"
            TransformationMethod = "Join"
            # Join concatenates string1 (an input claim) and string2 (a constant) with the separator
            InputClaims = [
              {
                ClaimTypeReferenceId    = "extensionattribute1"
                TransformationClaimType = "string1"
              }
            ],
            InputParameters = [
              {
                Id    = "string2"
                Value = "ext"
              },
              {
                Id    = "separator"
                Value = "-"
              }
            ],
            OutputClaims = [
              {
                ClaimTypeReferenceId    = "DataJoin"
                TransformationClaimType = "OutputClaim"
              }
            ]
          }
        ],
      }
    }
  )]
  display_name = "test_transformation"
}

So it seems as if Source = "transformation" is not supported.
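A lint pass over the JSON that jsonencode() produces, covering the pitfalls raised in this thread before a definition reaches the provider: camelCase keys (drdamour's point), a misspelled policy key such as the singular ClaimsTransformation, and a Source = "transformation" entry whose TransformationId or output claim does not line up with a defined transformation. This is an added example, not provider or thread code; the expected key names are taken from the working definition in the opening post, and the sample policy is constructed.

```python
import json

# Policy-level keys as used in the working definition in the opening post (all PascalCase).
POLICY_KEYS = {"ClaimsSchema", "ClaimsTransformations", "IncludeBasicClaimSet", "Version"}

def _camel_keys(node, path=""):
    """Yield dotted paths of keys that start lowercase (the camelCase mistake)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key[:1].islower():
                yield f"{path}{key}"
            yield from _camel_keys(value, f"{path}{key}.")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _camel_keys(value, f"{path}[{i}].")

def lint_policy(definition: str) -> list:
    """Return problem strings for one JSON policy definition; [] means clean."""
    doc = json.loads(definition)
    problems = [f"camelCase key {p}" for p in _camel_keys(doc)]
    policy = doc.get("ClaimsMappingPolicy")
    if policy is None:
        return problems + [f"root key must be ClaimsMappingPolicy, found {sorted(doc)}"]
    problems += [f"unknown policy key {k!r}" for k in policy if k not in POLICY_KEYS]
    schema = policy.get("ClaimsSchema", [])
    transforms = {t.get("Id"): t for t in policy.get("ClaimsTransformations", [])}
    schema_ids = {c.get("Id") for c in schema}
    for claim in schema:  # every transformation-sourced claim must be wired to a real transformation
        if claim.get("Source") != "transformation":
            continue
        tid = claim.get("TransformationId")
        if tid not in transforms:
            problems.append(f"claim {claim.get('Id')!r} references undefined transformation {tid!r}")
            continue
        outputs = {o.get("ClaimTypeReferenceId") for o in transforms[tid].get("OutputClaims", [])}
        if claim.get("Id") not in outputs:
            problems.append(f"transformation {tid!r} does not output claim {claim.get('Id')!r}")
    for tid, t in transforms.items():  # and every input claim must exist in ClaimsSchema
        for inp in t.get("InputClaims", []):
            if inp.get("ClaimTypeReferenceId") not in schema_ids:
                problems.append(f"transformation {tid!r} input {inp.get('ClaimTypeReferenceId')!r} not in ClaimsSchema")
    return problems

# Constructed sample with two deliberate faults: singular "ClaimsTransformation" key, dangling TransformationId.
BROKEN = json.dumps({"ClaimsMappingPolicy": {
    "Version": 1, "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [{"Source": "user", "Id": "extensionattribute1"},
                     {"Source": "transformation", "Id": "DataJoin", "TransformationId": "JoinData"}],
    "ClaimsTransformation": [{"Id": "JoinTheData", "TransformationMethod": "Join",
        "InputClaims": [{"ClaimTypeReferenceId": "extensionattribute1", "TransformationClaimType": "string1"}],
        "OutputClaims": [{"ClaimTypeReferenceId": "DataJoin", "TransformationClaimType": "outputClaim"}]}]}})
```

Run it over the string you pass to definition (for example by evaluating the same object with jsonencode in terraform console) before each apply; the two findings on BROKEN disappear once the key is made plural and the TransformationId matches the transformation's Id.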

alex-cherry-amach commented 1 day ago

Any updates on this by chance?