hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Error when setting identifier_uri for azuread_application or azuread_application_identifier_uri #1342

Closed kenchan0130 closed 5 months ago

kenchan0130 commented 6 months ago

Terraform (and AzureAD Provider) Version

terraform v1.7.2 azuread v2.47.0

Affected Resource(s)

Terraform Configuration Files

resource "azuread_application" "box" {
  display_name = "Box"
  identifier_uris = ["box.net"]
}

or

resource "azuread_application" "box" {
  display_name = "Box"

  lifecycle {
    ignore_changes = [
      identifier_uris,
    ]
  }
}

resource "azuread_application_identifier_uri" "box" {
  application_id = azuread_application.box.id
  identifier_uri = "box.net"
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

No Errors

Actual Behavior

│ Error: URI has no host for "identifier_uri"
│ 
│   with azuread_application_identifier_uri.box,
│   on box.tf line 11, in resource "azuread_application_identifier_uri" "box":
│   11:   identifier_uri = "box.net"
│ 

Steps to Reproduce

  1. terraform apply

Important Factoids

In SAML authentication, the Entity ID is configured as the identifier_uri for Entra ID applications. The Entity ID can take any value as per the specification.

In this example using Box, the Entity ID is set to box.net. When performing this configuration in the Azure Portal, the value box.net can indeed be set as the identifier_uri.

https://learn.microsoft.com/en-us/entra/identity/saas-apps/box-tutorial

References

N/A

nbaju1 commented 6 months ago

I believe this issue is caused by the Graph API using the identifierUris property on the application object for both "Application ID URI" in the "Expose an API" tab on the application registration and "Identifier (Entity ID)" in the SSO tab on the service principal.

MS introduced some syntax restrictions on the "Application ID URI" a couple of years ago, seemingly forgetting how this affects doing SAML SSO configuration with the API. You can test this by attempting to put "box.net" on the application registration, which won't work.

My current workaround for this is to handle identifier URIs separately from the TF configuration and ignore changes to identifier_uris on the application resource in the TF config.

kyogendra08 commented 6 months ago

Hi everyone, regarding this issue I recently tested with the Microsoft Graph API. I tried a unique syntax identifier URI and I don't get any error:

POST https://graph.microsoft.com/v1.0/applications

{ "displayName": "Test Identifier URI", "identifierUris": [ "box.net" ] }

With this specific API call the App registration does get created without any issues. So I am not sure if this is still a Microsoft Graph issue.

kenchan0130 commented 6 months ago

This is not an error with the Microsoft Graph API, but rather a validation issue with this provider. Therefore, simply loosening the validation will resolve this problem.
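The error text "URI has no host" is what you get when a validator parses the value as a URL and insists on a host component: a bare value such as box.net parses as a relative path with an empty host, and a URN-style entity ID has no host either. The following Go program is an added example written for this thread, not code from the provider; it reconstructs a hypothetical strict check of that kind next to a looser check that accepts what SAML 2.0 permits for an entityID, and runs both over constructed sample values in the shape of the identifier_uris list.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ValidateStrictURI is a hypothetical reconstruction of a check that
// produces the "URI has no host" error seen in this issue. It is not the
// provider's own code; it only shows why a bare value like "box.net" fails.
func ValidateStrictURI(v string) error {
	u, err := url.Parse(v)
	if err != nil {
		return fmt.Errorf("%q is not a valid URI: %w", v, err)
	}
	if u.Host == "" {
		// "box.net" parses as a relative path with an empty host, and a
		// URN such as "urn:example:app" is an opaque URI with no host.
		return fmt.Errorf("URI has no host for %q", v)
	}
	return nil
}

// ValidateEntityID accepts what SAML 2.0 allows for an entityID: any
// non-empty anyURI value (the Core spec recommends at most 1024 characters).
// Leading or trailing whitespace is rejected because it is almost always a
// copy-paste error and would silently break entity matching during SSO.
func ValidateEntityID(v string) error {
	if v == "" {
		return fmt.Errorf("entity ID must not be empty")
	}
	if strings.TrimSpace(v) != v {
		return fmt.Errorf("entity ID %q has leading or trailing whitespace", v)
	}
	if len(v) > 1024 {
		return fmt.Errorf("entity ID exceeds 1024 characters")
	}
	if _, err := url.Parse(v); err != nil {
		return fmt.Errorf("entity ID %q is not a valid URI: %w", v, err)
	}
	return nil
}

// Rejected runs a validator over a list of identifier URIs (the shape of
// the identifier_uris attribute) and returns the values that fail, in order.
func Rejected(uris []string, validate func(string) error) []string {
	var bad []string
	for _, u := range uris {
		if err := validate(u); err != nil {
			bad = append(bad, u)
		}
	}
	return bad
}

func main() {
	// Constructed sample values: a bare SAML entity ID, its URL form,
	// an Application ID URI in api:// form, and a URN.
	uris := []string{"box.net", "https://box.net", "api://example-app", "urn:example:app"}
	fmt.Println("strict check rejects:   ", Rejected(uris, ValidateStrictURI))
	fmt.Println("entity ID check rejects:", Rejected(uris, ValidateEntityID))
}
```

The strict check rejects both box.net and the URN while accepting the https:// and api:// forms, which matches the behaviour reported above; the entity ID check accepts all four, and still catches empty, padded or unparsable values, so loosening validation does not have to mean dropping it entirely.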