hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Not possible to configure SAML with Terraform provider #1418

Open flmmartins opened 1 week ago

flmmartins commented 1 week ago

I am configuring SSO for an application and I tried the following:

```hcl
data "azuread_application_template" "sso" {
  display_name = "Microsoft Entra SAML Toolkit"
}

resource "azuread_application" "sso" {
  group_membership_claims = ["All"] # Emit all of the user's groups in the token
  identifier_uris         = ["https://XXX"]
  # References the data source declared above (the original referenced a
  # non-existent "pingdom_sso" data source)
  template_id  = data.azuread_application_template.sso.template_id
  display_name = "sso"

  feature_tags {
    enterprise            = true
    gallery               = true
    custom_single_sign_on = true
  }

  web {
    logout_url    = "https://XXX/saml"
    redirect_uris = ["https://XXX/saml"]
  }

  optional_claims {
    saml2_token {
      essential             = false
      name                  = "NameID"
      source                = "user"
      additional_properties = ["user.mail"] # Rejected by the provider, see the error below
    }
  }
}
```

I got 2 issues.

Optional Claim does not work for SAML; I get the following error:

```
│ Error: expected optional_claims.0.saml2_token.0.additional_properties.0 to be one of ["cloud_displayname" "dns_domain_and_sam_account_name" "emit_as_roles" "include_externally_authenticated_upn_without_hash" "include_externally_authenticated_upn" "max_size_limit" "netbios_domain_and_sam_account_name" "on_premise_security_identifier" "sam_account_name" "use_guid"], got user.mail
```

PS: This is an extra field that differs from the required claim "Name ID" (with a space in between).

Entity ID and Reply URL

I see that my Entity ID and Reply URL do not get filled when passing the URLs.
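A pre-apply check, added here as an example and not part of the issue or of the provider's own code, that re-implements the validation the error above reveals: every entry of `saml2_token.additional_properties` must be one of the values the provider lists, so a value like `user.mail` is flagged in CI before `terraform apply`. The `.tf.json` block shape and the function name are assumptions.

```python
"""Pre-apply check for azuread_application optional_claims.saml2_token.

Added example (not the provider's code). It reproduces the validation that the
provider error on this page reveals, with the same path format in the message.
"""
import json
from typing import Dict, List

# Allowed values exactly as quoted in the provider error above.
ALLOWED_ADDITIONAL_PROPERTIES = frozenset({
    "cloud_displayname", "dns_domain_and_sam_account_name", "emit_as_roles",
    "include_externally_authenticated_upn_without_hash",
    "include_externally_authenticated_upn", "max_size_limit",
    "netbios_domain_and_sam_account_name", "on_premise_security_identifier",
    "sam_account_name", "use_guid",
})


def check_saml2_token_claims(resource: Dict) -> List[str]:
    """Return provider-style error strings for one azuread_application body.

    `resource` is the JSON (.tf.json) form of the resource block, where nested
    blocks are lists of dicts; error paths mirror the provider's
    "optional_claims.0.saml2_token.0.additional_properties.0" format.
    """
    errors: List[str] = []
    for i, oc in enumerate(resource.get("optional_claims", [])):
        for j, tok in enumerate(oc.get("saml2_token", [])):
            for k, prop in enumerate(tok.get("additional_properties", [])):
                if prop not in ALLOWED_ADDITIONAL_PROPERTIES:
                    path = f"optional_claims.{i}.saml2_token.{j}.additional_properties.{k}"
                    allowed = " ".join(f'"{v}"' for v in sorted(ALLOWED_ADDITIONAL_PROPERTIES))
                    errors.append(f"expected {path} to be one of [{allowed}], got {prop}")
    return errors


# Constructed sample: the issue's optional_claims block in .tf.json shape.
SAMPLE_RESOURCE = json.loads("""
{"display_name": "sso",
 "optional_claims": [{"saml2_token": [{"essential": false, "name": "NameID",
   "source": "user", "additional_properties": ["user.mail"]}]}]}
""")

if __name__ == "__main__":
    for err in check_saml2_token_claims(SAMPLE_RESOURCE):
        print("Error:", err)
```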