Version: 18.x

```hcl
variable "oidc_secret" {}

resource "teleport_oidc_connector" "example" {
  version = "v3"
  metadata = {
    name = "example"
    labels = {
      test = "yes"
    }
  }

  spec = {
    client_id     = "client"
    client_secret = var.oidc_secret
    claims_to_roles = [{
      claim = "test"
      roles = ["terraform"]
    }]
    redirect_url = ["https://example.com/redirect"]
  }
}
```

Required:

spec (Attributes) Spec is an OIDC connector specification. (see below for nested schema)
version (String) Version is the resource version. It must be specified. Supported values are: v3.

Optional:

metadata (Attributes) Metadata holds resource metadata. (see below for nested schema)
sub_kind (String) SubKind is an optional resource sub kind, used in some resources.

Nested schema for spec:

Optional:

acr_values (String) ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers.
allow_unverified_email (Boolean) AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails.
claims_to_roles (Attributes List) ClaimsToRoles specifies a dynamic mapping from claims to roles. (see below for nested schema)
client_id (String) ClientID is the id of the authentication client (Teleport Auth Service).
client_redirect_settings (Attributes) ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. (see below for nested schema)
client_secret (String, Sensitive) ClientSecret is used to authenticate the client.
display (String) Display is the friendly name for this provider.
entra_id_groups_provider (Attributes) EntraIDGroupsProvider configures an out-of-band user groups provider. It works by following the groups claim source, which is sent for the "groups" claim when the user's group membership exceeds the 200 max item limit. (see below for nested schema)
google_admin_email (String) GoogleAdminEmail is the email of a Google admin to impersonate.
google_service_account (String, Sensitive) GoogleServiceAccount is a string containing Google service account credentials.
google_service_account_uri (String) GoogleServiceAccountURI is a path to a Google service account URI.
issuer_url (String) IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com.
max_age (String)
mfa (Attributes) MFASettings contains settings to enable SSO MFA checks through this auth connector. (see below for nested schema)
pkce_mode (String) PKCEMode represents the configuration state for PKCE (Proof Key for Code Exchange). It can be "enabled" or "disabled".
prompt (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
provider (String) Provider is the external identity provider.
redirect_url (List of String) RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first URL in the list will be used.
request_object_mode (String) RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters.
scope (List of String) Scope specifies additional scopes set by provider.
user_matchers (List of String) UserMatchers is a set of glob patterns to narrow down which username(s) this auth connector should match for identifier-first login.
username_claim (String) UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.

Nested schema for spec.claims_to_roles:

Optional:

claim (String) Claim is a claim name.
roles (List of String) Roles is a list of static Teleport roles to match.
value (String) Value is a claim value to match.

Nested schema for spec.client_redirect_settings:

Optional:

allowed_https_hostnames (List of String) A list of hostnames allowed for HTTPS client redirect URLs.
insecure_allowed_cidr_ranges (List of String) A list of CIDRs allowed for HTTP or HTTPS client redirect URLs.

Nested schema for spec.entra_id_groups_provider:

Optional:

disabled (Boolean) Disabled specifies that the groups provider should be disabled even when Entra ID responds with a groups claim source. Users may choose to disable it if they are using integrations such as SCIM or a similar groups importer, as connector-based role mapping may not be needed in such a scenario.
graph_endpoint (String) GraphEndpoint is a Microsoft Graph API endpoint. The groups claim source endpoint provided by Entra ID points to the now-retired Azure AD Graph endpoint ("https://graph.windows.net"). To convert it to the newer Microsoft Graph API endpoint, Teleport defaults to the Microsoft Graph global service endpoint ("https://graph.microsoft.com"). Update GraphEndpoint to point to a different Microsoft Graph national cloud deployment endpoint.
group_type (String) GroupType is a user group type filter. Defaults to "security-groups". Value can be "security-groups", "directory-roles", or "all-groups".

Nested schema for spec.mfa:

Optional:

acr_values (String) AcrValues are Authentication Context Class Reference values. The meaning of the ACR value is context-specific and varies for identity providers. Some identity providers support MFA-specific contexts, such as Okta with its "phr" (phishing-resistant) ACR.
client_id (String) ClientID is the OIDC OAuth app client ID.
client_secret (String) ClientSecret is the OIDC OAuth app client secret.
enabled (Boolean) Enabled specifies whether this OIDC connector supports MFA checks. Defaults to false.
max_age (String) MaxAge is the amount of time in nanoseconds that an IdP session is valid for. Defaults to 0 to always force re-authentication for MFA checks. This should only be set to a non-zero value if the IdP is set up to perform MFA checks on top of active user sessions.
prompt (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
request_object_mode (String) RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters. If omitted, MFA flows will default to the RequestObjectMode behavior specified in the base OIDC connector. Set this property to 'none' to explicitly disable request objects for the MFA client.

Nested schema for metadata:

Required:

name (String) Name is an object name.
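Added example, not taken from the provider documentation or the Teleport project: a connector that sets the security-relevant attributes of the schema above explicitly, with PKCE enabled, claim-to-role mapping on specific claim values, an HTTPS-only client redirect allow list with no insecure CIDR ranges, user matchers for identifier-first login, and SSO MFA through the IdP using the phishing-resistant "phr" ACR named in the mfa schema. The issuer URL, Proxy address, client IDs, hostnames, group names and the "editor" and "access" role names are placeholders assumed for this example.

```hcl
variable "oidc_client_secret" { sensitive = true }
variable "oidc_mfa_client_secret" { sensitive = true }

resource "teleport_oidc_connector" "okta" {
  version = "v3"
  metadata = {
    name   = "okta"
    labels = { env = "prod" }
  }

  spec = {
    display       = "Okta"
    issuer_url    = "https://example.okta.com" # placeholder issuer
    client_id     = "placeholder-client-id"    # placeholder OAuth client ID
    client_secret = var.oidc_client_secret

    # Callback URL registered on the IdP side; must match the Proxy's public address.
    redirect_url = ["https://teleport.example.com/v1/webapi/oidc/callback"]

    # Require PKCE on the authorization code exchange and reject unverified emails.
    pkce_mode              = "enabled"
    allow_unverified_email = false

    # Map specific claim values to roles rather than granting roles on claim presence alone.
    claims_to_roles = [
      { claim = "groups", value = "teleport-admins", roles = ["editor", "access"] },
      { claim = "groups", value = "teleport-users", roles = ["access"] },
    ]

    # Non-browser logins may redirect only to localhost or this HTTPS host;
    # insecure_allowed_cidr_ranges is deliberately left unset.
    client_redirect_settings = {
      allowed_https_hostnames = ["tsh-callback.example.com"]
    }

    # Identifier-first login: route only these usernames to this connector.
    user_matchers = ["*@example.com"]

    # SSO MFA through a separate OAuth app with the phishing-resistant ACR;
    # max_age is left at its default of 0 so every MFA check re-authenticates.
    mfa = {
      enabled       = true
      client_id     = "placeholder-mfa-client-id"
      client_secret = var.oidc_mfa_client_secret
      acr_values    = "phr"
    }
  }
}
```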

