Skip to main content

Reference for the teleport_saml_connector Terraform resource

Example Usage

# Teleport SAML connector
# 
# Please note that the SAML connector will work in Teleport Enterprise only.

resource "teleport_saml_connector" "example" {
  version = "v2"
  # This block will tell Terraform to never update private key from our side if a keys are managed 
  # from an outside of Terraform.

  # lifecycle {
  #   ignore_changes = [
  #     spec[0].signing_key_pair[0].cert,
  #     spec[0].signing_key_pair[0].private_key,
  #     spec[0].assertion_key_pair[0].cert,
  #     spec[0].assertion_key_pair[0].private_key,
  #   ]
  # }

  # This section tells Terraform that role example must be created before the SAML connector
  depends_on = [
    teleport_role.example
  ]

  metadata = {
    name = "example"
  }

  spec = {
    attributes_to_roles = [{
      name  = "groups"
      roles = ["example"]
      value = "okta-admin"
      },
      {
        name  = "groups"
        roles = ["example"]
        value = "okta-dev"
    }]

    acs               = "https://localhost:3025/v1/webapi/saml/acs"
    entity_descriptor = ""
  }
}

Schema

Required

  • spec (Attributes) Spec is an SAML connector specification. (see below for nested schema)
  • version (String) Version is the resource version. It must be specified. Supported values are: v2.

Optional

  • metadata (Attributes) Metadata holds resource metadata. (see below for nested schema)
  • sub_kind (String) SubKind is an optional resource sub kind, used in some resources.

Nested Schema for spec

Required:

  • acs (String) AssertionConsumerService is a URL for assertion consumer service on the service provider (Teleport's side).
  • attributes_to_roles (Attributes List) AttributesToRoles is a list of mappings of attribute statements to roles. (see below for nested schema)

Optional:

  • allow_idp_initiated (Boolean) AllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated logins.
  • assertion_key_pair (Attributes) EncryptionKeyPair is a key pair used for decrypting SAML assertions. (see below for nested schema)
  • audience (String) Audience uniquely identifies our service provider.
  • cert (String, Sensitive) Cert is the identity provider certificate PEM. IDP signs <Response> responses using this certificate.
  • client_redirect_settings (Attributes) ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. (see below for nested schema)
  • display (String) Display controls how this connector is displayed.
  • entity_descriptor (String, Sensitive) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.
  • entity_descriptor_url (String) EntityDescriptorURL is a URL that supplies a configuration XML.
  • issuer (String) Issuer is the identity provider issuer.
  • provider (String) Provider is the external identity provider.
  • service_provider_issuer (String) ServiceProviderIssuer is the issuer of the service provider (Teleport).
  • signing_key_pair (Attributes) SigningKeyPair is an x509 key pair used to sign AuthnRequest. (see below for nested schema)
  • single_logout_url (String) SingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out). If this is not provided, SLO is disabled.
  • sso (String) SSO is the URL of the identity provider's SSO service.

Nested Schema for spec.attributes_to_roles

Optional:

  • name (String) Name is an attribute statement name.
  • roles (List of String) Roles is a list of static teleport roles to map to.
  • value (String) Value is an attribute statement value to match.

Nested Schema for spec.assertion_key_pair

Optional:

  • cert (String) Cert is a PEM-encoded x509 certificate.
  • private_key (String, Sensitive) PrivateKey is a PEM encoded x509 private key.

Nested Schema for spec.client_redirect_settings

Optional:

  • allowed_https_hostnames (List of String) a list of hostnames allowed for https client redirect URLs
  • insecure_allowed_cidr_ranges (List of String) a list of CIDRs allowed for HTTP or HTTPS client redirect URLs

Nested Schema for spec.signing_key_pair

Optional:

  • cert (String) Cert is a PEM-encoded x509 certificate.
  • private_key (String, Sensitive) PrivateKey is a PEM encoded x509 private key.

Nested Schema for metadata

Required:

  • name (String) Name is an object name

Optional:

  • description (String) Description is object description
  • expires (String) Expires is a global expiry time header can be set on any resource in the system.
  • labels (Map of String) Labels is a set of labels