
Reference for the teleport_saml_connector Terraform resource

Example Usage

# Teleport SAML connector
#
# Note that the SAML connector only works in Teleport Enterprise. See the setup docs:
# https://goteleport.com/docs/enterprise/sso/okta/

resource "teleport_saml_connector" "example" {
  # Uncomment this block to tell Terraform never to overwrite the signing and
  # assertion key pairs when those keys are managed outside of Terraform.

  # lifecycle {
  #   ignore_changes = [
  #     spec[0].signing_key_pair[0].cert,
  #     spec[0].signing_key_pair[0].private_key,
  #     spec[0].assertion_key_pair[0].cert,
  #     spec[0].assertion_key_pair[0].private_key,
  #   ]
  # }

  # This section tells Terraform that the role "example" must be created before the SAML connector
  depends_on = [
    teleport_role.example
  ]

  # version is required by the schema; v2 is the supported value
  version = "v2"

  metadata = {
    name = "example"
  }

  spec = {
    # Each entry maps one attribute statement (name/value) to a list of Teleport roles
    attributes_to_roles = [
      {
        name  = "groups"
        roles = ["example"]
        value = "okta-admin"
      },
      {
        name  = "groups"
        roles = ["example"]
        value = "okta-dev"
      }
    ]

    acs               = "https://localhost:3025/v1/webapi/saml/acs"
    entity_descriptor = ""
  }
}

Schema

Required

  • spec (Attributes) Spec is a SAML connector specification. (see below for nested schema)
  • version (String) Version is the resource version. It must be specified. Supported values are: v2.

Optional

  • metadata (Attributes) Metadata holds resource metadata. (see below for nested schema)
  • sub_kind (String) SubKind is an optional resource sub kind, used in some resources.

Nested Schema for spec

Required:

  • acs (String) AssertionConsumerService is a URL for assertion consumer service on the service provider (Teleport's side).
  • attributes_to_roles (Attributes List) AttributesToRoles is a list of mappings of attribute statements to roles. (see below for nested schema)

Optional:

  • allow_idp_initiated (Boolean) AllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated logins.
  • assertion_key_pair (Attributes) EncryptionKeyPair is a key pair used for decrypting SAML assertions. (see below for nested schema)
  • audience (String) Audience uniquely identifies our service provider.
  • cert (String, Sensitive) Cert is the identity provider certificate PEM. IDP signs <Response> responses using this certificate.
  • client_redirect_settings (Attributes) ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. (see below for nested schema)
  • display (String) Display controls how this connector is displayed.
  • entity_descriptor (String, Sensitive) EntityDescriptor is the identity provider's metadata XML. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements (issuer, sso, cert).
  • entity_descriptor_url (String) EntityDescriptorURL is a URL that supplies a configuration XML.
  • issuer (String) Issuer is the identity provider issuer.
  • provider (String) Provider is the external identity provider.
  • service_provider_issuer (String) ServiceProviderIssuer is the issuer of the service provider (Teleport).
  • signing_key_pair (Attributes) SigningKeyPair is an x509 key pair used to sign AuthnRequest. (see below for nested schema)
  • single_logout_url (String) SingleLogoutURL is the SAML Single log-out URL to initiate SAML SLO (single log-out). If this is not provided, SLO is disabled.
  • sso (String) SSO is the URL of the identity provider's SSO service.
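The descriptor-based fields and the individual fields describe the same identity provider: entity_descriptor (or entity_descriptor_url) carries the issuer, the SSO endpoint and the signing certificate that would otherwise go in issuer, sso and cert. The following Python script is an added example, not Teleport code; it reads an IdP EntityDescriptor, extracts those three values plus the single logout URL, and flags the conditions a reviewer would want caught before the metadata is applied (missing entityID, no SingleSignOnService with a POST or Redirect binding, a non-https SSO URL, no signing certificate). The descriptor embedded in it is constructed, with placeholder hostnames and a dummy certificate, and how Teleport itself derives the fields from the XML is not specified on this page.

```python
"""Extract the issuer, sso, cert and single_logout_url values from a SAML IdP
EntityDescriptor and sanity-check them.

Added example, not Teleport code. The SAMPLE_DESCRIPTOR below is constructed:
idp.example.test is a placeholder and the certificate body is not real.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata (placeholder values, not a real identity provider).
SAMPLE_DESCRIPTOR = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/issuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBsampleBASE64placeholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(base64_body: str) -> str:
    """Wrap the bare base64 from <ds:X509Certificate> into PEM, as the cert field expects."""
    body = "".join(base64_body.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_descriptor(xml_text: str) -> dict:
    """Return the connector-relevant values from an EntityDescriptor plus a list of problems."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document root is not an md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("descriptor has no IDPSSODescriptor (not an identity provider)")

    issuer = root.get("entityID")

    # Take the first SSO endpoint with a binding Teleport's browser flow can use.
    sso = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") in (BINDING_REDIRECT, BINDING_POST):
            sso = svc.get("Location")
            break

    slo_el = idp.find("md:SingleLogoutService", NS)
    single_logout_url = slo_el.get("Location") if slo_el is not None else None

    # Only signing keys matter for verifying <Response>; a KeyDescriptor with no
    # "use" attribute is valid for both signing and encryption, so keep it too.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert_el in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            signing_certs.append(to_pem(cert_el.text or ""))

    problems = []
    if not issuer:
        problems.append("missing entityID (issuer)")
    if sso is None:
        problems.append("no SingleSignOnService with an HTTP-POST or HTTP-Redirect binding")
    elif not sso.startswith("https://"):
        problems.append("sso URL is not https")
    if not signing_certs:
        problems.append("no signing certificate in IDPSSODescriptor")

    return {
        "issuer": issuer,
        "sso": sso,
        "single_logout_url": single_logout_url,
        "cert": signing_certs[0] if signing_certs else None,
        "signing_cert_count": len(signing_certs),
        "problems": problems,
    }


if __name__ == "__main__":
    result = parse_idp_descriptor(SAMPLE_DESCRIPTOR)
    for key in ("issuer", "sso", "single_logout_url", "signing_cert_count", "problems"):
        print(f"{key}: {result[key]}")
```

Run it against the XML an IdP publishes at its metadata URL before pointing entity_descriptor_url at it: an empty problems list and exactly the certificate you expect tells you the descriptor is usable, while a second signing certificate appearing in the count is the signal to review a key rotation before Terraform applies it.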

Nested Schema for spec.attributes_to_roles

Optional:

  • name (String) Name is an attribute statement name.
  • roles (List of String) Roles is a list of static teleport roles to map to.
  • value (String) Value is an attribute statement value to match.

Nested Schema for spec.assertion_key_pair

Optional:

  • cert (String) Cert is a PEM-encoded x509 certificate.
  • private_key (String, Sensitive) PrivateKey is a PEM encoded x509 private key.

Nested Schema for spec.client_redirect_settings

Optional:

  • allowed_https_hostnames (List of String) AllowedHTTPSHostnames is a list of hostnames allowed for https client redirect URLs.

Nested Schema for spec.signing_key_pair

Optional:

  • cert (String) Cert is a PEM-encoded x509 certificate.
  • private_key (String, Sensitive) PrivateKey is a PEM encoded x509 private key.

Nested Schema for metadata

Required:

  • name (String) Name is the object name.

Optional:

  • description (String) Description is the object description.
  • expires (String) Expires is a global expiry time header that can be set on any resource in the system.
  • labels (Map of String) Labels is a set of labels.