New external SAML2 idp support

docs/data-sources/identity_appliance.md

@@ -23,6 +23,7 @@ description: |-
 
 ### Optional
 
+- `branding` (String) the name of the UI branding plugin installed in JOSSO
 - `bundles` (Set of String) list of additional OSGi bundles this appliance requires
 - `description` (String) Identity Appliance description
 

docs/index.md

@@ -10,48 +10,6 @@ description: |-
 
 
 
-The IAM.tf terreaform plugin allows you to manage identity appliances and appliance elements as terraform resources in a IAM.tf server.
-
-**main.tf**
-```
-terraform {
-  required_providers {
-    iamtf = {
-      version = "~> 0.6.0"
-      source  = "eatricore/iamtf"
-    }
-  }
-}
-
-```
-
-You can configure the plugin directly in your terraform descriptor, as follows. 
-
-**provider.tf**
-
-```
-provider "iamtf" {
-  org_name      = "my company"
-  endpoint      = "http://localhost:8081/atricore-rest/services"
-  client_id     = "idbus-f2f7244e-bbce-44ca-8b33-f5c0bde339f7"
-  client_secret = "changeme"
-}
-```
-
-You can also use environment valirables, and set minimun configuration in your plugin descriptor:
-
-```
-export JOSSO_API_CLIENT_ID=idbus-f2f7244e-bbce-44ca-8b33-f5c0bde339f7
-export JOSSO_API_CLIENT_SECRET=changeme
-export JOSSO_API_ENDPOINT=http://localhost:8081/atricore-rest/services
-```
-
-```
-provider "iamtf" {
-    org_name = "my company"
-}
-```
-
 
 
 <!-- schema generated by tfplugindocs -->
@@ -62,5 +20,6 @@ provider "iamtf" {
 - `client_id` (String) client identifier used to connect to the JOSSO server. Supports configuration from environment variable **JOSSO_API_CLIENT_ID**
 - `client_secret` (String) Secret used to connect to the JOSSO server. Supports configuration from environment variable **JOSSO_API_SECRET**
 - `endpoint` (String) JOSSO Server endpoint, for example: http://localhost:8081/atricore-rest/services/iam-deploy. Supports configuration from environment variable **JOSSO_API_ENDPOINT**
+- `import_ida` (String) Name of the identity appliance used when importing resources. Supports configuration from environment variable **JOSSO_API_APPLIANCE**
 - `org_name` (String) Organization using JOSSO. Supports configuration from environment variable **JOSSO_ORG_NAME**
 - `trace` (Boolean) Trace API traffic (See also TF_LOG and TF_PROVIDER_LOG).  Supports configuration from environment variable **JOSSO_API_TRACE**

docs/resources/app_agent.md

@@ -50,7 +50,7 @@ Required:
 
 Optional:
 
-- `alias` (String) Ceertificate and private key alias (optional)
+- `alias` (String) Certificate and private key alias (optional)
 - `key_password` (String, Sensitive) PKCS12 private key password (optional, the store password is used if not present)
 
 

docs/resources/app_sharepoint.md

@@ -46,7 +46,7 @@ Required:
 
 Optional:
 
-- `alias` (String) Ceertificate and private key alias (optional)
+- `alias` (String) Certificate and private key alias (optional)
 - `key_password` (String, Sensitive) PKCS12 private key password (optional, the store password is used if not present)
 
 

docs/resources/execenv_weblogic.md

@@ -17,7 +17,7 @@ description: |-
 
 ### Required
 
-- `domain` (String) weblogic domain
+- `domain` (String) weblogic domain path (relative to the activation path: i.e. ../../../../wldomain/base_domain/)
 - `ida` (String) identity appliane name
 - `name` (String) execution environment
 - `version` (String) Weblogic version

docs/resources/identity_appliance.md

@@ -45,6 +45,7 @@ You should configure your load balancer or reverse proxy to **ONLY forward reque
 
 ### Optional
 
+- `branding` (String) the name of the UI branding plugin installed in JOSSO
 - `bundles` (Set of String) list of additional OSGi bundles this appliance requires
 - `description` (String) Provide a description for your identity appliance.
 

docs/resources/idp.md

@@ -70,6 +70,7 @@ resource "iamtf_idp" "idp" {
 - `authn_basic` (Block List) Basic authentication settings. JOSSO will verify user provided credentials (username, password) with stored values in an identity source (see [below for nested schema](#nestedblock--authn_basic))
 - `authn_bind_ldap` (Block List) LDAP bind authentication settings (see [below for nested schema](#nestedblock--authn_bind_ldap))
 - `authn_client_cert` (Block List) Basic authentication settings. JOSSO will verify user provided credentials (username, password) with stored values in an identity source (see [below for nested schema](#nestedblock--authn_client_cert))
+- `authn_custom` (Block List) Custom authentication mechanism (see [below for nested schema](#nestedblock--authn_custom))
 - `authn_oauth2_pre` (Block List) Basic authentication settings. JOSSO will verify user provided credentials (username, password) with stored values in an identity source (see [below for nested schema](#nestedblock--authn_oauth2_pre))
 - `authn_wia` (Block List) Windows Integrated Authentication. JOSSO will verify identity by contacting a domain controller (see [below for nested schema](#nestedblock--authn_wia))
 - `branding` (String) the name of the UI branding plugin installed in JOSSO
@@ -83,8 +84,8 @@ resource "iamtf_idp" "idp" {
 - `oidc` (Block List, Max: 1) OpenID Connect protocol settings.  This is the recommended SSO protocol. You must combine this with **iamtf_app_odic** resources (Applications) (see [below for nested schema](#nestedblock--oidc))
 - `saml2` (Block List, Max: 1) IDP SAML2 protocol settings (see [below for nested schema](#nestedblock--saml2))
 - `session_timeout` (Number) SSO session timeout (minutes, default 30)
-- `sp` (Block List) IDP to SP SAML 2 settings (see [below for nested schema](#nestedblock--sp))
-- `subject_authn_policies` (Block List) todo add description for subject authens policies (see [below for nested schema](#nestedblock--subject_authn_policies))
+- `sp` (Block List) IDP to SP SAML 2 settings. Optional, only required is specific SAML IdP settings are required by the SP (see [below for nested schema](#nestedblock--sp))
+- `subject_authn_policies` (Block List) subject authentication policies (see [below for nested schema](#nestedblock--subject_authn_policies))
 
 ### Read-Only
 
@@ -101,7 +102,7 @@ Required:
 
 Optional:
 
-- `alias` (String) Ceertificate and private key alias (optional)
+- `alias` (String) Certificate and private key alias (optional)
 - `key_password` (String, Sensitive) PKCS12 private key password (optional, the store password is used if not present)
 
 
@@ -238,7 +239,6 @@ Optional:
 - `extension` (Block List) Allows you to use a custom component for a given resource.  Components are installed as OSGi bundles in the server.  You can refer to a component instance or create a new instance based on its class (see [below for nested schema](#nestedblock--authn_client_cert--extension))
 - `ocsp_enabled` (Boolean) authentiacation priority compared to other mechanisms (ascening order)
 - `ocsp_server` (String) authentiacation priority compared to other mechanisms (ascening order)
-- `ocspserver` (String) authentiacation priority compared to other mechanisms (ascening order)
 - `priority` (Number) authentiacation priority compared to other mechanisms (ascening order)
 - `uid` (String) authentiacation priority compared to other mechanisms (ascening order)
 
@@ -266,6 +266,46 @@ Required:
 
 
 
+<a id="nestedblock--authn_custom"></a>
+### Nested Schema for `authn_custom`
+
+Required:
+
+- `claim_names` (String) name of the claim to be used, depends on claim type
+- `claim_type` (String) Claim type
+- `saml_authn_ctx` (String) SAML authentication context
+- `type` (String) Authentication type: BASIC, 2FA, PRE_AUTHN
+
+Optional:
+
+- `extension` (Block List) Allows you to use a custom component for a given resource.  Components are installed as OSGi bundles in the server.  You can refer to a component instance or create a new instance based on its class (see [below for nested schema](#nestedblock--authn_custom--extension))
+- `external_service` (String) URL to external authentication service to collect claims
+- `inject_id_source` (Boolean) Inject identity source into custom authenticator (must have proper setter)
+
+<a id="nestedblock--authn_custom--extension"></a>
+### Nested Schema for `authn_custom.extension`
+
+Required:
+
+- `fqcn` (String) component java FQCN. Refers to the OSGi component type or Java class to be instantiated
+
+Optional:
+
+- `osgi_filter` (String) filter to locate the OSGi service (Only when extension type is SERVICE).
+- `property` (Block Set) list of configuration properties and its values (only when extension type is INSTANCE) (see [below for nested schema](#nestedblock--authn_custom--extension--property))
+- `type` (String) extension type: SERVICE (for OSGi service references) or INSTANCE (for creating a new instance).
+
+<a id="nestedblock--authn_custom--extension--property"></a>
+### Nested Schema for `authn_custom.extension.property`
+
+Required:
+
+- `name` (String) Name as the property
+- `value` (String) Value as the property
+
+
+
+
 <a id="nestedblock--authn_oauth2_pre"></a>
 ### Nested Schema for `authn_oauth2_pre`
 
@@ -309,7 +349,7 @@ Required:
 - `domain` (String) windows domain
 - `domain_controller` (String) domain controller server
 - `host` (String) JOSSO hostname
-- `keytab` (String) Kerberos keytab file
+- `keytab` (String, Sensitive) Kerberos keytab file
 - `port` (Number) JOSSO server port
 - `priority` (Number) authentiacation priority compared to other mechanisms (ascening order)
 - `protocol` (String) JOSSO server protocol (http/https)
@@ -447,6 +487,6 @@ Optional:
 
 Required:
 
-- `name` (String) Todo
+- `name` (String) Name of the authentication policy
 
 

docs/resources/vp.md

@@ -34,7 +34,7 @@ description: |-
 - `saml2_idp` (Block List, Max: 1) IDP SAML2 protocol settings (see [below for nested schema](#nestedblock--saml2_idp))
 - `saml2_sp` (Block List) SP SAML 2 settings (see [below for nested schema](#nestedblock--saml2_sp))
 - `session_timeout` (Number) SSO session timeout (minutes, default 30)
-- `sp` (Block List) IDP to SP SAML 2 settings (see [below for nested schema](#nestedblock--sp))
+- `sp` (Block List) IDP to SP SAML 2 settings. Optional, only required is specific SAML IdP settings are required by the SP (see [below for nested schema](#nestedblock--sp))
 - `subject_authn_policies` (Block List) todo add description for subject authens policies (see [below for nested schema](#nestedblock--subject_authn_policies))
 
 ### Read-Only
@@ -52,7 +52,7 @@ Required:
 
 Optional:
 
-- `alias` (String) Ceertificate and private key alias (optional)
+- `alias` (String) Certificate and private key alias (optional)
 - `key_password` (String, Sensitive) PKCS12 private key password (optional, the store password is used if not present)
 
 

go.mod

@@ -3,8 +3,8 @@ module github.com/atricore/terraform-provider-iamtf
 go 1.16
 
 require (
-	github.com/atricore/josso-api-go v0.5.0
-	github.com/atricore/josso-sdk-go v0.5.0
+	github.com/atricore/josso-api-go v0.5.1
+	github.com/atricore/josso-sdk-go v0.5.2
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 	github.com/hashicorp/go-hclog v1.2.0
 	github.com/hashicorp/terraform-plugin-docs v0.13.0

go.sum

@@ -67,10 +67,10 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/atricore/josso-api-go v0.5.0 h1:sywK9PZO0r05x0kgxsy3sDjjAzNsmTGhIn9kvmnFEi0=
-github.com/atricore/josso-api-go v0.5.0/go.mod h1:Oys9D0y1x+bvyIsnRFl6JOYiIV7KQkuToIQa+jxeuHs=
-github.com/atricore/josso-sdk-go v0.5.0 h1:4EiUY7F7rdWqAyrRWsezNsymFUS8G8YlGh9U7eWyXAY=
-github.com/atricore/josso-sdk-go v0.5.0/go.mod h1:lQ1GHEP3BFlfuyO514wDYeAwfZpUci7QrxD5ABmQ324=
+github.com/atricore/josso-api-go v0.5.1 h1:gHckHT+858afWLOkRKD1mOVAehoRsPAw5ZJ5dp4bzp0=
+github.com/atricore/josso-api-go v0.5.1/go.mod h1:Oys9D0y1x+bvyIsnRFl6JOYiIV7KQkuToIQa+jxeuHs=
+github.com/atricore/josso-sdk-go v0.5.2 h1:W4a/WTLJhEMxk1sPAHesOOOpLYqT2DwEPaZGW/9YaUY=
+github.com/atricore/josso-sdk-go v0.5.2/go.mod h1:E8mi1w6Jf+ah3CQnFAgyStAkz6Hopou4fHUIX9ldDko=
 github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=

iamtf/provider.go

@@ -14,6 +14,7 @@ const (
 	identityAppliance = "iamtf_identity_appliance"
 	idp               = "iamtf_idp"
 	vp                = "iamtf_vp"
+	idpSaml2          = "iamtf_idp_saml2"
 	idpFacebook       = "iamtf_idp_facebook"
 	idpAzure          = "iamtf_idp_azure"
 	idpGoogle         = "iamtf_idp_google"
@@ -93,6 +94,7 @@ func Provider() *schema.Provider {
 			php:               ResourcePhpExecenv(),
 			spoint:            ResourceSharePoint(),
 			weblogic:          ResourceWebLogicExecenv(),
+			idpSaml2:          ResourceIdPSaml2(),
 			idpFacebook:       ResourceIdFacebook(),
 			idpAzure:          ResourceidAzure(),
 			idpGoogle:         ResourceidGoogle(),

iamtf/resource_iamtf_app_saml2.go

@@ -200,7 +200,7 @@ func buildExtSaml2SpResource(idaName string, d *schema.ResourceData, dto api.Ext
 	_ = d.Set("metadata", m.GetValue())
 
 	// Federated connections / idps
-	idps, err := convertExtSaml2_IdPFederatedConnectionsToMapArr(dto.FederatedConnectionsB)
+	idps, err := convertExtSaml2SP_IdPFederatedConnectionsToMapArr(dto.FederatedConnectionsB)
 	if err != nil {
 		return err
 	}
@@ -209,7 +209,7 @@ func buildExtSaml2SpResource(idaName string, d *schema.ResourceData, dto api.Ext
 	return nil
 }
 
-func convertExtSaml2_IdPFederatedConnectionsToMapArr(fcs []api.FederatedConnectionDTO) ([]map[string]interface{}, error) {
+func convertExtSaml2SP_IdPFederatedConnectionsToMapArr(fcs []api.FederatedConnectionDTO) ([]map[string]interface{}, error) {
 
 	result := make([]map[string]interface{}, 0)