Reference for the teleport_saml_connector Terraform resource
Example Usage

```hcl
# Teleport SAML connector
#
# Please note that the SAML connector will work in Teleport Enterprise only.
resource "teleport_saml_connector" "example" {
  version = "v2"

  # This block tells Terraform never to update the key pairs from its side if the
  # keys are managed outside of Terraform.
  # lifecycle {
  #   ignore_changes = [
  #     spec[0].signing_key_pair[0].cert,
  #     spec[0].signing_key_pair[0].private_key,
  #     spec[0].assertion_key_pair[0].cert,
  #     spec[0].assertion_key_pair[0].private_key,
  #   ]
  # }

  # This section tells Terraform that the role "example" must be created before the SAML connector.
  depends_on = [
    teleport_role.example
  ]

  metadata = {
    name = "example"
  }

  spec = {
    attributes_to_roles = [
      {
        name  = "groups"
        roles = ["example"]
        value = "okta-admin"
      },
      {
        name  = "groups"
        roles = ["example"]
        value = "okta-dev"
      },
    ]
    acs               = "https://localhost:3025/v1/webapi/saml/acs"
    entity_descriptor = ""
  }
}
```
Schema

Required:

- spec (Attributes) Spec is a SAML connector specification. (see below for nested schema)
- version (String) Version is the resource version. It must be specified. Supported values are: v2.

Optional:

- metadata (Attributes) Metadata holds resource metadata. (see below for nested schema)
- sub_kind (String) SubKind is an optional resource sub kind, used in some resources.
Nested Schema for spec

Required:

- acs (String) AssertionConsumerService is the URL of the assertion consumer service on the service provider (Teleport's side).
- attributes_to_roles (Attributes List) AttributesToRoles is a list of mappings of attribute statements to roles. (see below for nested schema)

Optional:

- allow_idp_initiated (Boolean) AllowIDPInitiated is a flag that indicates if the connector can be used for IdP-initiated logins.
- assertion_key_pair (Attributes) EncryptionKeyPair is a key pair used for decrypting SAML assertions. (see below for nested schema)
- audience (String) Audience uniquely identifies our service provider.
- cert (String, Sensitive) Cert is the identity provider certificate PEM. The IdP signs <Response> responses using this certificate.
- client_redirect_settings (Attributes) ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. (see below for nested schema)
- display (String) Display controls how this connector is displayed.
- entity_descriptor (String, Sensitive) EntityDescriptor is XML with the IdP descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.
- entity_descriptor_url (String) EntityDescriptorURL is a URL that supplies the configuration XML.
- issuer (String) Issuer is the identity provider issuer.
- provider (String) Provider is the external identity provider.
- service_provider_issuer (String) ServiceProviderIssuer is the issuer of the service provider (Teleport).
- signing_key_pair (Attributes) SigningKeyPair is an x509 key pair used to sign AuthnRequest. (see below for nested schema)
- single_logout_url (String) SingleLogoutURL is the SAML Single Logout URL used to initiate SAML SLO (single logout). If this is not provided, SLO is disabled.
- sso (String) SSO is the URL of the identity provider's SSO service.

Nested Schema for spec.attributes_to_roles

Optional:

- name (String) Name is an attribute statement name.
- roles (List of String) Roles is a list of static Teleport roles to map to.
- value (String) Value is an attribute statement value to match.
Nested Schema for spec.assertion_key_pair

Optional:

- cert (String) Cert is a PEM-encoded x509 certificate.
- private_key (String, Sensitive) PrivateKey is a PEM-encoded x509 private key.

Nested Schema for spec.client_redirect_settings

Optional:

- allowed_https_hostnames (List of String) A list of hostnames allowed for HTTPS client redirect URLs.
- insecure_allowed_cidr_ranges (List of String) A list of CIDRs allowed for HTTP or HTTPS client redirect URLs.

Nested Schema for spec.signing_key_pair

Optional:

- cert (String) Cert is a PEM-encoded x509 certificate.
- private_key (String, Sensitive) PrivateKey is a PEM-encoded x509 private key.

Nested Schema for metadata

Required:

- name (String) Name is an object name.

Optional:

- description (String) Description is an object description.
- expires (String) Expires is a global expiry time header that can be set on any resource in the system.
- labels (Map of String) Labels is a set of labels.
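An added configuration example (not from the Teleport docs or the provider's own examples) that exercises the nested attributes above: it sources the IdP metadata by URL instead of inline XML, restricts non-browser client redirects to named HTTPS hosts rather than CIDR ranges, and passes the signing key pair in through a sensitive variable. The hostnames, URLs, role names and variable names are assumed placeholders.

```hcl
# Added example: SAML connector with metadata fetched by URL and restricted
# client redirects. All hostnames, role names and variable names are assumed.

variable "saml_signing_cert" {
  type        = string
  description = "PEM-encoded x509 certificate used to sign AuthnRequests"
}

variable "saml_signing_key" {
  type        = string
  sensitive   = true # keeps the key out of plan and apply output
  description = "PEM-encoded private key matching saml_signing_cert"
}

resource "teleport_saml_connector" "okta" {
  version = "v2"

  metadata = {
    name        = "okta"
    description = "Okta SAML login for engineering"
  }

  spec = {
    display = "Okta"

    # Pull issuer, SSO URL and IdP signing certificate from the IdP's metadata
    # endpoint (assumed URL) instead of pasting the entity descriptor inline.
    entity_descriptor_url = "https://example.okta.com/app/exampleapp/sso/saml/metadata"

    acs = "https://teleport.example.com:443/v1/webapi/saml/acs"

    # Keep IdP-initiated logins disabled unless the IdP flow requires them.
    allow_idp_initiated = false

    # Map values of the "groups" assertion attribute to Teleport roles
    # ("editor" and "auditor" are assumed to exist in this cluster).
    attributes_to_roles = [
      { name = "groups", value = "teleport-admins", roles = ["editor"] },
      { name = "groups", value = "teleport-auditors", roles = ["auditor"] },
    ]

    # Non-browser SSO logins may only redirect to these HTTPS hosts (plus the
    # standard localhost ones). Prefer this over insecure_allowed_cidr_ranges,
    # which also admits plain-HTTP redirect URLs.
    client_redirect_settings = {
      allowed_https_hostnames = ["login.example.com"]
    }

    # Key pair Teleport uses to sign AuthnRequests sent to the IdP.
    signing_key_pair = {
      cert        = var.saml_signing_cert
      private_key = var.saml_signing_key
    }
  }
}
```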