Add resource 'platform_saml_settings'

CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.11.0 (August 9, 2024). Tested on Artifactory 7.90.7 with Terraform 1.9.4 and OpenTofu 1.8.1
+
+FEATURES:
+
+**New Resource:** `platform_saml_settings` - Resource to manage SAML SSO settings. PR: [#118](https://github.com/jfrog/terraform-provider-platform/pull/118)
+
 ## 1.10.0 (July 21, 2024). Tested on Artifactory 7.84.17 with Terraform 1.9.2 and OpenTofu 1.7.3
 
 NOTES:

docs/index.md

@@ -170,6 +170,6 @@ provider "platform" {
 
 - `access_token` (String, Sensitive) This is a access token that can be given to you by your admin under `Platform Configuration -> User Management -> Access Tokens`. This can also be sourced from the `JFROG_ACCESS_TOKEN` environment variable.
 - `check_license` (Boolean, Deprecated) Toggle for pre-flight checking of Artifactory Pro and Enterprise license. Default to `true`.
-- `myjfrog_api_token` (String, Sensitive) MyJFrog API token that allows you to make changes to your JFrog account. See [Generate a Token in MyJFrog](https://jfrog.com/help/r/jfrog-hosting-models-documentation/generate-a-token-in-myjfrog) for more details. This can also be sourced from the `JFROG_MYJFROG_API_TOKEN` environment variable.
+- `myjfrog_api_token` (String, Sensitive, Deprecated) MyJFrog API token that allows you to make changes to your JFrog account. See [Generate a Token in MyJFrog](https://jfrog.com/help/r/jfrog-hosting-models-documentation/generate-a-token-in-myjfrog) for more details. This can also be sourced from the `JFROG_MYJFROG_API_TOKEN` environment variable.
 - `oidc_provider_name` (String) OIDC provider name. See [Configure an OIDC Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-an-oidc-integration) for more details.
 - `url` (String) JFrog Platform URL. This can also be sourced from the `JFROG_URL` environment variable.

docs/resources/saml_settings.md

@@ -0,0 +1,68 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "platform_saml_settings Resource - terraform-provider-platform"
+subcategory: ""
+description: |-
+  Provides a JFrog SAML SSO Settings https://jfrog.com/help/r/jfrog-platform-administration-documentation/saml-sso resource.
+  ~>Only available for self-hosted instances.
+---
+
+# platform_saml_settings (Resource)
+
+Provides a JFrog [SAML SSO Settings](https://jfrog.com/help/r/jfrog-platform-administration-documentation/saml-sso) resource.
+
+~>Only available for self-hosted instances.
+
+## Example Usage
+
+```terraform
+resource "platform_saml_settings" "my-okta-saml-settings" {
+  name                         = "my-okta-saml-settings"
+  enable                       = true
+  certificate                  = "MIICTjCCA...gPRXbm49Mz4o1nbwH"
+  email_attribute              = "email"
+  group_attribute              = "group"
+  name_id_attribute            = "id"
+  login_url                    = "http://tempurl.org/saml"
+  logout_url                   = "https://myaccount.okta.com"
+  no_auto_user_creation        = false
+  service_provider_name        = "okta"
+  allow_user_to_access_profile = true
+  auto_redirect                = true
+  sync_groups                  = true
+  verify_audience_restriction  = true
+  use_encrypted_assertion      = false
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `certificate` (String) The certificate for SAML Authentication in Base64 format. NOTE! The certificate must contain the public key to allow Artifactory to verify sign-in requests.
+- `login_url` (String) The identity provider login URL (when you try to login, the service provider redirects to this URL).
+- `logout_url` (String) The identity provider logout URL (when you try to logout, the service provider redirects to this URL).
+- `name` (String) SAML Settings name.
+- `service_provider_name` (String) The SAML service provider name. This should be a URI that is also known as the entityID, providerID, or entity identity.
+
+### Optional
+
+- `allow_user_to_access_profile` (Boolean) When set, auto created users will have access to their profile page and will be able to perform actions such as generating an API key. Default value is `false`.
+- `auto_redirect` (Boolean) When set, clicking on the login link will direct users to the configured SAML login URL. Default value is `false`.
+- `email_attribute` (String) If `no_auto_user_creation` is diabled or an internal user exists, the system will set the user's email to the value in this attribute that is returned by the SAML login XML response..
+- `enable` (Boolean) When set, SAML integration is enabled and users may be authenticated via a SAML server. Default value is `true`.
+- `group_attribute` (String) The group attribute in the SAML login XML response. Note that the system will search for a case-sensitive match to an existing group..
+- `name_id_attribute` (String) The username attribute used to configure the SSO URL for the identity provider.
+- `no_auto_user_creation` (Boolean) When disabled, the system will automatically create new users for those who have logged in using SAML, and assign them to the default groups. Default value is `false`.
+- `sync_groups` (Boolean) When set, in addition to the groups the user is already associated with, he will also be associated with the groups returned in the SAML login response. Note that the user's association with the returned groups is not persistent. It is only valid for the current login session. Default value is `false`.
+- `use_encrypted_assertion` (Boolean) When set, an X.509 public certificate will be created by Artifactory. Download this certificate and upload it to your IDP and choose your own encryption algorithm. This process will let you encrypt the assertion section in your SAML response. Default value is `false`.
+- `verify_audience_restriction` (Boolean) Set this flag to specify who the assertion is intended for. The "audience" will be the service provider and is typically a URL but can technically be formatted as any string of data. Default value is `true`.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import platform_saml_settings.my-okta-saml-settings my-okta-saml-settings
+```

examples/resources/platform_saml_settings/import.sh

@@ -0,0 +1 @@
+terraform import platform_saml_settings.my-okta-saml-settings my-okta-saml-settings

examples/resources/platform_saml_settings/resource.tf

@@ -0,0 +1,17 @@
+resource "platform_saml_settings" "my-okta-saml-settings" {
+  name                         = "my-okta-saml-settings"
+  enable                       = true
+  certificate                  = "MIICTjCCA...gPRXbm49Mz4o1nbwH"
+  email_attribute              = "email"
+  group_attribute              = "group"
+  name_id_attribute            = "id"
+  login_url                    = "http://tempurl.org/saml"
+  logout_url                   = "https://myaccount.okta.com"
+  no_auto_user_creation        = false
+  service_provider_name        = "okta"
+  allow_user_to_access_profile = true
+  auto_redirect                = true
+  sync_groups                  = true
+  verify_audience_restriction  = true
+  use_encrypted_assertion      = false
+}

pkg/platform/provider.go

@@ -209,6 +209,7 @@ func (p *PlatformProvider) Resources(ctx context.Context) []func() resource.Reso
 		NewMyJFrogIPAllowListResource,
 		NewPermissionResource,
 		NewReverseProxyResource,
+		NewSAMLSettingsResource,
 		NewWorkerServiceResource,
 	}
 }