auth0 · developerkunal · Jul 15, 2024 · Jun 11, 2024 · Jun 11, 2024 · Jun 11, 2024
@@ -63,9 +63,9 @@ Read-Only:
 - `enable_legacy_profile` (Boolean)
 - `enable_pipeline2` (Boolean)
 - `enable_public_signup_user_exists_error` (Boolean)
+- `enable_sso` (Boolean)
 - `mfa_show_factor_list_on_enrollment` (Boolean)
 - `no_disclose_enterprise_connections` (Boolean)
-- `require_pushed_authorization_requests` (Boolean)
 - `revoke_refresh_token_grant` (Boolean)
 - `use_scope_descriptions_for_consent` (Boolean)
 

@@ -94,9 +94,9 @@ Optional:
 - `enable_legacy_profile` (Boolean) Whether ID tokens and the userinfo endpoint includes a complete user profile (true) or only OpenID Connect claims (false).
 - `enable_pipeline2` (Boolean) Indicates whether advanced API Authorization scenarios are enabled.
 - `enable_public_signup_user_exists_error` (Boolean) Indicates whether the public sign up process shows a `user_exists` error if the user already exists.
+- `enable_sso` (Boolean) Flag indicating whether users will not be prompted to confirm log in before SSO redirection. This flag applies to existing tenants only; new tenants have it enforced as true.
 - `mfa_show_factor_list_on_enrollment` (Boolean) Used to allow users to pick which factor to enroll with from the list of available MFA factors.
 - `no_disclose_enterprise_connections` (Boolean) Do not Publish Enterprise Connections Information with IdP domains on the lock configuration file.
-- `require_pushed_authorization_requests` (Boolean) Makes the use of Pushed Authorization Requests mandatory for all clients across the tenant. This feature currently needs to be enabled on the tenant in order to make use of it.
 - `revoke_refresh_token_grant` (Boolean) Delete underlying grant when a refresh token is revoked via the Authentication API.
 - `use_scope_descriptions_for_consent` (Boolean) Indicates whether to use scope descriptions for consent.
 

@@ -50,6 +50,7 @@ func expandTenantFlags(config cty.Value) *management.TenantFlags {
 			EnablePipeline2:                    value.Bool(flags.GetAttr("enable_pipeline2")),
 			EnableDynamicClientRegistration:    value.Bool(flags.GetAttr("enable_dynamic_client_registration")),
 			EnableCustomDomainInEmails:         value.Bool(flags.GetAttr("enable_custom_domain_in_emails")),
+			EnableSSO:                          value.Bool(flags.GetAttr("enable_sso")),
 			EnableLegacyLogsSearchV2:           value.Bool(flags.GetAttr("enable_legacy_logs_search_v2")),
 			DisableClickjackProtectionHeaders:  value.Bool(flags.GetAttr("disable_clickjack_protection_headers")),
 			EnablePublicSignupUserExistsError:  value.Bool(flags.GetAttr("enable_public_signup_user_exists_error")),
@@ -67,7 +68,6 @@ func expandTenantFlags(config cty.Value) *management.TenantFlags {
 			DashboardInsightsView:              value.Bool(flags.GetAttr("dashboard_insights_view")),
 			DisableFieldsMapFix:                value.Bool(flags.GetAttr("disable_fields_map_fix")),
 			MFAShowFactorListOnEnrollment:      value.Bool(flags.GetAttr("mfa_show_factor_list_on_enrollment")),
-			RequirePushedAuthorizationRequests: value.Bool(flags.GetAttr("require_pushed_authorization_requests")),
 		}
 
 		return stop

@@ -49,6 +49,7 @@ func flattenTenantFlags(flags *management.TenantFlags) []interface{} {
 	m["enable_pipeline2"] = flags.EnablePipeline2
 	m["enable_dynamic_client_registration"] = flags.EnableDynamicClientRegistration
 	m["enable_custom_domain_in_emails"] = flags.EnableCustomDomainInEmails
+	m["enable_sso"] = flags.EnableSSO
 	m["enable_legacy_logs_search_v2"] = flags.EnableLegacyLogsSearchV2
 	m["disable_clickjack_protection_headers"] = flags.DisableClickjackProtectionHeaders
 	m["enable_public_signup_user_exists_error"] = flags.EnablePublicSignupUserExistsError
@@ -66,7 +67,6 @@ func flattenTenantFlags(flags *management.TenantFlags) []interface{} {
 	m["dashboard_insights_view"] = flags.DashboardInsightsView
 	m["disable_fields_map_fix"] = flags.DisableFieldsMapFix
 	m["mfa_show_factor_list_on_enrollment"] = flags.MFAShowFactorListOnEnrollment
-	m["require_pushed_authorization_requests"] = flags.RequirePushedAuthorizationRequests
 
 	return []interface{}{m}
 }

@@ -145,6 +145,13 @@ func NewResource() *schema.Resource {
 							Description: "Indicates whether the tenant allows custom domains in emails. " +
 								"Before enabling this flag, you must have a custom domain with status: `ready`.",
 						},
+						"enable_sso": {
+							Type:     schema.TypeBool,
+							Optional: true,
+							Computed: true,
+							Description: "Flag indicating whether users will not be prompted to confirm log in before SSO redirection. " +
+								"This flag applies to existing tenants only; new tenants have it enforced as true.",
+						},
 						"enable_legacy_logs_search_v2": {
 							Type:        schema.TypeBool,
 							Optional:    true,
@@ -247,12 +254,6 @@ func NewResource() *schema.Resource {
 							Computed:    true,
 							Description: "Used to allow users to pick which factor to enroll with from the list of available MFA factors.",
 						},
-						"require_pushed_authorization_requests": {
-							Type:        schema.TypeBool,
-							Optional:    true,
-							Computed:    true,
-							Description: "Makes the use of Pushed Authorization Requests mandatory for all clients across the tenant. This feature currently needs to be enabled on the tenant in order to make use of it.",
-						},
 					},
 				},
 			},

@@ -83,6 +83,54 @@ func TestAccTenant(t *testing.T) {
 	})
 }
 
+// TestAccTenant_EnableSSO tests the enable_sso flag. This test is added separately because it can only be tested on existing tenants.
+// For new tenants, this flag is always set to true.
+func TestAccTenant_EnableSSO(t *testing.T) {
+	acctest.Test(t, resource.TestCase{
+		Steps: []resource.TestStep{
+			{
+				Config: testAccEmptyTenant,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "session_lifetime", "168"),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "idle_session_lifetime", "72"),
+				),
+			},
+			{
+				Config: testAccTenantEnableSSOConfigCreate,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "session_lifetime", "168"),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "idle_session_lifetime", "72"),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "flags.0.enable_sso", "false"),
+				),
+			},
+			{
+				Config: testAccTenantEnableSSOConfigUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "session_lifetime", "168"),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "idle_session_lifetime", "72"),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "flags.0.enable_sso", "true"),
+				),
+			},
+		},
+	})
+}
+
+const testAccTenantEnableSSOConfigCreate = `
+resource "auth0_tenant" "my_tenant" {
+	flags {
+		enable_sso = false
+	}
+}
+`
+
+const testAccTenantEnableSSOConfigUpdate = `
+resource "auth0_tenant" "my_tenant" {
+	flags {
+		enable_sso = true
+	}
+}
+`
+
 const testAccTenantConfigCreate = `
 resource "auth0_tenant" "my_tenant" {
 	default_directory       = ""
@@ -109,7 +157,6 @@ resource "auth0_tenant" "my_tenant" {
 		disable_management_api_sms_obfuscation = false
 		disable_fields_map_fix                 = false
 		mfa_show_factor_list_on_enrollment     = false
-		require_pushed_authorization_requests  = false
 	}
 
 	session_cookie {
@@ -147,7 +194,6 @@ resource "auth0_tenant" "my_tenant" {
 		disable_management_api_sms_obfuscation = true
 		disable_fields_map_fix                 = true
 		mfa_show_factor_list_on_enrollment     = true
-		require_pushed_authorization_requests  = true
 	}
 
 	session_cookie {