doc: Documentation for changes to support OIDC Workload & Workforce in `mongodbatlas_federated_settings_identity_provider` (#2330)

* doc updates for OIDC Workload & Workforce

* add missing attributes in data source

* Update website/docs/d/federated_settings_identity_provider.html.markdown

Co-authored-by: John Williams <[email protected]>

* Update website/docs/d/federated_settings_identity_providers.html.markdown

Co-authored-by: John Williams <[email protected]>

* Update website/docs/d/federated_settings_identity_provider.html.markdown

Co-authored-by: John Williams <[email protected]>

* Update website/docs/d/federated_settings_identity_providers.html.markdown

Co-authored-by: John Williams <[email protected]>

* Update website/docs/d/federated_settings_identity_providers.html.markdown

Co-authored-by: John Williams <[email protected]>

* Update website/docs/guides/1.17.0-upgrade-guide.html.markdown

Co-authored-by: John Williams <[email protected]>

* PR comments

* change verbiage

* Update website/docs/r/federated_settings_identity_provider.html.markdown

Co-authored-by: John Williams <[email protected]>

---------

Co-authored-by: John Williams <[email protected]>
oarbusi and jwilliams-mongo authored Jun 5, 2024
1 parent 99b8080 commit 8885cf5
Showing 4 changed files with 22 additions and 9 deletions.
Expand Up @@ -46,6 +46,8 @@ In addition to all arguments above, the following attributes are exported:

### FederatedSettingsIdentityProvider

* `description` - The description of the identity provider.
* `authorization_type` - Indicates whether authorization is granted based on group membership or user ID. Valid values are `GROUP` or `USER`.
* `acs_url` - Assertion consumer service URL to which the IdP sends the SAML response.
* `associated_domains` - List that contains the configured domains from which users can log in for this IdP.
* `associated_orgs` - List that contains the organizations from which users can log in for this IdP.
Expand All @@ -54,12 +56,13 @@ In addition to all arguments above, the following attributes are exported:
* `org_id` - Unique 24-hexadecimal digit string that identifies the organization that contains your projects.
* `post_auth_role_grants` - List that contains the default roles granted to users who authenticate through the IdP in a connected organization. If you provide a postAuthRoleGrants field in the request, the array that you provide replaces the current postAuthRoleGrants.
* `idp_id` - Unique 24-hexadecimal digit string that identifies the IdP
* `protocol` - The protocol of the identity provider. Either SAML or OIDC.
* `audience_claim` - Identifier of the intended recipient of the token.
* `protocol` - The protocol of the identity provider. Valid values are `SAML` or `OIDC`.
* `audience` - Identifier of the intended recipient of the token.
* `client_id` - Client identifier that is assigned to an application by the Identity Provider.
* `groups_claim` - Identifier of the claim which contains IdP Group IDs in the token.
* `requested_scopes` - Scopes that MongoDB applications will request from the authorization endpoint.
* `user_claim` - Identifier of the claim which contains the user ID in the token.
* `idp_type` - Type of the identity provider. Valid values are `WORKFORCE` or `WORKLOAD`.

### Role_mappings
* `external_group_name` - Unique human-readable label that identifies the identity provider group to which this role mapping applies.
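Review bot: the new `audience` entry (and the unchanged `client_id`, `groups_claim`, `requested_scopes`, `user_claim` entries) do not say they are OIDC-only, while the resource document in this same commit qualifies each of them with "used in OIDC IdP"; the data source list should carry the same qualifier so readers know these are empty for SAML providers. Two smaller points in the unchanged context: `idp_id` is the only entry here without a trailing period, and the `post_auth_role_grants` sentence "If you provide a postAuthRoleGrants field in the request, the array that you provide replaces the current postAuthRoleGrants" describes API write semantics that do not apply to a read-only data source.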
Expand Up @@ -36,6 +36,8 @@ data "mongodbatlas_federated_settings_identity_providers" "identitty_provider" {
* `federation_settings_id` - (Required) Unique 24-hexadecimal digit string that identifies the federated authentication configuration.
* `page_num` - (Optional) The page to return. Defaults to `1`. **Note**: This attribute is deprecated and not being used.
* `items_per_page` - (Optional) Number of items to return per page, up to a maximum of 500. Defaults to `100`. **Note**: This attribute is deprecated and not being used. The implementation is currently limited to returning a maximum of 100 results.
* `protocols` - (Optional) The protocols of the target identity providers. Valid values are `SAML` and `OIDC`.
* `idp_types` - (Optional) The types of the target identity providers. Valid values are `WORKFORCE` and `WORKLOAD`.

## Attributes Reference

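Review bot: the new `protocols` and `idp_types` arguments do not state whether they take a single value or a list, which matters for filter arguments; spell it out in the same style as the rest of the list, e.g. "List of protocols of the target identity providers. Valid values are `SAML` and `OIDC`." The example block name `identitty_provider` in the hunk's context line is misspelled and should read `identity_provider` while this file is being touched.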
Expand All @@ -47,6 +49,8 @@ In addition to all arguments above, the following attributes are exported:
### FederatedSettingsIdentityProvider

* `identity_provider_id` - Unique 24-hexadecimal digit string that identifies the federated authentication configuration.
* `description` - The description of the identity provider.
* `authorization_type` - Indicates whether authorization is granted based on group membership or user ID. Valid values are `GROUP` or `USER`.
* `acs_url` - Assertion consumer service URL to which the IdP sends the SAML response.
* `associated_domains` - List that contains the configured domains from which users can log in for this IdP.
* `associated_orgs` - List that contains the configured domains from which users can log in for this IdP.
Expand All @@ -56,11 +60,12 @@ In addition to all arguments above, the following attributes are exported:
* `post_auth_role_grants` - List that contains the default roles granted to users who authenticate through the IdP in a connected organization. If you provide a postAuthRoleGrants field in the request, the array that you provide replaces the current postAuthRoleGrants.
* `protocol` - The protocol of the identity provider
* `idp_id` - Unique 24-hexadecimal digit string that identifies the IdP
* `audience_claim` - Identifier of the intended recipient of the token.
* `audience` - Identifier of the intended recipient of the token.
* `client_id` - Client identifier that is assigned to an application by the Identity Provider.
* `groups_claim` - Identifier of the claim which contains IdP Group IDs in the token.
* `requested_scopes` - Scopes that MongoDB applications will request from the authorization endpoint.
* `user_claim` - Identifier of the claim which contains the user ID in the token.
* `idp_type` - Type of the identity provider. Valid values are `WORKFORCE` or `WORKLOAD`.

### Role_mappings
* `external_group_name` - Unique human-readable label that identifies the identity provider group to which this role mapping applies.
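Review bot: this list is now inconsistent with the singular data source edited in the same commit. The unchanged `protocol` entry here still reads "The protocol of the identity provider" with no valid values and no period, whereas the other file now says "Valid values are `SAML` or `OIDC`."; and the unchanged `associated_orgs` entry repeats the `associated_domains` text ("List that contains the configured domains from which users can log in") where the singular data source correctly says "organizations". Both should be aligned in this hunk.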
7 changes: 4 additions & 3 deletions website/docs/guides/1.17.0-upgrade-guide.html.markdown
Expand Up @@ -19,10 +19,11 @@ The Terraform MongoDB Atlas Provider version 1.17.0 has a number of new and exci

- Attribute `audienceClaim` used in OIDC IdPs has been replaced with `audience` attribute in `mongodbatlas_federated_settings_identity_provider` [resource](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/federated_settings_identity_provider) and [`mongodbatlas_federated_settings_identity_provider`](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/data-sources/federated_settings_identity_provider) and [`mongodbatlas_federated_settings_identity_providers`](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/data-sources/federated_settings_identity_providers) data sources. This change reflects the most recent changes in the Atlas API [Federated Authentication](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Federated-Authentication/operation/updateIdentityProvider).
- If you have imported a OIDC Workforce IdP in previous versions of this provider, you should:
1. Re-import all [`mongodbatlas_federated_settings_identity_provider`](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/federated_settings_identity_provider) resources:
1. Change `audienceClaim` to `audience` and the value from an array of strings (`["audience"]`) to a single string (`"audience"`) in your terraform configuration files.
2. Re-import all [`mongodbatlas_federated_settings_identity_provider`](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/federated_settings_identity_provider) resources:
`terraform import mongodbatlas_federated_settings_identity_provider.identity_provider <federation_settings_id>-<idp_id>`
2. Run `terraform plan`
3. Run `terraform apply`
3. Run `terraform plan`.
4. Run `terraform apply`.

### Helpful Links

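Review bot: step 2 tells users to re-import resources that are already in state, but `terraform import` refuses to import into an address that is already managed, so the step needs a preceding `terraform state rm mongodbatlas_federated_settings_identity_provider.identity_provider` (or an explanation of how the existing state entry is to be discarded) before the import command. Also, the unchanged intro line reads "imported a OIDC Workforce IdP"; it should be "an OIDC".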
Expand Up @@ -33,6 +33,8 @@ resource "mongodbatlas_federated_settings_identity_provider" "identity_provider"

* `federation_settings_id` - (Required) Unique 24-hexadecimal digit string that identifies the federated authentication configuration.
* `name` - (Required) Human-readable label that identifies the identity provider.
* `description` - (Required for OIDC IdPs) The description of the identity provider.
* `authorization_type` - (Required for OIDC IdPs) Indicates whether authorization is granted based on group membership or user ID. Valid values are `GROUP` or `USER`.
* `associated_domains` - List that contains the domains associated with the identity provider.
* `sso_debug_enabled` - Flag that indicates whether the identity provider has SSO debug enabled.
* `status`- String enum that indicates whether the identity provider is active or not. Accepted values are ACTIVE or INACTIVE.
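Review bot: the new `description` and `authorization_type` entries are fine; while touching this list, the unchanged `status` line is missing the space after the backtick (`` `status`- String enum ``) and leaves `ACTIVE` and `INACTIVE` unquoted, unlike every other enum value in the file.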
Expand All @@ -43,11 +45,13 @@ resource "mongodbatlas_federated_settings_identity_provider" "identity_provider"
- HTTP REDIRECT
* `response_signature_algorithm` - Signature algorithm that Federated Authentication uses to encrypt the identity provider signature. Valid values include `SHA-1 `and `SHA-256`.
* `protocol` - The protocol of the identity provider. Either `SAML` or `OIDC`.
* `audience_claim` - Identifier of the intended recipient of the token used in OIDC IdP.
* `audience` - (Required for OIDC IdPs) Identifier of the intended recipient of the token used in OIDC IdP.
* `client_id` - Client identifier that is assigned to an application by the OIDC Identity Provider.
* `groups_claim` - Identifier of the claim which contains OIDC IdP Group IDs in the token.
* `groups_claim` - (Required for OIDC IdP with `authorization_type = GROUP`) Identifier of the claim which contains OIDC IdP Group IDs in the token.
* `requested_scopes` - Scopes that MongoDB applications will request from the authorization endpoint used for OIDC IdPs.
* `user_claim` - Identifier of the claim which contains the user ID in the token used for OIDC IdPs.
* `user_claim` - (Required for OIDC IdP) Identifier of the claim which contains the user ID in the token used for OIDC IdPs.
userClaim is required for OIDC IdP with authorizationType GROUP and USER.


## Attributes Reference

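Review bot: the added line "userClaim is required for OIDC IdP with authorizationType GROUP and USER." is a stray unbulleted sentence that uses API field names (`userClaim`, `authorizationType`) rather than the Terraform attribute names used everywhere else, and it only repeats the "(Required for OIDC IdP)" qualifier already on the `user_claim` bullet; drop it, or fold it into the bullet as "Required for OIDC IdPs regardless of `authorization_type`." Two points in the unchanged `response_signature_algorithm` context line: the backtick is misplaced in `` `SHA-1 `and `SHA-256` ``, and a signature algorithm signs rather than "encrypt[s]" the identity provider signature, so "uses to sign" is the accurate wording.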