diff --git a/website/docs/d/federated_settings_identity_provider.html.markdown b/website/docs/d/federated_settings_identity_provider.html.markdown index 5f0f14d2f9..6d8c77e859 100644 --- a/website/docs/d/federated_settings_identity_provider.html.markdown +++ b/website/docs/d/federated_settings_identity_provider.html.markdown @@ -46,6 +46,8 @@ In addition to all arguments above, the following attributes are exported: ### FederatedSettingsIdentityProvider +* `description` - The description of the identity provider. +* `authorization_type` - Indicates whether authorization is granted based on group membership or user ID. Valid values are `GROUP` or `USER`. * `acs_url` - Assertion consumer service URL to which the IdP sends the SAML response. * `associated_domains` - List that contains the configured domains from which users can log in for this IdP. * `associated_orgs` - List that contains the organizations from which users can log in for this IdP. 
@@ -54,12 +56,13 @@ In addition to all arguments above, the following attributes are exported: * `org_id` - Unique 24-hexadecimal digit string that identifies the organization that contains your projects. * `post_auth_role_grants` - List that contains the default roles granted to users who authenticate through the IdP in a connected organization. If you provide a postAuthRoleGrants field in the request, the array that you provide replaces the current postAuthRoleGrants. * `idp_id` - Unique 24-hexadecimal digit string that identifies the IdP -* `protocol` - The protocol of the identity provider. Either SAML or OIDC. -* `audience_claim` - Identifier of the intended recipient of the token. +* `protocol` - The protocol of the identity provider. Valid values are `SAML` or `OIDC`. +* `audience` - Identifier of the intended recipient of the token. * `client_id` - Client identifier that is assigned to an application by the Identity Provider. * `groups_claim` - Identifier of the claim which contains IdP Group IDs in the token. * `requested_scopes` - Scopes that MongoDB applications will request from the authorization endpoint. * `user_claim` - Identifier of the claim which contains the user ID in the token. +* `idp_type` - Type of the identity provider. Valid values are `WORKFORCE` or `WORKLOAD`. ### Role_mappings * `external_group_name` - Unique human-readable label that identifies the identity provider group to which this role mapping applies. diff --git a/website/docs/d/federated_settings_identity_providers.html.markdown b/website/docs/d/federated_settings_identity_providers.html.markdown index 7a2fe5906c..8a4594ffea 100644 --- a/website/docs/d/federated_settings_identity_providers.html.markdown +++ b/website/docs/d/federated_settings_identity_providers.html.markdown 
@@ -36,6 +36,8 @@ data "mongodbatlas_federated_settings_identity_providers" "identitty_provider" { * `federation_settings_id` - (Required) Unique 24-hexadecimal digit string that identifies the federated authentication configuration. * `page_num` - (Optional) The page to return. Defaults to `1`. **Note**: This attribute is deprecated and not being used. * `items_per_page` - (Optional) Number of items to return per page, up to a maximum of 500. Defaults to `100`. **Note**: This attribute is deprecated and not being used. The implementation is currently limited to returning a maximum of 100 results. +* `protocols` - (Optional) The protocols of the target identity providers. Valid values are `SAML` and `OIDC`. +* `idp_types` - (Optional) The types of the target identity providers. Valid values are `WORKFORCE` and `WORKLOAD`. ## Attributes Reference @@ -47,6 +49,8 @@ In addition to all arguments above, the following attributes are exported: ### FederatedSettingsIdentityProvider * `identity_provider_id` - Unique 24-hexadecimal digit string that identifies the federated authentication configuration. +* `description` - The description of the identity provider. +* `authorization_type` - Indicates whether authorization is granted based on group membership or user ID. Valid values are `GROUP` or `USER`. * `acs_url` - Assertion consumer service URL to which the IdP sends the SAML response. * `associated_domains` - List that contains the configured domains from which users can log in for this IdP. * `associated_orgs` - List that contains the configured domains from which users can log in for this IdP. 
@@ -56,11 +60,12 @@ In addition to all arguments above, the following attributes are exported: * `post_auth_role_grants` - List that contains the default roles granted to users who authenticate through the IdP in a connected organization. If you provide a postAuthRoleGrants field in the request, the array that you provide replaces the current postAuthRoleGrants. * `protocol` - The protocol of the identity provider * `idp_id` - Unique 24-hexadecimal digit string that identifies the IdP -* `audience_claim` - Identifier of the intended recipient of the token. +* `audience` - Identifier of the intended recipient of the token. * `client_id` - Client identifier that is assigned to an application by the Identity Provider. * `groups_claim` - Identifier of the claim which contains IdP Group IDs in the token. * `requested_scopes` - Scopes that MongoDB applications will request from the authorization endpoint. * `user_claim` - Identifier of the claim which contains the user ID in the token. +* `idp_type` - Type of the identity provider. Valid values are `WORKFORCE` or `WORKLOAD`. ### Role_mappings * `external_group_name` - Unique human-readable label that identifies the identity provider group to which this role mapping applies. diff --git a/website/docs/guides/1.17.0-upgrade-guide.html.markdown b/website/docs/guides/1.17.0-upgrade-guide.html.markdown index 937a4a6851..f4e687ec33 100644 --- a/website/docs/guides/1.17.0-upgrade-guide.html.markdown +++ b/website/docs/guides/1.17.0-upgrade-guide.html.markdown 
@@ -19,10 +19,11 @@ The Terraform MongoDB Atlas Provider version 1.17.0 has a number of new and exci - Attribute `audienceClaim` used in OIDC IdPs has been replaced with `audience` attribute in `mongodbatlas_federated_settings_identity_provider` [resource](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/federated_settings_identity_provider) and [`mongodbatlas_federated_settings_identity_provider`](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/data-sources/federated_settings_identity_provider) and [`mongodbatlas_federated_settings_identity_providers`](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/data-sources/federated_settings_identity_providers) data sources. This change reflects the most recent changes in the Atlas API [Federated Authentication](https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Federated-Authentication/operation/updateIdentityProvider). - If you have imported a OIDC Workforce IdP in previous versions of this provider, you should: - 1. Re-import all [`mongodbatlas_federated_settings_identity_provider`](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/federated_settings_identity_provider) resources: + 1. Change `audienceClaim` to `audience` and the value from an array of strings (`["audience"]`) to a single string (`"audience"`) in your terraform configuration files. + 2. Re-import all [`mongodbatlas_federated_settings_identity_provider`](https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/federated_settings_identity_provider) resources: `terraform import mongodbatlas_federated_settings_identity_provider.identity_provider -` - 2. Run `terraform plan` - 3. Run `terraform apply` + 3. Run `terraform plan`. + 4. Run `terraform apply`. ### Helpful Links 
diff --git a/website/docs/r/federated_settings_identity_provider.html.markdown b/website/docs/r/federated_settings_identity_provider.html.markdown index cfc581268a..6eabd53197 100644 --- a/website/docs/r/federated_settings_identity_provider.html.markdown +++ b/website/docs/r/federated_settings_identity_provider.html.markdown @@ -33,6 +33,8 @@ resource "mongodbatlas_federated_settings_identity_provider" "identity_provider" * `federation_settings_id` - (Required) Unique 24-hexadecimal digit string that identifies the federated authentication configuration. * `name` - (Required) Human-readable label that identifies the identity provider. +* `description` - (Required for OIDC IdPs) The description of the identity provider. +* `authorization_type` - (Required for OIDC IdPs) Indicates whether authorization is granted based on group membership or user ID. Valid values are `GROUP` or `USER`. * `associated_domains` - List that contains the domains associated with the identity provider. * `sso_debug_enabled` - Flag that indicates whether the identity provider has SSO debug enabled. * `status`- String enum that indicates whether the identity provider is active or not. Accepted values are ACTIVE or INACTIVE. 
@@ -43,11 +45,13 @@ resource "mongodbatlas_federated_settings_identity_provider" "identity_provider" - HTTP REDIRECT * `response_signature_algorithm` - Signature algorithm that Federated Authentication uses to encrypt the identity provider signature. Valid values include `SHA-1 `and `SHA-256`. * `protocol` - The protocol of the identity provider. Either `SAML` or `OIDC`. -* `audience_claim` - Identifier of the intended recipient of the token used in OIDC IdP. +* `audience` - (Required for OIDC IdPs) Identifier of the intended recipient of the token used in OIDC IdP. * `client_id` - Client identifier that is assigned to an application by the OIDC Identity Provider. -* `groups_claim` - Identifier of the claim which contains OIDC IdP Group IDs in the token. +* `groups_claim` - (Required for OIDC IdP with `authorization_type = GROUP`) Identifier of the claim which contains OIDC IdP Group IDs in the token. * `requested_scopes` - Scopes that MongoDB applications will request from the authorization endpoint used for OIDC IdPs. -* `user_claim` - Identifier of the claim which contains the user ID in the token used for OIDC IdPs. +* `user_claim` - (Required for OIDC IdP) Identifier of the claim which contains the user ID in the token used for OIDC IdPs. +userClaim is required for OIDC IdP with authorizationType GROUP and USER. + ## Attributes Reference
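Review bot: in the `federated_settings_identity_providers` Arguments hunk, the new `protocols` and `idp_types` filters document their valid values but not their type (the plural names suggest lists of strings) or the behaviour when they are omitted; since `page_num`/`items_per_page` are already marked deprecated and the result set is capped at 100, please say whether omitting a filter returns IdPs of every protocol/type and that the filters are the only way to narrow the result, e.g. `protocols = ["OIDC"]` if they are lists. While touching this file, the context lines for `identity_provider_id` ("identifies the federated authentication configuration") and `associated_orgs` ("configured domains from which users can log in") are copy-paste residue from neighbouring attributes; the sibling data source in this same patch describes `associated_orgs` as the organizations from which users can log in, so the two should be aligned.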
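Review bot: in the second data-source Attributes hunk, `protocol` is still documented as "The protocol of the identity provider" with no valid values, while the same attribute in `federated_settings_identity_provider.html.markdown` was updated in this patch to "Valid values are `SAML` or `OIDC`."; the two data sources should match. The `audience_claim` to `audience` rename in both data sources is also a breaking change for any configuration that references `audience_claim` on a data source in outputs or other resources, but the upgrade-guide hunk only talks about the resource; one line pointing data-source users at the renamed attribute would save them a confusing plan.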
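Review bot: the new step 1 in the upgrade guide tells users to change `audienceClaim` to `audience` "in your terraform configuration files", but the HCL attribute removed in the resource-doc hunk is `audience_claim` (snake_case); `audienceClaim` is the Atlas API field name and will not be found in anyone's `.tf` files. Suggest: "1. Rename `audience_claim` to `audience` and change the value from a list of strings (`audience_claim = ["audience"]`) to a single string (`audience = "audience"`)." Two further points: the import command on the context line ends in a bare `-` with no import ID, so the rendered guide does not tell readers what to pass to `terraform import`; and because `audience` is the identifier Atlas expects in the token's `aud` claim, the guide should tell readers to verify that the single string they keep is exactly the audience their IdP issues before running `terraform apply`, since apply will push whatever value is in the config and a mistake here changes which tokens Atlas accepts. Minor: "a OIDC Workforce IdP" in the context line should read "an OIDC Workforce IdP".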
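Review bot: in the resource Arguments hunk, `description` and `authorization_type` are marked "(Required for OIDC IdPs)" but nothing says whether they are accepted, ignored, or rejected for SAML IdPs; the list already mixes SAML-only fields (`sso_debug_enabled`, `acs_url`) with OIDC-only ones without grouping, so for each new field state its behaviour for the other protocol. `authorization_type` also deserves one sentence on what it changes: with `USER` access is decided per user ID taken from `user_claim`, with `GROUP` access is decided by the group IDs from `groups_claim` and the role mappings, which is why `groups_claim` becomes required in the next hunk.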
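Review bot: the added line "userClaim is required for OIDC IdP with authorizationType GROUP and USER." sits outside the bullet list, uses API camelCase names, and repeats what the `user_claim` bullet two lines above already says; drop it, or fold it into that bullet as "(Required for OIDC IdPs regardless of `authorization_type`)". The resource doc also never mentions `idp_type`, even though both data-source hunks export it with values `WORKFORCE`/`WORKLOAD`; if it is settable on the resource it needs an Arguments entry, if computed it needs an Attributes entry. Two context-line fixes worth making in the same edit: `response_signature_algorithm` "uses to encrypt the identity provider signature" should say "sign" (a signature algorithm signs, it does not encrypt), and the stray space in "`SHA-1 `" breaks the code span; since `SHA-1` is listed as a valid value, the doc should state that `SHA-256` is the recommended choice. Finally, the `audience` bullet would be clearer as "Identifier of the intended recipient of the token; Atlas matches it against the `aud` claim of tokens issued by the OIDC IdP."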