Skip to content

feat(sso): add sysdig_sso_openid and sysdig_sso_saml resources #688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tembleking wants to merge 3 commits into
base: master
Choose a base branch
from
Open

feat(sso): add sysdig_sso_openid and sysdig_sso_saml resources #688

tembleking wants to merge 3 commits into from

Conversation

@tembleking
Copy link
Member

@tembleking tembleking commented Jan 28, 2026
edited
Loading

Summary

  • Add sysdig_sso_openid resource for OpenID Connect SSO configuration
  • Add sysdig_sso_saml resource for SAML SSO configuration

Both resources use the /platform/v1/sso-settings/ endpoint with different type discriminators.

sysdig_sso_openid features:

  • Issuer URL with optional metadata discovery
  • Client ID/Secret authentication
  • Manual metadata configuration when discovery is disabled
  • Additional OAuth scopes support

sysdig_sso_saml features:

  • Metadata via URL or inline XML (mutually exclusive)
  • Email parameter mapping
  • Security settings (signature validation, signed assertions, destination verification, encryption)

Common SSO features (both resources):

  • Product selection (monitor/secure)
  • Group mapping configuration
  • Single logout support
  • Auto user creation on login
  • Optimistic locking via version field

Test plan

  • Run acceptance tests for OpenID: go test ./sysdig -v -run TestAccSSOOpenID -tags=tf_acc_sysdig_secure -timeout 120m
  • Run acceptance tests for SAML: go test ./sysdig -v -run TestAccSSOSaml -tags=tf_acc_sysdig_secure -timeout 120m
  • Verify import functionality for both resources
  • Test update operations with version-based optimistic locking

@tembleking
feat(sso): add sysdig_sso_openid resource
750d2c1 
Add new Terraform resource to manage OpenID Connect SSO configurations
via /api/v1/sso-settings/ endpoint.

Refs: ET-553
@tembleking
feat(sso): add sysdig_sso_saml resource
fd3dfdb 
Add SAML SSO configuration resource for Sysdig, allowing users to
configure SAML-based Single Sign-On via Terraform.

Features:
- Support for metadata_url or metadata_xml (mutually exclusive)
- SAML security settings (signature validation, signed assertions,
  destination verification, encryption support)
- Common SSO fields (group mapping, single logout, auto user creation)
- Full CRUD operations with optimistic locking via version field
@tembleking tembleking changed the title feat(sso): add sysdig_sso_openid resource feat(sso): add sysdig_sso_openid and sysdig_sso_saml resources Jan 28, 2026
@tembleking
fix(sso): correct Platform API endpoint and fix various issues
555cafa 
- Change endpoint from /api/v1/sso-settings to /platform/v1/sso-settings
- Move disable-before-delete logic to resource layer (API requires client_secret)
- Add ForceNew to integration_name (cannot be updated via API)
- Preserve additional_scopes from state when API returns null
- Skip WithMetadata test due to Platform API bug (returns 500 for manual metadata)
dbonf
dbonf reviewed Feb 2, 2026
View reviewed changes
website/docs/r/sso_saml.md
* `is_single_logout_enabled` - (Optional) Whether SAML Single Logout (SLO) is enabled. Default: `false`.
* `is_group_mapping_enabled` - (Optional) Whether group mapping from SAML attributes is enabled. Default: `false`.
* `group_mapping_attribute_name` - (Optional) The SAML attribute name that contains group membership information. Default: `groups`.
* `integration_name` - (Optional) A custom display name for this SSO integration.
Copy link
Collaborator

@dbonf dbonf Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: the integration name, for both saml and openid, is not only affecting used to display a mnemonic name, but it should be used mostly to distinguish different IdP settings so that a customer can properly set then up, and select them in the login page, so I suggest to reword the description to something more generic like "A name to distinguish different SSO integrations".

sysdig/resource_sysdig_sso_openid.go
Default: true,
Description: "Whether to use automatic metadata discovery from the issuer URL",
},
"group_attribute_name": {
Copy link
Collaborator

@dbonf dbonf Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think we have an issue with the current public api: GroupAttributeName is redundant and ignored on updates, while the correct field to use is groupMappingAttributeName (same as saml). So, we should also remove group_attribute_name here and only have group_mapping_attribute_name.

dbonf
dbonf reviewed Feb 2, 2026
View reviewed changes
Copy link
Collaborator

@dbonf dbonf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

related to sso settings we also have group mappings (/platform/v1/group-mappings, to be used when we define group mapping in this resource) and global sso settings (/platform/v1/global-sso-settings/, to enable / disable password login), are we planning also to include them?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dbonf dbonf dbonf left review comments

@airadier airadier Awaiting requested review from airadier airadier is a code owner

@mateobur mateobur Awaiting requested review from mateobur mateobur is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tembleking @dbonf