
Not possible to configure Saml with terraform provider #1418

Open
flmmartins opened this issue Jun 26, 2024 · 2 comments
flmmartins commented Jun 26, 2024

I am configuring SSO for an application and I tried the following

data "azuread_application_template" "sso" {
  display_name = "Microsoft Entra SAML Toolkit"
}

resource "azuread_application" "sso" {
  group_membership_claims = ["All"] # Emit all of the user's group memberships in the token
  identifier_uris         = ["https://XXX"]
  template_id             = data.azuread_application_template.sso.template_id # references the data source declared above
  display_name            = "sso"

  feature_tags {
    enterprise            = true
    gallery               = true
    custom_single_sign_on = true
  }

  web {
    logout_url    = "https://XXX/saml"
    redirect_uris = ["https://XXX/saml"]
  }

  optional_claims {
    saml2_token {
      essential             = false
      name                  = "NameID"
      source                = "user"
      additional_properties = ["user.mail"] # this value is what triggers the error reported below
    }
  }
}

I ran into 2 issues. The first is the following error:

Optional Claim does not work for saml

│ Error: expected optional_claims.0.saml2_token.0.additional_properties.0 to be one of ["cloud_displayname" "dns_domain_and_sam_account_name" "emit_as_roles" "include_externally_authenticated_upn_without_hash" "include_externally_authenticated_upn" "max_size_limit" "netbios_domain_and_sam_account_name" "on_premise_security_identifier" "sam_account_name" "use_guid"], got user.mail

PS: This is an extra field that differs from the required claim "Name ID" (with space in between)

Entity ID and Reply URL
I see that my Entity ID and Reply URL do not get filled in when I pass the URLs.

@flmmartins flmmartins changed the title How to create additional attributes & claims with saml Not possible to create additional attributes & claims with saml Jun 26, 2024
@flmmartins flmmartins changed the title Not possible to create additional attributes & claims with saml Not possible to configure Saml with terraform provider Jul 3, 2024
1oglop1 commented Aug 19, 2024

@flmmartins I had the same problem but after some googling, I figured it out.

From here https://stackoverflow.com/questions/66077870/create-azure-enterprise-application-with-terraform you'll find out that what you need is a combination of an application (App registration) and a Service Principal https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal

Then you should be able to use the mapping https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/claims_mapping_policy

And the last (most likely not least) https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_token_signing_certificate - this resource doesn't even give you the federation XML URI, which is https://login.microsoftonline.com/${tenantId}/federationmetadata/2007-06/federationmetadata.xml?appid=${appId} - but the XML response always contains a different signature, so passing this to e.g. aws_iam_saml_provider will cause an update on every run, and I had to do the XML transformation.
I have yet to see whether I can even use transformations as described at https://learn.microsoft.com/en-us/graph/api/resources/claimsmappingpolicy?view=graph-rest-1.0
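The perpetual-diff problem described above comes from the enveloped XML signature on the federation metadata document: Entra re-signs the document on every request, so the raw bytes change even though the identity provider's signing certificate (the only thing the service provider actually trusts) does not. The following is an added example, not code from the issue or from the azuread provider, showing one way to do the "XML transformation" mentioned: strip the volatile ds:Signature element, serialize the remainder deterministically, and pull the signing certificate out of the KeyDescriptor. The metadata document here is constructed for the example (placeholder tenant id and a placeholder certificate string); a real deployment should verify the envelope signature at fetch time before discarding it, since this normalization removes the integrity proof, not just the noise.

```python
"""Normalize an Entra ID SAML federation metadata document across fetches.

The metadata endpoint re-signs the document on every request, so the raw XML
(specifically ds:SignatureValue) differs each time. Removing the enveloped
signature and serializing the rest canonically yields a byte-stable document
that can be fed to a SAML provider resource without a diff on every run.
"""
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # stable prefixes on serialization

# Constructed placeholder, not a real certificate.
CONSTRUCTED_CERT = "MIIBPLACEHOLDERSIGNINGCERTBASE64"


def constructed_metadata(signature_value: str) -> bytes:
    """Build a minimal metadata document the way two successive fetches would
    look: identical content, different envelope SignatureValue."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT_ID_PLACEHOLDER/">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></SignedInfo>
    <SignatureValue>{signature_value}</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>{CONSTRUCTED_CERT}</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        {CONSTRUCTED_CERT}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".encode("utf-8")


def strip_signature(xml_bytes: bytes) -> bytes:
    """Remove every enveloped ds:Signature element and re-serialize.

    Only the transport signature is dropped; the IdP signing certificate in
    KeyDescriptor use="signing" stays in the document.
    """
    root = ET.fromstring(xml_bytes)
    # Collect first, then remove, so the tree is not mutated mid-iteration.
    doomed = [(parent, sig)
              for parent in root.iter()
              for sig in parent.findall("ds:Signature", NS)]
    for parent, sig in doomed:
        parent.remove(sig)
    return ET.tostring(root, encoding="utf-8")


def signing_certificates(xml_bytes: bytes) -> list[str]:
    """Return the base64 bodies of the IdP's signing certificates, whitespace
    removed, as a comparison-friendly list."""
    root = ET.fromstring(xml_bytes)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attr means both
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return certs


def metadata_fingerprint(xml_bytes: bytes) -> str:
    """SHA-256 of the normalized document; stable across fetches, changes only
    when the metadata content (e.g. a rotated signing certificate) changes."""
    return hashlib.sha256(strip_signature(xml_bytes)).hexdigest()


if __name__ == "__main__":
    first = constructed_metadata("c2lnbmF0dXJlLWZldGNoLTE=")
    second = constructed_metadata("c2lnbmF0dXJlLWZldGNoLTI=")
    print("raw bytes equal:       ", first == second)
    print("normalized bytes equal:", strip_signature(first) == strip_signature(second))
    print("fingerprint:           ", metadata_fingerprint(first))
    print("signing certs:         ", signing_certificates(first))
```

Feeding the output of strip_signature (or comparing metadata_fingerprint between runs) to the SAML provider resource gives a plan that only changes when Entra actually rotates the signing certificate, which is the event a defender wants to notice and approve rather than have buried under daily noise.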

flmmartins (Author) commented

@1oglop1 Thanks for the reply! Do you have an example on how you did it?


3 participants