Add User ID Attribute Type for AzureAD Connections
u771385 opened this issue · 5 comments
Checklist
- I agree to the terms within the Auth0 Code of Conduct.
Describe the problem you'd like to have solved
Need to be able to set the User ID Attribute Type on Azure AD Connections to oid to support SCIM. My existing connections that were provisioned through TF were all defaulted to sub.
Describe the ideal solution
One idea would be to extend the user_id_attribute used for samlp connections and allow either oid or sub for AzureAD connections.
Alternatives and current workarounds
None. Any update to the Connection will cause a null to be passed to the userid_attribute field which will reset the value back to sub - even though it retrieved the value as "oid" in the GET just before the PATCH.
Additional context
No response
This seems to be a bug rather than a feature
Agree that this is a bug.
From an API view (GET https://tenant.eu.auth0.com/api/v2/connection) the `userid_attribute` property is not visible until it has been explicitly set in some way. In our case, while investigating the issue, we set the value to `oid` and then back to `sub` via the console. If we then made an API call to view the resource we can see the `userid_attribute` property and can see that it is set to `sub`.

The next time we perform a `terraform apply` the property gets set back to `null`. Any subsequent `terraform plan` shows an intention to set this back to `sub` but it stays as `null` when viewed via the API.

```
# module.terraform-auth0-tenant.auth0_connection.connections["connection_aad"] will be updated in-place
~ resource "auth0_connection" "connections" {
    id   = "<redacted>"
    name = "<redacted>"
    # (5 unchanged attributes hidden)

  ~ options {
      + user_id_attribute = "sub"
        # (37 unchanged attributes hidden)
    }
}

Plan: 0 to add, 1 to change, 0 to destroy.
```

We assume that despite this showing as `null` the underlying behaviour is `sub`.
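A drift check for the behaviour described in this comment, added here as an example that is not part of the thread or of the provider: it reads the JSON shape a Management API `GET /api/v2/connections` call returns (a constructed sample below, with placeholder names and ids) and flags `waad` connections whose effective `userid_attribute` is not `oid`, treating a null or absent property as the default `sub`, which is what the comment above assumes. Running it after each apply catches a connection that SCIM depends on being silently reset.

```python
import json

# What the thread observes as the implicit default when the property is unset.
DEFAULT_USER_ID_ATTRIBUTE = "sub"


def effective_user_id_attribute(connection):
    """Return the userid_attribute the connection effectively uses.

    The Management API omits the property until it has been set explicitly,
    and a PATCH carrying null leaves it absent again, so None/absent is read
    as the default "sub" rather than as "unknown".
    """
    options = connection.get("options") or {}
    value = options.get("userid_attribute")
    return DEFAULT_USER_ID_ATTRIBUTE if value is None else value


def find_drifted_connections(connections, expected="oid", strategy="waad"):
    """List (name, effective value) for connections of the given strategy
    whose effective userid_attribute differs from the expected one."""
    drifted = []
    for connection in connections:
        if connection.get("strategy") != strategy:
            continue
        actual = effective_user_id_attribute(connection)
        if actual != expected:
            drifted.append((connection["name"], actual))
    return drifted


# Constructed sample shaped like a GET /api/v2/connections response; the
# ids and names are placeholders, not real tenant data.
SAMPLE_CONNECTIONS = json.loads("""
[
  {"id": "con_1", "name": "aad-scim-ok", "strategy": "waad",
   "options": {"userid_attribute": "oid"}},
  {"id": "con_2", "name": "aad-reset-by-apply", "strategy": "waad",
   "options": {"userid_attribute": null}},
  {"id": "con_3", "name": "aad-never-set", "strategy": "waad",
   "options": {}},
  {"id": "con_4", "name": "aad-explicit-sub", "strategy": "waad",
   "options": {"userid_attribute": "sub"}},
  {"id": "con_5", "name": "saml-partner", "strategy": "samlp",
   "options": {}}
]
""")

if __name__ == "__main__":
    for name, actual in find_drifted_connections(SAMPLE_CONNECTIONS):
        print(f"{name}: userid_attribute is {actual!r}, expected 'oid'")
```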
I've just tried version 1.7.0 and even if I set up "oid" in terraform it still sets the value to "sub" during terraform apply and I have to change it manually after each CD pipeline.
In terraform we set:

```hcl
user_id_attribute = "oid"
```

Get Connection call from Management API returns this (after I manually changed "sub" to "oid" in the dashboard):

```json
"userid_attribute": "oid",
```
Is it possible it doesn't work because of a difference in properties' names?
@rwyr I tried creating a new connection with the below and then updated the value from `oid` to `sub` and it worked as expected.

The naming convention `userid_attribute` vs `user_id_attribute` is not going to be an issue, the SDK handles it correctly.

```hcl
resource "auth0_connection" "azure_ad" {
  name           = "Acceptance-Test-Azure-AD-sample"
  strategy       = "waad"
  show_as_button = true

  options {
    identity_api         = "azure-active-directory-v1.0"
    client_id            = "123456"
    client_secret        = "123456"
    strategy_version     = 2
    tenant_domain        = "example.onmicrosoft.com"
    domain               = "example.onmicrosoft.com"
    domain_aliases = [
      "example.com",
      "api.example.com"
    ]
    use_wsfed            = false
    waad_protocol        = "openid-connect"
    waad_common_endpoint = false
    user_id_attribute    = "oid"
    api_enable_users     = true
    scopes = [
      "basic_profile",
      "ext_groups",
      "ext_profile"
    ]
    set_user_root_attributes               = "on_each_login"
    should_trust_email_verified_connection = "never_set_emails_as_verified"
    upstream_params = jsonencode({
      "screen_name" : {
        "alias" : "login_hint"
      }
    })
  }
}
```
Yes, it's been fixed in v1.7.1