
googleIdentityPlatformInboundSamlConfig

Inbound SAML configuration for an Identity Toolkit project.

You must enable the Google Identity Platform in the marketplace prior to using this resource.

Example Usage - Identity Platform Inbound Saml Config Basic

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Fn } from "cdktf";
import * as google from "./.gen/providers/google";

// The generated bindings expose arguments in camelCase; idpConfig and spConfig
// are single-item blocks, so they are passed as objects rather than arrays.
new google.identityPlatformInboundSamlConfig.IdentityPlatformInboundSamlConfig(
  this,
  "saml_config",
  {
    name: "saml.tf-config",
    displayName: "Display Name",
    idpConfig: {
      idpEntityId: "tf-idp",
      ssoUrl: "https://example.com",
      // Sign the outbound SAMLRequest sent to the IdP.
      signRequest: true,
      // The IdP's certificate used to verify SAMLResponse signatures,
      // read with Terraform's file() function.
      idpCertificates: [
        { x509Certificate: Fn.file("test-fixtures/rsa_cert.pem") },
      ],
    },
    spConfig: {
      spEntityId: "tf-sp",
      // Where the IdP posts the SAMLResponse; must start with https://.
      callbackUri: "https://example.com",
    },
  }
);

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the InboundSamlConfig resource. Must start with 'saml.' and can only have alphanumeric characters, hyphens, underscores or periods. The part after 'saml.' must also start with a lowercase letter, end with an alphanumeric character, and have at least 2 characters.

  • displayName - (Required) Human friendly display name.

  • idpConfig - (Required) SAML IdP configuration when the project acts as the relying party. Structure is documented below.

  • spConfig - (Required) SAML SP (Service Provider) configuration when the project acts as the relying party to receive and accept an authentication assertion issued by a SAML identity provider. Structure is documented below.

The idpConfig block supports:

  • idpEntityId - (Required) Unique identifier for all SAML entities.

  • ssoUrl - (Required) URL to send Authentication request to.

  • signRequest - (Optional) Indicates if the outbound SAMLRequest should be signed.

  • idpCertificates - (Required) The IdP's certificate data to verify the signature in the SAMLResponse issued by the IDP. Structure is documented below.

The idpCertificates block supports:

  • x509Certificate - (Optional) The IdP's x509 certificate.

The spConfig block supports:

  • spEntityId - (Optional) Unique identifier for all SAML entities.

  • callbackUri - (Optional) Callback URI where responses from IDP are handled. Must start with https://.

  • spCertificates - (Output) The IDP's certificate data to verify the signature in the SAMLResponse issued by the IDP. Structure is documented below.

The spCertificates block contains:

  • x509Certificate - (Output) The x509 certificate

The following top-level arguments are optional:

  • enabled - (Optional) If this config allows users to sign in with the provider.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
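The naming, callback URI and certificate constraints listed above, turned into a pre-synthesis check. This is an added example, not provider code: the interface is assumed to mirror the resource's camelCase arguments, and the https check on ssoUrl is stricter than what the provider itself requires.

```typescript
// Added example (not part of the provider): pre-synth checks mirroring the
// argument constraints documented for this resource, applied to a plain
// object with the same camelCase shape the CDKTF binding expects.
interface IdpCertificate { x509Certificate?: string }
interface InboundSamlConfigArgs {
  name: string;
  displayName: string;
  idpConfig: {
    idpEntityId: string;
    ssoUrl: string;
    signRequest?: boolean;
    idpCertificates: IdpCertificate[];
  };
  spConfig: { spEntityId?: string; callbackUri?: string };
}

// name rule: 'saml.' prefix; the remainder starts with a lowercase letter, ends
// with an alphanumeric, has at least 2 characters, and uses only [A-Za-z0-9_.-].
const NAME_RE = /^saml\.[a-z][A-Za-z0-9_.-]*[A-Za-z0-9]$/;
const PEM_CERT_RE = /^-----BEGIN CERTIFICATE-----[\s\S]+-----END CERTIFICATE-----$/;

function validateInboundSamlConfig(args: InboundSamlConfigArgs): string[] {
  const errors: string[] = [];
  if (!NAME_RE.test(args.name)) {
    errors.push(`name "${args.name}" does not satisfy the saml.<id> naming rule`);
  }
  // callbackUri receives the SAMLResponse; the provider requires https://.
  const cb = args.spConfig.callbackUri;
  if (cb !== undefined && !cb.startsWith("https://")) {
    errors.push(`spConfig.callbackUri must start with https:// (got "${cb}")`);
  }
  // Stricter than the provider: do not send the SAMLRequest over cleartext.
  if (!args.idpConfig.ssoUrl.startsWith("https://")) {
    errors.push(`idpConfig.ssoUrl should use https:// (got "${args.idpConfig.ssoUrl}")`);
  }
  // At least one IdP certificate is needed to verify SAMLResponse signatures.
  const certs = args.idpConfig.idpCertificates;
  if (certs.length === 0) {
    errors.push("idpConfig.idpCertificates must contain at least one certificate");
  }
  certs.forEach((c, i) => {
    const pem = (c.x509Certificate ?? "").trim();
    // A Terraform token such as Fn.file(...) is resolved at apply time; skip it.
    if (pem.startsWith("${")) return;
    if (!PEM_CERT_RE.test(pem)) {
      errors.push(`idpCertificates[${i}].x509Certificate is not a PEM certificate`);
    }
  });
  return errors;
}
```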

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/{{project}}/inboundSamlConfigs/{{name}}

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

InboundSamlConfig can be imported using any of these accepted formats:

$ terraform import google_identity_platform_inbound_saml_config.default projects/{{project}}/inboundSamlConfigs/{{name}}
$ terraform import google_identity_platform_inbound_saml_config.default {{project}}/{{name}}
$ terraform import google_identity_platform_inbound_saml_config.default {{name}}

User Project Overrides

This resource supports User Project Overrides.