junipermist.org.Sso
Explore with Pulumi AI
This resource manages Org API Tokens. Org API token is a unique identifier used by an application to authenticate and access a service’s API. These tokens are used to authenticate requests made to the API server and ensure secure access to the API. They are not bound to any specific user and provide access to the organization as a whole. Organization tokens support different privileges and can only be used for the specific organization they are generated for. Rate limiting is done on an individual token basis, so if one token reaches its rate limit, it does not impact other tokens.
The SSO Metadata can be retrieved with the junipermist.org.getSsoMetadata
data source.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as junipermist from "@pulumi/juniper-mist";
const ssoAdminOne = new junipermist.org.Sso("sso_admin_one", {
orgId: terraformTest.id,
name: "sso_admin_one",
customLogoutUrl: "https://idp.com/logout",
idpCert: "-----BEGIN CERTIFICATE-----MIIF0jC .../fSCGx7-----END CERTIFICATE-----",
idpSignAlgo: "sha512",
idpSsoUrl: "https://idp.com/login",
issuer: "my_idp_issuer",
nameidFormat: "email",
});
import pulumi
import pulumi_juniper_mist as junipermist
sso_admin_one = junipermist.org.Sso("sso_admin_one",
org_id=terraform_test["id"],
name="sso_admin_one",
custom_logout_url="https://idp.com/logout",
idp_cert="-----BEGIN CERTIFICATE-----MIIF0jC .../fSCGx7-----END CERTIFICATE-----",
idp_sign_algo="sha512",
idp_sso_url="https://idp.com/login",
issuer="my_idp_issuer",
nameid_format="email")
package main
import (
"github.com/pulumi/pulumi-junipermist/sdk/go/junipermist/org"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := org.NewSso(ctx, "sso_admin_one", &org.SsoArgs{
OrgId: pulumi.Any(terraformTest.Id),
Name: pulumi.String("sso_admin_one"),
CustomLogoutUrl: pulumi.String("https://idp.com/logout"),
IdpCert: pulumi.String("-----BEGIN CERTIFICATE-----MIIF0jC .../fSCGx7-----END CERTIFICATE-----"),
IdpSignAlgo: pulumi.String("sha512"),
IdpSsoUrl: pulumi.String("https://idp.com/login"),
Issuer: pulumi.String("my_idp_issuer"),
NameidFormat: pulumi.String("email"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using JuniperMist = Pulumi.JuniperMist;
return await Deployment.RunAsync(() =>
{
var ssoAdminOne = new JuniperMist.Org.Sso("sso_admin_one", new()
{
OrgId = terraformTest.Id,
Name = "sso_admin_one",
CustomLogoutUrl = "https://idp.com/logout",
IdpCert = "-----BEGIN CERTIFICATE-----MIIF0jC .../fSCGx7-----END CERTIFICATE-----",
IdpSignAlgo = "sha512",
IdpSsoUrl = "https://idp.com/login",
Issuer = "my_idp_issuer",
NameidFormat = "email",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.junipermist.org.Sso;
import com.pulumi.junipermist.org.SsoArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var ssoAdminOne = new Sso("ssoAdminOne", SsoArgs.builder()
.orgId(terraformTest.id())
.name("sso_admin_one")
.customLogoutUrl("https://idp.com/logout")
.idpCert("-----BEGIN CERTIFICATE-----MIIF0jC .../fSCGx7-----END CERTIFICATE-----")
.idpSignAlgo("sha512")
.idpSsoUrl("https://idp.com/login")
.issuer("my_idp_issuer")
.nameidFormat("email")
.build());
}
}
resources:
ssoAdminOne:
type: junipermist:org:Sso
name: sso_admin_one
properties:
orgId: ${terraformTest.id}
name: sso_admin_one
customLogoutUrl: https://idp.com/logout
idpCert: '-----BEGIN CERTIFICATE-----MIIF0jC .../fSCGx7-----END CERTIFICATE-----'
idpSignAlgo: sha512
idpSsoUrl: https://idp.com/login
issuer: my_idp_issuer
nameidFormat: email
Create Sso Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Sso(name: string, args: SsoArgs, opts?: CustomResourceOptions);
@overload
def Sso(resource_name: str,
args: SsoArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Sso(resource_name: str,
opts: Optional[ResourceOptions] = None,
issuer: Optional[str] = None,
org_id: Optional[str] = None,
idp_cert: Optional[str] = None,
idp_sign_algo: Optional[str] = None,
idp_sso_url: Optional[str] = None,
custom_logout_url: Optional[str] = None,
default_role: Optional[str] = None,
name: Optional[str] = None,
role_attr_extraction: Optional[str] = None,
ignore_unmatched_roles: Optional[bool] = None,
nameid_format: Optional[str] = None,
role_attr_from: Optional[str] = None,
scim_enabled: Optional[bool] = None,
scim_secret_token: Optional[str] = None)
func NewSso(ctx *Context, name string, args SsoArgs, opts ...ResourceOption) (*Sso, error)
public Sso(string name, SsoArgs args, CustomResourceOptions? opts = null)
type: junipermist:org:Sso
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SsoArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SsoArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SsoArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SsoArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SsoArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var ssoResource = new JuniperMist.Org.Sso("ssoResource", new()
{
Issuer = "string",
OrgId = "string",
IdpCert = "string",
IdpSignAlgo = "string",
IdpSsoUrl = "string",
CustomLogoutUrl = "string",
DefaultRole = "string",
Name = "string",
RoleAttrExtraction = "string",
IgnoreUnmatchedRoles = false,
NameidFormat = "string",
RoleAttrFrom = "string",
ScimEnabled = false,
ScimSecretToken = "string",
});
example, err := org.NewSso(ctx, "ssoResource", &org.SsoArgs{
Issuer: pulumi.String("string"),
OrgId: pulumi.String("string"),
IdpCert: pulumi.String("string"),
IdpSignAlgo: pulumi.String("string"),
IdpSsoUrl: pulumi.String("string"),
CustomLogoutUrl: pulumi.String("string"),
DefaultRole: pulumi.String("string"),
Name: pulumi.String("string"),
RoleAttrExtraction: pulumi.String("string"),
IgnoreUnmatchedRoles: pulumi.Bool(false),
NameidFormat: pulumi.String("string"),
RoleAttrFrom: pulumi.String("string"),
ScimEnabled: pulumi.Bool(false),
ScimSecretToken: pulumi.String("string"),
})
var ssoResource = new Sso("ssoResource", SsoArgs.builder()
.issuer("string")
.orgId("string")
.idpCert("string")
.idpSignAlgo("string")
.idpSsoUrl("string")
.customLogoutUrl("string")
.defaultRole("string")
.name("string")
.roleAttrExtraction("string")
.ignoreUnmatchedRoles(false)
.nameidFormat("string")
.roleAttrFrom("string")
.scimEnabled(false)
.scimSecretToken("string")
.build());
sso_resource = junipermist.org.Sso("ssoResource",
issuer="string",
org_id="string",
idp_cert="string",
idp_sign_algo="string",
idp_sso_url="string",
custom_logout_url="string",
default_role="string",
name="string",
role_attr_extraction="string",
ignore_unmatched_roles=False,
nameid_format="string",
role_attr_from="string",
scim_enabled=False,
scim_secret_token="string")
const ssoResource = new junipermist.org.Sso("ssoResource", {
issuer: "string",
orgId: "string",
idpCert: "string",
idpSignAlgo: "string",
idpSsoUrl: "string",
customLogoutUrl: "string",
defaultRole: "string",
name: "string",
roleAttrExtraction: "string",
ignoreUnmatchedRoles: false,
nameidFormat: "string",
roleAttrFrom: "string",
scimEnabled: false,
scimSecretToken: "string",
});
type: junipermist:org:Sso
properties:
customLogoutUrl: string
defaultRole: string
idpCert: string
idpSignAlgo: string
idpSsoUrl: string
ignoreUnmatchedRoles: false
issuer: string
name: string
nameidFormat: string
orgId: string
roleAttrExtraction: string
roleAttrFrom: string
scimEnabled: false
scimSecretToken: string
Sso Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Sso resource accepts the following input properties:
- Idp
Cert string - IDP Cert (used to verify the signed response)
- Idp
Sign stringAlgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- Idp
Sso stringUrl - IDP Single-Sign-On URL
- Issuer string
- IDP issuer URL
- Org
Id string - Custom
Logout stringUrl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- Default
Role string - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- Ignore
Unmatched boolRoles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- Name string
- name
- Nameid
Format string - enum:
email
,unspecified
- Role
Attr stringExtraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- Role
Attr stringFrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- Scim
Enabled bool - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - Scim
Secret stringToken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
- Idp
Cert string - IDP Cert (used to verify the signed response)
- Idp
Sign stringAlgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- Idp
Sso stringUrl - IDP Single-Sign-On URL
- Issuer string
- IDP issuer URL
- Org
Id string - Custom
Logout stringUrl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- Default
Role string - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- Ignore
Unmatched boolRoles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- Name string
- name
- Nameid
Format string - enum:
email
,unspecified
- Role
Attr stringExtraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- Role
Attr stringFrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- Scim
Enabled bool - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - Scim
Secret stringToken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
- idp
Cert String - IDP Cert (used to verify the signed response)
- idp
Sign StringAlgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- idp
Sso StringUrl - IDP Single-Sign-On URL
- issuer String
- IDP issuer URL
- org
Id String - custom
Logout StringUrl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- default
Role String - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- ignore
Unmatched BooleanRoles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- name String
- name
- nameid
Format String - enum:
email
,unspecified
- role
Attr StringExtraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- role
Attr StringFrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- scim
Enabled Boolean - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - scim
Secret StringToken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
- idp
Cert string - IDP Cert (used to verify the signed response)
- idp
Sign stringAlgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- idp
Sso stringUrl - IDP Single-Sign-On URL
- issuer string
- IDP issuer URL
- org
Id string - custom
Logout stringUrl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- default
Role string - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- ignore
Unmatched booleanRoles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- name string
- name
- nameid
Format string - enum:
email
,unspecified
- role
Attr stringExtraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- role
Attr stringFrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- scim
Enabled boolean - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - scim
Secret stringToken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
- idp_
cert str - IDP Cert (used to verify the signed response)
- idp_
sign_ stralgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- idp_
sso_ strurl - IDP Single-Sign-On URL
- issuer str
- IDP issuer URL
- org_
id str - custom_
logout_ strurl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- default_
role str - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- ignore_
unmatched_ boolroles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- name str
- name
- nameid_
format str - enum:
email
,unspecified
- role_
attr_ strextraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- role_
attr_ strfrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- scim_
enabled bool - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - scim_
secret_ strtoken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
- idp
Cert String - IDP Cert (used to verify the signed response)
- idp
Sign StringAlgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- idp
Sso StringUrl - IDP Single-Sign-On URL
- issuer String
- IDP issuer URL
- org
Id String - custom
Logout StringUrl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- default
Role String - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- ignore
Unmatched BooleanRoles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- name String
- name
- nameid
Format String - enum:
email
,unspecified
- role
Attr StringExtraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- role
Attr StringFrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- scim
Enabled Boolean - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - scim
Secret StringToken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
Outputs
All input properties are implicitly available as output properties. Additionally, the Sso resource produces the following output properties:
- Domain string
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - Id string
- The provider-assigned unique ID for this managed resource.
- Domain string
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - Id string
- The provider-assigned unique ID for this managed resource.
- domain String
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - id String
- The provider-assigned unique ID for this managed resource.
- domain string
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - id string
- The provider-assigned unique ID for this managed resource.
- domain str
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - id str
- The provider-assigned unique ID for this managed resource.
- domain String
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Sso Resource
Get an existing Sso resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SsoState, opts?: CustomResourceOptions): Sso
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
custom_logout_url: Optional[str] = None,
default_role: Optional[str] = None,
domain: Optional[str] = None,
idp_cert: Optional[str] = None,
idp_sign_algo: Optional[str] = None,
idp_sso_url: Optional[str] = None,
ignore_unmatched_roles: Optional[bool] = None,
issuer: Optional[str] = None,
name: Optional[str] = None,
nameid_format: Optional[str] = None,
org_id: Optional[str] = None,
role_attr_extraction: Optional[str] = None,
role_attr_from: Optional[str] = None,
scim_enabled: Optional[bool] = None,
scim_secret_token: Optional[str] = None) -> Sso
func GetSso(ctx *Context, name string, id IDInput, state *SsoState, opts ...ResourceOption) (*Sso, error)
public static Sso Get(string name, Input<string> id, SsoState? state, CustomResourceOptions? opts = null)
public static Sso get(String name, Output<String> id, SsoState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Custom
Logout stringUrl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- Default
Role string - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- Domain string
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - Idp
Cert string - IDP Cert (used to verify the signed response)
- Idp
Sign stringAlgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- Idp
Sso stringUrl - IDP Single-Sign-On URL
- Ignore
Unmatched boolRoles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- Issuer string
- IDP issuer URL
- Name string
- name
- Nameid
Format string - enum:
email
,unspecified
- Org
Id string - Role
Attr stringExtraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- Role
Attr stringFrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- Scim
Enabled bool - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - Scim
Secret stringToken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
- Custom
Logout stringUrl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- Default
Role string - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- Domain string
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - Idp
Cert string - IDP Cert (used to verify the signed response)
- Idp
Sign stringAlgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- Idp
Sso stringUrl - IDP Single-Sign-On URL
- Ignore
Unmatched boolRoles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- Issuer string
- IDP issuer URL
- Name string
- name
- Nameid
Format string - enum:
email
,unspecified
- Org
Id string - Role
Attr stringExtraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- Role
Attr stringFrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- Scim
Enabled bool - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - Scim
Secret stringToken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
- custom
Logout StringUrl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- default
Role String - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- domain String
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - idp
Cert String - IDP Cert (used to verify the signed response)
- idp
Sign StringAlgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- idp
Sso StringUrl - IDP Single-Sign-On URL
- ignore
Unmatched BooleanRoles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- issuer String
- IDP issuer URL
- name String
- name
- nameid
Format String - enum:
email
,unspecified
- org
Id String - role
Attr StringExtraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- role
Attr StringFrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- scim
Enabled Boolean - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - scim
Secret StringToken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
- custom
Logout stringUrl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- default
Role string - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- domain string
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - idp
Cert string - IDP Cert (used to verify the signed response)
- idp
Sign stringAlgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- idp
Sso stringUrl - IDP Single-Sign-On URL
- ignore
Unmatched booleanRoles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- issuer string
- IDP issuer URL
- name string
- name
- nameid
Format string - enum:
email
,unspecified
- org
Id string - role
Attr stringExtraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- role
Attr stringFrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- scim
Enabled boolean - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - scim
Secret stringToken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
- custom_
logout_ strurl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- default_
role str - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- domain str
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - idp_
cert str - IDP Cert (used to verify the signed response)
- idp_
sign_ stralgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- idp_
sso_ strurl - IDP Single-Sign-On URL
- ignore_
unmatched_ boolroles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- issuer str
- IDP issuer URL
- name str
- name
- nameid_
format str - enum:
email
,unspecified
- org_
id str - role_
attr_ strextraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- role_
attr_ strfrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- scim_
enabled bool - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - scim_
secret_ strtoken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
- custom
Logout StringUrl - a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is different from SP-initiated SLO process)
- default
Role String - default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role matched
- domain String
- random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
/api/v1/saml/{domain}/login
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/login
) * Single Logout URL =/api/v1/saml/{domain}/logout
(e.g.https://api.mist.com/api/v1/saml/s4t5vwv8/logout
) - idp
Cert String - IDP Cert (used to verify the signed response)
- idp
Sign StringAlgo - Signing algorithm for SAML Assertion. enum
sha1
,sha256
,sha384
,sha512
- idp
Sso StringUrl - IDP Single-Sign-On URL
- ignore
Unmatched BooleanRoles - ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
- issuer String
- IDP issuer URL
- name String
- name
- nameid
Format String - enum:
email
,unspecified
- org
Id String - role
Attr StringExtraction - custom role attribute parsing scheme\n\nSupported Role Parsing Schemes\nNameSchemecnThe expected role attribute format in SAML Assertion is “CN=cn,OU=ou1,OU=ou2,…”CN (the key) is case insensitive and exactly 1 CN is expected (or the entire entry will be ignored)E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is “cn”
- role
Attr StringFrom - name of the attribute in SAML Assertion to extract role from. Default:
Role
- scim
Enabled Boolean - if
idp_type
==oauth
, indicates if SCIM provisioning is enabled for the OAuth IDP - scim
Secret StringToken - if
idp_type
==oauth
, scim_secret_token (generated by caller, crypto-random) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
Import
Using pulumi import
, import mist_org_sso
with:
Org PSK can be imported by specifying the org_id and the sso_id
$ pulumi import junipermist:org/sso:Sso sso_admin_one 17b46405-3a6d-4715-8bb4-6bb6d06f316a.d3c42998-9012-4859-9743-6b9bee475309
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- junipermist pulumi/pulumi-junipermist
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
mist
Terraform Provider.