
Add User ID Attribute Type for AzureAD Connections #1006

Open
1 task done
u771385 opened this issue Aug 21, 2024 · 5 comments
Assignees
Labels
🌱 feature New feature or request

Comments

@u771385

u771385 commented Aug 21, 2024

Checklist

Describe the problem you'd like to have solved

Need to be able to set the User ID Attribute Type on Azure AD Connections to oid to support SCIM. My existing connections that were provisioned through TF were all defaulted to sub.

Describe the ideal solution

One idea would be to extend the user_id_attribute used for samlp connections and allow either oid or sub for AzureAD connections.

Alternatives and current workarounds

None. Any update to the Connection will cause a null to be passed to the userid_attribute field which will reset the value back to sub - even though it retrieved the value as "oid" in the GET just before the PATCH.

Additional context

No response

@u771385 u771385 added the 🌱 feature New feature or request label Aug 21, 2024
@stevemao

This seems to be a bug rather than a feature

@michael-mcguinness

Agree that this is a bug.

From an API view (GET https://tenant.eu.auth0.com/api/v2/connection) the userid_attribute property is not visible until it has been explicitly set in some way. In our case, while investigating the issue, we set the value to oid and then back to sub via the console. If we then made an API call to view the resource we could see the userid_attribute property and can see that it is set to sub.

The next time we perform a terraform apply the property gets set back to null. Any subsequent terraform plan shows an intention to set this back to sub but it stays as null when viewed via the API.

 # module.terraform-auth0-tenant.auth0_connection.connections["connection_aad"] will be updated in-place
  ~ resource "auth0_connection" "connections" {
        id                   = "<redacted>"
        name                 = "<redacted>"
        # (5 unchanged attributes hidden)

      ~ options {
          + user_id_attribute                      = "sub"
            # (37 unchanged attributes hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

We assume that despite this showing as null the underlying behaviour is sub.

@rwyr

rwyr commented Oct 11, 2024

I've just tried version 1.7.0 and, even if I set up "oid" in terraform, it still sets the value to "sub" during terraform apply, and I have to change it manually after each CD pipeline.

In terraform we set:

user_id_attribute      = "oid"

The Get Connection call from the Management API returns this (after I manually changed "sub" to "oid" in the dashboard):

"userid_attribute": "oid",

Is it possible it doesn't work because of a difference in properties' names?

@duedares-rvj duedares-rvj self-assigned this Oct 28, 2024
@duedares-rvj
Contributor

@rwyr I tried creating a new connection with the below and then updated the value from oid to sub and it worked as expected.

The naming convention userid_attribute vs user_id_attribute is not going to be an issue; the SDK handles it correctly.

resource "auth0_connection" "azure_ad" {
  name           = "Acceptance-Test-Azure-AD-sample"
  strategy       = "waad"
  show_as_button = true

  options {
    identity_api     = "azure-active-directory-v1.0"
    client_id        = "123456"
    client_secret    = "123456"
    strategy_version = 2
    tenant_domain    = "example.onmicrosoft.com"
    domain           = "example.onmicrosoft.com"
    domain_aliases = [
      "example.com",
      "api.example.com"
    ]
    use_wsfed            = false
    waad_protocol        = "openid-connect"
    waad_common_endpoint = false
    # Terraform key; the Management API exposes the same setting as userid_attribute
    user_id_attribute    = "oid"
    api_enable_users     = true
    scopes = [
      "basic_profile",
      "ext_groups",
      "ext_profile"
    ]
    set_user_root_attributes               = "on_each_login"
    should_trust_email_verified_connection = "never_set_emails_as_verified"
    upstream_params = jsonencode({
      "screen_name" : {
        "alias" : "login_hint"
      }
    })
  }
}
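The drift described earlier in the thread (the API omitting userid_attribute until it is set, a PATCH carrying null resetting it to sub) and the user_id_attribute / userid_attribute spelling difference discussed just above can both be checked offline against a saved GET response. The script below is an added example, not code from the issue, the provider or the Auth0 SDK; it assumes, as the thread does, that an absent property behaves as "sub", and that the Management API PATCH replaces the whole options object, so a merge over the current options is what keeps the field alive. The sample API response and desired values are constructed.

```python
import json

# Key spellings on each side (the difference asked about in the thread).
TF_KEY = "user_id_attribute"   # Terraform provider attribute name
API_KEY = "userid_attribute"   # Auth0 Management API property name
# Assumption from the thread: when the API omits the property, the connection behaves as "sub".
DEFAULT_USERID_ATTRIBUTE = "sub"
ALLOWED_VALUES = {"sub", "oid"}


def effective_userid_attribute(connection: dict) -> str:
    """Value a waad connection actually uses; a missing property is treated as the default."""
    options = connection.get("options") or {}
    value = options.get(API_KEY)
    if value is None:
        return DEFAULT_USERID_ATTRIBUTE
    if value not in ALLOWED_VALUES:
        raise ValueError(f"unexpected {API_KEY} value: {value!r}")
    return value


def to_terraform_options(api_options: dict) -> dict:
    """Rename API option keys to their Terraform spelling (only the key that differs here)."""
    return {(TF_KEY if key == API_KEY else key): value for key, value in api_options.items()}


def find_drift(desired: dict, api_connections: list) -> list:
    """Compare intended values (connection name -> 'oid'|'sub') with the API state.

    Returns one record per waad connection whose effective value differs from
    the intended one; 'explicit' says whether the API returned the property at all.
    """
    drift = []
    for conn in api_connections:
        if conn.get("strategy") != "waad" or conn.get("name") not in desired:
            continue
        actual = effective_userid_attribute(conn)
        wanted = desired[conn["name"]]
        if actual != wanted:
            drift.append({
                "name": conn["name"],
                "wanted": wanted,
                "actual": actual,
                "explicit": API_KEY in (conn.get("options") or {}),
            })
    return drift


def build_patch_options(current_options: dict, changes: dict) -> dict:
    """Merge a change set over the options returned by GET so unchanged keys survive.

    Assumption: PATCH replaces the whole options object, so omitting the key (or
    sending null for it) is what resets userid_attribute; refuse to null it out.
    """
    if API_KEY in changes and changes[API_KEY] is None:
        raise ValueError(f"refusing to send null for {API_KEY}; it would reset the connection to 'sub'")
    merged = dict(current_options)
    merged.update(changes)
    return merged


# Constructed sample of a GET /api/v2/connections response (not real tenant data).
SAMPLE_API_RESPONSE = json.loads("""[
  {"id": "con_sample1", "name": "connection_aad", "strategy": "waad",
   "options": {"tenant_domain": "example.onmicrosoft.com"}},
  {"id": "con_sample2", "name": "azure_ad", "strategy": "waad",
   "options": {"tenant_domain": "example.onmicrosoft.com", "userid_attribute": "oid"}},
  {"id": "con_sample3", "name": "db", "strategy": "auth0", "options": {}}
]""")

# Constructed: what the Terraform config intends for each connection.
DESIRED = {"connection_aad": "oid", "azure_ad": "oid"}


if __name__ == "__main__":
    for record in find_drift(DESIRED, SAMPLE_API_RESPONSE):
        state = "explicit" if record["explicit"] else "property absent, default assumed"
        print(f"{record['name']}: wanted {record['wanted']}, effective {record['actual']} ({state})")
```

Run against a real tenant by replacing SAMPLE_API_RESPONSE with the parsed output of a GET on /api/v2/connections and DESIRED with the values from your Terraform config; a connection reported as "property absent" is the case the thread describes, where the plan keeps proposing a change that never lands.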

@rwyr
Copy link

rwyr commented Oct 29, 2024

Yes, it's been fixed in v1.7.1
