feat(sso): add sysdig_sso_openid and sysdig_sso_saml resources #688
tembleking merged 6 commits into master from
Conversation
Add new Terraform resource to manage OpenID Connect SSO configurations via /api/v1/sso-settings/ endpoint. Refs: ET-553
Add SAML SSO configuration resource for Sysdig, allowing users to configure SAML-based Single Sign-On via Terraform.

Features:
- Support for metadata_url or metadata_xml (mutually exclusive)
- SAML security settings (signature validation, signed assertions, destination verification, encryption support)
- Common SSO fields (group mapping, single logout, auto user creation)
- Full CRUD operations with optimistic locking via version field

- Change endpoint from /api/v1/sso-settings to /platform/v1/sso-settings
- Move disable-before-delete logic to resource layer (API requires client_secret)
- Add ForceNew to integration_name (cannot be updated via API)
- Preserve additional_scopes from state when API returns null
- Skip WithMetadata test due to Platform API bug (returns 500 for manual metadata)
dbonf
left a comment
Related to SSO settings, we also have group mappings (/platform/v1/group-mappings, to be used when we define group mapping in this resource) and global SSO settings (/platform/v1/global-sso-settings/, to enable / disable password login). Are we planning also to include them?
Yes, we plan to add those as well.
Pull request overview
This PR adds SSO configuration resources for OpenID Connect and SAML authentication to the Sysdig Terraform provider, enabling users to manage single sign-on configurations declaratively through Terraform.
Changes:
- Added `sysdig_sso_openid` and `sysdig_sso_saml` resources with full CRUD operations
- Implemented client interfaces and API handlers for the `/platform/v1/sso-settings/` endpoint
- Added comprehensive documentation and acceptance tests for both resources
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| sysdig/provider.go | Registered new SSO resource types in provider |
| sysdig/resource_sysdig_sso_openid.go | OpenID Connect SSO resource implementation with metadata discovery support |
| sysdig/resource_sysdig_sso_saml.go | SAML SSO resource implementation with metadata URL/XML options |
| sysdig/resource_sysdig_sso_openid_test.go | Acceptance tests for OpenID SSO configurations |
| sysdig/resource_sysdig_sso_saml_test.go | Acceptance tests for SAML SSO configurations |
| sysdig/internal/client/v2/sso_openid.go | HTTP client methods for OpenID SSO API operations |
| sysdig/internal/client/v2/sso_saml.go | HTTP client methods for SAML SSO API operations |
| sysdig/internal/client/v2/model.go | Data models for SSO configurations |
| sysdig/internal/client/v2/sysdig.go | Interface registration for SSO clients |
| website/docs/r/sso_openid.md | Documentation for OpenID SSO resource |
| website/docs/r/sso_saml.md | Documentation for SAML SSO resource |
| sysdig/resource_sysdig_secure_cloud_auth_account_test.go | Removed trailing blank line |
The Platform API bug that returned 500 when creating SSO OpenID configurations with isMetadataDiscoveryEnabled=false has been fixed. Re-enable the TestAccSSOOpenID_WithMetadata test.
- Remove redundant group_attribute_name field from OpenID resource (use group_mapping_attribute_name instead)
- Fix metadata validation to return error instead of ForceNew
- Remove unnecessary empty validation function from SAML resource
- Update integration_name description to clarify its purpose
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated no new comments.
## Summary

- Add `sysdig_sso_openid` resource for OpenID Connect SSO configuration
- Add `sysdig_sso_saml` resource for SAML SSO configuration

Both resources use the `/platform/v1/sso-settings/` endpoint with different `type` discriminators.

### sysdig_sso_openid features:
- Issuer URL with optional metadata discovery
- Client ID/Secret authentication
- Manual metadata configuration when discovery is disabled
- Additional OAuth scopes support

### sysdig_sso_saml features:
- Metadata via URL or inline XML (mutually exclusive)
- Email parameter mapping
- Security settings (signature validation, signed assertions, destination verification, encryption)

### Common SSO features (both resources):
- Product selection (monitor/secure)
- Group mapping configuration
- Single logout support
- Auto user creation on login
- Optimistic locking via version field

## Test plan
- [ ] Run acceptance tests for OpenID: `go test ./sysdig -v -run TestAccSSOOpenID -tags=tf_acc_sysdig_secure -timeout 120m`
- [ ] Run acceptance tests for SAML: `go test ./sysdig -v -run TestAccSSOSaml -tags=tf_acc_sysdig_secure -timeout 120m`
- [ ] Verify import functionality for both resources
- [ ] Test update operations with version-based optimistic locking
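The last test-plan item, "update operations with version-based optimistic locking", is the part of these resources most likely to bite in practice: two writers (a Terraform apply and someone editing SSO in the UI, or two applies from different pipelines) can read the same configuration and both try to write it back. The following is an added example, not code from this PR or from the Sysdig provider. It assumes a simplified wire model (`id`, `version`, `type`, `integrationName` are stand-ins echoing the PR description, not the real schema), assumes the API answers a stale `version` with HTTP 409, and stands up a constructed `httptest` server in place of the real `/platform/v1/sso-settings/` endpoint so it runs offline. It shows the read-modify-write loop a provider's Update step needs: read the current version, mutate, write back carrying that version, and start over from a fresh read when the write is rejected.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
)

// SSOSettings is an assumed wire model; field names echo the PR (type discriminator, version) but are not the provider's.
type SSOSettings struct {
	ID              int    `json:"id"`
	Version         int    `json:"version"`
	Type            string `json:"type"`
	IntegrationName string `json:"integrationName"`
}

// ErrConflict is returned when the API rejects a write that carries a stale version.
var ErrConflict = errors.New("sso-settings: version conflict")

// fakeSSOServer is a constructed stand-in for the platform API holding one OpenID configuration
// at id 1. A PUT is accepted only when the body's version equals the stored one and bumps the version.
func fakeSSOServer() *httptest.Server {
	var mu sync.Mutex
	cur := SSOSettings{ID: 1, Version: 1, Type: "OPENID", IntegrationName: "initial"}
	mux := http.NewServeMux()
	mux.HandleFunc("/platform/v1/sso-settings/1", func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		if r.Method == http.MethodPut {
			var in SSOSettings
			if json.NewDecoder(r.Body).Decode(&in) != nil || in.Version != cur.Version {
				http.Error(w, "malformed or stale body (a real API would return 400 for the former)", http.StatusConflict)
				return
			}
			in.ID, in.Version = cur.ID, cur.Version+1
			cur = in
		}
		json.NewEncoder(w).Encode(cur)
	})
	return httptest.NewServer(mux)
}

// Client is an assumed minimal client for the sso-settings endpoint.
type Client struct {
	BaseURL string
	HTTP    *http.Client
}

// do sends one request and decodes the returned configuration; a 409 surfaces as ErrConflict.
func (c *Client) do(method string, id int, in *SSOSettings) (*SSOSettings, error) {
	var body io.Reader
	if in != nil {
		b, _ := json.Marshal(in) // plain struct fields cannot fail to marshal
		body = bytes.NewReader(b)
	}
	req, _ := http.NewRequest(method, fmt.Sprintf("%s/platform/v1/sso-settings/%d", c.BaseURL, id), body)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusConflict {
		return nil, ErrConflict
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s sso-settings/%d: status %d", method, id, resp.StatusCode)
	}
	var out SSOSettings
	err = json.NewDecoder(resp.Body).Decode(&out)
	return &out, err
}

func (c *Client) Get(id int) (*SSOSettings, error)         { return c.do(http.MethodGet, id, nil) }
func (c *Client) Put(s *SSOSettings) (*SSOSettings, error) { return c.do(http.MethodPut, s.ID, s) }

// Update is the read-modify-write loop a provider's Update step runs: fetch the latest version,
// apply the change, write it back carrying that version, and re-read if another writer won the race.
func (c *Client) Update(id int, mutate func(*SSOSettings), maxAttempts int) (*SSOSettings, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		cur, err := c.Get(id)
		if err != nil {
			return nil, err
		}
		mutate(cur)
		out, err := c.Put(cur)
		if errors.Is(err, ErrConflict) {
			continue // someone else wrote in between: re-read and try again
		}
		return out, err
	}
	return nil, fmt.Errorf("update sso-settings/%d: gave up after %d version conflicts", id, maxAttempts)
}
```

The point of surfacing the 409 as a distinct `ErrConflict` is that it is the only failure worth retrying automatically: a 4xx on a malformed body or a missing record would loop forever if retried, so those fall through as plain errors. In a provider, the same pattern is what makes `terraform apply` fail loudly (or converge) instead of silently overwriting an SSO change somebody made out of band, which for an authentication setting is exactly the behaviour you want.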