meshcloud/terraform-custom-meshplatform-sso

Terraform Custom MeshPlatform SSO

Terraform modules for configuring SAML federation between cloud providers (OVH, OCI) and identity providers (Azure AD, now Microsoft Entra ID; other SAML 2.0 IdPs with adapted attribute mappings).

These modules automate the setup of Single Sign-On (SSO) for cloud platforms, allowing users to authenticate using centralized identity providers instead of managing separate credentials for each cloud provider.

Modules

azuread-saml-app

Configure Azure AD Enterprise Applications for SAML SSO (Identity Provider side).

Features:

  • SAML Enterprise Application creation
  • Automatic SAML metadata generation
  • Automatic group creation with customizable descriptions
  • User and group assignments
  • Configurable SAML claims (email, givenname, surname, groups)
  • Service Principal with SAML SSO enabled

Quick Start:

module "azuread_saml_app" {
  source = "./modules/azuread-saml-app"

  display_name    = "OCI Cloud SSO"
  identifier_uris = ["https://idcs-xxx.identity.oraclecloud.com"]
  redirect_uris   = ["https://idcs-xxx.identity.oraclecloud.com/fed/v1/sp/sso"]

  create_groups = {
    "OCI-Administrators" = {
      description = "Administrators for OCI Cloud"
    }
    "OCI-Users" = {}  # Uses default description
  }
}
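To show what the feature list above amounts to at the resource level, here is an added, stand-alone example written against the hashicorp/azuread provider v3. It is not the azuread-saml-app module's code; it reuses the placeholder OCI URIs from the quick start and the certificate end date is an assumed value. The two settings that matter for security are called out in comments: requiring assignment before a user can obtain an assertion, and emitting groups as object IDs.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 3.0"
    }
  }
}

data "azuread_client_config" "current" {}

# Application object. identifier_uris is the Audience / Entity ID the service
# provider expects; redirect_uris is the ACS URL the assertion is POSTed to.
resource "azuread_application" "oci" {
  display_name    = "OCI Cloud SSO"
  identifier_uris = ["https://idcs-xxx.identity.oraclecloud.com"]

  web {
    redirect_uris = ["https://idcs-xxx.identity.oraclecloud.com/fed/v1/sp/sso"]
  }

  # Put the user's security groups in the assertion. Azure AD emits them as
  # group object IDs (not display names), which is what the SP mapping should
  # key on: names are not unique and can be renamed.
  group_membership_claims = ["SecurityGroup"]
}

# Enterprise Application (service principal) with SAML as the SSO mode.
resource "azuread_service_principal" "oci" {
  client_id                     = azuread_application.oci.client_id
  preferred_single_sign_on_mode = "saml"

  # Without this, every user in the tenant can sign in to the application.
  app_role_assignment_required = true

  feature_tags {
    enterprise = true
  }
}

# Dedicated SAML signing certificate with an explicit lifetime (assumed date)
# so rotation can be planned and the SP re-imported before it expires.
resource "azuread_service_principal_token_signing_certificate" "oci" {
  service_principal_id = azuread_service_principal.oci.id
  display_name         = "CN=OCI Cloud SSO Signing"
  end_date             = "2027-01-01T00:00:00Z"
}

resource "azuread_group" "oci_admins" {
  display_name     = "OCI-Administrators"
  description      = "Administrators for OCI Cloud"
  security_enabled = true
}

# Grant the group the default access role on the Enterprise Application.
# The all-zero GUID is the built-in default "User" role of an app that
# defines no roles of its own.
resource "azuread_app_role_assignment" "oci_admins" {
  app_role_id         = "00000000-0000-0000-0000-000000000000"
  principal_object_id = azuread_group.oci_admins.object_id
  resource_object_id  = azuread_service_principal.oci.object_id
}

# Object ID to key the service-provider group mapping on instead of the name.
output "oci_admins_group_object_id" {
  value = azuread_group.oci_admins.object_id
}

# App-specific metadata URL to register in OCI / OVH.
output "idp_metadata_url" {
  value = "https://login.microsoftonline.com/${data.azuread_client_config.current.tenant_id}/federationmetadata/2007-06/federationmetadata.xml?appid=${azuread_application.oci.client_id}"
}
```

Email, given name and surname are part of Azure AD's default SAML claim set, so no optional_claims block is needed for the attributes listed under Features; the Name ID defaults to user.userprincipalname.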

oci-saml-sso

Configure SAML federation in Oracle Cloud Infrastructure (Service Provider side).

⚠️ Important: Due to OCI Terraform Provider Bug #2072, the Identity Provider cannot be created automatically via Terraform. Manual configuration in OCI Console is required. See the OCI Example for detailed manual setup instructions.

What Terraform Automates:

  • ✅ OCI groups for federated users
  • ✅ IAM policies for federated users

What Requires Manual Setup:

  • ❌ SAML Identity Provider registration (must be done in OCI Console)
  • ❌ JIT provisioning configuration
  • ❌ Attribute and group mappings

Quick Start:

module "oci_saml_sso" {
  source = "./modules/oci-saml-sso"

  identity_domain_id = "ocid1.domain.oc1..xxx"
  compartment_id     = "ocid1.compartment.oc1..xxx"

  # Groups created automatically by Terraform
  group_mappings = {
    "oci-admins" = { oci_group_name = "Administrators" }
  }
}
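To make the OCI side concrete, here is an added, stand-alone example (not the oci-saml-sso module's code) that writes the two things the module automates, an identity domain group and an IAM policy, directly with the oracle/oci provider. The identity_domain_id and compartment_id placeholders follow the quick start above; the group and policy names are assumed. Instead of mapping federated admins onto the built-in Administrators group, which carries tenancy-wide manage rights, it scopes the policy to one compartment and adds a read-only group for everyone else.

```hcl
terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = ">= 5.0"
    }
  }
}

variable "identity_domain_id" {
  type        = string
  description = "OCID of the identity domain, e.g. ocid1.domain.oc1..xxx"
}

variable "compartment_id" {
  type        = string
  description = "OCID of the compartment the federated groups may work in"
}

# The identity_domains_* resources talk to the domain's IDCS endpoint, which
# the domain data source exposes as `url`.
data "oci_identity_domain" "this" {
  domain_id = var.identity_domain_id
}

resource "oci_identity_domains_group" "platform_admins" {
  idcs_endpoint = data.oci_identity_domain.this.url
  display_name  = "Platform-Administrators" # assumed name
  schemas       = ["urn:ietf:params:scim:schemas:core:2.0:Group"]
}

resource "oci_identity_domains_group" "platform_readers" {
  idcs_endpoint = data.oci_identity_domain.this.url
  display_name  = "Platform-Readers" # assumed name
  schemas       = ["urn:ietf:params:scim:schemas:core:2.0:Group"]
}

# Identity-domain groups are referenced in policy statements as
# '<domain display name>'/'<group display name>'. Both policies are attached
# to, and scoped to, the target compartment rather than the tenancy.
resource "oci_identity_policy" "platform_admins" {
  compartment_id = var.compartment_id
  name           = "platform-admins-policy"
  description    = "Federated admins manage resources in the platform compartment only"
  statements = [
    "Allow group '${data.oci_identity_domain.this.display_name}'/'${oci_identity_domains_group.platform_admins.display_name}' to manage all-resources in compartment id ${var.compartment_id}",
  ]
}

resource "oci_identity_policy" "platform_readers" {
  compartment_id = var.compartment_id
  name           = "platform-readers-policy"
  description    = "Federated users get read-only access to the platform compartment"
  statements = [
    "Allow group '${data.oci_identity_domain.this.display_name}'/'${oci_identity_domains_group.platform_readers.display_name}' to read all-resources in compartment id ${var.compartment_id}",
  ]
}
```

The group display names are what you then enter in the OCI Console when configuring the manual group mapping for the Identity Provider (see the manual steps above), so keep them stable: renaming a group here silently breaks the mapping until it is redone in the console.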

ovh-saml-sso

Configure SAML group mappings for OVH Cloud (Service Provider side).

Note: Due to OVH Terraform provider limitations, the SAML IdP must be configured manually through OVH Control Panel. This module manages group-to-role mappings only.

Features:

  • Group-to-role mappings for SAML-authenticated users
  • Role mappings (ADMIN, REGULAR, UNPRIVILEGED, NONE)

Quick Start:

module "ovh_saml_sso" {
  source = "./modules/ovh-saml-sso"

  group_mappings = {
    "ovh-admins" = { ovh_role = "ADMIN" }
  }
}

See OVH's Azure AD SAML SSO documentation for manual IdP setup.

Use Cases

Centralized Identity Management

Use these modules when you want to:

  • Centralize authentication across multiple cloud providers
  • Use Azure AD (or other SAML IdP) as the single source of truth for user identities
  • Eliminate separate credential management for each cloud provider
  • Implement consistent access policies across cloud platforms

Example Architecture

graph TB
    subgraph Azure["Azure AD (Identity Provider)"]
        Apps["Enterprise Applications<br/>(SAML Apps)"]
        OCI_App["OCI Cloud SSO<br/>(azuread-saml-app)"]
        OVH_App["OVH Cloud SSO<br/>(azuread-saml-app)"]
        Apps --> OCI_App
        Apps --> OVH_App
    end

    subgraph OCI["OCI Cloud (Service Provider)"]
        OCI_IdP["IdP Config"]
        OCI_Groups["Group Mappings"]
        OCI_JIT["JIT Provisioning"]
    end

    subgraph OVH["OVH Cloud (Service Provider)"]
        OVH_IdP["IdP Config"]
        OVH_Groups["Group Mappings"]
        OVH_Roles["Role Mappings"]
    end

    OCI_App -->|SAML Assertion| OCI_IdP
    OVH_App -->|SAML Assertion| OVH_IdP

    classDef azureStyle fill:#0078D4,stroke:#004578,color:#fff
    classDef ociStyle fill:#F80000,stroke:#B30000,color:#fff
    classDef ovhStyle fill:#123F6D,stroke:#0A2540,color:#fff

    class Azure,Apps,OCI_App,OVH_App azureStyle
    class OCI,OCI_IdP,OCI_Groups,OCI_JIT ociStyle
    class OVH,OVH_IdP,OVH_Groups,OVH_Roles ovhStyle

Complete SSO Flow:

  1. Azure AD Module creates Enterprise Applications with SAML configuration
  2. Service Provider Modules (OCI/OVH) create the groups, policies and group-to-role mappings; the IdP registration itself is done manually in the OCI Console and OVH Control Panel, as noted above
  3. Users authenticate once with Azure AD and access all configured cloud platforms

Getting Started

Prerequisites

For Azure AD (Identity Provider):

  • Azure AD tenant
  • Permissions to create Enterprise Applications (Application Administrator, Cloud Application Administrator or Global Administrator role)
  • Needed only when using the azuread-saml-app module; see Option 2 below for manual setup

For OCI:

  • OCI tenancy with Identity Domains enabled
  • Identity Domain OCID, its IDCS endpoint URL and the target Compartment OCID
  • OCI Terraform provider credentials

For OVH:

  • OVH account with administrative access
  • OVH API credentials (Application Key, Secret, Consumer Key)
  • Manual SAML IdP setup via OVH Control Panel (provider limitation)

Installation

Clone this repository:

git clone <repository-url>
cd terraform-custom-meshplatform-sso

Example Usage

See the examples directory for complete working examples:

  • OCI Example - Complete Azure AD + OCI SAML federation setup
  • OVH Example - Complete Azure AD + OVH SAML setup (includes manual IdP step)

Option 1: Terraform-Managed Setup (Examples)

Each example in the examples/ directory provides a complete, end-to-end configuration for both the identity provider (Azure AD) and service provider (OCI or OVH).

Quick Start:

cd examples/oci  # or examples/ovh
terraform init
terraform apply

Follow the step-by-step deployment guides in each example's README for detailed instructions.

Option 2: Manual Azure AD Setup

If you prefer to create Enterprise Applications manually instead of using the azuread-saml-app module:

1. Create Enterprise Application:

  1. Azure Portal → Azure Active Directory → Enterprise Applications
  2. New Application → "Create your own application"
  3. Name it (e.g., "OCI Cloud SSO" or "OVH Cloud SSO")
  4. Select "Non-gallery application"
  5. Go to "Single sign-on" → Select "SAML"

2. Get Azure AD Metadata:

Copy the "App Federation Metadata Url" from the SAML Signing Certificate card. It is app-specific:

https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<application-id>

Azure AD issues each Enterprise Application its own SAML signing certificate, so use this URL (with the appid parameter) rather than the tenant-wide metadata URL without it; otherwise the service provider may import the wrong certificate.

3. Run Service Provider Terraform Module:

cd examples/oci  # or examples/ovh
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your values
terraform init
terraform apply

4. Complete Azure AD Configuration:

Use the Terraform outputs to complete Azure AD setup:

terraform output entity_id  # Use as Identifier (Entity ID)
terraform output acs_url    # Use as Reply URL

Configure these values in Azure AD Enterprise Application SAML settings.

5. Test SSO:

Test federated login through the service provider's SSO URL.

Module Documentation

Common Configuration

Azure AD SAML Claims

The service-provider modules (oci-saml-sso, ovh-saml-sso) expect the standard Azure AD SAML claims below, which the azuread-saml-app module configures by default:

Claim        Azure AD source attribute
Name ID      user.userprincipalname
Email        user.mail
First Name   user.givenname
Last Name    user.surname
Groups       user.groups

Group Mappings

Map Azure AD groups to cloud provider roles/groups:

OCI:

group_mappings = {
  "azure-ad-group-name" = {
    oci_group_name = "Administrators"  # OCI group
  }
}

OVH:

group_mappings = {
  "azure-ad-group-name" = {
    ovh_role = "ADMIN"  # ADMIN, REGULAR, UNPRIVILEGED, NONE
  }
}

Troubleshooting

OCI Identity Provider Cannot Be Created via Terraform

Symptom: Error: 400 BadRequest when creating Identity Provider

Cause: OCI Terraform Provider Bug #2072 - The oci_identity_domains_identity_provider resource is broken

Status: Open since March 2024; no fix was available at the time of writing

Solution: Follow the Manual Configuration Steps in the OCI example to create the Identity Provider in OCI Console

Users Cannot Login

  1. Verify Azure AD Configuration:

    • Check Entity ID and Reply URL match Terraform outputs
    • Verify users are assigned to the Enterprise Application
    • Confirm SAML claims are configured
  2. Check Cloud Provider Logs:

    • OCI: Identity Domain → Audit Logs
    • OVH: Control Panel → My Account → Identity Management
  3. Validate Metadata:

    • Ensure metadata URL is accessible
    • Check metadata hasn't expired
    • Verify certificate validity
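The "Validate Metadata" step can be automated with a Terraform 1.5+ check block so that a stale tenant ID, wrong application ID or missing signing certificate is reported on every plan. This is an added example, not part of the repository; it assumes the hashicorp/http provider and two input variables, tenant_id and app_id, that you would set to your Azure AD tenant and Enterprise Application (client) ID.

```hcl
terraform {
  required_version = ">= 1.5.0" # check blocks

  required_providers {
    http = {
      source  = "hashicorp/http"
      version = "~> 3.4"
    }
  }
}

variable "tenant_id" {
  type        = string
  description = "Azure AD tenant (directory) ID"
}

variable "app_id" {
  type        = string
  description = "Application (client) ID of the Enterprise Application"
}

locals {
  # App-specific federation metadata, as shown under Option 2 above.
  metadata_url = "https://login.microsoftonline.com/${var.tenant_id}/federationmetadata/2007-06/federationmetadata.xml?appid=${var.app_id}"

  # Azure AD's SAML issuer / entityID for a tenant.
  expected_entity_id = "https://sts.windows.net/${var.tenant_id}/"
}

# check blocks run on plan and apply and report failures as warnings, so a
# broken IdP configuration is visible without blocking unrelated changes.
check "azuread_idp_metadata" {
  data "http" "metadata" {
    url = local.metadata_url
  }

  # "Ensure metadata URL is accessible"
  assert {
    condition     = data.http.metadata.status_code == 200
    error_message = "IdP metadata URL ${local.metadata_url} returned HTTP ${data.http.metadata.status_code}; check tenant ID and application ID."
  }

  # "Check Entity ID ... match": the SP rejects assertions whose Issuer differs
  # from the entityID it has registered.
  assert {
    condition     = strcontains(data.http.metadata.response_body, "entityID=\"${local.expected_entity_id}\"")
    error_message = "Metadata entityID does not match ${local.expected_entity_id}."
  }

  # "Verify certificate validity": at minimum a signing certificate must be
  # present; its expiry is visible in the Azure portal and in OCI/OVH after import.
  assert {
    condition     = strcontains(data.http.metadata.response_body, "X509Certificate>")
    error_message = "No X509Certificate element found in IdP metadata; the SP cannot verify assertion signatures."
  }
}
```

Because the data source lives inside the check block, a failed fetch does not abort the plan; Terraform reports the assertion failure as a warning next to the resources it would otherwise have applied.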

Group Mappings Not Working

  1. Azure AD Group Claims:

    • Ensure group claims are configured in Azure AD
    • Verify users are members of the groups
    • Check group attribute name matches configuration
  2. Cloud Provider Groups:

    • OCI: Verify groups exist in Identity Domain
    • OVH: Verify role names are correct (ADMIN, REGULAR, etc.)

Advanced Configuration

Security Considerations

  • Metadata Security: IdP metadata is not a secret, but it is the trust anchor the service provider uses to verify assertions. Fetch it only over HTTPS from your own tenant's login.microsoftonline.com URL, confirm the signing certificate registered in OCI/OVH matches what Azure AD reports for the application, and re-import it before the certificate expires (Azure AD's default signing certificate lifetime is three years).
  • API Credentials: OVH API credentials and any other provider secrets passed to Terraform end up in plaintext in the state file. Use an encrypted remote backend with restricted access, and scope the OVH consumer key's access rules to the API routes the module actually needs.
  • Group Claims: Azure AD emits group object IDs in the groups claim by default; key mappings on those rather than on display names, which are not unique and can be renamed. Note that Azure AD omits the groups claim from SAML tokens for users in more than 150 groups and emits an overage claim instead, so restrict the claim to groups assigned to the application where users are members of many groups.
  • JIT Provisioning: JIT creates a cloud account for anyone who presents an accepted assertion, so combine it with "user assignment required" on the Enterprise Application, and decide whether JIT should also update or remove group memberships on each login so that memberships removed in Azure AD do not linger in OCI.
  • Role Assignments: Follow the principle of least privilege: do not map broad groups to ADMIN on OVH or to the built-in Administrators group on OCI; give everyday users REGULAR or UNPRIVILEGED on OVH and a compartment-scoped group on OCI.

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Test your changes thoroughly
  4. Submit a pull request

License

[Specify your license here]

Support

For issues and questions:

  • Check module-specific READMEs for detailed documentation
  • Review example configurations in the examples/ directory
  • Check Terraform provider documentation for provider-specific issues

Note: These modules are designed for Azure AD as the primary IdP but can be adapted for other SAML 2.0 identity providers with appropriate attribute mapping configuration.

About

Terraform module to integrate Azure for a custom meshPlatform
