Diffstat (limited to 'doc/authz/SAML.md')
| -rw-r--r-- | doc/authz/SAML.md | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/doc/authz/SAML.md b/doc/authz/SAML.md
new file mode 100644
index 0000000..d503dab
--- /dev/null
+++ b/doc/authz/SAML.md
@@ -0,0 +1,70 @@
+# SAML 2.0
+
+Enable instance level SAML configuration in Terraform Cloud to use HCP as the
+identity provider. This allows for service provider initiated and identity
+provider intiated authentication. The default set of SAML attributes that the
+instance level will accept will be extened to allow capture of a subjects
+current set or permissions.
+
+E.g.
+
+
+```xml
+<?xml version="1.0"?>
+<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_4ca277e1-1fd9-4264-a02a-fab4fc99b6e1" Version="2.0" IssueInstant="2022-03-30T18:50:39Z" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://tfcdev-82d111f9.ngrok.io/sso/saml/samlconf-BYk3Pj4iYG6WCHFTiUSaRKHAKm7yyp/acs" InResponseTo="_44b5198d-dae0-4df7-a44b-f22ea06b1a9b">
+ <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://id.terraform.io/metadata.xml</Issuer>
+ <Status>
+ <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+ </Status>
+ <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7b3914b0-ad9f-4ba8-9b0a-b4022387fb82" IssueInstant="2022-03-30T18:50:39Z" Version="2.0">
+ <Issuer>https://idp.terraform.io/metadata.xml</Issuer>
+ <Subject>
+ <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">mo.khan@hashicorp.com</NameID>
+ <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+ <SubjectConfirmationData
+ InResponseTo="_44b5198d-dae0-4df7-a44b-f22ea06b1a9b"
+ Recipient="https://app.terraform.io/sso/saml/metadata"
+ NotOnOrAfter="2022-03-30T18:55:39Z">
+ </SubjectConfirmationData>
+ </SubjectConfirmation>
+ </Subject>
+ <Conditions NotBefore="2022-03-30T18:50:39Z" NotOnOrAfter="2022-03-30T21:50:39Z">
+ <AudienceRestriction>
+ <Audience>https://app.terraform.io/sso/saml/metadata</Audience>
+ </AudienceRestriction>
+ </Conditions>
+ <AuthnStatement AuthnInstant="2022-03-30T18:50:39Z" SessionIndex="_7b3914b0-ad9f-4ba8-9b0a-b4022387fb82">
+ <AuthnContext>
+ <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
+ </AuthnContext>
+ </AuthnStatement>
+ <AttributeStatement>
+ <Attribute Name="Permission">
+ <AttributeValue>terraform.teams.create</AttributeValue>
+ <AttributeValue>terraform.teams.read</AttributeValue>
+ <AttributeValue>terraform.workspaces.read</AttributeValue>
+ </Attribute>
+ </AttributeStatement>
+ </Assertion>
+</Response>
+```
+
+## TFE Approach
+
+<!-- In this idea, how do we prevent TFE customers from being hurt? -->
+
+## Coupling Assessment
+
+<!-- In this idea, how coupled is TFC to HCP at runtime? -->
+
+## Expected Benefits
+
+<!-- Not exhaustive, but what makes this compelling? -->
+
+## Expected Downsides
+
+<!-- Not exhaustive, but what are some initial concerns? -->
+
+## Investigation Goal
+
+<!-- What do we need to do to understand this better? Is it feedback from others, is it a technical spike, is it a document? -->
