Bug azuread_application does not support "google.com" as one of its identifier_uris #1215

Closed
kneekeel opened this issue Oct 18, 2023 · 2 comments

kneekeel commented Oct 18, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

❯ terraform -v
Terraform v1.6.0
on darwin_arm64

  • provider registry.terraform.io/hashicorp/azuread v2.33.0

Affected Resource(s)

  • azuread_application

Terraform Configuration Files

data "azuread_application_template" "google_cloud" {
  display_name = "Google Cloud / G Suite Connector by Microsoft"
}

resource "azuread_application" "google_cloud_sso" {
  display_name = "Google Cloud / G Suite Connector by Microsoft"
  template_id  = data.azuread_application_template.google_cloud.template_id

  identifier_uris = ["google.com"]

  web {
    redirect_uris = ["https://www.google.com/"]
    implicit_grant {
      access_token_issuance_enabled = false
      id_token_issuance_enabled     = false
    }
  }
}

Debug Output

Panic Output

Expected Behavior

Application should have been created with the schemaless URI "google.com".

Google's documentation: 4.a) requires this for SAML configuration. It is also one of the supported identifiers by Microsoft, see documentation: 6.a).

However, this is not supported by the terraform-provider-azuread: v2.33.0 or v2.43.0 (latest).

Actual Behavior

Error: URI has no host
│ 
│   with ...azuread_application.google_cloud_sso,
│   on .../application.tf line 24, in resource "azuread_application" "google_cloud_sso":
│   24:   identifier_uris = ["google.com"]

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
@kneekeel kneekeel changed the title Bug Bug azuread_application does not support "google.com" as one of its identifier_uris Oct 18, 2023
Contributor

manicminer commented Oct 18, 2023

Hi @kneekeel, thanks for reporting this. Unfortunately the API does not support SAML configurations for applications and this is the only configuration where schemaless URIs like this are allowed. Unfortunately we can't support this due to both an absence of API support for SAML configuration, and server-side validation which mirrors the validation we perform within the provider.

Here's a demo of the API response showing this validation:

Screenshot 2023-10-18 at 21 36 49

As we already have a number of issues open relating to SAML support, I'm going to close this issue in favor of #173. Please subscribe to that issue if you'd like future updates on SAML support. Unfortunately as mentioned, there is simply no API support at this time and so we are unable to implement this. Thanks again for raising this, you may also wish to speak to your Azure account representative if this is an important feature for you.

Contributor

Duplicate of #173

@manicminer manicminer marked this as a duplicate of #173 Oct 18, 2023
@manicminer manicminer closed this as not planned Oct 18, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 18, 2024
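
Why the value in the report trips a host check, as an added example that is not part of the thread and not the provider's code: Go's net/url parses a schemeless string such as "google.com" as a bare path, so the result has neither scheme nor host. The function names and the two rules below are hypothetical and only illustrate the parse behaviour behind an error like "URI has no host".

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// checkIdentifierURI is a hypothetical validator written for this example;
// it is not the azuread provider's code. It rejects values that net/url
// parses without a host or without a scheme.
func checkIdentifierURI(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("URI is not parseable: %w", err)
	}
	if u.Host == "" {
		return errors.New("URI has no host")
	}
	if u.Scheme == "" {
		return errors.New("URI has no scheme")
	}
	return nil
}

// describe shows how net/url split the input, which explains the verdict.
func describe(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Sprintf("%q: parse error: %v", raw, err)
	}
	return fmt.Sprintf("%q: scheme=%q host=%q path=%q", raw, u.Scheme, u.Host, u.Path)
}

func main() {
	// Constructed sample inputs: the value from the report plus two variants.
	samples := []string{
		"google.com",              // parsed as a bare path
		"//google.com",            // host present, scheme missing
		"https://www.google.com/", // scheme and host present
	}
	for _, s := range samples {
		fmt.Println(describe(s))
		fmt.Println("  verdict:", checkIdentifierURI(s))
	}
}
```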