feat: SSO MFA - add missing SAML MFA fields

api/proto/teleport/legacy/types/types.proto

@@ -4773,13 +4773,21 @@ message SAMLConnectorMFASettings {
   bool enabled = 1;
   // EntityDescriptor is XML with descriptor. It can be used to supply configuration
   // parameters in one XML file rather than supplying them in the individual elements.
+  // Usually set from EntityDescriptorUrl.
   string entity_descriptor = 2;
   // EntityDescriptorUrl is a URL that supplies a configuration XML.
   string entity_descriptor_url = 3;
   // ForceAuthn specified whether re-authentication should be forced for MFA checks. UNSPECIFIED is
   // treated as YES to always re-authentication for MFA checks. This should only be set to NO if the
   // IdP is setup to perform MFA checks on top of active user sessions.
   SAMLForceAuthn force_authn = 4;
+  // Issuer is the identity provider issuer. Usually set from EntityDescriptor.
+  string issuer = 5;
+  // SSO is the URL of the identity provider's SSO service. Usually set from EntityDescriptor.
+  string sso = 6;
+  // Cert is the identity provider certificate PEM.
+  // IDP signs `<Response>` responses using this certificate.
+  string cert = 7;
 }
 
 // SAMLForceAuthn specified whether existing SAML sessions should be accepted or re-authentication

api/types/saml.go

@@ -105,7 +105,9 @@ type SAMLConnector interface {
 	// SetSingleLogoutURL sets the SAML SLO (single logout) URL for the identity provider.
 	SetSingleLogoutURL(string)
 	// GetMFASettings returns the connector's MFA settings.
-	GetMFASettings() SAMLConnectorMFASettings
+	GetMFASettings() *SAMLConnectorMFASettings
+	// SetMFASettings sets the connector's MFA settings.
+	SetMFASettings(s *SAMLConnectorMFASettings)
 	// IsMFAEnabled returns whether the connector has MFA enabled.
 	IsMFAEnabled() bool
 	// WithMFASettings returns the connector will some settings overwritten set from MFA settings.
@@ -400,18 +402,19 @@ func (o *SAMLConnectorV2) SetSingleLogoutURL(url string) {
 }
 
 // GetMFASettings returns the connector's MFA settings.
-func (o *SAMLConnectorV2) GetMFASettings() SAMLConnectorMFASettings {
-	if o.Spec.MFASettings == nil {
-		return SAMLConnectorMFASettings{
-			Enabled: false,
-		}
-	}
-	return *o.Spec.MFASettings
+func (o *SAMLConnectorV2) GetMFASettings() *SAMLConnectorMFASettings {
+	return o.Spec.MFASettings
+}
+
+// SetMFASettings sets the connector's MFA settings.
+func (o *SAMLConnectorV2) SetMFASettings(s *SAMLConnectorMFASettings) {
+	o.Spec.MFASettings = s
 }
 
 // IsMFAEnabled returns whether the connector has MFA enabled.
 func (o *SAMLConnectorV2) IsMFAEnabled() bool {
-	return o.GetMFASettings().Enabled
+	mfa := o.GetMFASettings()
+	return mfa != nil && mfa.Enabled
 }
 
 // WithMFASettings returns the connector will some settings overwritten set from MFA settings.
@@ -422,6 +425,9 @@ func (o *SAMLConnectorV2) WithMFASettings() error {
 
 	o.Spec.EntityDescriptor = o.Spec.MFASettings.EntityDescriptor
 	o.Spec.EntityDescriptorURL = o.Spec.MFASettings.EntityDescriptorUrl
+	o.Spec.Issuer = o.Spec.MFASettings.Issuer
+	o.Spec.SSO = o.Spec.MFASettings.Sso
+	o.Spec.Cert = o.Spec.MFASettings.Cert
 
 	switch o.Spec.MFASettings.ForceAuthn {
 	case SAMLForceAuthn_FORCE_AUTHN_UNSPECIFIED:
@@ -471,6 +477,9 @@ func (o *SAMLConnectorV2) CheckAndSetDefaults() error {
 	if o.Spec.EntityDescriptorURL == "" && o.Spec.EntityDescriptor == "" && (o.Spec.Issuer == "" || o.Spec.SSO == "") {
 		return trace.BadParameter("no entity_descriptor set, either provide entity_descriptor or entity_descriptor_url in spec")
 	}
+	if o.IsMFAEnabled() && o.Spec.MFASettings.EntityDescriptorUrl == "" && o.Spec.MFASettings.EntityDescriptor == "" && (o.Spec.MFASettings.Issuer == "" || o.Spec.MFASettings.Sso == "") {
+		return trace.BadParameter("no entity_descriptor set for mfa settings, either provide entity_descriptor or entity_descriptor_url in spec")
+	}
 	// make sure claim mappings have either roles or a role template
 	for _, v := range o.Spec.AttributesToRoles {
 		if len(v.Roles) == 0 {

docs/pages/reference/operator-resources/resources.teleport.dev_samlconnectors.mdx

@@ -71,10 +71,13 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 
 |Field|Type|Description|
 |---|---|---|
+|cert|string|Cert is the identity provider certificate PEM. IDP signs `<Response>` responses using this certificate.|
 |enabled|boolean|Enabled specified whether this SAML connector supports MFA checks. Defaults to false.|
-|entity_descriptor|string|EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.|
+|entity_descriptor|string|EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. Usually set from EntityDescriptorUrl.|
 |entity_descriptor_url|string|EntityDescriptorUrl is a URL that supplies a configuration XML.|
 |force_authn|string or integer|ForceAuthn specified whether re-authentication should be forced for MFA checks. UNSPECIFIED is treated as YES to always re-authentication for MFA checks. This should only be set to NO if the IdP is setup to perform MFA checks on top of active user sessions. Can be either the string or the integer representation of each option.|
+|issuer|string|Issuer is the identity provider issuer. Usually set from EntityDescriptor.|
+|sso|string|SSO is the URL of the identity provider's SSO service. Usually set from EntityDescriptor.|
 
 ### spec.signing_key_pair
 

docs/pages/reference/terraform-provider/data-sources/saml_connector.mdx

@@ -78,10 +78,13 @@ Optional:
 
 Optional:
 
+- `cert` (String) Cert is the identity provider certificate PEM. IDP signs `<Response>` responses using this certificate.
 - `enabled` (Boolean) Enabled specified whether this SAML connector supports MFA checks. Defaults to false.
-- `entity_descriptor` (String) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.
+- `entity_descriptor` (String) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. Usually set from EntityDescriptorUrl.
 - `entity_descriptor_url` (String) EntityDescriptorUrl is a URL that supplies a configuration XML.
 - `force_authn` (Number) ForceAuthn specified whether re-authentication should be forced for MFA checks. UNSPECIFIED is treated as YES to always re-authentication for MFA checks. This should only be set to NO if the IdP is setup to perform MFA checks on top of active user sessions.
+- `issuer` (String) Issuer is the identity provider issuer. Usually set from EntityDescriptor.
+- `sso` (String) SSO is the URL of the identity provider's SSO service. Usually set from EntityDescriptor.
 
 
 ### Nested Schema for `spec.signing_key_pair`

docs/pages/reference/terraform-provider/resources/saml_connector.mdx

@@ -123,10 +123,13 @@ Optional:
 
 Optional:
 
+- `cert` (String) Cert is the identity provider certificate PEM. IDP signs `<Response>` responses using this certificate.
 - `enabled` (Boolean) Enabled specified whether this SAML connector supports MFA checks. Defaults to false.
-- `entity_descriptor` (String) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements.
+- `entity_descriptor` (String) EntityDescriptor is XML with descriptor. It can be used to supply configuration parameters in one XML file rather than supplying them in the individual elements. Usually set from EntityDescriptorUrl.
 - `entity_descriptor_url` (String) EntityDescriptorUrl is a URL that supplies a configuration XML.
 - `force_authn` (Number) ForceAuthn specified whether re-authentication should be forced for MFA checks. UNSPECIFIED is treated as YES to always re-authentication for MFA checks. This should only be set to NO if the IdP is setup to perform MFA checks on top of active user sessions.
+- `issuer` (String) Issuer is the identity provider issuer. Usually set from EntityDescriptor.
+- `sso` (String) SSO is the URL of the identity provider's SSO service. Usually set from EntityDescriptor.
 
 
 ### Nested Schema for `spec.signing_key_pair`

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml

@@ -127,14 +127,19 @@ spec:
                   through this auth connector.
                 nullable: true
                 properties:
+                  cert:
+                    description: Cert is the identity provider certificate PEM. IDP
+                      signs `<Response>` responses using this certificate.
+                    type: string
                   enabled:
                     description: Enabled specified whether this SAML connector supports
                       MFA checks. Defaults to false.
                     type: boolean
                   entity_descriptor:
                     description: EntityDescriptor is XML with descriptor. It can be
                       used to supply configuration parameters in one XML file rather
-                      than supplying them in the individual elements.
+                      than supplying them in the individual elements. Usually set
+                      from EntityDescriptorUrl.
                     type: string
                   entity_descriptor_url:
                     description: EntityDescriptorUrl is a URL that supplies a configuration
@@ -147,6 +152,14 @@ spec:
                       NO if the IdP is setup to perform MFA checks on top of active
                       user sessions.
                     x-kubernetes-int-or-string: true
+                  issuer:
+                    description: Issuer is the identity provider issuer. Usually set
+                      from EntityDescriptor.
+                    type: string
+                  sso:
+                    description: SSO is the URL of the identity provider's SSO service.
+                      Usually set from EntityDescriptor.
+                    type: string
                 type: object
               provider:
                 description: Provider is the external identity provider.

integrations/operator/config/crd/bases/resources.teleport.dev_samlconnectors.yaml

@@ -127,14 +127,19 @@ spec:
                   through this auth connector.
                 nullable: true
                 properties:
+                  cert:
+                    description: Cert is the identity provider certificate PEM. IDP
+                      signs `<Response>` responses using this certificate.
+                    type: string
                   enabled:
                     description: Enabled specified whether this SAML connector supports
                       MFA checks. Defaults to false.
                     type: boolean
                   entity_descriptor:
                     description: EntityDescriptor is XML with descriptor. It can be
                       used to supply configuration parameters in one XML file rather
-                      than supplying them in the individual elements.
+                      than supplying them in the individual elements. Usually set
+                      from EntityDescriptorUrl.
                     type: string
                   entity_descriptor_url:
                     description: EntityDescriptorUrl is a URL that supplies a configuration
@@ -147,6 +152,14 @@ spec:
                       NO if the IdP is setup to perform MFA checks on top of active
                       user sessions.
                     x-kubernetes-int-or-string: true
+                  issuer:
+                    description: Issuer is the identity provider issuer. Usually set
+                      from EntityDescriptor.
+                    type: string
+                  sso:
+                    description: SSO is the URL of the identity provider's SSO service.
+                      Usually set from EntityDescriptor.
+                    type: string
                 type: object
               provider:
                 description: Provider is the external identity provider.

integrations/terraform/README.md

@@ -7,9 +7,9 @@ Please, refer to [official documentation](https://goteleport.com/docs/admin-guid
 ## Development
 
 1. Install [`protobuf`](https://grpc.io/docs/protoc-installation/).
-2. Install [`protoc-gen-terraform`](https://github.com/gravitational/protoc-gen-terraform).
+2. Install [`protoc-gen-terraform`](https://github.com/gravitational/protoc-gen-terraform) @v2.2.0.
 
-    ```go install github.com/gravitational/protoc-gen-terraform@main```
+    ```go install github.com/gravitational/protoc-gen-terraform@08768262d29336b8ae0915ef41bb6d9768518c66```
 
 3. Install [`Terraform`](https://learn.hashicorp.com/tutorials/terraform/install-cli) v1.1.0+. Alternatively, you can use [`tfenv`](https://github.com/tfutils/tfenv). Please note that on Mac M1 you need to specify `TFENV_ARCH` (ex: `TFENV_ARCH=arm64 tfenv install 1.1.6`).