
Updating a keycloak_saml_identity_provider removes its name_id_policy_format #773

Closed
MarS919 opened this issue Nov 21, 2022 · 2 comments · Fixed by #793

Comments


MarS919 commented Nov 21, 2022

Updating a keycloak_saml_identity_provider, for example by setting a different extra_config, removes its name_id_policy_format setting. A subsequent run will detect this and correct it.

My IdP resource:

```hcl
resource "keycloak_saml_identity_provider" "idp-demo-dev_idp-myidp" {
  realm                                  = keycloak_realm.idp-demo-dev.id
  alias                                  = "idp"
  display_name                           = "My IdP"
  first_broker_login_flow_alias          = "first broker login"

  enabled                                = true
  trust_email                            = true
  store_token                            = false
  add_read_token_role_on_create          = false
  authenticate_by_default                = false
  link_only                              = false
  backchannel_supported                  = false
  post_binding_response                  = true
  post_binding_logout                    = true
  post_binding_authn_request             = true
  principal_type                         = "SUBJECT"
  name_id_policy_format                  = "Windows Domain Qualified Name"
  force_authn                            = false
  want_assertions_signed                 = true
  want_assertions_encrypted              = false
  validate_signature                     = true
  signature_algorithm                    = "RSA_SHA256"
  signing_certificate                    = local.idp_signing_cert
  sync_mode                              = "FORCE"

  entity_id                              = "idp-demo-dev"
  single_sign_on_service_url             = "https://idp.example.com"
  single_logout_service_url              = "https://idp.example.com"
  xml_sign_key_info_key_name_transformer = "CERT_SUBJECT"
  extra_config = {
    "allowedClockSkew" = 10
  }
}
```

Now after creating (which works perfectly), I'll update this resource by changing allowedClockSkew.

```text
Terraform will perform the following actions:

  # keycloak_saml_identity_provider.idp-demo-dev_idp-myidp will be updated in-place
  ~ resource "keycloak_saml_identity_provider" "idp-demo-dev_idp-myidp" {
      ~ extra_config                           = {
          ~ "allowedClockSkew" = "10" -> "11"
        }
        id                                     = "idp"
        # (32 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

But after applying this plan, name_id_policy_format will be "".

```text
keycloak_saml_identity_provider.idp-demo-dev_idp-myidp: Modifying... [id=idp]
2022-11-21T13:39:19.218+0100 [INFO]  Starting apply for keycloak_saml_identity_provider.idp-demo-dev_idp-myidp
2022-11-21T13:39:19.220+0100 [DEBUG] keycloak_saml_identity_provider.idp-demo-dev_idp-myidp: applying the planned Update change
2022-11-21T13:39:19.222+0100 [DEBUG] provider.terraform-provider-keycloak_v4.0.1: Sending request: tf_provider_addr=provider tf_req_id=57c4fd6a-7949-cfb4-eaea-49473d5b6d98 @caller=github.com/mrparkers/terraform-provider-keycloak/keycloak/keycloak_client.go:313 method=PUT path=/auth/admin/realms/idp-demo-dev/identity-provider/instances/idp tf_resource_type=keycloak_saml_identity_provider @module=provider body="{
    "internalId": "8435fa8a-dae2-4137-9f87-2d2ae52d52cb",
    "alias": "idp",
    "displayName": "My IdP",
    "providerId": "saml",
    "enabled": true,
    "storeToken": false,
    "addReadTokenRoleOnCreate": false,
    "authenticateByDefault": false,
    "linkOnly": false,
    "trustEmail": true,
    "firstBrokerLoginFlowAlias": "first broker login",
    "postBrokerLoginFlowAlias": "",
    "config": {
        "acceptsPromptNoneForwardFromClient": "false",
        "allowedClockSkew": "11",
        "authnContextClassRefs": "",
        "authnContextComparisonType": "",
        "authnContextDeclRefs": "",
        "authorizationUrl": "",
        "backchannelSupported": "false",
        "clientId": "",
        "clientSecret": "",
        "defaultScope": "",
        "disableUserInfo": "false",
        "entityId": "idp-demo-dev",
        "forceAuthn": "false",
        "guiOrder": "",
        "hideOnLoginPage": "false",
        "hostIp": "",
        "hostedDomain": "",
        "issuer": "",
        "jwksUrl": "",
        "key": "",
        "loginHint": "",
        "logoutUrl": "",
        "nameIDPolicyFormat": "",
        "offlineAccess": "false",
        "postBindingAuthnRequest": "true",
        "postBindingLogout": "true",
        "postBindingResponse": "true",
        "principalAttribute": "",
        "principalType": "SUBJECT",
        "signatureAlgorithm": "RSA_SHA256",
        "signingCertificate": "ABC[shortened]mik3A==\n",
        "singleLogoutServiceUrl": "https://idp.example.com",
        "singleSignOnServiceUrl": "https://idp.example.com",
        "syncMode": "FORCE",
        "tokenUrl": "",
        "uiLocales": "false",
        "useJwksUrl": "false",
        "userInfoUrl": "",
        "userIp": "false",
        "validateSignature": "true",
        "wantAssertionsEncrypted": "false",
        "wantAssertionsSigned": "true",
        "wantAuthnRequestsSigned": "true",
        "xmlSigKeyInfoKeyNameTransformer": "CERT_SUBJECT"
    }
}" tf_rpc=ApplyResourceChange timestamp=2022-11-21T13:39:19.222+0100
2022-11-21T13:39:20.498+0100 [DEBUG] provider.terraform-provider-keycloak_v4.0.1: Received response: @module=provider tf_provider_addr=provider tf_rpc=ApplyResourceChange @caller=github.com/mrparkers/terraform-provider-keycloak/keycloak/keycloak_client.go:360 status="204 No Content" tf_req_id=57c4fd6a-7949-cfb4-eaea-49473d5b6d98 tf_resource_type=keycloak_saml_identity_provider timestamp=2022-11-21T13:39:20.498+0100
2022-11-21T13:39:20.501+0100 [WARN]  Provider "provider[\"registry.terraform.io/mrparkers/keycloak\"]" produced an unexpected new value for keycloak_saml_identity_provider.idp-demo-dev_idp-myidp, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .name_id_policy_format: was cty.StringVal("urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"), but now cty.StringVal("")
keycloak_saml_identity_provider.idp-demo-dev_idp-myidp: Modifications complete after 2s [id=idp]
```

Mind the warning about an "unexpected new value".
When running terraform plan and applying it again, the setting is corrected:

```text
Terraform will perform the following actions:

  # keycloak_saml_identity_provider.idp-demo-dev_idp-myidp will be updated in-place
  ~ resource "keycloak_saml_identity_provider" "idp-demo-dev_idp-myidp" {
        id                                     = "idp"
      + name_id_policy_format                  = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
        # (32 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

Tested with versions 3.7.0 and 4.0.1, same results. Keycloak versions 18 and 19, but it also happened with older versions.
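One way to make such an update path robust, as an added Go example that is not the provider's own code (the friendly-name table, the function names and the modelled cause are assumptions for illustration): it shows a lookup that yields "" when handed the URN form the plan output indicates state holds, beside an idempotent normalization and a guard that refuses a PUT body whose nameIDPolicyFormat would be cleared.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Friendly names as written in HCL (name_id_policy_format) mapped to the SAML
// NameID-format URNs Keycloak stores in config.nameIDPolicyFormat
// (hypothetical table for this example, not the provider's own).
var nameIDFormats = map[string]string{
	"Windows Domain Qualified Name": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
	"Unspecified":                   "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
	"X.509 Subject Name":            "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
}

// naiveFormat models the failure mode in the issue: a lookup keyed only by the
// friendly name returns "" when handed the URN that state holds after a refresh.
func naiveFormat(v string) string { return nameIDFormats[v] }

// normalizeFormat is idempotent: friendly name or URN in, URN out, and an
// error (never "") for unknown input.
func normalizeFormat(v string) (string, error) {
	if urn, ok := nameIDFormats[v]; ok {
		return urn, nil
	}
	for _, urn := range nameIDFormats {
		if strings.EqualFold(urn, strings.TrimSpace(v)) {
			return urn, nil
		}
	}
	return "", fmt.Errorf("unknown name_id_policy_format %q", v)
}

// checkUpdateBody guards the PUT body: an update must not silently clear
// nameIDPolicyFormat, which selects the subject identifier the IdP asserts.
func checkUpdateBody(config map[string]string) error {
	if config["nameIDPolicyFormat"] == "" {
		return errors.New("refusing update: nameIDPolicyFormat would be cleared")
	}
	return nil
}

func main() {
	urn := "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
	fmt.Printf("naive: %q\n", naiveFormat(urn)) // naive: ""
	got, err := normalizeFormat(urn)
	fmt.Println(got == urn, err) // true <nil>
}
```

A second `terraform plan` after the apply is the cheapest drift check; the guard above is what would stop the blanking before it reaches Keycloak.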


jchomat commented Jan 13, 2023

Got the same error in production.

Unspecified value was set to X.509 without any modifications on this resource.

mrparkers (Owner) commented

Hi, the fix for this (thanks @pablo-ruth) will be shipped with the next release.
