keycloak · mrparkers · Jul 15, 2022 · Jan 27, 2021 · Jan 29, 2021 · Jan 29, 2021
diff --git a/keycloak/extra_config.go b/keycloak/extra_config.go
@@ -28,7 +28,17 @@ func unmarshalExtraConfig(data []byte, reflectValue reflect.Value, extraConfig *
 						if err == nil {
 							field.Set(reflect.ValueOf(KeycloakBoolQuoted(boolVal)))
 						}
+					} else if field.Kind() == reflect.TypeOf([]string{}).Kind() {
+						var s KeycloakSliceQuoted
+
+						err = json.Unmarshal([]byte(configValue.(string)), &s)
+						if err != nil {
+
+						}
+
+						field.Set(reflect.ValueOf(s))
 					}
+
 					delete(*extraConfig, jsonKey)
 				}
 			}
@@ -54,6 +64,9 @@ func marshalExtraConfig(reflectValue reflect.Value, extraConfig map[string]inter
 					out[jsonKey] = field.String()
 				} else if field.Kind() == reflect.Bool {
 					out[jsonKey] = KeycloakBoolQuoted(field.Bool())
+				} else if field.Kind() == reflect.TypeOf([]string{}).Kind() {
+					s := field.Interface().(KeycloakSliceQuoted)
+					out[jsonKey] = s
 				}
 			}
 		}

diff --git a/keycloak/identity_provider.go b/keycloak/identity_provider.go
@@ -47,6 +47,9 @@ type IdentityProviderConfig struct {
 	GuiOrder                        string                 `json:"guiOrder,omitempty"`
 	SyncMode                        string                 `json:"syncMode,omitempty"`
 	ExtraConfig                     map[string]interface{} `json:"-"`
+	AuthnContextClassRefs           KeycloakSliceQuoted    `json:"authnContextClassRefs,omitempty"`
+	AuthnContextComparisonType      string                 `json:"authnContextComparisonType,omitempty"`
+	AuthnContextDeclRefs            KeycloakSliceQuoted    `json:"authnContextDeclRefs,omitempty"`
 }
 
 type IdentityProvider struct {

diff --git a/keycloak/util.go b/keycloak/util.go
@@ -2,12 +2,14 @@ package keycloak
 
 import (
 	"bytes"
+	"encoding/json"
 	"strconv"
 	"strings"
 	"time"
 )
 
 type KeycloakBoolQuoted bool
+type KeycloakSliceQuoted []string
 
 func (c KeycloakBoolQuoted) MarshalJSON() ([]byte, error) {
 	var buf bytes.Buffer
@@ -35,6 +37,27 @@ func (c *KeycloakBoolQuoted) UnmarshalJSON(in []byte) error {
 	return nil
 }
 
+func (s KeycloakSliceQuoted) MarshalJSON() ([]byte, error) {
+	var buf bytes.Buffer
+	if s == nil || len(s) == 0 {
+		buf.WriteString(`""`)
+	} else {
+		sliceAsString := make([]string, len(s))
+		for i, v := range s {
+			sliceAsString[i] = v
+		}
+
+		stringAsJSON, err := json.Marshal(sliceAsString)
+		if err != nil {
+			return nil, err
+		}
+
+		buf.WriteString(strconv.Quote(string(stringAsJSON)))
+	}
+
+	return buf.Bytes(), nil
+}
+
 func getIdFromLocationHeader(locationHeader string) string {
 	parts := strings.Split(locationHeader, "/")
 

diff --git a/provider/resource_keycloak_saml_identity_provider.go b/provider/resource_keycloak_saml_identity_provider.go
@@ -36,6 +36,13 @@ var principalTypes = []string{
 	"FRIENDLY_ATTRIBUTE",
 }
 
+var authnComparisonTypes = []string{
+	"exact",
+	"minimum",
+	"maximum",
+	"better",
+}
+
 func resourceKeycloakSamlIdentityProvider() *schema.Resource {
 	samlSchema := map[string]*schema.Schema{
 		"provider_id": {
@@ -146,6 +153,24 @@ func resourceKeycloakSamlIdentityProvider() *schema.Resource {
 			Default:     "",
 			Description: "Principal Attribute",
 		},
+		"authn_context_class_refs": {
+			Type:        schema.TypeList,
+			Elem:        &schema.Schema{Type: schema.TypeString},
+			Optional:    true,
+			Description: "AuthnContext ClassRefs",
+		},
+		"authn_context_decl_refs": {
+			Type:        schema.TypeList,
+			Elem:        &schema.Schema{Type: schema.TypeString},
+			Optional:    true,
+			Description: "AuthnContext DeclRefs",
+		},
+		"authn_context_comparison_type": {
+			Type:         schema.TypeString,
+			Optional:     true,
+			ValidateFunc: validation.StringInSlice(authnComparisonTypes, false),
+			Description:  "AuthnContext Comparison",
+		},
 	}
 	samlResource := resourceKeycloakIdentityProvider()
 	samlResource.Schema = mergeSchemas(samlResource.Schema, samlSchema)
@@ -159,6 +184,16 @@ func getSamlIdentityProviderFromData(data *schema.ResourceData) (*keycloak.Ident
 	rec, defaultConfig := getIdentityProviderFromData(data)
 	rec.ProviderId = data.Get("provider_id").(string)
 
+	var authnContextClassRefs keycloak.KeycloakSliceQuoted
+	for _, v := range data.Get("authn_context_class_refs").([]interface{}) {
+		authnContextClassRefs = append(authnContextClassRefs, v.(string))
+	}
+
+	var authnContextDeclRefs keycloak.KeycloakSliceQuoted
+	for _, v := range data.Get("authn_context_decl_refs").([]interface{}) {
+		authnContextDeclRefs = append(authnContextDeclRefs, v.(string))
+	}
+
 	samlIdentityProviderConfig := &keycloak.IdentityProviderConfig{
 		ValidateSignature:               keycloak.KeycloakBoolQuoted(data.Get("validate_signature").(bool)),
 		HideOnLoginPage:                 keycloak.KeycloakBoolQuoted(data.Get("hide_on_login_page").(bool)),
@@ -178,6 +213,9 @@ func getSamlIdentityProviderFromData(data *schema.ResourceData) (*keycloak.Ident
 		WantAssertionsEncrypted:         keycloak.KeycloakBoolQuoted(data.Get("want_assertions_encrypted").(bool)),
 		PrincipalType:                   data.Get("principal_type").(string),
 		PrincipalAttribute:              data.Get("principal_attribute").(string),
+		AuthnContextClassRefs:           authnContextClassRefs,
+		AuthnContextComparisonType:      data.Get("authn_context_comparison_type").(string),
+		AuthnContextDeclRefs:            authnContextDeclRefs,
 	}
 
 	if _, ok := data.GetOk("signature_algorithm"); ok {
@@ -214,6 +252,9 @@ func setSamlIdentityProviderData(data *schema.ResourceData, identityProvider *ke
 	data.Set("want_assertions_encrypted", identityProvider.Config.WantAssertionsEncrypted)
 	data.Set("principal_type", identityProvider.Config.PrincipalType)
 	data.Set("principal_attribute", identityProvider.Config.PrincipalAttribute)
+	data.Set("authn_context_class_refs", identityProvider.Config.AuthnContextClassRefs)
+	data.Set("authn_context_comparison_type", identityProvider.Config.AuthnContextComparisonType)
+	data.Set("authn_context_decl_refs", identityProvider.Config.AuthnContextDeclRefs)
 
 	return nil
 }
diff --git a/provider/resource_keycloak_saml_identity_provider_test.go b/provider/resource_keycloak_saml_identity_provider_test.go
@@ -173,6 +173,9 @@ func TestAccKeycloakSamlIdentityProvider_basicUpdateAll(t *testing.T) {
 			WantAssertionsEncrypted:         keycloak.KeycloakBoolQuoted(firstAssertionsEncrypted),
 			GuiOrder:                        strconv.Itoa(acctest.RandIntRange(1, 3)),
 			SyncMode:                        randomStringInSlice(syncModes),
+			AuthnContextClassRefs:           keycloak.KeycloakSliceQuoted{"foo", "bar"},
+			AuthnContextDeclRefs:            keycloak.KeycloakSliceQuoted{"foo"},
+			AuthnContextComparisonType:      "exact",
 		},
 	}
 
@@ -198,6 +201,9 @@ func TestAccKeycloakSamlIdentityProvider_basicUpdateAll(t *testing.T) {
 			WantAssertionsEncrypted:         keycloak.KeycloakBoolQuoted(!firstAssertionsEncrypted),
 			GuiOrder:                        strconv.Itoa(acctest.RandIntRange(1, 3)),
 			SyncMode:                        randomStringInSlice(syncModes),
+			AuthnContextClassRefs:           keycloak.KeycloakSliceQuoted{"foo", "hello"},
+			AuthnContextDeclRefs:            keycloak.KeycloakSliceQuoted{"baz"},
+			AuthnContextComparisonType:      "exact",
 		},
 	}
 
@@ -377,6 +383,16 @@ resource "keycloak_saml_identity_provider" "saml" {
 }
 
 func testKeycloakSamlIdentityProvider_basicFromInterface(saml *keycloak.IdentityProvider) string {
+	var authnContextClassRefs []string
+	for _, v := range saml.Config.AuthnContextClassRefs {
+		authnContextClassRefs = append(authnContextClassRefs, v)
+	}
+
+	var authnContextDeclRefs []string
+	for _, v := range saml.Config.AuthnContextDeclRefs {
+		authnContextDeclRefs = append(authnContextDeclRefs, v)
+	}
+
 	return fmt.Sprintf(`
 data "keycloak_realm" "realm" {
 	realm = "%s"
@@ -404,6 +420,10 @@ resource "keycloak_saml_identity_provider" "saml" {
 	want_assertions_encrypted  = %t
 	gui_order                  = %s
 	sync_mode                  = "%s"
+
+	authn_context_class_refs      = %v
+	authn_context_decl_refs       = %v
+	authn_context_comparison_type = "%s"
 }
-	`, testAccRealm.Realm, saml.Alias, saml.Enabled, saml.Config.EntityId, saml.Config.SingleSignOnServiceUrl, bool(saml.Config.BackchannelSupported), bool(saml.Config.ValidateSignature), bool(saml.Config.HideOnLoginPage), saml.Config.NameIDPolicyFormat, saml.Config.SingleLogoutServiceUrl, saml.Config.SigningCertificate, saml.Config.SignatureAlgorithm, saml.Config.XmlSigKeyInfoKeyNameTransformer, bool(saml.Config.PostBindingAuthnRequest), bool(saml.Config.PostBindingResponse), bool(saml.Config.PostBindingLogout), bool(saml.Config.ForceAuthn), bool(saml.Config.WantAssertionsSigned), bool(saml.Config.WantAssertionsEncrypted), saml.Config.GuiOrder, saml.Config.SyncMode)
+	`, testAccRealm.Realm, saml.Alias, saml.Enabled, saml.Config.EntityId, saml.Config.SingleSignOnServiceUrl, bool(saml.Config.BackchannelSupported), bool(saml.Config.ValidateSignature), bool(saml.Config.HideOnLoginPage), saml.Config.NameIDPolicyFormat, saml.Config.SingleLogoutServiceUrl, saml.Config.SigningCertificate, saml.Config.SignatureAlgorithm, saml.Config.XmlSigKeyInfoKeyNameTransformer, bool(saml.Config.PostBindingAuthnRequest), bool(saml.Config.PostBindingResponse), bool(saml.Config.PostBindingLogout), bool(saml.Config.ForceAuthn), bool(saml.Config.WantAssertionsSigned), bool(saml.Config.WantAssertionsEncrypted), saml.Config.GuiOrder, saml.Config.SyncMode, arrayOfStringsForTerraformResource(authnContextClassRefs), arrayOfStringsForTerraformResource(authnContextDeclRefs), saml.Config.AuthnContextComparisonType)
 }