
fortios_system_saml - Error 500 - "value parse error before" - default_profile

Open · BluetriX opened this issue 2 years ago · 2 comments

I am trying to add SAML SSO with Azure as IDP. I am using a Fortigate (v7.0.12) from the Azure Marketplace.

My code looks like this

resource "fortios_system_saml" "azure-saml" {
  default_profile        = "super_admin"
  status                 = "enable"
  role                   = "service-provider"
  binding_protocol       = "redirect"
  default_login_page     = "normal"
  life                   = 30
  tolerance              = 5
  entity_id              = "http://${local.fgt_sso_hostname}/metadata/"
  idp_cert               = "REMOTE_Cert_3"
  idp_entity_id          = "https://sts.windows.net/<tenantid>/"
  idp_single_logout_url  = "https://login.microsoftonline.com/<tenantid>/saml2"
  idp_single_sign_on_url = "https://login.microsoftonline.com/<tenantid>/saml2"
  server_address         = local.fgt_sso_hostname
}

Terraform plan (<*> replaces sensitive information):


  # fortios_system_saml.azure-saml will be created
  + resource "fortios_system_saml" "azure-saml" {
      + binding_protocol       = "redirect"
      + cert                   = (known after apply)
      + default_login_page     = "normal"
      + default_profile        = "super_admin"
      + dynamic_sort_subtable  = "false"
      + entity_id              = "http://<ip>/metadata/"
      + get_all_tables         = "false"
      + id                     = (known after apply)
      + idp_cert               = "Azure SAML Cert"
      + idp_entity_id          = "https://sts.windows.net/<tenantid>/"
      + idp_single_logout_url  = "https://login.microsoftonline.com/<tenantid>/saml2"
      + idp_single_sign_on_url = "https://login.microsoftonline.com/<tenantid>/saml2"
      + life                   = 30
      + portal_url             = (known after apply)
      + role                   = "service-provider"
      + server_address         = "<ip>"
      + single_logout_url      = (known after apply)
      + single_sign_on_url     = (known after apply)
      + status                 = "enable"
      + tolerance              = 5
    }

When I apply this Terraform code I get the following error (<*> replaces sensitive information):

│ Error: Error updating SystemSaml resource: Internal Server Error - Internal error when processing the request (500)
│ Cli response: 
│ entry not found in datasource
│ 
│ value parse error before 'super_admin'
│ Command fail. Return code -3
│ 
│ 
│   with fortios_system_saml.azure-saml,
│   on sso.tf line 23, in resource "fortios_system_saml" "azure-saml":
│   23: resource "fortios_system_saml" "azure-saml" {

Best regards

Erik

Edit: Also tested with 7.4.1 - same error.

BluetriX, Nov 18 '23 00:11

Ok, I tried different things and found out that the problem is the "super_admin".

I can select it in the UI, and the API preview (WebUI) shows this name, but in Terraform it does not work. Another default_profile works well.

{
  "method": "PUT",
  "url": "/api/v2/cmdb/system/accprofile/super_admin",
  "params": {
    "vdom": "root"
  },
  "data": {
    "name": "super_admin",
    "q_origin_key": "super_admin",
    "scope": "global",
    "comments": "",
    "secfabgrp": "read-write",
    "ftviewgrp": "read-write",
    "authgrp": "read-write",
    "sysgrp": "read-write",
    "netgrp": "read-write",
    "loggrp": "read-write",
    "fwgrp": "read-write",
    "vpngrp": "read-write",
    "utmgrp": "read-write",
    "wanoptgrp": "read-write",
    "wifi": "read-write",
[...]
  }
}

In the Terraform docs (https://registry.terraform.io/providers/fortinetdev/fortios/latest/docs/resources/fortios_system_saml) there is an example with "admin_no_access"; this does not work either.

In the Ansible docs (https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_system_saml_module.html) I found this description: "default_profile string | Default profile for new SSO admin. Source system.accprofile.name". So when I look at this source, I only find two profiles:

config system accprofile
    edit "prof_admin"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
    edit "terraform"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
end

These two are working fine. The "virtual" profiles "super_admin" and "admin_no_access" do not work in Terraform.

Is this a Terraform issue or an API issue? If it is an API issue, then it would be great if the docs were updated with this hint.

Greetings

Erik

BluetriX, Nov 18 '23 02:11
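The failure above boils down to a datasource lookup: `default_profile` must name an entry the FortiGate returns for `system.accprofile`, and the built-in `super_admin` / `admin_no_access` profiles are not in that list for the API user in the thread. The following is an added example (not code from the issue author or from the fortios provider) that reproduces the check locally: it pulls `default_profile` out of an HCL snippet, parses `config system accprofile` CLI output into profile objects, and reports whether the value would resolve, so the "entry not found in datasource" error is caught before `terraform apply`. It also lists which permission groups the chosen profile grants read-write, since the default profile is what every newly created SSO admin inherits. The sample HCL and CLI text are constructed, abbreviated copies of what is quoted in the thread; `BUILTIN_PROFILES` is an assumption drawn from this thread's report, not a FortiOS API contract.

```python
"""Pre-flight check for fortios_system_saml.default_profile (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated from the resource block in the issue.
SAMPLE_HCL = '''
resource "fortios_system_saml" "azure-saml" {
  default_profile = "super_admin"
  status          = "enable"
  role            = "service-provider"
}
'''

# Constructed sample: abbreviated `config system accprofile` output from the thread.
SAMPLE_ACCPROFILE_CONFIG = """\
config system accprofile
    edit "prof_admin"
        set secfabgrp read-write
        set sysgrp read-write
        set loggrp read-only
    next
    edit "terraform"
        set secfabgrp read-write
        set sysgrp read-write
    next
end
"""

# Assumption based on this thread: built-in profiles that the accprofile
# datasource does not return to a non-super_admin API user.
BUILTIN_PROFILES = {"super_admin", "admin_no_access"}

_DEFAULT_PROFILE_RE = re.compile(r'^\s*default_profile\s*=\s*"([^"]*)"', re.MULTILINE)
_EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$')


@dataclass
class AccProfile:
    name: str
    settings: dict = field(default_factory=dict)


def extract_default_profile(hcl_text):
    """Return the literal default_profile value from an HCL snippet, or None."""
    m = _DEFAULT_PROFILE_RE.search(hcl_text)
    return m.group(1) if m else None


def parse_accprofiles(text):
    """Parse `config system accprofile` CLI output into {name: AccProfile}.

    Only top-level edit/next blocks are consumed; any nested config/end
    blocks inside an entry are skipped using a depth counter.
    """
    profiles, current, depth = {}, None, 0
    for line in text.splitlines():
        stripped = line.strip()
        if current is None:
            m = _EDIT_RE.match(line)
            if m:
                current = AccProfile(m.group(1))
            continue  # outer 'config'/'end' lines are ignored
        if stripped.startswith("config "):
            depth += 1
        elif stripped == "end" and depth > 0:
            depth -= 1
        elif depth == 0 and stripped == "next":
            profiles[current.name] = current
            current = None
        elif depth == 0:
            m = _SET_RE.match(line)
            if m:
                current.settings[m.group(1)] = m.group(2)
    return profiles


def check_default_profile(name, profiles):
    """Classify a candidate default_profile; returns (ok, reason)."""
    if name in profiles:
        return True, f"'{name}' is defined in system accprofile"
    if name in BUILTIN_PROFILES:
        return False, (f"'{name}' is a built-in profile not returned by the accprofile "
                       "datasource for this user; pick a profile defined under "
                       "'config system accprofile' or expect 'entry not found in datasource'")
    return False, f"'{name}' is not defined in system accprofile"


def read_write_groups(profile):
    """Permission groups the profile grants read-write; review before making it
    the default for new SSO admins."""
    return sorted(k for k, v in profile.settings.items() if v == "read-write")


if __name__ == "__main__":
    profiles = parse_accprofiles(SAMPLE_ACCPROFILE_CONFIG)
    wanted = extract_default_profile(SAMPLE_HCL)
    ok, reason = check_default_profile(wanted, profiles)
    print(("OK  " if ok else "FAIL"), reason)
    for p in profiles.values():
        print(f"{p.name}: read-write on {read_write_groups(p)}")
```

Feed it the real `show system accprofile` output (or the `results[].name` values from `GET /api/v2/cmdb/system/accprofile`, which the API preview in the thread is built on) and the HCL file under review; a FAIL on the built-in names reproduces the 500 seen here without touching the device.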

Hi @BluetriX,

Thank you for raising this issue. Could you check whether your admin user has the super_admin profile? Only a 'super_admin' user can see the 'super_admin' profile. And the 'super_admin' profile cannot be modified, which is why you cannot see it in 'config system accprofile'.

Thanks, Xing

lix-fortinet, Nov 20 '23 20:11

Hi @BluetriX

I will go ahead and close this case. If you have any further questions, feel free to reopen it or open a new case to let us know.

Thanks, Maxx

MaxxLiu22, Sep 16 '24 18:09