import * as pulumi from "@pulumi/pulumi";
/**
 * This resource manages NAC IDPs (Identity Providers).
 *
 * The NAC IDPs are used to validate NAC client accounts against an IDP with OAuth2.0, LDAP/LDAPS, or a local Mist Edge.\
 * Mist Access Assurance can also retrieve group membership from the IDP, and use this information in the NAC Rules (`junipermist.org.Nacrule` resource)
 *
 * IMPORTANT:
 * * Once created, the NAC IDP must be registered in the `junipermist.org.Setting` resource (full path: `mist_org_setting.mist_nac.idps`).
 * * The associated REALMS are configured under `mist_org_setting.mist_nac.idps`
 * * To make the IDP the Default IDP, set the IDP ID under `mist_org_setting.mist_nac.default_idp_id`
 *
 * For SAML IDP, the NAC IDP Metadata can be retrieved with the `junipermist.org.getNacidpMetadata` data source.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as junipermist from "@pulumi/juniper-mist";
 *
 * // OAuth with Azure Example
 * const idpAzure = new junipermist.org.Nacidp("idp_azure", {
 *     orgId: terraformTest.id,
 *     name: "idp_azure",
 *     idpType: "oauth",
 *     oauthCcClientId: "client_id",
 *     oauthCcClientSecret: "-----BEGIN CERTIFICATE-----MIIF0jC .../fSCGx7-----END CERTIFICATE-----",
 *     oauthRopcClientId: "ropc_client_id",
 *     oauthRopcClientSecret: "ropc_client_secret",
 *     oauthTenantId: "tenant_id",
 *     oauthType: "azure",
 * });
 * // Custom LDAP Example
 * const idpLdap = new junipermist.org.Nacidp("idp_ldap", {
 *     orgId: terraformTest.id,
 *     name: "idp_ldap",
 *     idpType: "ldap",
 *     ldapType: "custom",
 *     groupFilter: "memberOf",
 *     memberFilter: "memberOf",
 *     ldapUserFilter: "(mail=%s)",
 *     ldapServerHosts: [
 *         "ldap.mycorp.com",
 *         "1.2.3.4",
 *     ],
 *     ldapBaseDn: "DC=abc,DC=com",
 *     ldapBindDn: "CN=admin,CN=users,DC=abc,DC=com",
 *     ldapBindPassword: "secret!password",
 *     ldapCacerts: [
 *         `-----BEGIN CERTIFICATE-----
 * MIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE
 * -----END CERTIFICATE-----`,
 *         `-----BEGIN CERTIFICATE-----
 * BhMCRVMxFDASBgNVBAoMC1N0YXJ0Q29tIENBMSwwKgYDVn-----END CERTIFICATE-----`,
 *     ],
 *     ldapClientCert: `-----BEGIN CERTIFICATE-----
 * MIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE
 * -----END CERTIFICATE-----`,
 *     ldapClientKey: "-----BEGIN PRI...",
 * });
 * ```
 *
 * ## Import
 *
 * Using `pulumi import`, import `junipermist.org.Nacidp` with:
 * Org PSK can be imported by specifying the orgId and the nacidpId
 *
 * ```sh
 * $ pulumi import junipermist:org/nacidp:Nacidp idp_azure 17b46405-3a6d-4715-8bb4-6bb6d06f316a.d3c42998-9012-4859-9743-6b9bee475309
 * ```
 */
export declare class Nacidp extends pulumi.CustomResource {
    /**
     * Get an existing Nacidp resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: NacidpState, opts?: pulumi.CustomResourceOptions): Nacidp;
    /**
     * Returns true if the given object is an instance of Nacidp.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Nacidp;
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
     */
    readonly groupFilter: pulumi.Output<string | undefined>;
    /**
     * enum: `ldap`, `mxedgeProxy`, `oauth`, `openroaming`
     */
    readonly idpType: pulumi.Output<string>;
    /**
     * Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
     */
    readonly ldapBaseDn: pulumi.Output<string | undefined>;
    /**
     * Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
     */
    readonly ldapBindDn: pulumi.Output<string | undefined>;
    /**
     * Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
     */
    readonly ldapBindPassword: pulumi.Output<string | undefined>;
    /**
     * CA certificates used to validate LDAP or LDAPS server certificates. Required if `idpType`==`ldap`
     */
    readonly ldapCacerts: pulumi.Output<string[] | undefined>;
    /**
     * If `idpType`==`ldap`, LDAPS Client certificate
     */
    readonly ldapClientCert: pulumi.Output<string | undefined>;
    /**
     * If `idpType`==`ldap`, Key for the `ldapClientCert`
     */
    readonly ldapClientKey: pulumi.Output<string | undefined>;
    /**
     * Group attribute used to resolve LDAP memberships. If `ldapType`==`custom`
     */
    readonly ldapGroupAttr: pulumi.Output<string | undefined>;
    /**
     * Group search base used for custom LDAP group lookup. If `ldapType`==`custom`
     */
    readonly ldapGroupDn: pulumi.Output<string | undefined>;
    /**
     * If `idpType`==`ldap`, whether to recursively resolve LDAP groups
     */
    readonly ldapResolveGroups: pulumi.Output<boolean>;
    /**
     * Server hostnames or IP addresses for LDAP or LDAPS when `idpType`==`ldap`
     */
    readonly ldapServerHosts: pulumi.Output<string[] | undefined>;
    /**
     * Provider template for LDAP SSO when `idpType`==`ldap`
     */
    readonly ldapType: pulumi.Output<string | undefined>;
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
     */
    readonly ldapUserFilter: pulumi.Output<string | undefined>;
    /**
     * Required if `ldapType`==`custom`,LDAP filter that will identify the type of member
     */
    readonly memberFilter: pulumi.Output<string | undefined>;
    /**
     * Display name of the NAC IDP configuration
     */
    readonly name: pulumi.Output<string>;
    /**
     * Required if `idpType`==`oauth`, Client Credentials
     */
    readonly oauthCcClientId: pulumi.Output<string | undefined>;
    /**
     * Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
     */
    readonly oauthCcClientSecret: pulumi.Output<string | undefined>;
    /**
     * OAuth discovery document URL used when `idpType`==`oauth`
     */
    readonly oauthDiscoveryUrl: pulumi.Output<string | undefined>;
    /**
     * Ping Identity region for OAuth SSO when `oauthType`==`pingIdentity`
     */
    readonly oauthPingIdentityRegion: pulumi.Output<string>;
    /**
     * Provider domain for Okta OAuth SSO when `oauthType`==`okta`
     */
    readonly oauthProviderDomain: pulumi.Output<string>;
    /**
     * If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
     */
    readonly oauthRopcClientId: pulumi.Output<string | undefined>;
    /**
     * If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
     */
    readonly oauthRopcClientSecret: pulumi.Output<string | undefined>;
    /**
     * Required if `idpType`==`oauth`, oauth*tenant*id
     */
    readonly oauthTenantId: pulumi.Output<string | undefined>;
    /**
     * Provider type for OAuth SSO when `idpType`==`oauth`
     */
    readonly oauthType: pulumi.Output<string>;
    /**
     * SSIDs that support OpenRoaming, used when `idpType`==`openroaming`
     */
    readonly openroamingSsids: pulumi.Output<string[] | undefined>;
    /**
     * Optional WBA-issued client certificate for OpenRoaming. If not provided, the default WBA-issued certificate for Juniper will be used.
     */
    readonly openroamingWbaClientCert: pulumi.Output<string | undefined>;
    /**
     * Optional WBA-issued client private key for OpenRoaming. If not provided, the default WBA-issued key for Juniper will be used.
     */
    readonly openroamingWbaClientKey: pulumi.Output<string | undefined>;
    /**
     * Owning organization identifier for this NAC IDP configuration
     */
    readonly orgId: pulumi.Output<string>;
    /**
     * If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
     */
    readonly scimEnabled: pulumi.Output<boolean>;
    /**
     * If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
     */
    readonly scimSecretToken: pulumi.Output<string>;
    /**
     * Create a Nacidp resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: NacidpArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering Nacidp resources.
 */
export interface NacidpState {
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
     */
    groupFilter?: pulumi.Input<string | undefined>;
    /**
     * enum: `ldap`, `mxedgeProxy`, `oauth`, `openroaming`
     */
    idpType?: pulumi.Input<string | undefined>;
    /**
     * Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
     */
    ldapBaseDn?: pulumi.Input<string | undefined>;
    /**
     * Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
     */
    ldapBindDn?: pulumi.Input<string | undefined>;
    /**
     * Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
     */
    ldapBindPassword?: pulumi.Input<string | undefined>;
    /**
     * CA certificates used to validate LDAP or LDAPS server certificates. Required if `idpType`==`ldap`
     */
    ldapCacerts?: pulumi.Input<pulumi.Input<string>[] | undefined>;
    /**
     * If `idpType`==`ldap`, LDAPS Client certificate
     */
    ldapClientCert?: pulumi.Input<string | undefined>;
    /**
     * If `idpType`==`ldap`, Key for the `ldapClientCert`
     */
    ldapClientKey?: pulumi.Input<string | undefined>;
    /**
     * Group attribute used to resolve LDAP memberships. If `ldapType`==`custom`
     */
    ldapGroupAttr?: pulumi.Input<string | undefined>;
    /**
     * Group search base used for custom LDAP group lookup. If `ldapType`==`custom`
     */
    ldapGroupDn?: pulumi.Input<string | undefined>;
    /**
     * If `idpType`==`ldap`, whether to recursively resolve LDAP groups
     */
    ldapResolveGroups?: pulumi.Input<boolean | undefined>;
    /**
     * Server hostnames or IP addresses for LDAP or LDAPS when `idpType`==`ldap`
     */
    ldapServerHosts?: pulumi.Input<pulumi.Input<string>[] | undefined>;
    /**
     * Provider template for LDAP SSO when `idpType`==`ldap`
     */
    ldapType?: pulumi.Input<string | undefined>;
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
     */
    ldapUserFilter?: pulumi.Input<string | undefined>;
    /**
     * Required if `ldapType`==`custom`,LDAP filter that will identify the type of member
     */
    memberFilter?: pulumi.Input<string | undefined>;
    /**
     * Display name of the NAC IDP configuration
     */
    name?: pulumi.Input<string | undefined>;
    /**
     * Required if `idpType`==`oauth`, Client Credentials
     */
    oauthCcClientId?: pulumi.Input<string | undefined>;
    /**
     * Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
     */
    oauthCcClientSecret?: pulumi.Input<string | undefined>;
    /**
     * OAuth discovery document URL used when `idpType`==`oauth`
     */
    oauthDiscoveryUrl?: pulumi.Input<string | undefined>;
    /**
     * Ping Identity region for OAuth SSO when `oauthType`==`pingIdentity`
     */
    oauthPingIdentityRegion?: pulumi.Input<string | undefined>;
    /**
     * Provider domain for Okta OAuth SSO when `oauthType`==`okta`
     */
    oauthProviderDomain?: pulumi.Input<string | undefined>;
    /**
     * If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
     */
    oauthRopcClientId?: pulumi.Input<string | undefined>;
    /**
     * If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
     */
    oauthRopcClientSecret?: pulumi.Input<string | undefined>;
    /**
     * Required if `idpType`==`oauth`, oauth*tenant*id
     */
    oauthTenantId?: pulumi.Input<string | undefined>;
    /**
     * Provider type for OAuth SSO when `idpType`==`oauth`
     */
    oauthType?: pulumi.Input<string | undefined>;
    /**
     * SSIDs that support OpenRoaming, used when `idpType`==`openroaming`
     */
    openroamingSsids?: pulumi.Input<pulumi.Input<string>[] | undefined>;
    /**
     * Optional WBA-issued client certificate for OpenRoaming. If not provided, the default WBA-issued certificate for Juniper will be used.
     */
    openroamingWbaClientCert?: pulumi.Input<string | undefined>;
    /**
     * Optional WBA-issued client private key for OpenRoaming. If not provided, the default WBA-issued key for Juniper will be used.
     */
    openroamingWbaClientKey?: pulumi.Input<string | undefined>;
    /**
     * Owning organization identifier for this NAC IDP configuration
     */
    orgId?: pulumi.Input<string | undefined>;
    /**
     * If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
     */
    scimEnabled?: pulumi.Input<boolean | undefined>;
    /**
     * If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
     */
    scimSecretToken?: pulumi.Input<string | undefined>;
}
/**
 * The set of arguments for constructing a Nacidp resource.
 */
export interface NacidpArgs {
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
     */
    groupFilter?: pulumi.Input<string | undefined>;
    /**
     * enum: `ldap`, `mxedgeProxy`, `oauth`, `openroaming`
     */
    idpType: pulumi.Input<string>;
    /**
     * Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
     */
    ldapBaseDn?: pulumi.Input<string | undefined>;
    /**
     * Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
     */
    ldapBindDn?: pulumi.Input<string | undefined>;
    /**
     * Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
     */
    ldapBindPassword?: pulumi.Input<string | undefined>;
    /**
     * CA certificates used to validate LDAP or LDAPS server certificates. Required if `idpType`==`ldap`
     */
    ldapCacerts?: pulumi.Input<pulumi.Input<string>[] | undefined>;
    /**
     * If `idpType`==`ldap`, LDAPS Client certificate
     */
    ldapClientCert?: pulumi.Input<string | undefined>;
    /**
     * If `idpType`==`ldap`, Key for the `ldapClientCert`
     */
    ldapClientKey?: pulumi.Input<string | undefined>;
    /**
     * Group attribute used to resolve LDAP memberships. If `ldapType`==`custom`
     */
    ldapGroupAttr?: pulumi.Input<string | undefined>;
    /**
     * Group search base used for custom LDAP group lookup. If `ldapType`==`custom`
     */
    ldapGroupDn?: pulumi.Input<string | undefined>;
    /**
     * If `idpType`==`ldap`, whether to recursively resolve LDAP groups
     */
    ldapResolveGroups?: pulumi.Input<boolean | undefined>;
    /**
     * Server hostnames or IP addresses for LDAP or LDAPS when `idpType`==`ldap`
     */
    ldapServerHosts?: pulumi.Input<pulumi.Input<string>[] | undefined>;
    /**
     * Provider template for LDAP SSO when `idpType`==`ldap`
     */
    ldapType?: pulumi.Input<string | undefined>;
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
     */
    ldapUserFilter?: pulumi.Input<string | undefined>;
    /**
     * Required if `ldapType`==`custom`,LDAP filter that will identify the type of member
     */
    memberFilter?: pulumi.Input<string | undefined>;
    /**
     * Display name of the NAC IDP configuration
     */
    name?: pulumi.Input<string | undefined>;
    /**
     * Required if `idpType`==`oauth`, Client Credentials
     */
    oauthCcClientId?: pulumi.Input<string | undefined>;
    /**
     * Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
     */
    oauthCcClientSecret?: pulumi.Input<string | undefined>;
    /**
     * OAuth discovery document URL used when `idpType`==`oauth`
     */
    oauthDiscoveryUrl?: pulumi.Input<string | undefined>;
    /**
     * Ping Identity region for OAuth SSO when `oauthType`==`pingIdentity`
     */
    oauthPingIdentityRegion?: pulumi.Input<string | undefined>;
    /**
     * Provider domain for Okta OAuth SSO when `oauthType`==`okta`
     */
    oauthProviderDomain?: pulumi.Input<string | undefined>;
    /**
     * If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
     */
    oauthRopcClientId?: pulumi.Input<string | undefined>;
    /**
     * If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
     */
    oauthRopcClientSecret?: pulumi.Input<string | undefined>;
    /**
     * Required if `idpType`==`oauth`, oauth*tenant*id
     */
    oauthTenantId?: pulumi.Input<string | undefined>;
    /**
     * Provider type for OAuth SSO when `idpType`==`oauth`
     */
    oauthType?: pulumi.Input<string | undefined>;
    /**
     * SSIDs that support OpenRoaming, used when `idpType`==`openroaming`
     */
    openroamingSsids?: pulumi.Input<pulumi.Input<string>[] | undefined>;
    /**
     * Optional WBA-issued client certificate for OpenRoaming. If not provided, the default WBA-issued certificate for Juniper will be used.
     */
    openroamingWbaClientCert?: pulumi.Input<string | undefined>;
    /**
     * Optional WBA-issued client private key for OpenRoaming. If not provided, the default WBA-issued key for Juniper will be used.
     */
    openroamingWbaClientKey?: pulumi.Input<string | undefined>;
    /**
     * Owning organization identifier for this NAC IDP configuration
     */
    orgId: pulumi.Input<string>;
    /**
     * If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
     */
    scimEnabled?: pulumi.Input<boolean | undefined>;
    /**
     * If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
     */
    scimSecretToken?: pulumi.Input<string | undefined>;
}
//# sourceMappingURL=nacidp.d.ts.map