import * as pulumi from "@pulumi/pulumi";
/**
 * This resource manages NAC IDPs (Identity Providers).
 *
 * The NAC IDPs are used to validate NAC client accounts against an IDP with OAuth2.0, LDAP/LDAPS, or a local Mist Edge.\
 * Mist Access Assurance can also retrieve group membership from the IDP, and use this information in the NAC Rules (`junipermist.org.Nacrule` resource)
 *
 * IMPORTANT:
 * * Once created, the NAC IDP must be registered in the `junipermist.org.Setting` resource (full path: `mist_org_setting.mist_nac.idps`).
 * * The associated REALMS are configured under `mist_org_setting.mist_nac.idps`
 * * To make the IDP the Default IDP, set the IDP ID under `mist_org_setting.mist_nac.default_idp_id`
 *
 * For SAML IDP, the NAC IDP Metadata can be retrieved with the `junipermist.org.getNacidpMetadata` data source.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as junipermist from "@pulumi/juniper-mist";
 *
 * // OAuth with Azure Example
 * const idpAzure = new junipermist.org.Nacidp("idp_azure", {
 *     orgId: terraformTest.id,
 *     name: "idp_azure",
 *     idpType: "oauth",
 *     oauthCcClientId: "client_id",
 *     oauthCcClientSecret: "-----BEGIN CERTIFICATE-----MIIF0jC .../fSCGx7-----END CERTIFICATE-----",
 *     oauthRopcClientId: "ropc_client_id",
 *     oauthRopcClientSecret: "ropc_client_secret",
 *     oauthTenantId: "tenant_id",
 *     oauthType: "azure",
 * });
 * // Custom LDAP Example
 * const idpLdap = new junipermist.org.Nacidp("idp_ldap", {
 *     orgId: terraformTest.id,
 *     name: "idp_ldap",
 *     idpType: "ldap",
 *     ldapType: "custom",
 *     groupFilter: "memberOf",
 *     memberFilter: "memberOf",
 *     ldapUserFilter: "(mail=%s)",
 *     ldapServerHosts: [
 *         "ldap.mycorp.com",
 *         "1.2.3.4",
 *     ],
 *     ldapBaseDn: "DC=abc,DC=com",
 *     ldapBindDn: "CN=admin,CN=users,DC=abc,DC=com",
 *     ldapBindPassword: "secret!password",
 *     ldapCacerts: [
 *         `-----BEGIN CERTIFICATE-----
 * MIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE
 * -----END CERTIFICATE-----`,
 *         `-----BEGIN CERTIFICATE-----
 * BhMCRVMxFDASBgNVBAoMC1N0YXJ0Q29tIENBMSwwKgYDVn-----END CERTIFICATE-----`,
 *     ],
 *     ldapClientCert: `-----BEGIN CERTIFICATE-----
 * MIIFZjCCA06gAwIBAgIIP61/1qm/uDowDQYJKoZIhvcNAQELBQE
 * -----END CERTIFICATE-----`,
 *     ldapClientKey: "-----BEGIN PRI...",
 * });
 * ```
 *
 * ## Import
 *
 * Using `pulumi import`, import `mist_org_nacidp` with:
 *
 * Org PSK can be imported by specifying the org_id and the nacidp_id
 *
 * ```sh
 * $ pulumi import junipermist:org/nacidp:Nacidp idp_azure 17b46405-3a6d-4715-8bb4-6bb6d06f316a.d3c42998-9012-4859-9743-6b9bee475309
 * ```
 */
export declare class Nacidp extends pulumi.CustomResource {
    /**
     * Get an existing Nacidp resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: NacidpState, opts?: pulumi.CustomResourceOptions): Nacidp;
    /**
     * Returns true if the given object is an instance of Nacidp.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Nacidp;
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
     */
    readonly groupFilter: pulumi.Output<string | undefined>;
    /**
     * enum: `ldap`, `mxedgeProxy`, `oauth`
     */
    readonly idpType: pulumi.Output<string>;
    /**
     * Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
     */
    readonly ldapBaseDn: pulumi.Output<string | undefined>;
    /**
     * Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
     */
    readonly ldapBindDn: pulumi.Output<string | undefined>;
    /**
     * Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
     */
    readonly ldapBindPassword: pulumi.Output<string | undefined>;
    /**
     * Required if `idpType`==`ldap`, list of CA certificates to validate the LDAP certificate
     */
    readonly ldapCacerts: pulumi.Output<string[] | undefined>;
    /**
     * If `idpType`==`ldap`, LDAPS Client certificate
     */
    readonly ldapClientCert: pulumi.Output<string | undefined>;
    /**
     * If `idpType`==`ldap`, Key for the `ldapClientCert`
     */
    readonly ldapClientKey: pulumi.Output<string | undefined>;
    /**
     * If `ldapType`==`custom`
     */
    readonly ldapGroupAttr: pulumi.Output<string | undefined>;
    /**
     * If `ldapType`==`custom`
     */
    readonly ldapGroupDn: pulumi.Output<string | undefined>;
    /**
     * If `idpType`==`ldap`, whether to recursively resolve LDAP groups
     */
    readonly ldapResolveGroups: pulumi.Output<boolean>;
    /**
     * If `idpType`==`ldap`, list of LDAP/LDAPS server IP Addresses or Hostnames
     */
    readonly ldapServerHosts: pulumi.Output<string[] | undefined>;
    /**
     * if `idpType`==`ldap`. enum: `azure`, `custom`, `google`, `okta`, `pingIdentity`
     */
    readonly ldapType: pulumi.Output<string | undefined>;
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
     */
    readonly ldapUserFilter: pulumi.Output<string | undefined>;
    /**
     * Required if `ldapType`==`custom`,LDAP filter that will identify the type of member
     */
    readonly memberFilter: pulumi.Output<string | undefined>;
    /**
     * Name
     */
    readonly name: pulumi.Output<string>;
    /**
     * Required if `idpType`==`oauth`, Client Credentials
     */
    readonly oauthCcClientId: pulumi.Output<string | undefined>;
    /**
     * Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
     */
    readonly oauthCcClientSecret: pulumi.Output<string | undefined>;
    /**
     * If `idpType`==`oauth`
     */
    readonly oauthDiscoveryUrl: pulumi.Output<string | undefined>;
    /**
     * enum: `us` (United States, default), `ca` (Canada), `eu` (Europe), `asia` (Asia), `au` (Australia)
     */
    readonly oauthPingIdentityRegion: pulumi.Output<string>;
    /**
     * If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
     */
    readonly oauthRopcClientId: pulumi.Output<string | undefined>;
    /**
     * If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
     */
    readonly oauthRopcClientSecret: pulumi.Output<string | undefined>;
    /**
     * Required if `idpType`==`oauth`, oauth*tenant*id
     */
    readonly oauthTenantId: pulumi.Output<string | undefined>;
    /**
     * if `idpType`==`oauth`. enum: `azure`, `azure-gov`, `okta`, `pingIdentity`
     */
    readonly oauthType: pulumi.Output<string>;
    readonly orgId: pulumi.Output<string>;
    /**
     * If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
     */
    readonly scimEnabled: pulumi.Output<boolean>;
    /**
     * If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
     */
    readonly scimSecretToken: pulumi.Output<string>;
    /**
     * Create a Nacidp resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: NacidpArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering Nacidp resources.
 */
export interface NacidpState {
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
     */
    groupFilter?: pulumi.Input<string>;
    /**
     * enum: `ldap`, `mxedgeProxy`, `oauth`
     */
    idpType?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
     */
    ldapBaseDn?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
     */
    ldapBindDn?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
     */
    ldapBindPassword?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`ldap`, list of CA certificates to validate the LDAP certificate
     */
    ldapCacerts?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * If `idpType`==`ldap`, LDAPS Client certificate
     */
    ldapClientCert?: pulumi.Input<string>;
    /**
     * If `idpType`==`ldap`, Key for the `ldapClientCert`
     */
    ldapClientKey?: pulumi.Input<string>;
    /**
     * If `ldapType`==`custom`
     */
    ldapGroupAttr?: pulumi.Input<string>;
    /**
     * If `ldapType`==`custom`
     */
    ldapGroupDn?: pulumi.Input<string>;
    /**
     * If `idpType`==`ldap`, whether to recursively resolve LDAP groups
     */
    ldapResolveGroups?: pulumi.Input<boolean>;
    /**
     * If `idpType`==`ldap`, list of LDAP/LDAPS server IP Addresses or Hostnames
     */
    ldapServerHosts?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * if `idpType`==`ldap`. enum: `azure`, `custom`, `google`, `okta`, `pingIdentity`
     */
    ldapType?: pulumi.Input<string>;
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
     */
    ldapUserFilter?: pulumi.Input<string>;
    /**
     * Required if `ldapType`==`custom`,LDAP filter that will identify the type of member
     */
    memberFilter?: pulumi.Input<string>;
    /**
     * Name
     */
    name?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`oauth`, Client Credentials
     */
    oauthCcClientId?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
     */
    oauthCcClientSecret?: pulumi.Input<string>;
    /**
     * If `idpType`==`oauth`
     */
    oauthDiscoveryUrl?: pulumi.Input<string>;
    /**
     * enum: `us` (United States, default), `ca` (Canada), `eu` (Europe), `asia` (Asia), `au` (Australia)
     */
    oauthPingIdentityRegion?: pulumi.Input<string>;
    /**
     * If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
     */
    oauthRopcClientId?: pulumi.Input<string>;
    /**
     * If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
     */
    oauthRopcClientSecret?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`oauth`, oauth*tenant*id
     */
    oauthTenantId?: pulumi.Input<string>;
    /**
     * if `idpType`==`oauth`. enum: `azure`, `azure-gov`, `okta`, `pingIdentity`
     */
    oauthType?: pulumi.Input<string>;
    orgId?: pulumi.Input<string>;
    /**
     * If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
     */
    scimEnabled?: pulumi.Input<boolean>;
    /**
     * If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
     */
    scimSecretToken?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a Nacidp resource.
 */
export interface NacidpArgs {
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of group
     */
    groupFilter?: pulumi.Input<string>;
    /**
     * enum: `ldap`, `mxedgeProxy`, `oauth`
     */
    idpType: pulumi.Input<string>;
    /**
     * Required if `idpType`==`ldap`, whole domain or a specific organization unit (container) in Search base to specify where users and groups are found in the LDAP tree
     */
    ldapBaseDn?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`ldap`, the account used to authenticate against the LDAP
     */
    ldapBindDn?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`ldap`, the password used to authenticate against the LDAP
     */
    ldapBindPassword?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`ldap`, list of CA certificates to validate the LDAP certificate
     */
    ldapCacerts?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * If `idpType`==`ldap`, LDAPS Client certificate
     */
    ldapClientCert?: pulumi.Input<string>;
    /**
     * If `idpType`==`ldap`, Key for the `ldapClientCert`
     */
    ldapClientKey?: pulumi.Input<string>;
    /**
     * If `ldapType`==`custom`
     */
    ldapGroupAttr?: pulumi.Input<string>;
    /**
     * If `ldapType`==`custom`
     */
    ldapGroupDn?: pulumi.Input<string>;
    /**
     * If `idpType`==`ldap`, whether to recursively resolve LDAP groups
     */
    ldapResolveGroups?: pulumi.Input<boolean>;
    /**
     * If `idpType`==`ldap`, list of LDAP/LDAPS server IP Addresses or Hostnames
     */
    ldapServerHosts?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * if `idpType`==`ldap`. enum: `azure`, `custom`, `google`, `okta`, `pingIdentity`
     */
    ldapType?: pulumi.Input<string>;
    /**
     * Required if `ldapType`==`custom`, LDAP filter that will identify the type of user
     */
    ldapUserFilter?: pulumi.Input<string>;
    /**
     * Required if `ldapType`==`custom`,LDAP filter that will identify the type of member
     */
    memberFilter?: pulumi.Input<string>;
    /**
     * Name
     */
    name?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`oauth`, Client Credentials
     */
    oauthCcClientId?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`oauth`, oauth*cc*client_secret is RSA private key, of the form "-----BEGIN RSA PRIVATE KEY--...."
     */
    oauthCcClientSecret?: pulumi.Input<string>;
    /**
     * If `idpType`==`oauth`
     */
    oauthDiscoveryUrl?: pulumi.Input<string>;
    /**
     * enum: `us` (United States, default), `ca` (Canada), `eu` (Europe), `asia` (Asia), `au` (Australia)
     */
    oauthPingIdentityRegion?: pulumi.Input<string>;
    /**
     * If `idpType`==`oauth`, ropc = Resource Owner Password Credentials
     */
    oauthRopcClientId?: pulumi.Input<string>;
    /**
     * If `oauthType`==`azure` or `oauthType`==`azure-gov`. oauth*ropc*client_secret can be empty
     */
    oauthRopcClientSecret?: pulumi.Input<string>;
    /**
     * Required if `idpType`==`oauth`, oauth*tenant*id
     */
    oauthTenantId?: pulumi.Input<string>;
    /**
     * if `idpType`==`oauth`. enum: `azure`, `azure-gov`, `okta`, `pingIdentity`
     */
    oauthType?: pulumi.Input<string>;
    orgId: pulumi.Input<string>;
    /**
     * If `idpType`==`oauth`, indicates if SCIM provisioning is enabled for the OAuth IDP
     */
    scimEnabled?: pulumi.Input<boolean>;
    /**
     * If `idpType`==`oauth`, scim*secret*token (auto-generated when not provided by caller and `scimEnabled`==`true`, empty string when `scimEnabled`==`false`) is used as the Bearer token in the Authorization header of SCIM provisioning requests by the IDP
     */
    scimSecretToken?: pulumi.Input<string>;
}
