import * as pulumi from "@pulumi/pulumi";
/**
 * This resource manages Org SSO Configuration.
 *
 * Org SSO, or Single Sign-On, is a method of authentication that allows users to securely log in to multiple applications and websites with a single set of login credentials.\
 * It involves integrating the Org portal with an Identity Provider (IdP) using the Security Assertion Markup Language (SAML) framework.\
 * This enables users to authenticate themselves through their corporate IdP, eliminating the need to remember separate passwords or enter credentials each time they access the Org portal.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as junipermist from "@pulumi/juniper-mist";
 *
 * const ssoAdminOne = new junipermist.org.Sso("sso_admin_one", {
 *     orgId: terraformTest.id,
 *     name: "sso_admin_one",
 *     customLogoutUrl: "https://idp.com/logout",
 *     idpCert: "-----BEGIN CERTIFICATE-----MIIF0jC .../fSCGx7-----END CERTIFICATE-----",
 *     idpSignAlgo: "sha512",
 *     idpSsoUrl: "https://idp.com/login",
 *     issuer: "my_idp_issuer",
 *     nameidFormat: "email",
 * });
 * ```
 *
 * ## Import
 *
 * Using `pulumi import`, import `mist_org_sso` with:
 *
 * Org PSK can be imported by specifying the org_id and the sso_id
 *
 * ```sh
 * $ pulumi import junipermist:org/sso:Sso sso_admin_one 17b46405-3a6d-4715-8bb4-6bb6d06f316a.d3c42998-9012-4859-9743-6b9bee475309
 * ```
 */
export declare class Sso extends pulumi.CustomResource {
    /**
     * Get an existing Sso resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SsoState, opts?: pulumi.CustomResourceOptions): Sso;
    /**
     * Returns true if the given object is an instance of Sso.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is Sso;
    /**
     * a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is
     * different from SP-initiated SLO process)
     */
    readonly customLogoutUrl: pulumi.Output<string | undefined>;
    /**
     * default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role
     * matched
     */
    readonly defaultRole: pulumi.Output<string | undefined>;
    /**
     * Random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
     * `/api/v1/saml/{domain}/login` (e.g. `https://api.mist.com/api/v1/saml/s4t5vwv8/login`) * Single Logout URL =
     * `/api/v1/saml/{domain}/logout` (e.g. `https://api.mist.com/api/v1/saml/s4t5vwv8/logout`)
     */
    readonly domain: pulumi.Output<string>;
    /**
     * IDP Cert (used to verify the signed response)
     */
    readonly idpCert: pulumi.Output<string>;
    /**
     * Signing algorithm for SAML Assertion. enum `sha1`, `sha256`, `sha384`, `sha512`
     */
    readonly idpSignAlgo: pulumi.Output<string>;
    /**
     * IDP Single-Sign-On URL
     */
    readonly idpSsoUrl: pulumi.Output<string>;
    /**
     * ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
     */
    readonly ignoreUnmatchedRoles: pulumi.Output<boolean | undefined>;
    /**
     * IDP issuer URL
     */
    readonly issuer: pulumi.Output<string>;
    /**
     * Name
     */
    readonly name: pulumi.Output<string>;
    /**
     * enum: `email`, `unspecified`
     */
    readonly nameidFormat: pulumi.Output<string>;
    readonly orgId: pulumi.Output<string>;
    /**
     * custom role attribute parsing scheme. Supported Role Parsing Schemes
     * <table><tr><th>Name</th><th>Scheme</th></tr><tr><td>`cn`</td><td><ul><li>The expected role attribute format in SAML
     * Assertion is “CN=cn,OU=ou1,OU=ou2,…”</li><li>CN (the key) is case insensitive and exactly 1 CN is expected (or the
     * entire entry will be ignored)</li></ul>E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is
     * “cn”</td></tr></table>
     */
    readonly roleAttrExtraction: pulumi.Output<string | undefined>;
    /**
     * name of the attribute in SAML Assertion to extract role from. Default: `Role`
     */
    readonly roleAttrFrom: pulumi.Output<string>;
    /**
     * Create a Sso resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: SsoArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering Sso resources.
 */
export interface SsoState {
    /**
     * a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is
     * different from SP-initiated SLO process)
     */
    customLogoutUrl?: pulumi.Input<string>;
    /**
     * default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role
     * matched
     */
    defaultRole?: pulumi.Input<string>;
    /**
     * Random string generated during the SSO creation and used to generate the SAML URLs: * ACS URL =
     * `/api/v1/saml/{domain}/login` (e.g. `https://api.mist.com/api/v1/saml/s4t5vwv8/login`) * Single Logout URL =
     * `/api/v1/saml/{domain}/logout` (e.g. `https://api.mist.com/api/v1/saml/s4t5vwv8/logout`)
     */
    domain?: pulumi.Input<string>;
    /**
     * IDP Cert (used to verify the signed response)
     */
    idpCert?: pulumi.Input<string>;
    /**
     * Signing algorithm for SAML Assertion. enum `sha1`, `sha256`, `sha384`, `sha512`
     */
    idpSignAlgo?: pulumi.Input<string>;
    /**
     * IDP Single-Sign-On URL
     */
    idpSsoUrl?: pulumi.Input<string>;
    /**
     * ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
     */
    ignoreUnmatchedRoles?: pulumi.Input<boolean>;
    /**
     * IDP issuer URL
     */
    issuer?: pulumi.Input<string>;
    /**
     * Name
     */
    name?: pulumi.Input<string>;
    /**
     * enum: `email`, `unspecified`
     */
    nameidFormat?: pulumi.Input<string>;
    orgId?: pulumi.Input<string>;
    /**
     * custom role attribute parsing scheme. Supported Role Parsing Schemes
     * <table><tr><th>Name</th><th>Scheme</th></tr><tr><td>`cn`</td><td><ul><li>The expected role attribute format in SAML
     * Assertion is “CN=cn,OU=ou1,OU=ou2,…”</li><li>CN (the key) is case insensitive and exactly 1 CN is expected (or the
     * entire entry will be ignored)</li></ul>E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is
     * “cn”</td></tr></table>
     */
    roleAttrExtraction?: pulumi.Input<string>;
    /**
     * name of the attribute in SAML Assertion to extract role from. Default: `Role`
     */
    roleAttrFrom?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a Sso resource.
 */
export interface SsoArgs {
    /**
     * a URL we will redirect the user after user logout from Mist (for some IdP which supports a custom logout URL that is
     * different from SP-initiated SLO process)
     */
    customLogoutUrl?: pulumi.Input<string>;
    /**
     * default role to assign if there’s no match. By default, an assertion is treated as invalid when there’s no role
     * matched
     */
    defaultRole?: pulumi.Input<string>;
    /**
     * IDP Cert (used to verify the signed response)
     */
    idpCert: pulumi.Input<string>;
    /**
     * Signing algorithm for SAML Assertion. enum `sha1`, `sha256`, `sha384`, `sha512`
     */
    idpSignAlgo: pulumi.Input<string>;
    /**
     * IDP Single-Sign-On URL
     */
    idpSsoUrl: pulumi.Input<string>;
    /**
     * ignore any unmatched roles provided in assertion. By default, an assertion is treated as invalid for any unmatched role
     */
    ignoreUnmatchedRoles?: pulumi.Input<boolean>;
    /**
     * IDP issuer URL
     */
    issuer: pulumi.Input<string>;
    /**
     * Name
     */
    name?: pulumi.Input<string>;
    /**
     * enum: `email`, `unspecified`
     */
    nameidFormat?: pulumi.Input<string>;
    orgId: pulumi.Input<string>;
    /**
     * custom role attribute parsing scheme. Supported Role Parsing Schemes
     * <table><tr><th>Name</th><th>Scheme</th></tr><tr><td>`cn`</td><td><ul><li>The expected role attribute format in SAML
     * Assertion is “CN=cn,OU=ou1,OU=ou2,…”</li><li>CN (the key) is case insensitive and exactly 1 CN is expected (or the
     * entire entry will be ignored)</li></ul>E.g. if role attribute is “CN=cn,OU=ou1,OU=ou2” then parsed role value is
     * “cn”</td></tr></table>
     */
    roleAttrExtraction?: pulumi.Input<string>;
    /**
     * name of the attribute in SAML Assertion to extract role from. Default: `Role`
     */
    roleAttrFrom?: pulumi.Input<string>;
}
