Add support for token issuance policies

[smokedlinq]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Add support for the tokenIssuancePolicies API so that SAML applications can configure how tokens are signed. This may require the ability to create these policies to be assigned to the application as it looks like each application gets its own instance of a policies/tokenIssuancePolicies.

New or Affected Resource(s)

• azuread_service_principal

Potential Terraform Configuration

resource "azuread_service_principal" "example" {
  token_issuance_policy {
    signing_algorithm             = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    token_response_signing_policy = "ResponseAndToken"
  }
}

# Alternative adding it to the saml_single_sign_on block
resource "azuread_service_principal" "example" {
  saml_single_sign_on {
    token_issuance_policy = {
      signing_algorithm             = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
      token_response_signing_policy = "ResponseAndToken"
    }
  }
}

# Alternative as a separate resource, though you can only have one I believe so this may not make sense
resource "azuread_service_principal_token_issuance_policy" "example" {
  id                            = azuread_service_principal.example.id
  signing_algorithm             = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
  token_response_signing_policy = "ResponseAndToken"
}

References

• https://learn.microsoft.com/en-us/graph/api/application-post-tokenissuancepolicies?view=graph-rest-1.0&tabs=http