vercel · kitfoster · Apr 29, 2025 · Apr 11, 2025 · Apr 14, 2025 · Apr 14, 2025
@@ -19,12 +19,21 @@ type SamlRoleAccessGroupID struct {
 	AccessGroupID string `json:"accessGroupId"`
 }
 
-type SamlRole struct {
+type SamlRoleAPI struct {
 	Role          *string
 	AccessGroupID *SamlRoleAccessGroupID
 }
 
-func (f *SamlRole) UnmarshalJSON(data []byte) error {
+type SamlRolesAPI map[string]SamlRoleAPI
+
+type SamlRole struct {
+	Role          *string `json:"role"`
+	AccessGroupID *string `json:"accessGroupId"`
+}
+
+type SamlRoles map[string]SamlRole
+
+func (f *SamlRoleAPI) UnmarshalJSON(data []byte) error {
 	var role string
 	if err := json.Unmarshal(data, &role); err == nil {
 		f.Role = &role
@@ -38,10 +47,8 @@ func (f *SamlRole) UnmarshalJSON(data []byte) error {
 	return fmt.Errorf("received json is neither Role string nor AccessGroupID map")
 }
 
-type SamlRoles map[string]string
-
 func (f *SamlRoles) UnmarshalJSON(data []byte) error {
-	var result map[string]SamlRole
+	var result SamlRolesAPI
 	if err := json.Unmarshal(data, &result); err != nil {
 		return err
 	}
@@ -50,7 +57,14 @@ func (f *SamlRoles) UnmarshalJSON(data []byte) error {
 		k := k
 		v := v
 		if v.Role != nil {
-			tmp[k] = *(v.Role)
+			tmp[k] = SamlRole{
+				Role: v.Role,
+			}
+		}
+		if v.AccessGroupID != nil {
+			tmp[k] = SamlRole{
+				AccessGroupID: &v.AccessGroupID.AccessGroupID,
+			}
 		}
 	}
 	*f = tmp
@@ -119,9 +133,37 @@ func (c *Client) GetTeam(ctx context.Context, idOrSlug string) (t Team, err erro
 	return t, err
 }
 
+type UpdateSamlConfigRole struct {
+	Role          *string `json:"role"`
+	AccessGroupID *string `json:"accessGroupId"`
+}
+
 type UpdateSamlConfig struct {
-	Enforced bool              `json:"enforced"`
-	Roles    map[string]string `json:"roles"`
+	Enforced bool                            `json:"enforced"`
+	Roles    map[string]UpdateSamlConfigRole `json:"roles"`
+}
+
+func (r *UpdateSamlConfig) MarshalJSON() ([]byte, error) {
+	roles := map[string]any{}
+	for k, v := range r.Roles {
+		if v.Role != nil && v.AccessGroupID != nil {
+			return nil, fmt.Errorf("bad union")
+		}
+		if v.Role != nil {
+			roles[k] = v.Role
+		} else if v.AccessGroupID != nil {
+			roles[k] = map[string]any{
+				"accessGroupId": v.AccessGroupID,
+			}
+		} else {
+			return nil, fmt.Errorf("bad union")
+		}
+
+	}
+	return json.Marshal(map[string]any{
+		"enforced": r.Enforced,
+		"roles":    roles,
+	})
 }
 
 type UpdateTeamRequest struct {

@@ -54,6 +54,13 @@ Read-Only:
 
 Read-Only:
 
-- `access_group_id` (String) The ID of the access group to use for the team.
 - `enforced` (Boolean) Indicates if SAML is enforced for the team.
-- `roles` (Map of String) Directory groups to role or access group mappings.
+- `roles` (Attributes Map) Directory groups to role or access group mappings. For each directory group, either a role or access group id is specified. (see [below for nested schema](#nestedatt--saml--roles))
+
+<a id="nestedatt--saml--roles"></a>
+### Nested Schema for `saml.roles`
+
+Read-Only:
+
+- `access_group_id` (String) The access group the assign is assigned to.
+- `role` (String) The team level role the user is assigned. One of 'MEMBER', 'OWNER', 'VIEWER', 'DEVELOPER', 'BILLING' or 'CONTRIBUTOR'.
@@ -78,5 +78,12 @@ Required:
 
 Optional:
 
-- `access_group_id` (String) The ID of the access group to use for the team.
-- `roles` (Map of String) Directory groups to role or access group mappings.
+- `roles` (Attributes Map) Directory groups to role or access group mappings. For each directory group, specify either a role or access group id. (see [below for nested schema](#nestedatt--saml--roles))
+
+<a id="nestedatt--saml--roles"></a>
+### Nested Schema for `saml.roles`
+
+Optional:
+
+- `access_group_id` (String) The access group id to assign to the user.
+- `role` (String) The team level role to assign to the user. One of 'MEMBER', 'OWNER', 'VIEWER', 'DEVELOPER', 'BILLING' or 'CONTRIBUTOR'.
@@ -112,14 +112,21 @@ func (d *teamConfigDataSource) Schema(_ context.Context, _ datasource.SchemaRequ
 						Description: "Indicates if SAML is enforced for the team.",
 						Computed:    true,
 					},
-					"roles": schema.MapAttribute{
-						Description: "Directory groups to role or access group mappings.",
-						Computed:    true,
-						ElementType: types.StringType,
-					},
-					"access_group_id": schema.StringAttribute{
-						Description: "The ID of the access group to use for the team.",
+					"roles": schema.MapNestedAttribute{
+						Description: "Directory groups to role or access group mappings. For each directory group, either a role or access group id is specified.",
 						Computed:    true,
+						NestedObject: schema.NestedAttributeObject{
+							Attributes: map[string]schema.Attribute{
+								"role": schema.StringAttribute{
+									Description: "The team level role the user is assigned. One of 'MEMBER', 'OWNER', 'VIEWER', 'DEVELOPER', 'BILLING' or 'CONTRIBUTOR'.",
+									Computed:    true,
+								},
+								"access_group_id": schema.StringAttribute{
+									Description: "The access group the assign is assigned to.",
+									Computed:    true,
+								},
+							},
+						},
 					},
 				},
 				Computed:    true,