Azuread provider SAML Signing Certificate support

I'm in the process of converting our Azure Active Directory Enterprise Application SSO setup to Terraform using the azuread provider (currently v2.2.1). I'm running into the following problems/shortcomings, and I'm not convinced that such features are actually fully supported yet, or whether they are supposed to work and I'm just configuring my resources incorrectly, or whether there's a bug in the provider. Here's what I'm experiencing:

  • The Enterprise Application's "SAML Signing Certificate" appears to be only partially working when using the azuread_service_principal_certificate resource. First off, the consuming application always gets an error about the certificate, and if I manually create a new cert through the Portal, that is enough to make it work. Secondly, using the az CLI, I can see a clear difference between the keyCredentials collection of a service principal when created using Terraform vs. the Portal.
  • There does not appear to be a mechanism in Terraform to activate the "SAML Signing Certificate". That is something I have to do manually in the Portal, and then there are the above issues.

Is anyone experiencing similar issues, or maybe has this working fine? In which case I should provide a lot more detail to get to the bottom of my issues.