Identity Provider sso_url #1558

Closed
venkatakanupuru opened this issue May 17, 2023 · 6 comments · Fixed by #1796

@venkatakanupuru

Hi Team,

For a SAML IDP, resource "okta_idp_saml", I am able to configure the IDP with no issues. And I am able to import the IDP configurations which are manually configured from the Okta UI.

However, the sso_url, which is a required attribute, is not being imported, or it won't show up and needs to be manually added in the script.

sso_url - (Required) URL of binding-specific endpoint to send an AuthnRequest message to IdP.
and also issuer_mode, name_format and sso_binding, which are not required, but without these it is throwing an error.

Steps for configuring manually IDP attributes :
OKTA Admin UI >> Security >> Identity Providers >> your IDP >> configure

For importing :
terraform import okta_idp_saml.example

Can you please help in including the sso_url when importing?

Thank you
Venkata

@monde monde added the bug label May 23, 2023
@monde
Collaborator

monde commented May 23, 2023

Thanks @venkatakanupuru. I can see how the definition/behavior of the idp saml resource needs to be tightened up to match what is documented in the public API. I'm not sure if the API drifted since this resource was created or if the resource has always been imprecise.

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-612970

@monde monde added the triaged Triaged into internal Jira label May 23, 2023
@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@github-actions github-actions bot added the stale label Jul 23, 2023
@venkatakanupuru
Author

Not stale

@github-actions github-actions bot removed the stale label Jul 25, 2023
@icsrmontano

@monde any chance to get this issue fixed in the near future?

@monde monde self-assigned this Nov 1, 2023
monde added a commit that referenced this issue Nov 1, 2023
getting set in `okta_idp_saml`'s read context which would cause an
incomplete import and might have missing change detection.

Closes #1558
@monde
Collaborator

monde commented Nov 1, 2023

I have a PR to address this issue: #1796

Given an existing SAML IdP and the following config:

terraform {
  required_providers {
    okta = {
      source = "okta/okta"
    }
  }
}

resource "okta_idp_saml" "test" {
  name = "Test 1558"
}

Terraform import will look like this for me:

$ TF_LOG=info tf import okta_idp_saml.test 0oabcdefg
2023-11-01T15:51:38.807-0700 [INFO]  Terraform version: 1.5.6
2023-11-01T15:51:38.809-0700 [INFO]  Go runtime version: go1.20.7
2023-11-01T15:51:38.809-0700 [INFO]  CLI args: []string{"terraform", "import", "okta_idp_saml.test", "0oabcdefg"}
2023-11-01T15:51:38.809-0700 [INFO]  Loading CLI configuration from /me/.terraformrc
2023-11-01T15:51:38.810-0700 [INFO]  CLI command args: []string{"import", "okta_idp_saml.test", "0oabcdefg"}
2023-11-01T15:51:38.827-0700 [INFO]  provider: configuring client automatic mTLS
2023-11-01T15:51:39.590-0700 [INFO]  provider.terraform-provider-okta: configuring server automatic mTLS: timestamp=2023-11-01T15:51:39.590-0700
2023-11-01T15:51:39.640-0700 [INFO]  provider: configuring client automatic mTLS
2023-11-01T15:51:39.667-0700 [INFO]  provider.terraform-provider-okta: configuring server automatic mTLS: timestamp=2023-11-01T15:51:39.667-0700
okta_idp_saml.test: Importing from ID "0oabcdefg"...
okta_idp_saml.test: Import prepared!
  Prepared okta_idp_saml for import
okta_idp_saml.test: Refreshing state... [id=0oabcdefg]
2023-11-01T15:51:40.507-0700 [WARN]  Provider "registry.terraform.io/okta/okta" produced an unexpected new value for okta_idp_saml.test during refresh.
      - .response_signature_scope: was null, but now cty.StringVal("ANY")
      - .user_type_id: was null, but now cty.StringVal("otyabc")
      - .username_template: was null, but now cty.StringVal("idpuser.email")
      - .groups_filter: was null, but now cty.SetValEmpty(cty.String)
      - .issuer: was null, but now cty.StringVal("IdP-Issuer-URI")
      - .request_signature_scope: was null, but now cty.StringVal("REQUEST")
      - .status: was null, but now cty.StringVal("ACTIVE")
      - .suspended_action: was null, but now cty.StringVal("NONE")
      - .groups_assignment: was null, but now cty.SetValEmpty(cty.String)
      - .deprovisioned_action: was null, but now cty.StringVal("NONE")
      - .groups_action: was null, but now cty.StringVal("NONE")
      - .name: was null, but now cty.StringVal("\"Test 1558")
      - .provisioning_action: was null, but now cty.StringVal("AUTO")
      - .subject_match_type: was null, but now cty.StringVal("USERNAME")
      - .acs_binding: was null, but now cty.StringVal("HTTP-POST")
      - .kid: was null, but now cty.StringVal("abc-abc-abc-abc-abc")
      - .sso_url: was null, but now cty.StringVal("https://idp.example.com/sso")
      - .account_link_action: was null, but now cty.StringVal("DISABLED")
      - .sso_destination: was null, but now cty.StringVal("https://idp.example.com")
      - .groups_attribute: was null, but now cty.StringVal("")
      - .audience: was null, but now cty.StringVal("https://www.okta.com/saml2/service-provider/abc")
      - .max_clock_skew: was null, but now cty.NumberIntVal(120000)
      - .response_signature_algorithm: was null, but now cty.StringVal("SHA-256")
      - .subject_filter: was null, but now cty.StringVal("")
      - .acs_type: was null, but now cty.StringVal("INSTANCE")
      - .request_signature_algorithm: was null, but now cty.StringVal("SHA-256")
      - .sso_binding: was null, but now cty.StringVal("HTTP-POST")
      - .subject_format: was null, but now cty.SetValEmpty(cty.String)
      - .profile_master: was null, but now cty.False
      - .subject_match_attribute: was null, but now cty.StringVal("")
2023-11-01T15:51:40.511-0700 [INFO]  Writing state output to:

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
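
As an added example (not part of the original thread or the provider's code): a post-import check over `terraform show -json` output that lists `okta_idp_saml` resources whose trust-defining attributes are still unset in state, since an attribute that never reaches state cannot show drift. The attribute names come from the import log above; the `TRUST_ATTRS` selection and the sample state are constructed for illustration.

```python
import json

# Attributes that decide where AuthnRequests are sent and which IdP is
# trusted. Names are taken from the import log in this thread; choosing
# these five is an assumption of this example.
TRUST_ATTRS = ("sso_url", "sso_binding", "sso_destination", "issuer", "kid")

def iter_resources(module):
    """Yield every resource in a `terraform show -json` module tree."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def unset_trust_attrs(state, rtype="okta_idp_saml"):
    """Map resource address -> trust attributes that are null or empty."""
    root = state.get("values", {}).get("root_module", {})
    findings = {}
    for res in iter_resources(root):
        if res.get("type") != rtype:
            continue
        vals = res.get("values") or {}
        missing = [a for a in TRUST_ATTRS if vals.get(a) in (None, "")]
        if missing:
            findings[res["address"]] = missing
    return findings

# Constructed sample in the `terraform show -json` layout (not real output):
# one resource imported without sso_url/sso_binding, one fully populated.
SAMPLE_STATE = json.loads("""
{"format_version": "1.0", "values": {"root_module": {
  "resources": [{
    "address": "okta_idp_saml.test", "type": "okta_idp_saml",
    "values": {"name": "Test 1558", "issuer": "IdP-Issuer-URI",
               "kid": "abc-abc-abc-abc-abc", "sso_url": null,
               "sso_binding": null,
               "sso_destination": "https://idp.example.com"}}],
  "child_modules": [{"address": "module.idp", "resources": [{
    "address": "module.idp.okta_idp_saml.full", "type": "okta_idp_saml",
    "values": {"name": "Full", "issuer": "IdP-Issuer-URI",
               "kid": "abc-abc-abc-abc-abc",
               "sso_url": "https://idp.example.com/sso",
               "sso_binding": "HTTP-POST",
               "sso_destination": "https://idp.example.com"}}]}]}}}
""")

if __name__ == "__main__":
    for addr, attrs in unset_trust_attrs(SAMPLE_STATE).items():
        print(f"{addr}: not in state: {', '.join(attrs)}")
```

Against a real workspace, pass it the parsed JSON from the saved output of `terraform show -json` instead of `SAMPLE_STATE`.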

@monde
Collaborator

monde commented Nov 1, 2023

@venkatakanupuru this will go out on the next release.

@monde monde mentioned this issue Nov 2, 2023
steveAG pushed a commit to steveAG/terraform-provider-okta that referenced this issue Nov 5, 2023
getting set in `okta_idp_saml`'s read context which would cause an
incomplete import and might have missing change detection.

Closes okta#1558
tgoodsell-tempus pushed a commit to tgoodsell-tempus/terraform-provider-okta that referenced this issue Nov 14, 2023
getting set in `okta_idp_saml`'s read context which would cause an
incomplete import and might have missing change detection.

Closes okta#1558