Deactivate IDP does not deactivate the routing rule pointing to the IDP unlike direct API call or the Okta UI

[aqib-bhat]

Describe the bug?

• Using Okta dotnet SDK and calling OktaClientObject.IdentityProviders.DeactivateIdentityProviderAsync(someOktaIdpId, cancellationToken); results in the IDP getting deactivated but a routing rule made for it remains Active.
• This is unlike what happens in the Okta UI and through direct calls to the Okta API.
  • On deactivating an Active IDP, its routing rule is also deactivated.
• I also tried the IOktaClient.PostAsync<IdentityProvider> but that also behaved the same way.

---

P.S. On a side note: The Okta UI has also a weird bug where on trying to deactivate an IDP, the warning says that the following routing rules will be disabled but some of them are not pointing to the IDP being disabled but just happen to match part of the name. On clicking OK though, only the actually related routing rule gets deactivated but the message is confusing.

What is expected to happen?

Just like what happens in the UI and through direct calls to the Okta API, deactivating an IDP through the Okta dotnet SDK should result in the IDP's routing rule(s) also getting deactivated.

What is the actual behavior?

Unlike what happens in the UI and through direct calls to the Okta API, deactivating an IDP through the Okta dotnet SDK only results in the IDP getting deactivated while it's routing rule(s) remain(s) Active.

Reproduction Steps?

• Create a SAML2 IDP in Okta.
• Add a routing rule in the Default IDP_DISCOVERY policy, which directs to the above created IDP when the email of the user ends in some given email domains.
  • The IDP and routing rule will be Active at this stage.
• In the Okta UI, deactivate the IDP. Accept / Click OK for the warning rule that the associated routing rules will also be deactivated.
  • Check that the IDP and its routing rule both are now Inactive.
  • Make the IDP and its routing rule both Active again.
• Hit the Okta API directly to deactivate the IDP.
  • In the Okta UI, check that the IDP and its routing rule both are now Inactive.
  • Make the IDP and its routing rule both Active again.
• Use Okta dotnet SDK to deactivate the IDP (OktaClientObject.IdentityProviders.DeactivateIdentityProviderAsync(someOktaIdpId, cancellationToken);).
  • In the Okta UI, you will find that:
  • the IDP will be Inactive but
  • the routing rule pointing to the IDP will still be Active.

Additional Information?

Ref:

• https://github.com/okta/okta-sdk-dotnet/blob/b00df0ea5befced5280114a7533fbc4e12ef58b5/src/Okta.Sdk/Generated/IdentityProvidersClient.Generated.cs#L344
• https://github.com/okta/okta-sdk-dotnet/blob/4bffbfbd2fb6d1d56dacb8582ca9a30c0a791c35/src/Okta.Sdk/OktaClient.cs#L311
• https://github.com/okta/okta-sdk-dotnet/blob/4bffbfbd2fb6d1d56dacb8582ca9a30c0a791c35/src/Okta.Sdk/Internal/DefaultDataStore.cs#L224

.NET Version

6

SDK Version

5.6.0

OS version

• BuildNumber: 19044
• Caption: Microsoft Windows 10 Enterprise
• OSArchitecture: 64-bit
• Version: 10.0.19044

[bryanapellanes-okta]

@aqib-bhat Thanks for bringing this to our attention and I apologize for the inconvenience. I've entered an internal issue to investigate further. This will need to be prioritized against other work.

Internal Ref: OKTA-537890

[laura-rodriguez]

Hi @aqib-bhat,

Thank you for reporting this issue. You mentioned that deactivating works when you hit the API directly. Would you mind sharing what that request looks like? Also, can you please share the requests the UI makes?

[aqib-bhat]

Thank you @bryanapellanes-okta for the quick acknowledgement and assurance!

[aqib-bhat]

Hi @laura-rodriguez Hitting the API directly, the request is:

• POST /api/v1/idps//lifecycle/deactivate
• Body: Empty
• Headers: Usual headers with Authorization containing the Okta API key, Accept: application/json, etc.

[aqib-bhat]

@laura-rodriguez On the UI, when I deactivate an IDP with a routing rule, in the Network tab of Chrome Developer Tools, I see a call: and Request Payload:

[laura-rodriguez]

Thanks for sharing @aqib-bhat. According to the API docs, the SDK is making the request correctly. I wonder if this could be a UI sync issue 🤔 . What happens if you get the rules via the SDK after calling DeactivateAsync, do they look ACTIVE?

[aqib-bhat]

@laura-rodriguez I had also suspected initially that this is likely an eventual consistency issue. However, the status of the rule did not change even after a few hours. As you suggested, I also just tested again:

• Using the SDK, our code created an IDP and a routing rule for it in the default IDP_DISCOVERY policy, and then deactivated the IDP.
• Then hitting the API directly, I fetched the rules for the default IDP_DISCOVERY policy, and saw that the new routing rule was still in ACTIVE status.
  • GET /api/v1/policies//rules and usual headers with Authorization containing the Okta API key, Accept: application/json, etc.

[laura-rodriguez]

Hi @aqib-bhat,

I wasn't able to reproduce this issue. I also added an integration test to verify that routing rules are deactivated when an IDP is deactivated here.

I confirmed with the API team that routing rules are deactivated ONLY if it's not being used by other IDPs. Please, let me know if you're still facing this issue, and I can redirect your case to customer support if necessary.

[laura-rodriguez]

Closing due to inactivity.