okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Unable to modify "memberOf" attribute for okta_app_saml #1440

Closed daverin closed 1 year ago

daverin commented 1 year ago

I am unable to set the "memberOf" attribute in the SAML settings.

(Screenshot attached: 2023-02-06 17:02:24, showing the app's SAML attribute settings)

If I attempt the following config:

resource "okta_app_saml" "aws_vpn_client_app" {
  label                 = "AWS Client VPN (Vault)"
  preconfigured_app     = "aws_clientvpn"
  saml_version          = "2.0"
  status                = "ACTIVE"
  authentication_policy = okta_app_signon_policy.aws_vpn_client_app_sign_on.id

  # This block triggers the error below: "memberOf" collides with the
  # group attribute the preconfigured app already defines.
  attribute_statements {
    type         = "GROUP"
    name         = "memberOf"
    filter_type  = "REGEX"
    filter_value = ".*"
  }

  lifecycle {
    ignore_changes = [groups]
  }
}

I receive:

Error: failed to update SAML application: the API returned an error: Operation on application settings failed.. Causes: errorSummary: customSamlGroupAttributes[0].name: Invalid SAML attribute name 'memberOf': duplicate name, errorSummary: customSamlGroupAttributes[0].name: Invalid attribute name: The SAML attribute 'memberOf' matches an existing attribute name within this integration. View the SAML 2.0 setup instructions for a list of predefined SAML attributes. Choose a different name for the SAML attribute to prevent name collision.

Any help would be greatly appreciated 🙌🏾

monde commented 1 year ago

@daverin the error is coming straight from the API ("Choose a different name for the SAML attribute to prevent name collision."), so can you use a different name? Also, if you run your TF command with TF_LOG=debug you'll get to see the actual API call and response bodies, and that can help give some insight as to what the provider is crafting into the call body.

Let me know what you find.
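The workaround monde points to, written out as an added example (this is not code from the issue, nor from the provider's documentation): keep the provider-managed GROUP statement under a name that does not collide with the integration's predefined memberOf attribute. The resource name, label, the attribute name `groups` and the regex `^aws-vpn-.*$` are assumptions. A scoped regex is used instead of `.*` so that the assertion releases only the groups the VPN actually authorizes on, rather than the user's entire group list.

```hcl
# Added example, not from the issue: a GROUP attribute statement under a
# non-colliding name. The app's predefined "memberOf" attribute is left as-is.
resource "okta_app_saml" "aws_vpn_client_app" {
  label             = "AWS Client VPN (Vault)" # assumed label, as in the issue
  preconfigured_app = "aws_clientvpn"
  saml_version      = "2.0"
  status            = "ACTIVE"

  # "groups" is an assumed name; any name the integration already predefines
  # (such as "memberOf") reproduces the "duplicate name" error from the API.
  attribute_statements {
    type        = "GROUP"
    name        = "groups"
    filter_type = "REGEX"
    # Release only the groups the VPN authorizes on, not every membership.
    # The "aws-vpn-" prefix is an assumption; match it to the naming
    # convention in use in your org.
    filter_value = "^aws-vpn-.*$"
  }

  # Group assignments are managed outside this resource, mirroring the
  # ignore_changes in the original config.
  lifecycle {
    ignore_changes = [groups]
  }
}
```

After applying, running the plan with TF_LOG=debug lets you confirm that the request body the provider sends contains only the new attribute name. If the service provider insists on the claim being named literally memberOf, this approach does not help: as the thread stands, the provider offers no way to edit the preconfigured attribute's filter.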

daverin commented 1 year ago

Hi @monde. I understand why the API is giving me an error. The problem is that when creating an okta_app_saml resource, a default attribute with the name "memberOf" is being created with a filter value of none.

I want to change this value to .* but have no way to achieve this with terraform.

ghost commented 1 year ago

Getting the same issue here, no workaround found as of yet

stmyers commented 1 year ago

I'm having the same problem - I don't think the provider currently supports the configuredAttributeStatements parameter?

https://developer.okta.com/docs/reference/api/apps/#add-saml-2-0-authentication-application

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

daverin commented 6 months ago

Hi Okta team. Any update on this?

markogenomics commented 4 months ago

I'm facing the same issue