okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Correct Way to Setup a SAML Org2Org Configuration #1576

Open emanor-okta opened 1 year ago

emanor-okta commented 1 year ago

Description

In order to configure a SAML Org2Org configuration between two Okta Orgs, both resources okta_app_saml and okta_idp_saml have configurations which rely on each other. When doing this manually,

  1. The SAML App is configured with some placeholder values
  2. The SAML IdP is then created with values from the SAML App
  3. The SAML App is updated with values from the SAML IdP

The below configuration snippet shows this. When trying to run plan, a Terraform Cycle error will be returned.

```text
2023-06-02T14:11:13.994-0700 [ERROR] Graph validation failed. Graph:

okta_app_saml.idp_b2e_saml_app
  okta_idp_saml.saml_idp
  provider["registry.terraform.io/okta/okta"]
okta_idp_saml.saml_idp
  okta_app_saml.idp_b2e_saml_app
  okta_idp_saml_key.okta_b2b_saml_key
  provider["registry.terraform.io/okta/okta"]
okta_idp_saml_key.okta_b2b_saml_key
  okta_app_saml.idp_b2e_saml_app
  provider["registry.terraform.io/okta/okta"]
provider["registry.terraform.io/okta/okta"]
  var.api_token
  var.base_url
  var.org_name
provider["registry.terraform.io/okta/okta"] (close)
  okta_app_saml.idp_b2e_saml_app
  okta_idp_saml.saml_idp
  okta_idp_saml_key.okta_b2b_saml_key
  provider["registry.terraform.io/okta/okta"]
root
  provider["registry.terraform.io/okta/okta"] (close)
var.api_token
var.base_url
var.org_name
╷
│ Error: Cycle: okta_app_saml.idp_b2e_saml_app, okta_idp_saml_key.okta_b2b_saml_key, okta_idp_saml.saml_idp
```

This means running a Terraform job with placeholder values to configure the SAML App, then updating the .tf file with the values from the SAML IdP and running another job.

There are some potential workarounds, like using optional values and environment variables so the .tf file does not need to be updated, but multiple Terraform jobs will still need to be run.

Is there a solution to configure this in a single job? If not, would it be possible to do it through breaking up the resources, or a Provider update of some kind?

Potential Terraform Configuration

```hcl
# SAML APP Section
resource "okta_app_saml" "idp_b2e_saml_app" {
  label                    = "B2E_IDP_Test_App"
  sso_url                  = "https://domain.okta.com/sso/saml2/${resource.okta_idp_saml.saml_idp.id}"
  recipient                = "https://domain.okta.com/sso/saml2/${resource.okta_idp_saml.saml_idp.id}"
  destination              = "https://domain.okta.com/sso/saml2/${resource.okta_idp_saml.saml_idp.id}"
  audience                 = "https://domain.com${resource.okta_idp_saml.saml_idp.audience}"
  subject_name_id_template = "$${user.email}"
  subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
  response_signed          = true
  signature_algorithm      = "RSA_SHA256"
  digest_algorithm         = "SHA256"
  honor_force_authn        = false
  authn_context_class_ref  = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
}

# SAML IdP Section
resource "okta_idp_saml_key" "okta_b2b_saml_key" {
  x5c = [resource.okta_app_saml.idp_b2e_saml_app.certificate]
}

resource "okta_idp_saml" "saml_idp" {
  name                     = "okta_b2b_test_app"
  acs_type                 = "INSTANCE"
  sso_url                  = resource.okta_app_saml.idp_b2e_saml_app.entity_url
  sso_destination          = resource.okta_app_saml.idp_b2e_saml_app.http_post_binding
  sso_binding              = "HTTP-POST"
  username_template        = "idpuser.subjectNameId"
  kid                      = resource.okta_idp_saml_key.okta_b2b_saml_key.id
  issuer                   = "https://idp.example.com"
  request_signature_scope  = "REQUEST"
  response_signature_scope = "ANY"
}
```

References

https://developer.hashicorp.com/terraform/tutorials/configuration-language/troubleshooting-workflow#correct-a-cycle-error
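As an added illustration of the two-job workaround the issue mentions (this is not the issue author's or the provider's code): Terraform builds its dependency graph from static references, so passing the IdP values in through an input variable instead of referencing `okta_idp_saml.saml_idp` removes the app-to-IdP edge and the cycle with it, while the IdP side keeps referencing the app directly. The first run leaves the variable at its empty default and writes placeholders; the second run sets it (for example via `-var` or `TF_VAR_saml_idp`) from the first run's output. The `saml_idp` variable, the `locals` and the `output` are assumptions; attribute names are those used in the snippet above.

```hcl
# Assumed input: empty on the first run (placeholders are written), set on the
# second run from the output below.
variable "saml_idp" {
  type    = object({ id = string, audience = string })
  default = { id = "", audience = "" }
}

locals {
  # A variable, unlike okta_idp_saml.saml_idp.id, adds no graph edge from the
  # app to the IdP, so the app -> IdP -> key -> app cycle disappears.
  bootstrap    = var.saml_idp.id == ""
  idp_sso_url  = local.bootstrap ? "https://domain.okta.com/sso/saml2/placeholder" : "https://domain.okta.com/sso/saml2/${var.saml_idp.id}"
  idp_audience = local.bootstrap ? "https://domain.com/placeholder" : "https://domain.com${var.saml_idp.audience}"
}

resource "okta_app_saml" "idp_b2e_saml_app" {
  label                    = "B2E_IDP_Test_App"
  sso_url                  = local.idp_sso_url
  recipient                = local.idp_sso_url
  destination              = local.idp_sso_url
  audience                 = local.idp_audience
  subject_name_id_template = "$${user.email}"
  subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
  response_signed          = true
  signature_algorithm      = "RSA_SHA256"
  digest_algorithm         = "SHA256"
}

resource "okta_idp_saml_key" "okta_b2b_saml_key" {
  x5c = [okta_app_saml.idp_b2e_saml_app.certificate]
}

resource "okta_idp_saml" "saml_idp" {
  name                     = "okta_b2b_test_app"
  acs_type                 = "INSTANCE"
  sso_url                  = okta_app_saml.idp_b2e_saml_app.entity_url
  sso_destination          = okta_app_saml.idp_b2e_saml_app.http_post_binding
  sso_binding              = "HTTP-POST"
  username_template        = "idpuser.subjectNameId"
  kid                      = okta_idp_saml_key.okta_b2b_saml_key.id
  issuer                   = "https://idp.example.com"
  request_signature_scope  = "REQUEST"
  response_signature_scope = "ANY"
}

# Feed this back in as var.saml_idp for the second run.
output "saml_idp" {
  value = { id = okta_idp_saml.saml_idp.id, audience = okta_idp_saml.saml_idp.audience }
}
```

Until the second run has been applied, the app carries placeholder SSO URLs and audience, so the federation should not be exposed to users before both runs complete.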

duytiennguyen-okta commented 1 year ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-616645

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

aureq commented 8 months ago

@duytiennguyen-okta Has there been any progress on this please?