okta_app_saml adds source.login as default value for user_name_template instead of null or blank which is supported through API

[askmeidentity]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.5.1 on windows_386

• provider registry.terraform.io/okta/okta v4.4.2

Affected Resource(s)

okta_app_saml

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behavior

Terraform should create an APP with user_name_template type == "NONE" and user_name_Template == null

Can this be done in the Admin UI?

Can this be done in the actual API call?

curl --location 'https://dev-45062044.okta.com/api/v1/apps' \ --header 'Accept: application/json' \ --header 'Content-Type: application/json' \ --header 'Authorization: SSWS ' \ --data '{ "label": "ZIA Sample App", "accessibility": { "selfService": false, "errorRedirectUrl": null, "loginRedirectUrl": null }, "visibility": { "autoSubmitToolbar": false, "hide": { "iOS": false, "web": false } }, "features": [], "signOnMode": "SAML_2_0", "credentials": { "userNameTemplate": { "template": null, "type": "NONE" }, "signing": {} }, "settings": { "app": {}, "notifications": { "vpn": { "network": { "connection": "DISABLED" }, "message": null, "helpUrl": null } }, "signOn": { "defaultRelayState": "", "ssoAcsUrl": "http://example.okta.com", "idpIssuer": "http://www.okta.com/${org.externalKey}", "audience": "https://example.com/tenant/123", "recipient": "http://recipient.okta.com", "destination": "http://destination.okta.com", "subjectNameIdTemplate": "${user.userName}", "subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "responseSigned": true, "assertionSigned": true, "signatureAlgorithm": "RSA_SHA256", "digestAlgorithm": "SHA256", "honorForceAuthn": true, "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "spIssuer": null, "requestCompressed": false, "attributeStatements": [] } } }'

Actual Behavior

Steps to Reproduce

Create an okta_app_saml resource with user_name_template_type as "NONE" and user_name_template as null or blank

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place

Terraform will perform the following actions:

okta_app_saml.ziaapp will be updated in-place

(imported from "0oada5gisznTlGora5d7")

~ resource "okta_app_saml" "ziaapp" { accessibility_self_service = false acs_endpoints = [] app_links_json = jsonencode( { dev-45062044_ziasampleapp_2_link = true } ) app_settings_json = jsonencode({}) assertion_signed = true audience = "https://example.com/tenant/123" authn_context_class_ref = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" auto_submit_toolbar = false destination = "http://destination.okta.com" digest_algorithm = "SHA256" embed_url = "https://dev-45062044.okta.com/home/dev-45062044_ziasampleapp_2/0oada5gisznTlGora5d7/alnda5qobvE3PfGeI5d7" entity_key = "exkda5gisyfYlE7rk5d7" entity_url = "http://www.okta.com/exkda5gisyfYlE7rk5d7" features = [] hide_ios = false hide_web = false honor_force_authn = true http_post_binding = "https://dev-45062044.okta.com/app/dev-45062044_ziasampleapp_2/exkda5gisyfYlE7rk5d7/sso/saml" http_redirect_binding = "https://dev-45062044.okta.com/app/dev-45062044_ziasampleapp_2/exkda5gisyfYlE7rk5d7/sso/saml" id = "0oada5gisznTlGora5d7" idp_issuer = "http://www.okta.com/${org.externalKey}" implicit_assignment = false label = "ZIA Sample App" logo_url = "https://ok12static.oktacdn.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png" metadata_url = "https://dev-45062044.okta.com/api/v1/apps/0oada5gisznTlGora5d7/sso/saml/metadata" name = "dev-45062044_ziasampleapp_2" preconfigured_app = "dev-45062044_ziasampleapp_2" recipient = "http://recipient.okta.com" response_signed = true saml_signed_request_enabled = false saml_version = "2.0" sign_on_mode = "SAML_2_0" signature_algorithm = "RSA_SHA256" sso_url = "http://example.okta.com" status = "ACTIVE" subject_name_id_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" subject_name_id_template = "${user.userName}"

• user_name_template = "${source.login}" user_name_template_type = "NONE" }

[kalidasan116]

We are also facing this bug when we pass user_name_template as null or ""

[duytiennguyen-okta]

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-669837