okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

`okta_app_saml` - impossible to set `spCertificate` for request signing without SLO enabled? #2021

Open joshuacollins-deloitte opened 2 weeks ago

joshuacollins-deloitte commented 2 weeks ago

Community Note

Terraform Version

Terraform 1.8.5 on linux_amd64

Affected Resource(s)

Terraform Configuration Files

resource "okta_app_saml" "smal_app" {
  accessibility_self_service     = "false"

  # spCertificate is used for both SLO request and authentication request signing
  # The provider does not have a dedicated parameter for request signing which can be used without enabling SLO, so we need to inject it here (most appSettings are generated by other parameters)
  app_settings_json              = jsonencode({
    signOn = {
      spCertificate = {
        "x5c" = [
          "MIID2zCCAsOgAwIBAgIUHBaBGrGVVkp2kC+yPrhXc5N2+4swDQYJKoZIhvcNAQEL\r\nBQAwfTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\r\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwLZXhhbXBsZS5jb20x\r\nIDAeBgkqhkiG9w0BCQEWEWhlbGxvQGV4YW1wbGUuY29tMB4XDTI0MDYxODAzNTU0\r\nMVoXDTI1MDYxODAzNTU0MVowfTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUt\r\nU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UE\r\nAwwLZXhhbXBsZS5jb20xIDAeBgkqhkiG9w0BCQEWEWhlbGxvQGV4YW1wbGUuY29t\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4G7iJpERa657fZdWVKpM\r\nxY+8KBtTe/bPx7v+7ccOA9JhsGoiJIilaqTEGi+VmLS0yBJJ75e0eRuCufXxdUU9\r\ncPtze6vVppIXjNDYKkCb4FpMJCXDR94ojYD28Q4j7R+A5MgoVaL4m6bQMxN4Gtu4\r\nww9tVoXXMtKlYm57Z+44KZ9zX9ZT7h5tpPk4bws2ooi3mv8tpPhh63s+eSdShL/0\r\nPLcaTRmeL3tCZ2R07Ea7ZHZix+DSAFGZ3MfhE0/q8PoEj8WSuvJtL7XhRq1xUsFL\r\nEQGGZNy4DJecu6mjhieKpsaQGSpMrMcmekvLaEtL6bOepDqVBsyzyvCzM+46LXGd\r\nhQIDAQABo1MwUTAdBgNVHQ4EFgQUlyqz0r9lJLuXVGY6XocwikJMzfIwHwYDVR0j\r\nBBgwFoAUlyqz0r9lJLuXVGY6XocwikJMzfIwDwYDVR0TAQH/BAUwAwEB/zANBgkq\r\nhkiG9w0BAQsFAAOCAQEAo9aqKVV+zIpaosBxCN5GQIhY6soa8FgEhcZrZvd2iL67\r\n9aLYDY46RnJgpa4RS+M0gTlp9u+3dH6uvuo8CmR243IOGH9LOWd624UN+tka+3PM\r\n50A7Uxo3KFfmOZi+ym5xn+UADJx8uUrH1owlMhFZMPWLr/JuoBAxVNI8KRXFhW4U\r\npcHmKvqU7GZo7m2QwE0JIJ5p00ED66jNky/IAqoexikbhZ8IgzTbtlWFzbqVKNq1\r\nzvcCEc4LXKytMQCCWv71HBNMfBvR4tEbcKmxe356IHcs+dmEFtg3dfEBfH5U5VoS\r\n1RqP+9+AB4coGpnm7F660PSwfyQwBZo5/a0HLqbZFA=="
        ]
      }
      samlSignedRequestEnabled = true
      slo = {
        enabled = false
      }
    }
  })
  assertion_signed               = "true"
  audience                       = "https://example.com/audience"
  authn_context_class_ref        = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
  auto_submit_toolbar            = "false"
  default_relay_state            = "/"
  destination                    = "https://example.com/audience"
  digest_algorithm               = "SHA256"
  hide_ios                       = "true"
  hide_web                       = "true"
  honor_force_authn              = "true"
  idp_issuer                     = "http://www.okta.com/$${org.externalKey}"
  implicit_assignment            = "false"
  label                          = "SAML APP"
  recipient                      = "https://example.com/audience"
  response_signed                = "true"
  saml_signed_request_enabled    = "true"
  saml_version                   = "2.0"
  signature_algorithm            = "RSA_SHA256"
  sso_url                        = "https://example.com/sso"
  status                         = "ACTIVE"
  subject_name_id_format         = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
  subject_name_id_template       = "$${user.userName}"
  user_name_template             = "user.login"
  user_name_template_push_status = "PUSH"
  user_name_template_type        = "CUSTOM"
}

Output

╷
│ Error: failed to create SAML application: the API returned an error: Api validation failed: mediated. Causes: errorSummary: settings.signOn.spCertificate is a required property.
│
│   with okta_app_saml.smal_app,
│   on main.tf line 106, in resource "okta_app_saml" "smal_app":
│  106: resource "okta_app_saml" "smal_app" {

Expected Behavior

I have provided a certificate in app_settings_json, however Okta rejects the request. I think the cause is that the provider is not passing the certificate through in the request.

If the app_settings_json block is removed, and saml_signed_request_enabled is set to false, the app creation succeeds.

If I'm reading this correctly, it looks like the signOn block is not passed through to the API: https://github.com/okta/terraform-provider-okta/blob/master/okta/resource_okta_app_saml.go#L621 The app_settings_json is saved in line 618, but sign-on settings are set separately on line 621.

Additionally, the code in the provider currently assumes that the only reason a certificate is required is for SLO requests, however spCertificate is used for both request signing and SLO requests - either option being enabled should cause the provider to save a certificate.

It looks like currently to set a certificate, we would need to enable SLO. https://github.com/okta/terraform-provider-okta/blob/master/okta/resource_okta_app_saml.go#L646

If I attempt to set the single_logout_certificate parameter without enabling SSO, we get the following warning:

"single_logout_certificate": all of `single_logout_certificate,single_logout_issuer,single_logout_url` must be specified

Can this be done in the Admin UI?

Yes

Can this be done in the actual API call?

Yes

Steps to Reproduce

  1. terraform apply with code block above.

Important Factoids

Classic engine, but hoping that is not relevant here

References
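The condition the report describes (a certificate attached to `signOn` only when SLO is on, while the API demands one whenever signed requests or SLO is enabled) can be made concrete with a small model. The Go below is an added illustration, not code from the okta/terraform-provider-okta repository: the `Input` struct, the two `buildSignOn*` functions, `pemToX5C` and `validateSignOn` are all hypothetical, and the validation rule is inferred only from the error message quoted above. The certificate text in `main` is a constructed placeholder, not a real certificate.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SPCertificate mirrors the settings.signOn.spCertificate object seen in the issue.
type SPCertificate struct {
	X5C []string `json:"x5c"`
}

// SLO mirrors settings.signOn.slo.
type SLO struct {
	Enabled bool `json:"enabled"`
}

// SignOn is the subset of settings.signOn relevant to request signing and SLO.
type SignOn struct {
	SamlSignedRequestEnabled bool           `json:"samlSignedRequestEnabled"`
	SLO                      *SLO           `json:"slo,omitempty"`
	SPCertificate            *SPCertificate `json:"spCertificate,omitempty"`
}

// Input is a hypothetical flattened view of the resource arguments involved.
type Input struct {
	SignedRequestEnabled bool
	SLOEnabled           bool
	CertificatePEM       string // empty when no certificate was configured
}

// pemToX5C strips the PEM armour and all whitespace (including the \r\n seen in
// the issue's x5c value), leaving single-line base64 DER as x5c expects.
func pemToX5C(pem string) string {
	var b strings.Builder
	for _, line := range strings.Split(pem, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "-----") {
			continue
		}
		b.WriteString(line)
	}
	return b.String()
}

// buildSignOnSLOOnly models the behaviour the reporter describes: the
// certificate is attached to signOn only when SLO is enabled.
func buildSignOnSLOOnly(in Input) SignOn {
	s := SignOn{SamlSignedRequestEnabled: in.SignedRequestEnabled, SLO: &SLO{Enabled: in.SLOEnabled}}
	if in.SLOEnabled && in.CertificatePEM != "" {
		s.SPCertificate = &SPCertificate{X5C: []string{pemToX5C(in.CertificatePEM)}}
	}
	return s
}

// buildSignOnEitherFlag attaches the certificate whenever either feature that
// signs messages is enabled (the behaviour the reporter asks for).
func buildSignOnEitherFlag(in Input) SignOn {
	s := SignOn{SamlSignedRequestEnabled: in.SignedRequestEnabled, SLO: &SLO{Enabled: in.SLOEnabled}}
	if (in.SLOEnabled || in.SignedRequestEnabled) && in.CertificatePEM != "" {
		s.SPCertificate = &SPCertificate{X5C: []string{pemToX5C(in.CertificatePEM)}}
	}
	return s
}

// validateSignOn reproduces the server-side rule implied by the quoted error:
// spCertificate is required when signed requests or SLO are enabled.
func validateSignOn(s SignOn) error {
	needsCert := s.SamlSignedRequestEnabled || (s.SLO != nil && s.SLO.Enabled)
	if needsCert && (s.SPCertificate == nil || len(s.SPCertificate.X5C) == 0 || s.SPCertificate.X5C[0] == "") {
		return errors.New("settings.signOn.spCertificate is a required property")
	}
	return nil
}

func main() {
	// Constructed placeholder certificate body; not a real certificate.
	in := Input{SignedRequestEnabled: true, SLOEnabled: false,
		CertificatePEM: "-----BEGIN CERTIFICATE-----\nMIIDexample\r\nAAAA\n-----END CERTIFICATE-----\n"}
	builders := map[string]func(Input) SignOn{"slo-only": buildSignOnSLOOnly, "either-flag": buildSignOnEitherFlag}
	for name, build := range builders {
		s := build(in)
		body, _ := json.Marshal(s)
		fmt.Printf("%-11s %s -> %v\n", name, body, validateSignOn(s))
	}
}
```

With signed requests on and SLO off, the SLO-only builder produces a `signOn` without `spCertificate` and fails validation with the same message as the issue, while the either-flag builder passes; both produce identical output once SLO is enabled, which is why the problem only surfaces in the signed-request-without-SLO case.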

duytiennguyen-okta commented 2 weeks ago

@joshuacollins-deloitte so as far as I understand it, you want to use the spCertificate with saml_signed_request_enabled and not with slo, correct?

duytiennguyen-okta commented 2 weeks ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-740374

joshuacollins-deloitte commented 2 weeks ago

@duytiennguyen-okta - yes that's correct. I'm also a bit unclear on what settings can be managed through app_settings_json - does it map to a particular object/field in the Apps API?