okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

New `okta_policy_mfa` resource option `external_idps` does not work #2091

Open OnwardKnight opened 1 week ago

OnwardKnight commented 1 week ago

Terraform Version

1.9.6

Affected Resource(s)

Terraform Configuration Files

# External OIDC IdP, used as an MFA factor only (not for sign-in).
resource "okta_idp_oidc" "External_IdP" {
  name                  = "External IdP"
  protocol_type         = "OIDC"
  scopes                = ["openid"]
  authorization_url     = var.authorization_url
  authorization_binding = "HTTP-REDIRECT"
  token_url             = var.token_url
  token_binding         = "HTTP-POST"
  jwks_url              = var.jwks_url
  jwks_binding          = "HTTP-REDIRECT"
  client_id             = var.client_id
  client_secret         = var.client_secret
  issuer_url            = var.issuer_url
  issuer_mode           = "DYNAMIC"
}

# Expose the IdP as an authenticator with key "external_idp".
resource "okta_authenticator" "External_MFA" {
  key    = "external_idp"
  name   = "Duo Universal Prompt"
  status = "ACTIVE"
  provider_json = jsonencode({
    type = "CLAIMS"
    configuration = {
      idpId = okta_idp_oidc.External_IdP.id
    }
  })
}

# MFA enrollment policy. data.okta_group.SG_ALLUSERS is declared elsewhere in the configuration.
resource "okta_policy_mfa" "Users_MFA_Policy" {
  name            = "Users"
  description     = "Require Duo Universal Prompt for all users"
  groups_included = [data.okta_group.SG_ALLUSERS.id]
  # priority      = 5
  status          = "ACTIVE"
  external_idps = [
    {
      enroll = "REQUIRED"
      id     = okta_authenticator.External_MFA.id
    }
  ]
}

Expected Behavior

The new external_idps configuration for okta_policy_mfa resources (introduced in release 4.10.0 - #2044) should allow setting the external IdP configuration for an MFA policy.

Can this be done in the Admin UI?

Yes

Can this be done in the actual API call?

I don't know

Actual Behavior

The external_idps configuration does not take effect when running terraform apply with only one external IdP listed based on the example provided. Using the deprecated external_idp still works.

Steps to Reproduce

  1. Add an external OIDC IdP (factor only).
  2. Add the OIDC IdP as an Authenticator.
  3. Configure an okta_policy_mfa policy resource with the external_idps configuration.
  4. terraform apply

Important Factoids

References
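One way to answer "did the setting actually reach the org, and is it the provider or the API that drops it?" is to read the policy back through the Okta Policies API after `terraform apply` and look at `settings.authenticators` directly, instead of trusting the plan output. The script below is an added example, not code from the issue, the reporter, or the provider. It assumes the MFA_ENROLL policy JSON has `settings.type == "AUTHENTICATORS"` with one entry per authenticator carrying `key`, an `id` for external IdP entries, and `enroll.self` (REQUIRED / OPTIONAL / NOT_ALLOWED); the endpoint `GET /api/v1/policies/{id}` with an `SSWS` API token; and the environment variables `OKTA_ORG_URL` and `OKTA_API_TOKEN`, which are my names, not the provider's. The sample payloads and the `aut1example…` / `00p1example…` identifiers are constructed placeholders. The same check works for the default policy that `okta_policy_mfa_default` manages, since it is just another policy id.

```python
"""Check whether an Okta MFA enrollment policy really carries an external IdP
authenticator after `terraform apply` (added example; assumptions noted in comments)."""
import json
import os
import sys
import urllib.request


def external_idp_entries(policy):
    """Return the authenticator entries with key 'external_idp' from an MFA_ENROLL
    policy dict. Empty when settings are missing or the policy still uses the
    legacy 'FACTORS' settings type (assumed response shape, see lead-in)."""
    settings = policy.get("settings") or {}
    if settings.get("type") != "AUTHENTICATORS":
        return []
    return [a for a in settings.get("authenticators", []) if a.get("key") == "external_idp"]


def check_external_idp(policy, expected_id, expected_enroll="REQUIRED"):
    """True only when the external_idp entry with expected_id is present AND its
    enroll.self matches; a present entry with the wrong requirement is a failure too."""
    for entry in external_idp_entries(policy):
        if entry.get("id") == expected_id:
            return (entry.get("enroll") or {}).get("self") == expected_enroll
    return False


def fetch_policy(org_url, api_token, policy_id):
    """GET /api/v1/policies/{id} with an SSWS token (assumed endpoint and auth scheme)."""
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/policies/{policy_id}",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample payloads with placeholder IDs (not real org data).
AUTHENTICATOR_ID = "aut1example000000000"

# What the policy looks like when the external_idps setting did NOT take effect.
SAMPLE_MISSING = {
    "id": "00p1example000000000",
    "type": "MFA_ENROLL",
    "name": "Users",
    "settings": {
        "type": "AUTHENTICATORS",
        "authenticators": [
            {"key": "okta_password", "enroll": {"self": "REQUIRED"}},
            {"key": "okta_verify", "enroll": {"self": "OPTIONAL"}},
        ],
    },
}

# What it looks like when the external IdP authenticator is required.
SAMPLE_PRESENT = {
    "id": "00p1example000000000",
    "type": "MFA_ENROLL",
    "name": "Users",
    "settings": {
        "type": "AUTHENTICATORS",
        "authenticators": [
            {"key": "okta_password", "enroll": {"self": "REQUIRED"}},
            {"key": "external_idp", "id": AUTHENTICATOR_ID, "enroll": {"self": "REQUIRED"}},
        ],
    },
}


def main(argv):
    # Usage: check_mfa_policy.py <policy_id> <authenticator_id>  (live org), or no
    # arguments to run against the constructed sample that reproduces the report.
    if len(argv) == 3:
        policy = fetch_policy(os.environ["OKTA_ORG_URL"], os.environ["OKTA_API_TOKEN"], argv[1])
        expected_id = argv[2]
    else:
        policy, expected_id = SAMPLE_MISSING, AUTHENTICATOR_ID
    ok = check_external_idp(policy, expected_id)
    print(f"external_idp {expected_id}: {'present' if ok else 'MISSING'} in policy {policy.get('id')}")
    print("authenticators:", json.dumps(policy.get("settings", {}).get("authenticators", []), indent=2))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once against the policy id Terraform reports (`terraform state show okta_policy_mfa.Users_MFA_Policy`) after applying with `external_idps`, and once after applying with the deprecated `external_idp`. If the second run shows the `external_idp` entry and the first does not, the provider is not sending it; if neither shows it, the API rejected or ignored it, which also answers the "Can this be done in the actual API call?" question above.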

Davie3 commented 5 days ago

Similarly, the okta_policy_mfa_default resource is also not working as expected with external_idps.