okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Permission denied to Super Admin for app_saml creation #494

Closed drewmullen closed 3 years ago

drewmullen commented 3 years ago

Error

Error: failed to create SAML application: The API returned an error: You do not have permission to perform the requested action

Terraform Version

$ terraform -version
Terraform v0.15.4
on linux_amd64
+ provider registry.terraform.io/okta/okta v3.11.1

I've tried back as far as version 3.6 (oktadeveloper namespace)

Affected Resource(s)

Terraform Configuration Files

resource "okta_app_saml" "app" {
  assertion_signed         = true
  label                    = "${var.app_name}"
  sso_url                  = "http://127.0.0.1:29001/saml"
  recipient                = "http://127.0.0.1:29001/saml"
  destination              = "http://127.0.0.1:29001/saml"
  audience                 = "${var.app_name}"
  subject_name_id_template = "$${user.userName}"
  subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  user_name_template       = "$${fn:substringBefore(source.login, \"@\")}"
  response_signed          = true
  signature_algorithm      = "RSA_SHA256"
  digest_algorithm         = "SHA256"
  honor_force_authn        = true
  authn_context_class_ref  = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

  attribute_statements {
    name   = "username"
    values = ["user.login"]
  }
  attribute_statements {
    name   = "firstName"
    values = ["user.firstName"]
  }
  attribute_statements {
    name   = "lastName"
    values = ["user.lastName"]
  }
  attribute_statements {
    type      = "EXPRESSION"
    name      = "emails"
    namespace = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
    values    = ["user.email"]
  }
  attribute_statements {
    type         = "GROUP"
    name         = "groups"
    filter_type  = "REGEX"
    filter_value = ".*"
    namespace    = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
    values       = []
  }

  groups = [okta_group.app.id]
}

This is a super admin credential:

[screenshot]

To validate the credential I tried creating another user with SUPER_ADMIN perms, which worked:

resource "okta_user" "drew" {
  admin_roles = [
    "SUPER_ADMIN",
  ]
  custom_profile_attributes = jsonencode({})
  email                     = "<>.com"
  first_name                = "Drew"
  last_name                 = "Mullen"
  login                     = "<>.com"
  status                    = "ACTIVE"
}

(there are 2 because I didn't think to use a different first/last name)

[screenshot]

Debug Output

```
module.okta_config.okta_app_saml.app: Creating...
2021-05-27T20:24:40.992Z [INFO] Starting apply for module.okta_config.okta_app_saml.app
2021-05-27T20:24:40.993Z [DEBUG] module.okta_config.okta_app_saml.app: applying the planned Create change
2021-05-27T20:24:40.997Z [INFO] provider.terraform-provider-okta_v3.11.1: 2021/05/27 20:24:40 [DEBUG] Okta API Request Details:
---[ REQUEST ]---------------------------------------
POST //api/v1/apps?activate=true HTTP/1.1
Host: MYAPP.okta.com
User-Agent: okta-sdk-golang/2.3.0 golang/go1.16.4 linux/amd64 okta-terraform/3.9.0
Content-Length: 1568
Accept: application/json
Authorization: SSWS
Content-Type: application/json
Accept-Encoding: gzip

{
  "accessibility": { "selfService": false },
  "credentials": {
    "userNameTemplate": {
      "template": "${fn:substringBefore(source.login, \"@\")}",
      "type": "BUILT_IN"
    }
  },
  "label": "acme",
  "settings": {
    "app": {},
    "signOn": {
      "allowMultipleAcsEndpoints": false,
      "assertionSigned": true,
      "attributeStatements": [
        { "name": "username", "namespace": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "type": "EXPRESSION", "values": [ "user.login" ] },
        { "name": "firstName", "namespace": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "type": "EXPRESSION", "values": [ "user.firstName" ] },
        { "name": "lastName", "namespace": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "type": "EXPRESSION", "values": [ "user.lastName" ] },
        { "name": "emails", "namespace": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "type": "EXPRESSION", "values": [ "user.email" ] },
        { "filterType": "REGEX", "filterValue": ".*", "name": "groups", "namespace": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", "type": "GROUP" }
      ],
      "audience": "acme",
      "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
      "destination": "http://127.0.0.1:29001/saml",
      "digestAlgorithm": "SHA256",
      "honorForceAuthn": true,
      "recipient": "http://127.0.0.1:29001/saml",
      "responseSigned": true,
      "signatureAlgorithm": "RSA_SHA256",
      "slo": { "enabled": false },
      "ssoAcsUrl": "http://127.0.0.1:29001/saml",
      "subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      "subjectNameIdTemplate": "${user.userName}"
    }
  },
  "signOnMode": "SAML_2_0",
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": { "iOS": false, "web": false }
  }
}
2021-05-27T20:24:41.460Z [INFO] provider.terraform-provider-okta_v3.11.1: 2021/05/27 20:24:41 [DEBUG] Okta API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden
Cache-Control: no-cache, no-store
Content-Security-Policy: default-src 'self' MYAPP.okta.com *.oktacdn.com; connect-src 'self' MYAPP.okta.com MYAPP-admin.okta.com *.oktacdn.com *.mixpanel.com *.mapbox.com app.pendo.io data.pendo.io pendo-static-5634101834153984.storage.googleapis.com MYAPP.kerberos.okta.com https://oinmanager.okta.com data:; script-src 'unsafe-inline' 'unsafe-eval' 'self' MYAPP.okta.com *.oktacdn.com; style-src 'unsafe-inline' 'self' MYAPP.okta.com *.oktacdn.com app.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com; frame-src 'self' MYAPP.okta.com MYAPP-admin.okta.com login.okta.com; img-src 'self' MYAPP.okta.com *.oktacdn.com *.tiles.mapbox.com *.mapbox.com app.pendo.io data.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com data: blob:; font-src 'self' MYAPP.okta.com data: *.oktacdn.com fonts.gstatic.com
Content-Type: application/json
Date: Thu, 27 May 2021 20:24:41 GMT
Expect-Ct: report-uri="https://oktaexpectct.report-uri.com/r/t/ct/reportOnly", max-age=0
Expires: 0
P3p: CP="HONK"
Pragma: no-cache
Public-Key-Pins-Report-Only: pin-sha256="r5EfzZxQO/kj3ACwmxfdT2zt8="; pin-sha256="MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ="; pin-sha256="72G5IEvDEWn+ZSLqolhnO6iyJI="; pin-sha256="rrV6CLCCvqnkcCit7GGoiVTjCOg="; max-age=60; report-uri="https://okta.report-uri.com/r/default/hpkp/reportOnly"
Server: nginx
Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID=64C880B1388BCF861F69F00F21ACA0CE; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=315360000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Okta-Request-Id: YLAACWeg6F8KSwoqNt--0AAADAc
X-Rate-Limit-Limit: 100
X-Rate-Limit-Remaining: 99
X-Rate-Limit-Reset: 1622147141
X-Xss-Protection: 0

{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "oaeAr2urxBSQA67xhl9VjqAtQ",
  "errorCauses": []
}
```

Expected Behavior

Create the app.

Actual Behavior

Error.

Steps to Reproduce

  1. terraform apply

Important Factoids

Okta dev license

drewmullen commented 3 years ago

Update: I created a working SAML app in the GUI, and I was able to read it using the data source and validate all my config values (terraform show, then eyeball the values).

Also, I was able to import the resource and make changes to the pre-existing one using the same API token.

ajoline commented 3 years ago

I would be curious to know if there are restrictions in the Okta Dev environment that prevent this resource from working?

noinarisak commented 3 years ago

@drewmullen I wonder if the API Token is not associated with the correct Super Admin user (e.g. username). On the UI Dashboard, can you remove the user dups (of course, not the username/email you are logged in as), recreate the API Token again and then give it a try?

drewmullen commented 3 years ago

@noinarisak Same result D: We've tried having several Super Admins create keys for me to test as well, all with the same error. I also tried with the API and got the same error:

curl -v -X POST -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: SSWS ${api_token}" -d "@./app.json" "https://<>.okta.com/api/v1/apps?activate=true"
{"errorCode":"E0000006","errorSummary":"You do not have permission to perform the requested action","errorLink":"E0000006","errorId":"oae3jA0mvqeSY-iDDSmWnuGfw","errorCauses":[]}

You can piece together app.json using the debug output.
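Piecing app.json together from the provider's debug output by hand is tedious, and the same log also carries the identifiers worth quoting when escalating the 403. The script below is an added example, not code from this issue or from the provider; it runs on a constructed sample (`SAMPLE_DEBUG`) modelled on the log above, extracts the request body of the `POST /api/v1/apps` call even when the log has been flattened onto one line, and pulls the errorCode, errorId and X-Okta-Request-Id out of the error response.

```python
import json
import re
# Constructed sample modelled on this issue's debug output (token redacted, body shortened).
SAMPLE_DEBUG = """\
---[ REQUEST ]---------------------------------------
POST //api/v1/apps?activate=true HTTP/1.1
Authorization: SSWS <redacted>

{"label":"acme","signOnMode":"SAML_2_0","settings":{"signOn":{"assertionSigned":true}}} 2021-05-27T20:24:41.460Z [DEBUG] Okta API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden
X-Okta-Request-Id: YLAACWeg6F8KSwoqNt--0AAADAc

{"errorCode":"E0000006","errorSummary":"You do not have permission to perform the requested action","errorId":"oae3jA0mvqeSY-iDDSmWnuGfw","errorCauses":[]}
"""

_BLOCK_RE = re.compile(r"---\[ (REQUEST|RESPONSE) \]-+")

def split_blocks(log):
    """(kind, text) for each REQUEST/RESPONSE block, in log order."""
    marks = list(_BLOCK_RE.finditer(log))
    ends = [m.start() for m in marks[1:]] + [len(log)]
    return [(m.group(1), log[m.end():e]) for m, e in zip(marks, ends)]

def first_json(text):
    """First balanced JSON object; raw_decode stops at the closing brace, so
    log text glued after the body (a flattened log) is ignored."""
    start = text.find("{")
    if start < 0:
        return None
    return json.JSONDecoder().raw_decode(text[start:])[0]

def app_json_from_log(log):
    """Body of the first POST .../api/v1/apps request: the app.json for the curl step."""
    for kind, text in split_blocks(log):
        if kind == "REQUEST" and re.search(r"^POST /+api/v1/apps", text, re.M):
            return first_json(text)
    return None

def okta_error_from_log(log):
    """(status, errorCode, errorId, X-Okta-Request-Id) of the first 4xx/5xx response."""
    for kind, text in split_blocks(log):
        if kind != "RESPONSE":
            continue
        status = int(re.search(r"^HTTP/\S+ (\d{3})", text, re.M).group(1))
        if status >= 400:
            body = first_json(text) or {}
            rid = re.search(r"^X-Okta-Request-Id: (\S+)", text, re.M)
            return status, body.get("errorCode"), body.get("errorId"), rid and rid.group(1)
    return None
```

Run it against a real `TF_LOG=DEBUG` capture by reading the file into `app_json_from_log` and dumping the result with `json.dump(..., indent=2)` to produce the app.json for the curl command above.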

drewmullen commented 3 years ago

This wound up being a licensing issue.