okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

New Resource: App Sign On Policy #56

Closed ghost closed 2 years ago

ghost commented 4 years ago

@msmrnv1 commented on Oct 22, 2019, 6:46 PM UTC:

I can't find a resource to specify the signon policy for the app. Is there such a resource?

This issue was moved by noinarisak from articulate/terraform-provider-okta#309.

ghost commented 4 years ago

@quantumew commented on Oct 22, 2019, 6:56 PM UTC:

You can use okta_policy_signon and okta_policy_rule_signon for Sign On policies, although I am not sure I 100% follow what you mean by app? Makes me think you have a use case I haven't run into.

https://github.com/articulate/terraform-provider-okta/tree/master/examples/okta_policy_signon https://github.com/articulate/terraform-provider-okta/tree/master/examples/okta_policy_rule_signon
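The org-level workaround described above, written out as an added example (not code from the original thread or the provider's own examples). It assumes the current okta/okta provider schema for `okta_policy_signon` and `okta_policy_rule_signon` (the older articulate provider spelled `policy_id` as `policyid`) and a pre-existing group named "Engineering", which is a placeholder. Note that this scopes the rule to a group org-wide; it does not attach to a single application, which is exactly the gap this issue is about.

```hcl
# Assumed: a group named "Engineering" already exists in the Okta org (placeholder name).
data "okta_group" "engineering" {
  name = "Engineering"
}

# Org-level sign-on policy, scoped to the group rather than to an app.
resource "okta_policy_signon" "engineering_mfa" {
  name            = "Engineering MFA sign-on"
  status          = "ACTIVE"
  description     = "Org-level sign-on policy scoped to the Engineering group"
  groups_included = [data.okta_group.engineering.id]
}

# Rule: allow from any network, but always prompt for MFA and cap session length.
resource "okta_policy_rule_signon" "require_mfa" {
  policy_id          = okta_policy_signon.engineering_mfa.id
  name               = "Require MFA on every sign-on"
  status             = "ACTIVE"
  access             = "ALLOW"
  network_connection = "ANYWHERE"
  mfa_required       = true
  mfa_prompt         = "ALWAYS"   # prompt every sign-on, not once per device/session
  session_idle       = 60         # minutes of inactivity before the session expires
  session_lifetime   = 480        # hard cap on session age, in minutes
}
```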

ghost commented 4 years ago

@msmrnv1 commented on Oct 22, 2019, 7:07 PM UTC:

It is under the application, in the Sign On tab.


ghost commented 4 years ago

@quantumew commented on Oct 22, 2019, 7:16 PM UTC:

Right, I forgot about this feature. There is no resource for it, thanks for reporting. We will need to ensure there is an API for it but we can likely reuse a lot of the signon policy stuff we have. Probably similar to the app_user_schema and user_schema relationship.

ghost commented 4 years ago

@msmrnv1 commented on Oct 23, 2019, 8:13 PM UTC:

Oh, I see. Thanks for the update. It's definitely a needed resource.

ghost commented 4 years ago

@jralmaraz commented on Nov 12, 2019, 3:10 AM UTC:

Quick investigation update:

  1. https://okta.my.salesforce.com/087F0000000BGB5IAO

  2. https://ideas.okta.com/app/#/case/111597

Had a quick inspect over the browser and some of the endpoints were:

Request URL: https://org-admin.oktapreview.com/admin/policy/app-sign-on-rule/instance/0oajmu4n7r1JAJAOIS
Request Method: GET

Request URL: https://org-admin.oktapreview.com/admin/app/instance/0oajmu4n7r1JAJAOIS/app-sign-on-policy-list
Request Method: GET

Created one via browser:

Request URL: https://org-admin.oktapreview.com/admin/policy/app-sign-on-rule
Request Method: POST

Form DATA:


github-actions[bot] commented 4 years ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

CalebAlbers commented 3 years ago

@bogdanprodan-okta our organization manages well over 1,000 individual Okta apps across our client base and we have made a custom solution for managing app sign-on policies. I understand that there's no public API for this, but if we were to refactor our current solution, making it idiomatic with how the current Okta provider works, would you take a PR for it?

It would be hitting internal endpoints and require an Okta admin account's username/password in addition to the existing API key, however.

In the interim, I'll continue to push a feature request with our reps to get the app sign-on policies into the public API.

bogdanprodan-okta commented 3 years ago

Hi, @CalebAlbers! I'm not sure about that, but I'll talk to the manager to see what we can do.

Freaky-namuH commented 3 years ago

@CalebAlbers Do you have a change set available publicly? Even if @bogdanprodan-okta isn't able to accept a PR? We are running into similar issues.

CalebAlbers commented 3 years ago

@Freaky-namuH we have code in TypeScript that I can provide publicly which can manage the internal auth and sign-on policies, but we haven't rewritten it in Go for Terraform yet. Happy to collaborate on doing that though if interested.

github-actions[bot] commented 3 years ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

jrummlerS24 commented 3 years ago

There seems to be an API now... but just for OIE enabled Okta tenants: https://developer.okta.com/docs/reference/api/policy/#app-sign-on-policy

bogdanprodan-okta commented 3 years ago

> There seems to be an API now... but just for OIE enabled Okta tenants: https://developer.okta.com/docs/reference/api/policy/#app-sign-on-policy

Yes, that's correct and currently I can not add it here :(

monde commented 2 years ago

> There seems to be an API now... but just for OIE enabled Okta tenants: https://developer.okta.com/docs/reference/api/policy/#app-sign-on-policy
>
> Yes, that's correct and currently I can not add it here :(

We are working on policies this month in okta-sdk-golang and that will trickle down to the okta provider.