Closed ghost closed 2 years ago
@quantumew commented on Oct 22, 2019, 6:56 PM UTC:
You can use okta_policy_signon and okta_policy_rule_signon for Sign On policies, although I am not sure I 100% follow what you mean by app? Makes me think you have a use case I haven't run into.
https://github.com/articulate/terraform-provider-okta/tree/master/examples/okta_policy_signon
https://github.com/articulate/terraform-provider-okta/tree/master/examples/okta_policy_rule_signon
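For reference, here is what the two resources named in the comment above look like together in a Terraform configuration. This is an added example, not code from the thread or from the provider's own examples directory: it defines an org-level sign-on policy and one rule requiring MFA, which is the only kind of sign-on policy the provider covered at the time of the thread (it is not the per-app sign-on policy the issue asks for). Attribute names assume the current okta/okta provider (policy_id, groups_included, mfa_prompt); the older articulate provider used policyid. The group ID variable is a placeholder you must supply from your own org.

```hcl
# Added example (not from the thread or the provider repo).
# Org-level sign-on policy plus one rule, using okta_policy_signon and
# okta_policy_rule_signon. Assumes okta/okta provider attribute names;
# the 2019 articulate provider spelled policy_id as "policyid".

terraform {
  required_providers {
    okta = {
      source = "okta/okta"
    }
  }
}

# Placeholder: the ID of the Okta group the policy should apply to.
variable "scoped_group_id" {
  type        = string
  description = "Okta group ID the sign-on policy is scoped to (placeholder)"
}

# Org-level sign-on policy. This is NOT an application sign-on policy;
# it governs sign-in to the org itself.
resource "okta_policy_signon" "contractors" {
  name            = "Contractors sign-on"
  status          = "ACTIVE"
  description     = "Org sign-on policy for contractor accounts (added example)"
  groups_included = [var.scoped_group_id]
}

# A rule attached to the policy above: allow sign-in from any network,
# always prompt for MFA, and cap the session at 60 minutes.
resource "okta_policy_rule_signon" "contractors_require_mfa" {
  policy_id          = okta_policy_signon.contractors.id
  name               = "Require MFA from anywhere"
  status             = "ACTIVE"
  priority           = 1
  access             = "ALLOW"
  network_connection = "ANYWHERE"
  mfa_required       = true
  mfa_prompt         = "ALWAYS"
  session_lifetime   = 60
  session_idle       = 60
  session_persistent = false
}
```

Apply with the usual `terraform init && terraform plan` against an org whose API token has policy management rights; `plan` will show the policy created before the rule because of the `policy_id` reference. Keep in mind that an app still falls under its own app sign-on policy (per-app rules, session limits, device trust), which this configuration does not touch.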
@quantumew commented on Oct 22, 2019, 7:16 PM UTC:
Right, I forgot about this feature. There is no resource for it, thanks for reporting. We will need to ensure there is an API for it but we can likely reuse a lot of the signon policy stuff we have. Probably similar to the app_user_schema and user_schema relationship.
@msmrnv1 commented on Oct 23, 2019, 8:13 PM UTC:
oh, I see.. thanks for the update. It's definitely a needed resource.
@jralmaraz commented on Nov 12, 2019, 3:10 AM UTC:
Quick investigation update:
Raised a support ticket and at least so far found they are not supporting it via API :(
Some other people already raised the feature requests:
Had a quick look in the browser and some of the endpoints were:
Request URL: https://org-admin.oktapreview.com/admin/policy/app-sign-on-rule/instance/0oajmu4n7r1JAJAOIS
Request Method: GET
Request URL: https://org-admin.oktapreview.com/admin/app/instance/0oajmu4n7r1JAJAOIS/app-sign-on-policy-list
Request Method: GET
Created one via browser:
Request URL: https://org-admin.oktapreview.com/admin/policy/app-sign-on-rule
Request Method: POST
General:
Request URL: https://org-admin.oktapreview.com/admin/policy/app-sign-on-rule
Request Method: POST
Status Code: 200
Remote Address: 34.236.241.37:443
Referrer Policy: no-referrer-when-downgrade

Response Headers:
adrum_0: g:a63a2f59-a8fb-45df-b709-d6ea36abe525
adrum_1: n:Okta_6d5b1e30-d05a-4894-a37b-81b5f6c60e0e
adrum_2: i:11552
adrum_3: e:280
cache-control: no-cache, no-store
content-language: en
content-security-policy-report-only: default-src 'self' op1static.oktacdn.com org.oktapreview.com; connect-src 'self' op1static.oktacdn.com *.mixpanel.com *.mapbox.com app.pendo.io data.pendo.io pendo-static-5634101834153984.storage.googleapis.com *.authenticatorlocalprod.com:* *.authenticatorlocaldev.com:*; script-src 'unsafe-inline' 'unsafe-eval' 'self' op1static.oktacdn.com; style-src 'unsafe-inline' 'self' op1static.oktacdn.com app.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com; frame-src 'self' login.okta.com; img-src 'self' op1static.oktacdn.com org.oktapreview.com *.mapbox.com app.pendo.io data.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com data:; font-src data: 'self' op1static.oktacdn.com; frame-ancestors 'self'; report-uri https://okta.report-uri.com/r/d/csp/reportOnly; report-to csp-report
content-type: application/json;charset=UTF-8
date: Tue, 12 Nov 2019 03:01:13 GMT
expires: 0
p3p: CP="HONK"
pragma: no-cache
public-key-pins-report-only: pin-sha256="jZomPEBSDXoipA9un78hKRIeN/+U4ZteRaiX8YpWfqc="; pin-sha256="axSbM6RQ+19oXxudaOTdwXJbSr6f7AahxbDHFy3p8s8="; pin-sha256="SE4qe2vdD9tAegPwO79rMnZyhHvqj3i5g1c2HkyGUNE="; pin-sha256="ylP0lMLMvBaiHn0ihLxHjzvlPVQNoyQ+rMiaj0da/Pw="; max-age=60; report-uri="https://okta.report-uri.io/r/default/hpkp/reportOnly"
report-to: {"group":"csp-report","max_age":31536000,"endpoints":[{"url":"https://okta.report-uri.com/r/d/csp/reportOnly"}],"include_subdomains":true}
server: nginx
set-cookie: JSESSIONID=49F948576D74E9C324D8EF92935EF840; Path=/; Secure; HttpOnly
set-cookie: sid=1022Ax4G9khTl68uzzAC7OGQ;Version=1;Path=/;Secure;HttpOnly;SameSite=None
status: 200
strict-transport-security: max-age=315360000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-okta-request-id: XcogeIyvu4RzVMJ@mu3EAAAAExM
x-rate-limit-limit: 6000
x-rate-limit-remaining: 5998
x-rate-limit-reset: 1573527724
x-robots-tag: none
x-xss-protection: 1; mode=block; report=https://oktadev.report-uri.com/r/d/xss/enforce

Request Headers:
:authority: org-admin.oktapreview.com
:method: POST
:path: /admin/policy/app-sign-on-rule
:scheme: https
accept: text/plain, */*; q=0.01
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8
content-length: 723
content-type: application/x-www-form-urlencoded; charset=UTF-8
cookie: DT=DI0dS-8JHjJSnyH-86i092ltg; _pendo_accountId.f8bd2822-002a-478f-66a9-0178efd7ee1f=00ogcqkwtsRqDXA0L0h7; _pendo_visitorId.f8bd2822-002a-478f-66a9-0178efd7ee1f=00ujf45q5pMF1oxyT0h7; t=default; sid=1022Ax4G9khTl68uzzAC7O_GQ; _pendo_meta.f8bd2822-002a-478f-66a9-0178efd7ee1f=4037906765; mp_73623d035cdabf11e9cfd7580c6d5a97_mixpanel=%7B%22distinct_id%22%3A%20%2200ujf45q5pMF1oxyT0h7%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2Forg.oktapreview.com%2F%22%2C%22%24initial_referring_domain%22%3A%20%22org.oktapreview.com%22%2C%22New%20User%22%3A%20%22%22%2C%22Application%22%3A%20%22%22%2C%22Edition%22%3A%20%22%22%2C%22SKU%22%3A%20%22%22%2C%22env%22%3A%20%22PREVIEW%22%2C%22Admin%22%3A%20%22true%22%2C%22OrgType%22%3A%20%22%22%2C%22%24user_id%22%3A%20%2200ujf45q5pMF1oxyT0h7%22%2C%22%24had_persisted_distinct_id%22%3A%20true%2C%22%24device_id%22%3A%20%2200ujf45q5pMF1oxyT0h7%22%7D; srefresh=1573527555024; JSESSIONID=1F95F484EB4240D62E2EB6EFD1E17CA9
origin: https://org-admin.oktapreview.com
referer: https://org-admin.oktapreview.com/admin/app/salesforce/instance/0oajmu4n7r1JAJAOIS/
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36
x-okta-xsrftoken: 582740478111265d366f1acf11159b553737ab64a5416a9b3376131d3db07afa
x-requested-with: XMLHttpRequest

Form Data:
_xsrfToken=582740478111265d366f1acf11159b553737ab64a5416a9b3376131d3db07afa
policyId=
ruleId=
appInstanceId=0oajmu4n7r1JAJAOIS
name=test
_disabled=on
hasIncluded=false
as_values_082=%2C
includedGroupIdString=
as_values_051=%2C
includedUserIdString=
_hasExcluded=on
as_values_067=%2C
excludedGroupIdString=
as_values_031=%2C
excludedUserIdString=
location=ANYWHERE
as_values_078=%2C
includedZoneIdString=
excludedZoneIdString=
platforms=IOS
_platforms=on
platforms=ANDROID
_platforms=on
platforms=MOBILE_OTHER
_platforms=on
platforms=WINDOWS
_platforms=on
platforms=OSX
_platforms=on
platforms=DESKTOP_OTHER
_platforms=on
deviceTrustLevel=ANY
action=ALLOW
_enforceMaxSessionAge=on
maxSessionAgeMinutes=60
_requireFactor=on
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
@bogdanprodan-okta our organization manages well over 1,000 individual Okta apps across our client base and we have made a custom solution for managing app sign-on policies. I understand that there's no public API for this, but if we were to refactor our current solution, making it idiomatic with how the current Okta provider works, would you take a PR for it?
It would be hitting internal endpoints and require an Okta admin account's username/password in addition to the existing API key, however.
In the interim, I'll continue to push a feature request with our reps to get the app sign-on policies into the public API.
Hi, @CalebAlbers! I'm not sure about that, but I'll talk to the manager to see what we can do.
@CalebAlbers Do you have a change set available publicly? Even if @bogdanprodan-okta isn't able to accept a PR? We are running into similar issues.
@Freaky-namuH we have code in Typescript that I can provide publicly which can manage the internal auth and sign-on policies, but we haven't rewritten in Go for terraform yet. Happy to collaborate on doing that though if interested.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
There seems to be an API now... but just for OIE enabled Okta tenants: https://developer.okta.com/docs/reference/api/policy/#app-sign-on-policy
Yes, that's correct and currently I can not add it here :(
We are working on policies this month in okta-sdk-golang and that will trickle down to the okta provider.
@msmrnv1 commented on Oct 22, 2019, 6:46 PM UTC:
I can't find a resource to specify the signon policy for the app. Is there such a resource?
This issue was moved by noinarisak from articulate/terraform-provider-okta#309.