
Allow okta_policy_rule_signon to specify IdP #277

Closed
conor-mullen opened this issue Jan 7, 2021 · 16 comments · Fixed by #942
Labels: early-access (Is related to an Early Access feature in the Okta public API), enhancement (Asking for new behavior or feature), wontfix (This will not be worked on)

Comments

@conor-mullen
Contributor

conor-mullen commented Jan 7, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Through the Console and the API you can specify that Okta Sign-on Policy Rules should only apply when signing in through a specific IdP. I do not believe this can currently be achieved through this provider. Through the API this is done in the conditions object which looks something like

"conditions": {
    "people": {
        "users": {
            "exclude": []
        }
    },
    "network": {
        "connection": "ANYWHERE"
    },
    "authContext": {
        "authType": "ANY"
    },
    "identityProvider": {
        "provider": "SPECIFIC_IDP",
        "idpIds": [
            "INSERT_IDP_ID_HERE"
        ]
    }
}

New or Affected Resource(s)

  • okta_policy_rule_signon

Potential Terraform Configuration

My suggestion is to add 2 new optional arguments to okta_policy_rule_signon. The first would be identity_provider and would have the possible values of "ANY", "OKTA", and "SPECIFIC_IDP" with the default being "ANY". When the identity_provider is "SPECIFIC_IDP" then the second new argument, identity_provider_ids, would be used to specify a list of ids of identity providers.

resource "okta_policy_signon" "idp_mfa" {
  name            = "IdP MFA"
  status          = "ACTIVE"
  priority        = 1
  description     = "Require MFA for Okta IdP but not Gmail IdP"
  groups_included = [data.okta_group.everyone.id]
}

resource "okta_policy_rule_signon" "okta_idp" {
  policyid          = okta_policy_signon.idp_mfa.id
  name              = "Require MFA for Okta IdP"
  priority          = 1
  status            = "ACTIVE"
  mfa_required      = true
  mfa_lifetime      = 15
  mfa_prompt        = "SESSION"
  identity_provider = "OKTA"
}

resource "okta_policy_rule_signon" "google_idp" {
  policyid              = okta_policy_signon.idp_mfa.id
  name                  = "No MFA for Gmail IdP"
  priority              = 2
  status                = "ACTIVE"
  session_lifetime      = 120
  identity_provider     = "SPECIFIC_IDP"
  identity_provider_ids = [okta_idp_social.google.id]
}

References
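As an added illustration of the proposal above (this is not conor-mullen's branch or the provider's own code), the mapping from the proposed identity_provider / identity_provider_ids arguments onto the API's identityProvider condition object, in Go since that is the provider's language. The function names and the validation rules (SPECIFIC_IDP must carry ids, ANY and OKTA must not) are my assumptions about how such a mapping should behave:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// IdentityProviderCondition mirrors the "identityProvider" object inside the
// sign-on policy rule "conditions" shown in the issue.
type IdentityProviderCondition struct {
	Provider string   `json:"provider"`
	IdpIds   []string `json:"idpIds,omitempty"`
}

// BuildIdpCondition maps the proposed identity_provider and
// identity_provider_ids arguments onto that object. Inconsistent input is
// rejected so a rule never applies to a different set of sign-ins than the
// operator intended: SPECIFIC_IDP needs ids, ANY and OKTA must not carry any.
func BuildIdpCondition(provider string, idpIDs []string) (*IdentityProviderCondition, error) {
	if provider == "" {
		provider = "ANY" // proposed default
	}
	switch provider {
	case "ANY", "OKTA":
		if len(idpIDs) > 0 {
			return nil, fmt.Errorf("identity_provider_ids is only valid with SPECIFIC_IDP, got %q", provider)
		}
		return &IdentityProviderCondition{Provider: provider}, nil
	case "SPECIFIC_IDP":
		if len(idpIDs) == 0 {
			return nil, fmt.Errorf("SPECIFIC_IDP requires at least one identity_provider_ids entry")
		}
		return &IdentityProviderCondition{Provider: provider, IdpIds: idpIDs}, nil
	default:
		return nil, fmt.Errorf("identity_provider must be ANY, OKTA or SPECIFIC_IDP, got %q", provider)
	}
}

// ConditionJSON renders the object as the Okta API would receive it.
func ConditionJSON(c *IdentityProviderCondition) (string, error) {
	b, err := json.Marshal(c)
	return string(b), err
}

func main() {
	// Placeholder id taken from the issue text; a real org uses its own IdP id.
	c, _ := BuildIdpCondition("SPECIFIC_IDP", []string{"INSERT_IDP_ID_HERE"})
	s, _ := ConditionJSON(c)
	fmt.Println(s) // {"provider":"SPECIFIC_IDP","idpIds":["INSERT_IDP_ID_HERE"]}
}
```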

@conor-mullen conor-mullen added the enhancement Asking for new behavior or feature label Jan 7, 2021
@conor-mullen
Contributor Author

I have started working on implementing this

@conor-mullen
Contributor Author

I've just discovered this is a new feature that hasn't been rolled out everywhere yet.

@bogdanprodan-okta bogdanprodan-okta added the no-api Okta does not have public API endpoint label Jan 11, 2021
@bogdanprodan-okta
Contributor

Hi @conor-mullen! Thanks for submitting this issue. As soon as this feature is officially released, I'll get back to this and add the functionality to support specifying the IdP.

@bogdanprodan-okta bogdanprodan-okta added the wontfix This will not be worked on label Jan 14, 2021
@conor-mullen
Contributor Author

Hi @bogdanprodan-okta, I got this working locally so I'll leave a link to my code in case it helps you in the future when this feature gets released.

master...conor-mullen:idp_policy_rule

@bogdanprodan-okta
Contributor

> Hi @bogdanprodan-okta, I got this working locally so I'll leave a link to my code in case it helps you in the future when this feature gets released.
>
> master...conor-mullen:idp_policy_rule

Thanks, @conor-mullen!

@bogdanprodan-okta bogdanprodan-okta added early-access Is related to an Early Access feature in the Okta public API and removed no-api Okta does not have public API endpoint labels Jan 22, 2021
@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@monde
Collaborator

monde commented Oct 19, 2021

Hi @conor-mullen, conditions is the way to go about this, as referenced at the beginning of the issue. So it won't be possible to put an identity provider on the okta_policy_rule_signon and have that behave as conditions do. cc/ @bogdanprodan-okta

@monde monde closed this as completed Oct 19, 2021
@MichaelOtte-lhsystems

MichaelOtte-lhsystems commented Jan 10, 2022

@monde @bogdanprodan-okta Can you please help/advise how to set the IdP condition on okta_policy_rule_signon via Terraform?
The branch from @conor-mullen looks promising and works like the UI/API as well.
There is no conditions TF resource, or did I miss it?

@reecewilliams7

Hi @monde @bogdanprodan-okta as per @MichaelOtte-lhsystems I don't quite understand the last comment on this ticket. There appears to be no way currently via Terraform to set the identityProvider as part of a signon policy rule.

I know it's an EA feature that has to be specifically requested to be enabled for your org, and I've struggled to find any documentation about it. But certainly the official Okta GO SDK seems to support it - https://github.com/okta/okta-sdk-golang/blob/2e0d27210f938215f3e3b8d5d47f1b93bdc5b92c/okta/identityProviderPolicyRuleCondition.go#L21

So is there any way this could be revisited? It would be great to be able to set this via Terraform :)

@MichaelOtte-lhsystems

Especially as there is already a commit which fixes that: a31322b

@monde monde reopened this Feb 2, 2022
@monde
Collaborator

monde commented Feb 2, 2022

I'm asking @bogdanprodan-okta to color in some additional information on the current state of idp and sign on rules.

@monde
Collaborator

monde commented Feb 2, 2022

fyi @MichaelOtte-lhsystems @reecewilliams7

@reecewilliams7

Amazing, thank you! 😊
