Merge pull request #714 from okta/app_signon_policy_rule

Added new 'okta_app_signon_policy' and 'okta_app_sign_on_policy_rule' resources
okta · Oct 15, 2021 · 95e716b · 95e716b
2 parents faf33c8 + 5bd4e69
commit 95e716b
Show file tree

Hide file tree

Showing 21 changed files with 1,136 additions and 32 deletions.
diff --git a/examples/okta_app_signon_policy_rule/bacis.tf b/examples/okta_app_signon_policy_rule/bacis.tf
@@ -0,0 +1,34 @@
+resource "okta_app_saml" "test" {
+  label                     = "testAcc_replace_with_uuid"
+  sso_url                   = "http://google.com"
+  recipient                 = "http://here.com"
+  destination               = "http://its-about-the-journey.com"
+  audience                  = "http://audience.com"
+  subject_name_id_template  = "$${user.userName}"
+  subject_name_id_format    = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+  response_signed           = true
+  signature_algorithm       = "RSA_SHA256"
+  digest_algorithm          = "SHA256"
+  honor_force_authn         = false
+  authn_context_class_ref   = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+  single_logout_issuer      = "https://dunshire.okta.com"
+  single_logout_url         = "https://dunshire.okta.com/logout"
+  single_logout_certificate = "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\nBAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG\r\nA1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4\r\nYW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT\r\nMQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ\r\nbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl\r\nbWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa\r\nPyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu\r\nO/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu\r\n2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c\r\nfCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi\r\nVff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd\r\nCJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf\r\nsgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt\r\nieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ\r\nDAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ\r\nKoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3\r\nwLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG\r\nt/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E\r\nP72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij\r\nltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h\r\nhfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5\r\nwbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy\r\nDaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL\r\nJtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt\r\nzOYQQatrnBagM7MI2/T4\r\n"
+
+  attribute_statements {
+    type         = "GROUP"
+    name         = "groups"
+    filter_type  = "REGEX"
+    filter_value = ".*"
+  }
+}
+
+data "okta_app_signon_policy" "test" {
+  app_id = okta_app_saml.test.id
+}
+
+resource "okta_app_signon_policy_rule" "test" {
+  policy_id = data.okta_app_signon_policy.test.id
+  name      = "testAcc_replace_with_uuid"
+}
+
diff --git a/examples/okta_app_signon_policy_rule/bacis_updated.tf b/examples/okta_app_signon_policy_rule/bacis_updated.tf
@@ -0,0 +1,143 @@
+resource "okta_app_saml" "test" {
+  label                     = "testAcc_replace_with_uuid"
+  sso_url                   = "http://google.com"
+  recipient                 = "http://here.com"
+  destination               = "http://its-about-the-journey.com"
+  audience                  = "http://audience.com"
+  subject_name_id_template  = "$${user.userName}"
+  subject_name_id_format    = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+  response_signed           = true
+  signature_algorithm       = "RSA_SHA256"
+  digest_algorithm          = "SHA256"
+  honor_force_authn         = false
+  authn_context_class_ref   = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+  single_logout_issuer      = "https://dunshire.okta.com"
+  single_logout_url         = "https://dunshire.okta.com/logout"
+  single_logout_certificate = "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\nBAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG\r\nA1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4\r\nYW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT\r\nMQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ\r\nbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl\r\nbWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa\r\nPyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu\r\nO/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu\r\n2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c\r\nfCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi\r\nVff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd\r\nCJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf\r\nsgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt\r\nieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ\r\nDAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ\r\nKoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3\r\nwLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG\r\nt/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E\r\nP72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij\r\nltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h\r\nhfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5\r\nwbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy\r\nDaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL\r\nJtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt\r\nzOYQQatrnBagM7MI2/T4\r\n"
+
+  attribute_statements {
+    type         = "GROUP"
+    name         = "groups"
+    filter_type  = "REGEX"
+    filter_value = ".*"
+  }
+}
+
+data "okta_app_signon_policy" "test" {
+  app_id = okta_app_saml.test.id
+}
+
+resource "okta_user" "test" {
+  count      = 5
+  first_name = "TestAcc"
+  last_name  = "Smith"
+  login      = "testAcc_${count.index}@example.com"
+  email      = "testAcc_${count.index}@example.com"
+}
+
+resource "okta_group" "this" {
+  count       = 5
+  name        = "testAcc_${count.index}"
+  description = "testAcc_${count.index}"
+}
+
+resource "okta_user_type" "test" {
+  name         = "testAcc_replace_with_uuid"
+  display_name = "Terraform Acceptance Test User Type Updated"
+  description  = "Terraform Acceptance Test User Type Updated"
+}
+
+resource "okta_network_zone" "test" {
+  name     = "testAcc_replace_with_uuid"
+  type     = "IP"
+  gateways = ["1.2.3.4/24", "2.3.4.5-2.3.4.15"]
+  proxies  = ["2.2.3.4/24", "3.3.4.5-3.3.4.15"]
+}
+
+data "okta_user_type" "default" {
+  name = "user"
+}
+
+resource "okta_app_signon_policy_rule" "test" {
+  name                                   = "testAcc_replace_with_uuid"
+  policy_id                              = data.okta_app_signon_policy.test.id
+  access                                 = "ALLOW"
+  custom_expression                      = "user.status == \"ACTIVE\""
+  device_is_managed                      = false
+  device_is_registered                   = true
+  factor_mode                            = "2FA"
+  groups_excluded                        = [
+    okta_group.this[2].id,
+    okta_group.this[3].id,
+    okta_group.this[4].id
+  ]
+  groups_included                        = [
+    okta_group.this[0].id,
+    okta_group.this[1].id
+  ]
+  inactivity_re_authentication_frequency = "PT10H"
+  network_connection                     = "ZONE"
+  network_includes                       = [
+    okta_network_zone.test.id
+  ]
+  platform_include {
+    os_type = "ANDROID"
+    type    = "MOBILE"
+  }
+  platform_include {
+    os_type = "IOS"
+    type    = "MOBILE"
+  }
+  platform_include {
+    os_type = "MACOS"
+    type    = "DESKTOP"
+  }
+  platform_include {
+    os_type = "OTHER"
+    type    = "DESKTOP"
+  }
+  platform_include {
+    os_type = "OTHER"
+    type    = "MOBILE"
+  }
+  platform_include {
+    os_type = "WINDOWS"
+    type    = "DESKTOP"
+  }
+  priority                               = 98
+  re_authentication_frequency            = "PT43800H"
+  type                                   = "ASSURANCE"
+  user_types_excluded                    = [
+    okta_user_type.test.id
+  ]
+  user_types_included                    = [
+    data.okta_user_type.default.id
+  ]
+  users_excluded                         = [
+    okta_user.test[2].id,
+    okta_user.test[3].id,
+    okta_user.test[4].id
+  ]
+  users_included                         = [
+    okta_user.test[0].id,
+    okta_user.test[1].id
+  ]
+  constraints                            = [
+    jsonencode({
+      "knowledge" : {
+        "reauthenticateIn" : "PT2H",
+        "types" : ["password"]
+      },
+      "possession" : {
+        "deviceBound" : "REQUIRED"
+      }
+    }),
+    jsonencode({
+      "possession" : {
+        "deviceBound" : "REQUIRED",
+        "hardwareProtection" : "REQUIRED",
+        "userPresence" : "OPTIONAL"
+      }
+    })
+  ]
+}
diff --git a/go.mod b/go.mod
@@ -54,7 +54,7 @@ require (
 	github.com/mitchellh/mapstructure v1.1.2 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/oklog/run v1.0.0 // indirect
-	github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211009204024-cb628b5d2137
+	github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211015125119-aacf3820fbca
 	github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627 // indirect
 	github.com/russellhaering/goxmldsig v1.1.0 // indirect
 	github.com/ulikunitz/xz v0.5.8 // indirect

diff --git a/go.sum b/go.sum
@@ -305,6 +305,18 @@ github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211009194114-60ca24b20d8c h1:Lpcx6
 github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211009194114-60ca24b20d8c/go.mod h1:0y8stgdplWMjaEbMr4mVtw0R+BdktpGZRw2sWKZWsMs=
 github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211009204024-cb628b5d2137 h1:Ku0kX7LW6isMNVdr/V1myw0SFoAQoW+yKXQh3HG/t54=
 github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211009204024-cb628b5d2137/go.mod h1:0y8stgdplWMjaEbMr4mVtw0R+BdktpGZRw2sWKZWsMs=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211013090655-670f2c077458 h1:ptdfd37DbC3dfa6emidas0TNAE/shLxRGuHiwV4PZC0=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211013090655-670f2c077458/go.mod h1:0y8stgdplWMjaEbMr4mVtw0R+BdktpGZRw2sWKZWsMs=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211014114112-31cc2902cf8b h1:jo/3Ir/9M6Op+sR6YvPaMYEZhHqLIjT/ymPIwR8iPHs=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211014114112-31cc2902cf8b/go.mod h1:0y8stgdplWMjaEbMr4mVtw0R+BdktpGZRw2sWKZWsMs=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211014182545-53566657e858 h1:2YbxQCk9f+l9+b8J8VKLyDhdZn5GxGeUE7p4JsEfOsU=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211014182545-53566657e858/go.mod h1:0y8stgdplWMjaEbMr4mVtw0R+BdktpGZRw2sWKZWsMs=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211015122750-5787ecf6692f h1:Eb5umLbmCPAPYZhG8G4SSEpma1S0wok/yrSG8Alnzpg=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211015122750-5787ecf6692f/go.mod h1:0y8stgdplWMjaEbMr4mVtw0R+BdktpGZRw2sWKZWsMs=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211015124859-255e52c35c0c h1:jr3BKSmDGi/iFaoiX/Nm6kSS70X0qvfWGlCSeH/u09w=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211015124859-255e52c35c0c/go.mod h1:0y8stgdplWMjaEbMr4mVtw0R+BdktpGZRw2sWKZWsMs=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211015125119-aacf3820fbca h1:3e1ZkAIJ6MX0zHrgpQthCauTBCS4UGg6LoOr0Pilq2A=
+github.com/okta/okta-sdk-golang/v2 v2.8.1-0.20211015125119-aacf3820fbca/go.mod h1:0y8stgdplWMjaEbMr4mVtw0R+BdktpGZRw2sWKZWsMs=
 github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627 h1:pSCLCl6joCFRnjpeojzOpEYs4q7Vditq8fySFG5ap3Y=
 github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

diff --git a/okta/data_source_okta_app_signon_policy.go b/okta/data_source_okta_app_signon_policy.go
@@ -0,0 +1,47 @@
+package okta
+
+import (
+	"context"
+	"path"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/okta/okta-sdk-golang/v2/okta"
+)
+
+func dataSourceAppSignOnPolicy() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: dataSourceAppSignOnPolicyRead,
+		Schema: map[string]*schema.Schema{
+			"app_id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "App ID",
+			},
+			"name": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "Policy name",
+			},
+		},
+	}
+}
+
+func dataSourceAppSignOnPolicyRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	app := okta.NewApplication()
+	_, _, err := getOktaClientFromMetadata(m).Application.GetApplication(ctx, d.Get("app_id").(string), app, nil)
+	if err != nil {
+		return diag.Errorf("failed get app by ID: %v", err)
+	}
+	accessPolicy := linksValue(app.Links, "accessPolicy", "href")
+	if accessPolicy == "" {
+		return diag.Errorf("app does not support sign-on policy or this feature is not available")
+	}
+	policy, _, err := getOktaClientFromMetadata(m).Policy.GetPolicy(ctx, path.Base(accessPolicy), nil)
+	if err != nil {
+		return diag.Errorf("failed get policy by ID: %v", err)
+	}
+	d.SetId(policy.Id)
+	_ = d.Set("name", policy.Name)
+	return nil
+}
diff --git a/okta/data_source_okta_default_policy.go b/okta/data_source_okta_default_policy.go
@@ -21,6 +21,7 @@ func dataSourceDefaultPolicies() *schema.Resource {
 					sdk.PasswordPolicyType,
 					sdk.MfaPolicyType,
 					sdk.IdpDiscoveryType,
+					sdk.AccessPolicyType,
 				}),
 				Description: fmt.Sprintf("Policy type: %s, %s, %s, or %s", sdk.SignOnPolicyType, sdk.PasswordPolicyType, sdk.MfaPolicyType, sdk.IdpDiscoveryType),
 				Required:    true,

diff --git a/okta/data_source_okta_policy.go b/okta/data_source_okta_policy.go
@@ -15,7 +15,7 @@ func dataSourcePolicy() *schema.Resource {
 		Schema: map[string]*schema.Schema{
 			"name": {
 				Type:        schema.TypeString,
-				Description: "Name of policy",
+				Description: "Name of the policy",
 				Required:    true,
 			},
 			"type": {
@@ -25,10 +25,15 @@ func dataSourcePolicy() *schema.Resource {
 					sdk.PasswordPolicyType,
 					sdk.MfaPolicyType,
 					sdk.IdpDiscoveryType,
+					sdk.AccessPolicyType,
 				}),
 				Description: fmt.Sprintf("Policy type: %s, %s, %s, or %s", sdk.SignOnPolicyType, sdk.PasswordPolicyType, sdk.MfaPolicyType, sdk.IdpDiscoveryType),
 				Required:    true,
 			},
+			"status": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -39,5 +44,6 @@ func dataSourcePolicyRead(ctx context.Context, d *schema.ResourceData, m interfa
 		return diag.FromErr(err)
 	}
 	d.SetId(policy.Id)
+	_ = d.Set("status", policy.Status)
 	return nil
 }
diff --git a/okta/policy_rule.go b/okta/policy_rule.go
@@ -145,7 +145,7 @@ func ensureNotDefaultRule(d *schema.ResourceData) error {
 	return ensureNotDefault(d, "Rule")
 }
 
-func getNetwork(d *schema.ResourceData) *okta.PolicyNetworkCondition {
+func buildPolicyNetworkCondition(d *schema.ResourceData) *okta.PolicyNetworkCondition {
 	return &okta.PolicyNetworkCondition{
 		Connection: d.Get("network_connection").(string),
 		Exclude:    convertInterfaceToStringArrNullable(d.Get("network_excludes")),
@@ -184,10 +184,10 @@ func getPolicyRule(ctx context.Context, d *schema.ResourceData, m interface{}) (
 func getUsers(d *schema.ResourceData) *okta.PolicyPeopleCondition {
 	var people *okta.PolicyPeopleCondition
 
-	if include, ok := d.GetOk("users_excluded"); ok {
+	if exclude, ok := d.GetOk("users_excluded"); ok {
 		people = &okta.PolicyPeopleCondition{
 			Users: &okta.UserCondition{
-				Exclude: convertInterfaceToStringSet(include),
+				Exclude: convertInterfaceToStringSet(exclude),
 			},
 		}
 	}

diff --git a/okta/provider.go b/okta/provider.go
@@ -26,6 +26,8 @@ const (
 	appOAuthAPIScope          = "okta_app_oauth_api_scope"
 	appOAuthRedirectURI       = "okta_app_oauth_redirect_uri"
 	appSaml                   = "okta_app_saml"
+	appSignOnPolicy           = "okta_app_signon_policy"
+	appSignOnPolicyRule       = "okta_app_signon_policy_rule"
 	appSamlAppSettings        = "okta_app_saml_app_settings"
 	appSecurePasswordStore    = "okta_app_secure_password_store"
 	appSwa                    = "okta_app_swa"
@@ -204,6 +206,7 @@ func Provider() *schema.Provider {
 			appSaml:                   resourceAppSaml(),
 			appSamlAppSettings:        resourceAppSamlAppSettings(),
 			appSecurePasswordStore:    resourceAppSecurePasswordStore(),
+			appSignOnPolicyRule:       resourceAppSignOnPolicyRule(),
 			appSwa:                    resourceAppSwa(),
 			appSharedCredentials:      resourceAppSharedCredentials(),
 			appThreeField:             resourceAppThreeField(),
@@ -287,6 +290,7 @@ func Provider() *schema.Provider {
 			"okta_app":                         dataSourceApp(),
 			appGroupAssignments:                dataSourceAppGroupAssignments(),
 			appSaml:                            dataSourceAppSaml(),
+			appSignOnPolicy:                    dataSourceAppSignOnPolicy(),
 			appOAuth:                           dataSourceAppOauth(),
 			"okta_app_metadata_saml":           dataSourceAppMetadataSaml(),
 			"okta_app_user_assignments":        dataSourceAppUserAssignments(),

diff --git a/okta/resource_okta_app_saml.go b/okta/resource_okta_app_saml.go
@@ -479,14 +479,14 @@ func resourceAppSamlUpdate(ctx context.Context, d *schema.ResourceData, m interf
 	if err != nil {
 		return diag.Errorf("failed to create SAML application: %v", err)
 	}
-	_, _, err = client.Application.UpdateApplication(ctx, d.Id(), app)
-	if err != nil {
-		return diag.Errorf("failed to update SAML application: %v", err)
-	}
 	err = setAppStatus(ctx, d, client, app.Status)
 	if err != nil {
 		return diag.Errorf("failed to set SAML application status: %v", err)
 	}
+	_, _, err = client.Application.UpdateApplication(ctx, d.Id(), app)
+	if err != nil {
+		return diag.Errorf("failed to update SAML application: %v", err)
+	}
 	if d.HasChange("key_name") {
 		err = tryCreateCertificate(ctx, d, m, app.Id)
 		if err != nil {
@@ -509,6 +509,15 @@ func resourceAppSamlUpdate(ctx context.Context, d *schema.ResourceData, m interf
 			return diag.Errorf("failed to upload logo for SAML application: %v", err)
 		}
 	}
+	isStatusChaged := d.HasChange("status")
+	if isStatusChaged {
+		s := d.Get("status").(string)
+		if s == "ACTIVE" {
+			// activate
+		} else {
+			// deactivate
+		}
+	}
 	return resourceAppSamlRead(ctx, d, m)
 }