diff --git a/go.mod b/go.mod
index 8641081ae..a970ef34a 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/go-hclog v1.4.0
 	github.com/hashicorp/go-retryablehttp v0.7.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.25.0
-	github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20221118211525-097c8f2b7cf7
+	github.com/okta/okta-sdk-golang/v2 v2.16.1-0.20230303020731-c9f10b776eb6
 	github.com/stretchr/testify v1.8.1
 )
 
diff --git a/go.sum b/go.sum
index 83df2da48..15809b194 100644
--- a/go.sum
+++ b/go.sum
@@ -207,6 +207,8 @@ github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
 github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
 github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20221118211525-097c8f2b7cf7 h1:NpPP654LMCbiRQD+pfuz8j9Z/MWFybbyxiYeAN2bSlc=
 github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20221118211525-097c8f2b7cf7/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
+github.com/okta/okta-sdk-golang/v2 v2.16.1-0.20230303020731-c9f10b776eb6 h1:4QDfpHc9H0UG4XOVy3JISbHPXAu+3Gpkjo1NtQNdw0s=
+github.com/okta/okta-sdk-golang/v2 v2.16.1-0.20230303020731-c9f10b776eb6/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
 github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627 h1:pSCLCl6joCFRnjpeojzOpEYs4q7Vditq8fySFG5ap3Y=
 github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
diff --git a/okta/app.go b/okta/app.go
index ecc8bd735..82dad9274 100644
--- a/okta/app.go
+++ b/okta/app.go
@@ -630,6 +630,7 @@ func setSamlSettings(d *schema.ResourceData, signOn *okta.SamlApplicationSetting
 	_ = d.Set("digest_algorithm", signOn.DigestAlgorithm)
 	_ = d.Set("honor_force_authn", signOn.HonorForceAuthn)
 	_ = d.Set("authn_context_class_ref", signOn.AuthnContextClassRef)
+	_ = d.Set("saml_signed_request_enabled", signOn.SamlSignedRequestEnabled)
 	if signOn.AllowMultipleAcsEndpoints != nil {
 		if *signOn.AllowMultipleAcsEndpoints {
 			acsEndpointsObj := signOn.AcsEndpoints
diff --git a/okta/data_source_okta_app_saml.go b/okta/data_source_okta_app_saml.go
index 81e59036c..24d8460da 100644
--- a/okta/data_source_okta_app_saml.go
+++ b/okta/data_source_okta_app_saml.go
@@ -274,6 +274,11 @@ func dataSourceAppSaml() *schema.Resource {
 				Description: "Users associated with the application",
 				Deprecated:  "The `users` field is now deprecated for the data source `okta_app_saml`, please replace all uses of this with: `okta_app_user_assignments`",
 			},
+			"saml_signed_request_enabled": {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "SAML Signed Request enabled",
+			},
 		}),
 	}
 }
diff --git a/okta/data_source_okta_app_saml_test.go b/okta/data_source_okta_app_saml_test.go
index 553e41347..f44a1f486 100644
--- a/okta/data_source_okta_app_saml_test.go
+++ b/okta/data_source_okta_app_saml_test.go
@@ -30,6 +30,8 @@ func TestAccOktaDataSourceAppSaml_read(t *testing.T) {
 					resource.TestCheckResourceAttr("data.okta_app_saml.test_label", "label", buildResourceName(ri)),
 					resource.TestCheckResourceAttr("data.okta_app_saml.test", "status", statusActive),
 					resource.TestCheckResourceAttr("data.okta_app_saml.test_label", "status", statusActive),
+					resource.TestCheckResourceAttr("data.okta_app_saml.test", "saml_signed_request_enabled", "false"),
+					resource.TestCheckResourceAttr("data.okta_app_saml.test_label", "saml_signed_request_enabled", "false"),
 				),
 			},
 		},
diff --git a/okta/resource_okta_app_saml.go b/okta/resource_okta_app_saml.go
index 3a771a6bd..c99ce3482 100644
--- a/okta/resource_okta_app_saml.go
+++ b/okta/resource_okta_app_saml.go
@@ -417,6 +417,12 @@ func resourceAppSaml() *schema.Resource {
 				Computed:    true,
 				Description: "The url that can be used to embed this application in other portals.",
 			},
+			"saml_signed_request_enabled": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "SAML Signed Request enabled",
+				Default:     false,
+			},
 		}),
 		Timeouts: &schema.ResourceTimeout{
 			Create: schema.DefaultTimeout(1 * time.Hour),
@@ -651,21 +657,22 @@ func buildSamlApp(d *schema.ResourceData) (*okta.SamlApplication, error) {
 	// Note: You can't currently configure provisioning features via the API. Use the administrator UI.
 	// app.Features = convertInterfaceToStringSet(d.Get("features"))
 	app.Settings.SignOn = &okta.SamlApplicationSettingsSignOn{
-		DefaultRelayState:     d.Get("default_relay_state").(string),
-		SsoAcsUrl:             d.Get("sso_url").(string),
-		Recipient:             d.Get("recipient").(string),
-		Destination:           d.Get("destination").(string),
-		Audience:              d.Get("audience").(string),
-		IdpIssuer:             d.Get("idp_issuer").(string),
-		SubjectNameIdTemplate: d.Get("subject_name_id_template").(string),
-		SubjectNameIdFormat:   d.Get("subject_name_id_format").(string),
-		ResponseSigned:        &responseSigned,
-		AssertionSigned:       &assertionSigned,
-		SignatureAlgorithm:    d.Get("signature_algorithm").(string),
-		DigestAlgorithm:       d.Get("digest_algorithm").(string),
-		HonorForceAuthn:       &honorForce,
-		AuthnContextClassRef:  d.Get("authn_context_class_ref").(string),
-		Slo:                   &okta.SingleLogout{Enabled: boolPtr(false)},
+		DefaultRelayState:        d.Get("default_relay_state").(string),
+		SsoAcsUrl:                d.Get("sso_url").(string),
+		Recipient:                d.Get("recipient").(string),
+		Destination:              d.Get("destination").(string),
+		Audience:                 d.Get("audience").(string),
+		IdpIssuer:                d.Get("idp_issuer").(string),
+		SubjectNameIdTemplate:    d.Get("subject_name_id_template").(string),
+		SubjectNameIdFormat:      d.Get("subject_name_id_format").(string),
+		ResponseSigned:           &responseSigned,
+		AssertionSigned:          &assertionSigned,
+		SignatureAlgorithm:       d.Get("signature_algorithm").(string),
+		DigestAlgorithm:          d.Get("digest_algorithm").(string),
+		HonorForceAuthn:          &honorForce,
+		AuthnContextClassRef:     d.Get("authn_context_class_ref").(string),
+		Slo:                      &okta.SingleLogout{Enabled: boolPtr(false)},
+		SamlSignedRequestEnabled: boolPtr(d.Get("saml_signed_request_enabled").(bool)),
 	}
 	sli := d.Get("single_logout_issuer").(string)
 	if sli != "" {
diff --git a/okta/resource_okta_app_saml_test.go b/okta/resource_okta_app_saml_test.go
index 5b1de5355..abdc4edc2 100644
--- a/okta/resource_okta_app_saml_test.go
+++ b/okta/resource_okta_app_saml_test.go
@@ -451,6 +451,7 @@ func TestAccAppSaml_certdiff(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "single_logout_issuer", "https://dunshire.okta.com"),
 					resource.TestCheckResourceAttr(resourceName, "single_logout_url", "https://dunshire.okta.com/logout"),
 					resource.TestCheckResourceAttr(resourceName, "single_logout_certificate", "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\nBAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG\r\nA1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4\r\nYW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT\r\nMQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ\r\nbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl\r\nbWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa\r\nPyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu\r\nO/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu\r\n2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c\r\nfCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi\r\nVff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd\r\nCJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf\r\nsgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt\r\nieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ\r\nDAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ\r\nKoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3\r\nwLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG\r\nt/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E\r\nP72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij\r\nltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h\r\nhfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5\r\nwbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy\r\nDaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL\r\nJtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt\r\nzOYQQatrnBagM7MI2/T4\r\n"),
+					resource.TestCheckResourceAttr(resourceName, "saml_signed_request_enabled", "false"),
 					resource.TestCheckResourceAttrSet(resourceName, "logo_url"),
 				),
 			},
@@ -477,6 +478,7 @@ func TestAccAppSaml_certdiff(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "single_logout_issuer", "https://dunshire.okta.com"),
 					resource.TestCheckResourceAttr(resourceName, "single_logout_url", "https://dunshire.okta.com/logout"),
 					resource.TestCheckResourceAttr(resourceName, "single_logout_certificate", "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\nBAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG\r\nA1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4\r\nYW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT\r\nMQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ\r\nbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl\r\nbWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa\r\nPyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu\r\nO/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu\r\n2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c\r\nfCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi\r\nVff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd\r\nCJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf\r\nsgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt\r\nieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ\r\nDAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ\r\nKoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3\r\nwLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG\r\nt/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E\r\nP72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij\r\nltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h\r\nhfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5\r\nwbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy\r\nDaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL\r\nJtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt\r\nzOYQQatrnBagM7MI2/T4\r\n"),
+					resource.TestCheckResourceAttr(resourceName, "saml_signed_request_enabled", "false"),
 					resource.TestCheckResourceAttrSet(resourceName, "logo_url"),
 				),
 			},
diff --git a/website/docs/d/app_saml.html.markdown b/website/docs/d/app_saml.html.markdown
index 2a1eb7ec1..c57fc0067 100644
--- a/website/docs/d/app_saml.html.markdown
+++ b/website/docs/d/app_saml.html.markdown
@@ -20,6 +20,10 @@ data "okta_app_saml" "example" {
 
 ## Arguments Reference
 
+- `active_only` - (Optional) tells the provider to query for only `ACTIVE` applications.
+
+- `id` - (Optional) `id` of application to retrieve, conflicts with `label` and `label_prefix`.
+
 - `label` - (Optional) The label of the app to retrieve, conflicts with `label_prefix` and `id`. Label uses
   the `?q=<label>` query parameter exposed by Okta's API. It should be noted that at this time this searches both `name`
   and `label`. This is used to avoid paginating through all applications.
@@ -27,105 +31,102 @@ data "okta_app_saml" "example" {
 - `label_prefix` - (Optional) Label prefix of the app to retrieve, conflicts with `label` and `id`. This will tell the
   provider to do a `starts with` query as opposed to an `equals` query.
 
-- `id` - (Optional) `id` of application to retrieve, conflicts with `label` and `label_prefix`.
-
-- `active_only` - (Optional) tells the provider to query for only `ACTIVE` applications.
+- `skip_groups` - (Optional) Indicator that allows the app to skip `groups` sync. Default is `false`.
 
 - `skip_users` - (Optional) Indicator that allows the app to skip `users` sync. Default is `false`.
 
-- `skip_groups` - (Optional) Indicator that allows the app to skip `groups` sync. Default is `false`.
-
 ## Attributes Reference
 
-- `id` - id of application.
+- `accessibility_error_redirect_url` - Custom error page URL.
 
-- `label` - label of application.
+- `accessibility_login_redirect_url` - Custom login page URL.
 
-- `name` - name of application.
+- `accessibility_self_service` - Enable self-service.
 
-- `status` - status of application.
+- `acs_endpoints` - An array of ACS endpoints. You can configure a maximum of 100 endpoints.
 
-- `key_id` - Certificate key ID.
+- `app_settings_json` - Application settings in JSON format.
 
-- `auto_submit_toolbar` - Display auto submit toolbar.
+- `assertion_signed` - Determines whether the SAML assertion is digitally signed.
 
-- `hide_ios` - Do not display application icon on mobile app.
+- `attribute_statements` - List of SAML Attribute statements.
+    - `name` - The name of the attribute statement.
+    - `filter_type` - Type of group attribute filter.
+    - `filter_value` - Filter value to use.
+    - `namespace` - The attribute namespace.
+    - `type` - The type of attribute statement value.
+    - `values` - Array of values to use.
 
-- `hide_web` - Do not display application icon to users
+- `audience` - Audience restriction.
 
-- `default_relay_state` - Identifies a specific application resource in an IDP initiated SSO scenario.
+- `authn_context_class_ref` - Identifies the SAML authentication context class for the assertion’s authentication statement.
 
-- `sso_url` - Single Sign-on Url.
+- `auto_submit_toolbar` - Display auto submit toolbar.
 
-- `recipient` - The location where the app may present the SAML assertion.
+- `default_relay_state` - Identifies a specific application resource in an IDP initiated SSO scenario.
 
 - `destination` - Identifies the location where the SAML response is intended to be sent inside the SAML assertion.
 
-- `audience` - Audience restriction.
+- `digest_algorithm` - Determines the digest algorithm used to digitally sign the SAML assertion and response.
 
-- `idp_issuer` - SAML issuer ID.
+- `features` - features enabled.
 
-- `sp_issuer` - SAML service provider issuer.
+- `groups` - List of groups IDs assigned to the application.
+  - `DEPRECATED`: Please replace all usage of this field with the data source `okta_app_group_assignments`.
 
-- `subject_name_id_template` - Template for app user's username when a user is assigned to the app.
+- `hide_ios` - Do not display application icon on mobile app.
 
-- `subject_name_id_format` - Identifies the SAML processing rules.
+- `hide_web` - Do not display application icon to users
 
-- `response_signed` - Determines whether the SAML auth response message is digitally signed.
+- `honor_force_authn` - Prompt user to re-authenticate if SP asks for it.
 
-- `request_compressed` - Denotes whether the request is compressed or not.
+- `id` - id of application.
 
-- `assertion_signed` - Determines whether the SAML assertion is digitally signed.
+- `idp_issuer` - SAML issuer ID.
 
-- `signature_algorithm` - Signature algorithm used ot digitally sign the assertion and response.
+- `inline_hook_id` - Saml Inline Hook associated with the application.
 
-- `digest_algorithm` - Determines the digest algorithm used to digitally sign the SAML assertion and response.
+- `key_id` - Certificate key ID.
 
-- `honor_force_authn` - Prompt user to re-authenticate if SP asks for it.
+- `label` - label of application.
 
-- `authn_context_class_ref` - Identifies the SAML authentication context class for the assertion’s authentication
-  statement.
+- `links` - Generic JSON containing discoverable resources related to the app.
 
-- `accessibility_self_service` - Enable self-service.
+- `name` - name of application.
 
-- `accessibility_error_redirect_url` - Custom error page URL.
+- `recipient` - The location where the app may present the SAML assertion.
 
-- `accessibility_login_redirect_url` - Custom login page URL.
+- `request_compressed` - Denotes whether the request is compressed or not.
 
-- `features` - features enabled.
+- `response_signed` - Determines whether the SAML auth response message is digitally signed.
 
-- `user_name_template` - Username template.
+- `saml_signed_request_enabled` - SAML Signed Request enabled
 
-- `user_name_template_suffix` - Username template suffix.
+- `signature_algorithm` - Signature algorithm used ot digitally sign the assertion and response.
 
-- `user_name_template_type` - Username template type.
+- `single_logout_certificate` - x509 encoded certificate that the Service Provider uses to sign Single Logout requests.
 
-- `user_name_template_push_status` - Push username on update.
+- `single_logout_issuer` - The issuer of the Service Provider that generates the Single Logout request.
 
-- `app_settings_json` - Application settings in JSON format.
+- `single_logout_url` - The location where the logout response is sent.
 
-- `acs_endpoints` - An array of ACS endpoints. You can configure a maximum of 100 endpoints.
+- `sp_issuer` - SAML service provider issuer.
 
-- `attribute_statements` - List of SAML Attribute statements.
-    - `name` - The name of the attribute statement.
-    - `filter_type` - Type of group attribute filter.
-    - `filter_value` - Filter value to use.
-    - `namespace` - The attribute namespace.
-    - `type` - The type of attribute statement value.
-    - `values` - Array of values to use.
+- `sso_url` - Single Sign-on Url.
 
-- `single_logout_issuer` - The issuer of the Service Provider that generates the Single Logout request.
+- `status` - status of application.
 
-- `single_logout_url` - The location where the logout response is sent.
+- `subject_name_id_format` - Identifies the SAML processing rules.
 
-- `single_logout_certificate` - x509 encoded certificate that the Service Provider uses to sign Single Logout requests.
+- `subject_name_id_template` - Template for app user's username when a user is assigned to the app.
 
-- `links` - Generic JSON containing discoverable resources related to the app.
+- `user_name_template_push_status` - Push username on update.
 
-- `inline_hook_id` - Saml Inline Hook associated with the application.
+- `user_name_template_suffix` - Username template suffix.
+
+- `user_name_template_type` - Username template type.
+
+- `user_name_template` - Username template.
 
 - `users` - List of users IDs assigned to the application.
   - `DEPRECATED`: Please replace all usage of this field with the data source `okta_app_user_assignments`.
-
-- `groups` - List of groups IDs assigned to the application.
-  - `DEPRECATED`: Please replace all usage of this field with the data source `okta_app_group_assignments`.
diff --git a/website/docs/r/app_saml.html.markdown b/website/docs/r/app_saml.html.markdown
index 94551617c..dcbf51529 100644
--- a/website/docs/r/app_saml.html.markdown
+++ b/website/docs/r/app_saml.html.markdown
@@ -174,7 +174,6 @@ The following arguments are supported:
 - `assertion_signed` - (Optional) Determines whether the SAML assertion is digitally signed.
 
 - `attribute_statements` - (Optional) List of SAML Attribute statements.
-
   - `name` - (Required) The name of the attribute statement.
   - `filter_type` - (Optional) Type of group attribute filter. Valid values are: `"STARTS_WITH"`, `"EQUALS"`, `"CONTAINS"`, or `"REGEX"`
   - `filter_value` - (Optional) Filter value to use.
@@ -184,6 +183,8 @@ The following arguments are supported:
 
 - `audience` - (Optional) Audience restriction.
 
+- `authentication_policy` - (Optional) The ID of the associated `app_signon_policy`. If this property is removed from the application the `default` sign-on-policy will be associated with this application.
+
 - `authn_context_class_ref` - (Optional) Identifies the SAML authentication context class for the assertion’s authentication statement.
 
 - `auto_submit_toolbar` - (Optional) Display auto submit toolbar. Default is: `false`
@@ -199,7 +200,6 @@ The following arguments are supported:
 - `features` - (Optional) features enabled. Notice: you can't currently configure provisioning features via the API.
 
 - `groups` - (Optional) Groups associated with the application.
-
   - `DEPRECATED`: Please replace usage with the `okta_app_group_assignments` (or `okta_app_group_assignment`) resource.
 
 - `hide_ios` - (Optional) Do not display application icon on mobile app. Default is: `false`
@@ -222,9 +222,7 @@ The following arguments are supported:
 
 - `logo` - (Optional) Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
 
-- `preconfigured_app` - (Optional) name of application from the Okta Integration Network, if not included a custom app will be created.  
-  If not provided the following arguments are required:
-
+- `preconfigured_app` - (Optional) name of application from the Okta Integration Network, if not included a custom app will be created.  If not provided the following arguments are required:
   - `sso_url`
   - `recipient`
   - `destination`
@@ -241,12 +239,13 @@ The following arguments are supported:
 
 - `response_signed` - (Optional) Determines whether the SAML auth response message is digitally signed.
 
+- `saml_signed_request_enabled` - SAML Signed Request enabled
+
 - `saml_version` - (Optional) SAML version for the app's sign-on mode. Valid values are: `"2.0"` or `"1.1"`. Default is `"2.0"`.
 
 - `signature_algorithm` - (Optional) Signature algorithm used ot digitally sign the assertion and response.
 
-- `single_logout_certificate` - (Optional) x509 encoded certificate that the Service Provider uses to sign Single Logout requests.
-  Note: should be provided without `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`, see [official documentation](https://developer.okta.com/docs/reference/api/apps/#service-provider-certificate).
+- `single_logout_certificate` - (Optional) x509 encoded certificate that the Service Provider uses to sign Single Logout requests.  Note: should be provided without `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`, see [official documentation](https://developer.okta.com/docs/reference/api/apps/#service-provider-certificate).
 
 - `single_logout_issuer` - (Optional) The issuer of the Service Provider that generates the Single Logout request.
 
@@ -266,71 +265,58 @@ The following arguments are supported:
 
 - `subject_name_id_template` - (Optional) Template for app user's username when a user is assigned to the app.
 
-- `user_name_template` - (Optional) Username template. Default is: `"${source.login}"`
-
 - `user_name_template_push_status` - (Optional) Push username on update. Valid values: `"PUSH"` and `"DONT_PUSH"`.
 
 - `user_name_template_suffix` - (Optional) Username template suffix.
 
 - `user_name_template_type` - (Optional) Username template type. Default is: `"BUILT_IN"`.
 
-- `users` - (Optional) Users associated with the application.
+- `user_name_template` - (Optional) Username template. Default is: `"${source.login}"`
 
+- `users` - (Optional) Users associated with the application.
   - `DEPRECATED`: Please replace usage with the `okta_app_user` resource.
 
-- `authentication_policy` - (Optional) The ID of the associated `app_signon_policy`. If this property is removed from the application the `default` sign-on-policy will be associated with this application.
-
 ## Attributes Reference
 
-- `id` - id of application.
+- `certificate` - The raw signing certificate.
 
-- `name` - Name assigned to the application by Okta.
+- `embed_url` - Url that can be used to embed this application into another portal.
 
-- `sign_on_mode` - Sign-on mode of application.
+- `entity_key` - Entity ID, the ID portion of the `entity_url`.
+
+- `entity_url` - Entity URL for instance [http://www.okta.com/exk1fcia6d6EMsf331d8](http://www.okta.com/exk1fcia6d6EMsf331d8).
+
+- `http_post_binding` - `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Post` location from the SAML metadata.
+
+- `http_redirect_binding` - `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect` location from the SAML metadata.
+
+- `id` - id of application.
 
 - `key_id` - Certificate key ID.
 
 - `key_name` - Certificate name. This modulates the rotation of keys. New name == new key.
 
 - `keys` - An array of all key credentials for the application. Format of each entry is as follows:
-
   - `kid` - Key ID.
-
   - `kty` - Identifies the cryptographic algorithm family used with the key.
-
   - `use` - Intended use of the public key.
-
   - `created` - Date created.
-
   - `last_updated` - Date the key was last updated.
-
   - `expires_at` - Date the key expires.
-
   - `e` - RSA exponent.
-
   - `n` - RSA modulus.
-
   - `x5c` - X.509 certificate chain.
-
   - `x5t_s256` - X.509 certificate SHA-256 thumbprint.
 
-- `certificate` - The raw signing certificate.
-
-- `metadata` - The raw SAML metadata in XML.
+- `logo_url` - Direct link of application logo.
 
 - `metadata_url` - SAML xml metadata URL.
 
-- `http_post_binding` - `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Post` location from the SAML metadata.
-
-- `http_redirect_binding` - `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect` location from the SAML metadata.
-
-- `entity_key` - Entity ID, the ID portion of the `entity_url`.
-
-- `entity_url` - Entity URL for instance [http://www.okta.com/exk1fcia6d6EMsf331d8](http://www.okta.com/exk1fcia6d6EMsf331d8).
+- `metadata` - The raw SAML metadata in XML.
 
-- `logo_url` - Direct link of application logo.
+- `name` - Name assigned to the application by Okta.
 
-- `embed_url` - Url that can be used to embed this application into another portal.
+- `sign_on_mode` - Sign-on mode of application.
 
 ## Timeouts