
okta_app_saml adds source.login as default value for user_name_template instead of null or blank which is supported through API #1812

Open
askmeidentity opened this issue Nov 15, 2023 · 2 comments
Labels
bug triaged Triaged into internal Jira

Comments

@askmeidentity

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.5.1
on windows_386

  • provider registry.terraform.io/okta/okta v4.4.2

Affected Resource(s)

okta_app_saml

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Panic Output

Expected Behavior

Terraform should create an APP with user_name_template_type == "NONE" and user_name_template == null

Can this be done in the Admin UI?

Can this be done in the actual API call?

curl --location 'https://dev-45062044.okta.com/api/v1/apps' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: SSWS ' \
  --data '{
    "label": "ZIA Sample App",
    "accessibility": {
      "selfService": false,
      "errorRedirectUrl": null,
      "loginRedirectUrl": null
    },
    "visibility": {
      "autoSubmitToolbar": false,
      "hide": {
        "iOS": false,
        "web": false
      }
    },
    "features": [],
    "signOnMode": "SAML_2_0",
    "credentials": {
      "userNameTemplate": {
        "template": null,
        "type": "NONE"
      },
      "signing": {}
    },
    "settings": {
      "app": {},
      "notifications": {
        "vpn": {
          "network": {
            "connection": "DISABLED"
          },
          "message": null,
          "helpUrl": null
        }
      },
      "signOn": {
        "defaultRelayState": "",
        "ssoAcsUrl": "http://example.okta.com",
        "idpIssuer": "http://www.okta.com/${org.externalKey}",
        "audience": "https://example.com/tenant/123",
        "recipient": "http://recipient.okta.com",
        "destination": "http://destination.okta.com",
        "subjectNameIdTemplate": "${user.userName}",
        "subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "responseSigned": true,
        "assertionSigned": true,
        "signatureAlgorithm": "RSA_SHA256",
        "digestAlgorithm": "SHA256",
        "honorForceAuthn": true,
        "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        "spIssuer": null,
        "requestCompressed": false,
        "attributeStatements": []
      }
    }
  }'

Actual Behavior

Steps to Reproduce

Create an okta_app_saml resource with user_name_template_type as "NONE" and user_name_template as null or blank

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # okta_app_saml.ziaapp will be updated in-place
  # (imported from "0oada5gisznTlGora5d7")
  ~ resource "okta_app_saml" "ziaapp" {
        accessibility_self_service  = false
        acs_endpoints               = []
        app_links_json              = jsonencode(
            {
                dev-45062044_ziasampleapp_2_link = true
            }
        )
        app_settings_json           = jsonencode({})
        assertion_signed            = true
        audience                    = "https://example.com/tenant/123"
        authn_context_class_ref     = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
        auto_submit_toolbar         = false
        destination                 = "http://destination.okta.com"
        digest_algorithm            = "SHA256"
        embed_url                   = "https://dev-45062044.okta.com/home/dev-45062044_ziasampleapp_2/0oada5gisznTlGora5d7/alnda5qobvE3PfGeI5d7"
        entity_key                  = "exkda5gisyfYlE7rk5d7"
        entity_url                  = "http://www.okta.com/exkda5gisyfYlE7rk5d7"
        features                    = []
        hide_ios                    = false
        hide_web                    = false
        honor_force_authn           = true
        http_post_binding           = "https://dev-45062044.okta.com/app/dev-45062044_ziasampleapp_2/exkda5gisyfYlE7rk5d7/sso/saml"
        http_redirect_binding       = "https://dev-45062044.okta.com/app/dev-45062044_ziasampleapp_2/exkda5gisyfYlE7rk5d7/sso/saml"
        id                          = "0oada5gisznTlGora5d7"
        idp_issuer                  = "http://www.okta.com/${org.externalKey}"
        implicit_assignment         = false
        label                       = "ZIA Sample App"
        logo_url                    = "https://ok12static.oktacdn.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png"
        metadata_url                = "https://dev-45062044.okta.com/api/v1/apps/0oada5gisznTlGora5d7/sso/saml/metadata"
        name                        = "dev-45062044_ziasampleapp_2"
        preconfigured_app           = "dev-45062044_ziasampleapp_2"
        recipient                   = "http://recipient.okta.com"
        response_signed             = true
        saml_signed_request_enabled = false
        saml_version                = "2.0"
        sign_on_mode                = "SAML_2_0"
        signature_algorithm         = "RSA_SHA256"
        sso_url                     = "http://example.okta.com"
        status                      = "ACTIVE"
        subject_name_id_format      = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        subject_name_id_template    = "${user.userName}"
      + user_name_template          = "${source.login}"
        user_name_template_type     = "NONE"
    }
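The issue template's "Terraform Configuration Files" section was left empty, so here is a minimal configuration that reproduces the behaviour described above. This is an added example, not the reporter's own configuration: the attribute names are taken from the plan output in the report, the provider version is the one the report names, and the credentials are assumed to come from the Okta provider's environment variables (OKTA_ORG_NAME, OKTA_BASE_URL, OKTA_API_TOKEN) rather than from the file. The `$$` on the subject name ID template is HCL escaping, so the literal string `${user.userName}` is sent to Okta instead of being interpolated by Terraform.

```hcl
terraform {
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "4.4.2" # provider version from the report
    }
  }
}

# Assumption: org, base URL and SSWS token are supplied via the provider's
# environment variables; the API token is never written into configuration.
provider "okta" {}

resource "okta_app_saml" "ziaapp" {
  label                    = "ZIA Sample App"
  sso_url                  = "http://example.okta.com"
  recipient                = "http://recipient.okta.com"
  destination              = "http://destination.okta.com"
  audience                 = "https://example.com/tenant/123"
  subject_name_id_template = "$${user.userName}" # $$ escapes the literal ${...}
  subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  response_signed          = true
  assertion_signed         = true
  signature_algorithm      = "RSA_SHA256"
  digest_algorithm         = "SHA256"
  honor_force_authn        = true
  authn_context_class_ref  = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

  # The case in question: application username type NONE with no template,
  # which the raw API accepts as "template": null.
  user_name_template_type = "NONE"
  user_name_template      = null
}
```

After `terraform apply`, a second `terraform plan` should report no changes. With the behaviour described in this issue it instead keeps proposing `+ user_name_template = "${source.login}"`, which is the same perpetual diff shown in the plan above, and reading the app back from `GET /api/v1/apps/{id}` shows `credentials.userNameTemplate.template` populated rather than null. A `lifecycle { ignore_changes = [user_name_template] }` block on the resource would silence that diff, but it only hides the discrepancy between what the configuration declares and what Okta stores; it does not make the provider send null.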

@kalidasan116

We are also facing this bug when we pass user_name_template as null or ""

@duytiennguyen-okta duytiennguyen-okta added bug triaged Triaged into internal Jira labels Nov 21, 2023
@duytiennguyen-okta
Contributor

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-669837
