
New okta_policy_mfa resource option external_idps does not work #2091

Open
OnwardKnight opened this issue Sep 18, 2024 · 1 comment
Labels
bug OKTA-809782 triaged Triaged into internal Jira

Comments


OnwardKnight commented Sep 18, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.9.6

Affected Resource(s)

  • okta_policy_mfa

Terraform Configuration Files

resource "okta_idp_oidc" "External_IdP" {
  name                  = "External IdP"
  protocol_type         = "OIDC"
  scopes                = ["openid"]
  authorization_url     = var.authorization_url
  authorization_binding = "HTTP-REDIRECT"
  token_url             = var.token_url
  token_binding         = "HTTP-POST"
  jwks_url              = var.jwks_url
  jwks_binding          = "HTTP-REDIRECT"
  client_id             = var.client_id
  client_secret         = var.client_secret
  issuer_url            = var.issuer_url
  issuer_mode           = "DYNAMIC"
}

resource "okta_authenticator" "External_MFA" {
  key    = "external_idp"
  name   = "Duo Universal Prompt"
  status = "ACTIVE"
  provider_json = jsonencode(
    {
      "type" : "CLAIMS",
      "configuration" : {
        "idpId" : okta_idp_oidc.External_IdP.id
      }
    }
  )
}

resource "okta_policy_mfa" "Users_MFA_Policy" {
  name            = "Users"
  description     = "Require Duo Universal Prompt for all users"
  groups_included = [data.okta_group.SG_ALLUSERS.id]
  # priority        = 5
  status          = "ACTIVE"
  external_idps = [
    {
      "enroll" : "REQUIRED",
      "id" : okta_authenticator.External_MFA.id
    }
  ]
}

Expected Behavior

The new external_idps configuration for okta_policy_mfa resources (introduced in release 4.10.0 - #2044) should allow setting the external IdP configuration for an MFA policy.

Can this be done in the Admin UI?

Yes

Can this be done in the actual API call?

I don't know

Actual Behavior

The external_idps configuration does not take effect when running terraform apply with only one external IdP listed based on the example provided. Using the deprecated external_idp still works.

Steps to Reproduce

  1. Add an external OIDC IdP (factor only).
  2. Add the OIDC IdP as an Authenticator.
  3. Configure an okta_policy_mfa policy resource with the external_idps configuration.
  4. terraform apply

Important Factoids

References
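As an added illustration (not part of the original report or of the okta provider's own examples), the two forms the report compares, side by side: the deprecated per-factor external_idp map that the report says still takes effect, and the external_idps list introduced in provider 4.10.0 that the report says is not applied. The group data source and authenticator resource names are placeholders, and the attribute shapes are taken from the provider documentation as I understand it, so treat them as assumptions rather than verified output.

```hcl
# Added example, not from the original issue. Attribute shapes follow the
# okta provider docs as understood here; treat them as assumptions.

# Workaround the report describes: the deprecated external_idp map sets the
# enrollment requirement for the external IdP authenticator without naming
# a specific authenticator id.
resource "okta_policy_mfa" "users_mfa_policy_legacy" {
  name            = "Users (legacy external_idp)"
  description     = "Require the external IdP authenticator for all users"
  groups_included = [data.okta_group.all_users.id] # placeholder group data source
  status          = "ACTIVE"

  external_idp = {
    enroll = "REQUIRED"
  }
}

# Form introduced in provider 4.10.0 that the report says is not applied:
# a list of maps, each naming an authenticator id and its enrollment mode.
resource "okta_policy_mfa" "users_mfa_policy_new" {
  name            = "Users (external_idps)"
  description     = "Require a specific external IdP authenticator for all users"
  groups_included = [data.okta_group.all_users.id]
  status          = "ACTIVE"

  external_idps = [
    {
      enroll = "REQUIRED"
      id     = okta_authenticator.external_mfa.id # placeholder authenticator resource
    }
  ]
}
```

Whichever form is used, the point for an MFA policy is that a silently ignored setting leaves the users in groups_included without the enrollment requirement the policy claims to enforce. After terraform apply, confirm the requirement actually landed by inspecting the policy in the Admin UI (the report notes that the configuration is possible there) and by running terraform plan again; a plan that keeps proposing the same external_idps change is the signal that the attribute was never written to the policy.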


Davie3 commented Sep 25, 2024

Similarly, the okta_policy_mfa_default resource is also not working as expected with external_idps.
