Error: failed to get SAML identity profile mapping #984

Closed
Cylock opened this issue Feb 24, 2022 · 5 comments · Fixed by #985
Cylock commented Feb 24, 2022


Terraform Version

v1.1.6

Does a SAML mapping have anything to do with OIDC?

Hello,

I will preface this by saying that I am not that well experienced in Identity Management, its protocols, etc., since it's not something with which I work day by day.

I am learning how to interact with Okta using terraform and tried to apply an example OIDC Identity Provider resource to my Okta developer instance.

At terraform apply it creates the remote object, but an error pops up during the process:

[screenshot]

First searches of the error itself point to not having a feature flag enabled on my account so that it authorizes calling an API, specifically /api/v1/mappings.

The support ticket: https://support.okta.com/help/s/question/0D54z000072AklcCAC/you-do-not-have-permission-to-access-the-feature-you-are-requesting-profile-mapping?language=en_US

But I am not sure if that is the root cause, since OIDC and SAML are two different protocols. Some investigation led me to the Go files in the GitHub repo for this resource:

[screenshot]

Check references for the commit that introduced these changes.

My question: Is this implementation correct or am I missing something?

Affected Resource(s)

  • okta_idp_oidc

Terraform Configuration Files

resource okta_idp_oidc bindid {
    name                  = "BindId"
    authorization_url     = "https://signin.bindid-sandbox.io/authorize"
    authorization_binding = "HTTP-REDIRECT"
    token_url             = "https://signin.bindid-sandbox.io/token"
    token_binding         = "HTTP-POST"
    user_info_url         = "https://signin.bindid-sandbox.io/userinfo"
    user_info_binding     = "HTTP-REDIRECT"
    jwks_url              = "https://signin.bindid-sandbox.io/jwks"
    jwks_binding          = "HTTP-REDIRECT"
    scopes                = ["openid","email"]
    client_id             = "efg456"
    client_secret         = "efg456"
    issuer_url            = "https://signin.bindid-sandbox.io"
    username_template     = "idpuser.email"
}

Expected Behavior

Create the remote object without any issues and track it

Actual Behavior

It creates the remote object, but because there is an error it taints the resource mapped to it in the terraform.tfstate, and this leads to subsequent failures on terraform plan, terraform apply, and terraform destroy.

Steps to Reproduce

  1. terraform apply

Important Factoids

Working with a free Okta developer account.

References

a1f46a1

@monde monde self-assigned this Feb 24, 2022

monde commented Feb 24, 2022

@Cylock I'll try to get you some feedback today or tomorrow.


monde commented Feb 24, 2022

@Cylock the error messages are a red herring. okta/resource_okta_idp_oidc.go and okta/resource_okta_idp_saml.go were worked on at the same time (see #957, #865), so the "failed to get SAML identity provider profile mapping" message in the OIDC resource is a copy-and-paste error. I have a PR to fix that: #985. I'm still looking into the bigger picture error. I'll give feedback when I have an answer for you.


monde commented Feb 24, 2022

ok @Cylock, I used your sample resource okta_idp_oidc bindid on my test org and it works for me:

terraform {
  required_providers {
    okta = {
      source = "okta/okta"
    }
  }
}

# export OKTA_API_TOKEN=XXXX
# export OKTA_ORG_NAME=XXXX
# export OKTA_BASE_URL=okta.com
# export TF_VAR_client_id=XXXX
# export TF_VAR_client_secret=XXXX

# terraform init
# terraform plan
# terraform apply

variable "client_id" {
    type = string
}

variable "client_secret" {
    type = string
}

resource okta_idp_oidc bindid {
    name                  = "BindId"
    authorization_url     = "https://signin.bindid-sandbox.io/authorize"
    authorization_binding = "HTTP-REDIRECT"
    token_url             = "https://signin.bindid-sandbox.io/token"
    token_binding         = "HTTP-POST"
    user_info_url         = "https://signin.bindid-sandbox.io/userinfo"
    user_info_binding     = "HTTP-REDIRECT"
    jwks_url              = "https://signin.bindid-sandbox.io/jwks"
    jwks_binding          = "HTTP-REDIRECT"
    scopes                = ["openid","email"]
    client_id             = var.client_id
    client_secret         = var.client_secret
    issuer_url            = "https://signin.bindid-sandbox.io"
    username_template     = "idpuser.email"
}
export OKTA_API_TOKEN=XXXX
export OKTA_ORG_NAME=XXXX
export OKTA_BASE_URL=okta.com
export TF_VAR_client_id=XXXX
export TF_VAR_client_secret=XXXX

$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # okta_idp_oidc.bindid will be created
  + resource "okta_idp_oidc" "bindid" {
      + account_link_action          = "AUTO"
      + authorization_binding        = "HTTP-REDIRECT"
      + authorization_url            = "https://signin.bindid-sandbox.io/authorize"
      + client_id                    = "0oaayrsmmgRlDp1d2696"
      + client_secret                = (sensitive value)
      + deprovisioned_action         = "NONE"
      + groups_action                = "NONE"
      + id                           = (known after apply)
      + issuer_mode                  = "ORG_URL"
      + issuer_url                   = "https://signin.bindid-sandbox.io"
      + jwks_binding                 = "HTTP-REDIRECT"
      + jwks_url                     = "https://signin.bindid-sandbox.io/jwks"
      + name                         = "BindId"
      + protocol_type                = "OIDC"
      + provisioning_action          = "AUTO"
      + request_signature_algorithm  = "SHA-256"
      + response_signature_algorithm = "SHA-256"
      + scopes                       = [
          + "email",
          + "openid",
        ]
      + status                       = "ACTIVE"
      + subject_match_type           = "USERNAME"
      + suspended_action             = "NONE"
      + token_binding                = "HTTP-POST"
      + token_url                    = "https://signin.bindid-sandbox.io/token"
      + type                         = (known after apply)
      + user_info_binding            = "HTTP-REDIRECT"
      + user_info_url                = "https://signin.bindid-sandbox.io/userinfo"
      + user_type_id                 = (known after apply)
      + username_template            = "idpuser.email"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

okta_idp_oidc.bindid: Creating...
okta_idp_oidc.bindid: Creation complete after 2s [id=0oahp2dpuKIjTYhka696]


monde commented Feb 24, 2022

@Cylock so, your org might be having the same issue as the one reported in https://support.okta.com/help/s/question/0D54z000072AklcCAC/you-do-not-have-permission-to-access-the-feature-you-are-requesting-profile-mapping?language=en_US . Please open a support ticket and ask for the MAPPINGS_API feature flag to be applied to your organization. That feature is GA so it should have already been enabled but sometimes feature upgrades don't propagate correctly on releases. Let me know if this resolves your issue.
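A preflight check for the condition described in this comment, added here as an example (it is not code from the issue or from terraform-provider-okta): it calls GET /api/v1/mappings with the same SSWS API token and org environment variables as the apply session above, so a missing MAPPINGS_API flag is caught before terraform apply creates an IdP that then ends up tainted in state. The Okta error-model field names (errorCode, errorSummary) are assumed, and the response body used in the test is constructed with a placeholder error code.

```go
package main
import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
)
// oktaAPIError holds the two fields of Okta's API error model that the check reports.
type oktaAPIError struct {
	ErrorCode    string `json:"errorCode"`
	ErrorSummary string `json:"errorSummary"`
}
// CheckMappingsAPI calls GET {orgURL}/api/v1/mappings (orgURL without trailing slash) with an
// SSWS API token. A 403 is the symptom in this issue: MAPPINGS_API is not applied to the org.
func CheckMappingsAPI(client *http.Client, orgURL, apiToken string) (bool, string, error) {
	req, err := http.NewRequest(http.MethodGet, orgURL+"/api/v1/mappings", nil)
	if err != nil {
		return false, "", err
	}
	req.Header.Set("Authorization", "SSWS "+apiToken)
	resp, err := client.Do(req)
	if err != nil {
		return false, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound the read
	switch resp.StatusCode {
	case http.StatusOK:
		return true, "mappings API reachable; okta_idp_oidc should apply cleanly", nil
	case http.StatusForbidden:
		var e oktaAPIError
		_ = json.Unmarshal(body, &e) // a non-JSON body just leaves the fields empty
		return false, fmt.Sprintf("403 %s: %s; ask Okta support to enable MAPPINGS_API",
			e.ErrorCode, e.ErrorSummary), nil
	}
	return false, fmt.Sprintf("unexpected HTTP %d from mappings API", resp.StatusCode), nil
}
// main reads the same env vars as the apply session above and exits non-zero if not ready.
func main() {
	org := "https://" + os.Getenv("OKTA_ORG_NAME") + "." + os.Getenv("OKTA_BASE_URL")
	ok, detail, err := CheckMappingsAPI(http.DefaultClient, org, os.Getenv("OKTA_API_TOKEN"))
	if err != nil {
		detail = "request failed: " + err.Error()
	}
	fmt.Println(detail)
	if err != nil || !ok {
		os.Exit(1) // skip terraform apply: it would create the IdP and then taint it
	}
}
```

Run it in the same shell where OKTA_API_TOKEN, OKTA_ORG_NAME and OKTA_BASE_URL are exported; a non-zero exit means the org is not ready for the okta_idp_oidc resource yet.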


Cylock commented Feb 28, 2022

Hello, I requested Okta support to enable the flag and it works now. I can create an OIDC provider without any errors. Thank you @monde for the prompt responses.

Closing this issue.

@Cylock Cylock closed this as completed Feb 28, 2022
monde added a commit that referenced this issue Mar 3, 2022
Correct idp related error messages. See: #984