Error: failed to get SAML identity profile mapping #984
Comments
@Cylock I'll try to get you some feedback today or tomorrow.

@Cylock the error messages are a red herring.
ok @Cylock, I used your sample

```hcl
terraform {
  required_providers {
    okta = {
      source = "okta/okta"
    }
  }
}

# export OKTA_API_TOKEN=XXXX
# export OKTA_ORG_NAME=XXXX
# export OKTA_BASE_URL=okta.com
# export TF_VAR_client_id=XXXX
# export TF_VAR_client_secret=XXXX
# terraform init
# terraform plan
# terraform apply

variable "client_id" {
  type = string
}

variable "client_secret" {
  type = string
}

resource "okta_idp_oidc" "bindid" {
  name                  = "BindId"
  authorization_url     = "https://signin.bindid-sandbox.io/authorize"
  authorization_binding = "HTTP-REDIRECT"
  token_url             = "https://signin.bindid-sandbox.io/token"
  token_binding         = "HTTP-POST"
  user_info_url         = "https://signin.bindid-sandbox.io/userinfo"
  user_info_binding     = "HTTP-REDIRECT"
  jwks_url              = "https://signin.bindid-sandbox.io/jwks"
  jwks_binding          = "HTTP-REDIRECT"
  scopes                = ["openid", "email"]
  client_id             = var.client_id
  client_secret         = var.client_secret
  issuer_url            = "https://signin.bindid-sandbox.io"
  username_template     = "idpuser.email"
}
```

```
export OKTA_API_TOKEN=XXXX
export OKTA_ORG_NAME=XXXX
export OKTA_BASE_URL=okta.com
export TF_VAR_client_id=XXXX
export TF_VAR_client_secret=XXXX

$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # okta_idp_oidc.bindid will be created
  + resource "okta_idp_oidc" "bindid" {
      + account_link_action          = "AUTO"
      + authorization_binding        = "HTTP-REDIRECT"
      + authorization_url            = "https://signin.bindid-sandbox.io/authorize"
      + client_id                    = "0oaayrsmmgRlDp1d2696"
      + client_secret                = (sensitive value)
      + deprovisioned_action         = "NONE"
      + groups_action                = "NONE"
      + id                           = (known after apply)
      + issuer_mode                  = "ORG_URL"
      + issuer_url                   = "https://signin.bindid-sandbox.io"
      + jwks_binding                 = "HTTP-REDIRECT"
      + jwks_url                     = "https://signin.bindid-sandbox.io/jwks"
      + name                         = "BindId"
      + protocol_type                = "OIDC"
      + provisioning_action          = "AUTO"
      + request_signature_algorithm  = "SHA-256"
      + response_signature_algorithm = "SHA-256"
      + scopes                       = [
          + "email",
          + "openid",
        ]
      + status                       = "ACTIVE"
      + subject_match_type           = "USERNAME"
      + suspended_action             = "NONE"
      + token_binding                = "HTTP-POST"
      + token_url                    = "https://signin.bindid-sandbox.io/token"
      + type                         = (known after apply)
      + user_info_binding            = "HTTP-REDIRECT"
      + user_info_url                = "https://signin.bindid-sandbox.io/userinfo"
      + user_type_id                 = (known after apply)
      + username_template            = "idpuser.email"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

okta_idp_oidc.bindid: Creating...
okta_idp_oidc.bindid: Creation complete after 2s [id=0oahp2dpuKIjTYhka696]
```
@Cylock so, your org might be having the same issue as the one reported in https://support.okta.com/help/s/question/0D54z000072AklcCAC/you-do-not-have-permission-to-access-the-feature-you-are-requesting-profile-mapping?language=en_US . Please open a support ticket and ask for the
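Because the provider only hits the profile-mapping API after the IdP has already been created, the permission problem shows up as a tainted resource rather than a clean failure. A small preflight check that calls `GET /api/v1/mappings` with the same `OKTA_ORG_NAME`, `OKTA_BASE_URL` and `OKTA_API_TOKEN` the thread uses surfaces the condition before `terraform apply` touches anything. This is an added example, not code from the thread or from the okta/okta provider; it assumes the org URL has the form `https://<OKTA_ORG_NAME>.<OKTA_BASE_URL>`, uses Okta's documented `SSWS` token scheme and `errorSummary` error field, and matches the "You do not have permission to access the feature you are requesting" wording from the support article linked above.

```python
"""Preflight check for okta/okta's IdP resources: can this token reach /api/v1/mappings?

Added example for issue #984; not part of the thread or the provider. Only
classify_mappings_response() and mappings_url() are exercised offline; main()
performs the real request when run as a script.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Tuple

MAPPINGS_PATH = "/api/v1/mappings"
# Wording taken from the Okta support article title linked in the thread.
FEATURE_DENIED_TEXT = "permission to access the feature"


def classify_mappings_response(status: int, body: bytes) -> dict:
    """Turn an HTTP status and body from GET /api/v1/mappings into a verdict.

    Returns {"ok": bool, "reason": str}. A 403 carrying the feature-permission
    summary is the signature from #984 (profile-mapping feature not enabled on
    the org); a 401 means the token itself was rejected; 2xx means the
    provider's post-create mapping lookup will succeed.
    """
    try:
        payload = json.loads(body.decode("utf-8") or "null")
    except (UnicodeDecodeError, json.JSONDecodeError):
        payload = None

    if 200 <= status < 300:
        count = len(payload) if isinstance(payload, list) else 0
        return {"ok": True, "reason": f"mappings API reachable ({count} mappings visible)"}

    summary = payload.get("errorSummary", "") if isinstance(payload, dict) else ""
    if status == 401:
        return {"ok": False, "reason": f"token rejected: {summary or 'HTTP 401'}"}
    if status == 403 and FEATURE_DENIED_TEXT in summary.lower():
        return {
            "ok": False,
            "reason": "profile-mapping feature not enabled on this org; "
                      "open an Okta support ticket before running terraform apply",
        }
    return {"ok": False, "reason": f"unexpected HTTP {status}: {summary or body[:200]!r}"}


def mappings_url(org_name: str, base_url: str) -> str:
    """Build the mappings URL from the provider's OKTA_ORG_NAME / OKTA_BASE_URL values."""
    return f"https://{org_name}.{base_url}{MAPPINGS_PATH}?limit=1"


def fetch_mappings(url: str, api_token: str) -> Tuple[int, bytes]:
    """Perform the GET. urllib raises on non-2xx, so unwrap HTTPError into (status, body)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def main() -> int:
    org = os.environ.get("OKTA_ORG_NAME")
    base = os.environ.get("OKTA_BASE_URL", "okta.com")
    token = os.environ.get("OKTA_API_TOKEN")
    if not (org and token):
        print("set OKTA_ORG_NAME and OKTA_API_TOKEN first", file=sys.stderr)
        return 2
    status, body = fetch_mappings(mappings_url(org, base), token)
    verdict = classify_mappings_response(status, body)
    print(("OK: " if verdict["ok"] else "BLOCKED: ") + verdict["reason"])
    return 0 if verdict["ok"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the same exports shown above; a non-zero exit means the later `terraform apply` would create the IdP and then fail on the mapping lookup, which is the state-tainting behaviour the issue describes.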
Hello, requested Okta support to enable the flag and it works now. Can create an OIDC provider without any errors. Thank you @monde for the prompt responses. Closing this issue.
Correct idp related error messages. See: #984
Community Note
Terraform Version
v1.1.6
Does a SAML mapping have anything to do with OIDC?
Hello,
I will preface this by saying that I am not that well experienced in Identity Management, its protocols, etc., since it's not something I work with day by day.
I am learning how to interact with Okta using Terraform and tried to apply an example OIDC Identity Provider resource to my Okta developer instance.
At `terraform apply` it creates the remote object, but an error pops up during the process:

First searches of the error itself point to not having a feature flag enabled on my account so that it authorizes calling an API, specifically /api/v1/mappings
The support ticket: https://support.okta.com/help/s/question/0D54z000072AklcCAC/you-do-not-have-permission-to-access-the-feature-you-are-requesting-profile-mapping?language=en_US
But I'm not sure if that is the root cause since OIDC and SAML are 2 different protocols. Some investigation led me to the Go files in the GitHub repo for this resource:
Check references for the commit that introduced these changes.
My question: Is this implementation correct or am I missing something?
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
Create the remote object without any issues and track it
Actual Behavior
It creates the remote object, but because there is an error it taints the resource mapped to it in the terraform.tfstate, and this leads to subsequent failures on `terraform plan`, `terraform apply`, `terraform destroy`.
Steps to Reproduce
terraform apply
Important Factoids
Working with a free Okta developer account.
References
a1f46a1