Correct defaults on okta_idp_oidc, okta_idp_saml, and okta_idp_social.

examples/okta_idp_oidc/generic_oidc.tf

@@ -10,7 +10,7 @@ resource "okta_idp_oidc" "test" {
   jwks_binding          = "HTTP-REDIRECT"
   scopes                = ["openid"]
   client_id             = "efg456"
-  client_secret         = "efg456"
+  client_secret         = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
   issuer_url            = "https://id.example.com"
   username_template     = "idpuser.email"
 }

examples/okta_idp_oidc/generic_oidc_updated.tf

@@ -10,7 +10,7 @@ resource "okta_idp_oidc" "test" {
   jwks_binding          = "HTTP-REDIRECT"
   scopes                = ["openid"]
   client_id             = "efg456"
-  client_secret         = "efg456"
+  client_secret         = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
   issuer_url            = "https://id.example.com"
   username_template     = "idpuser.email"
 }

okta/idp.go

@@ -80,20 +80,6 @@ var (
 			Type:     schema.TypeBool,
 			Optional: true,
 		},
-		"request_signature_algorithm": algorithmSchema,
-		"request_signature_scope": {
-			Type:             schema.TypeString,
-			Optional:         true,
-			Description:      "algorithm to use to sign response",
-			ValidateDiagFunc: elemInSlice([]string{"REQUEST", ""}),
-		},
-		"response_signature_algorithm": algorithmSchema,
-		"response_signature_scope": {
-			Type:             schema.TypeString,
-			Optional:         true,
-			Description:      "algorithm to use to sign response",
-			ValidateDiagFunc: elemInSlice([]string{"RESPONSE", "ANY", ""}),
-		},
 	}
 
 	actionSchema = &schema.Schema{
@@ -102,13 +88,51 @@ var (
 		Default:  "NONE",
 	}
 
-	algorithmSchema = &schema.Schema{
+	samlRequestSignatureAlgorithmSchema = &schema.Schema{
+		Type:             schema.TypeString,
+		Optional:         true,
+		Description:      "The XML digital Signature Algorithm used when signing an <AuthnRequest> message",
+		ValidateDiagFunc: elemInSlice([]string{"SHA-256", "SHA-1"}),
+		Default:          "SHA-256",
+	}
+	samlRequestSignatureScopeSchema = &schema.Schema{
+		Type:             schema.TypeString,
+		Optional:         true,
+		Description:      "Specifies whether to digitally sign <AuthnRequest> messages to the IdP",
+		ValidateDiagFunc: elemInSlice([]string{"REQUEST", "NONE"}),
+		Default:          "REQUEST",
+	}
+
+	samlResponseSignatureAlgorithmSchema = &schema.Schema{
 		Type:             schema.TypeString,
 		Optional:         true,
-		Description:      "algorithm to use to sign requests",
+		Description:      "The minimum XML digital Signature Algorithm allowed when verifying a <SAMLResponse> message or <Assertion> element",
 		ValidateDiagFunc: elemInSlice([]string{"SHA-256", "SHA-1"}),
 		Default:          "SHA-256",
 	}
+	samlResponseSignatureScopeSchema = &schema.Schema{
+		Type:             schema.TypeString,
+		Optional:         true,
+		Description:      "Specifies whether to verify a <SAMLResponse> message or <Assertion> element XML digital signature",
+		ValidateDiagFunc: elemInSlice([]string{"RESPONSE", "ASSERTION", "ANY"}),
+		Default:          "ANY",
+	}
+
+	oidcRequestSignatureAlgorithmSchema = &schema.Schema{
+		Type:             schema.TypeString,
+		Optional:         true,
+		Description:      "The HMAC Signature Algorithm used when signing an authorization request",
+		ValidateDiagFunc: elemInSlice([]string{"HS256", "HS384", "HS512"}),
+		Default:          "HS256",
+	}
+
+	oidcRequestSignatureScopeSchema = &schema.Schema{
+		Type:             schema.TypeString,
+		Optional:         true,
+		Description:      "Specifies whether to digitally sign an authorization request to the IdP",
+		ValidateDiagFunc: elemInSlice([]string{"REQUEST", "NONE"}),
+		Default:          "REQUEST",
+	}
 
 	optBindingSchema = &schema.Schema{
 		Type:     schema.TypeString,
@@ -285,14 +309,14 @@ func buildAlgorithms(d *schema.ResourceData) *okta.ProtocolAlgorithms {
 
 func buildProtocolAlgorithmType(d *schema.ResourceData, key string) *okta.ProtocolAlgorithmType {
 	scopeKey := fmt.Sprintf("%s_signature_scope", key)
-	scope := d.Get(scopeKey).(string)
-	if scope == "" {
+	scope, ok := d.GetOk(scopeKey)
+	if !ok || scope.(string) == "" {
 		return nil
 	}
 	return &okta.ProtocolAlgorithmType{
 		Signature: &okta.ProtocolAlgorithmTypeSignature{
 			Algorithm: d.Get(fmt.Sprintf("%s_signature_algorithm", key)).(string),
-			Scope:     scope,
+			Scope:     scope.(string),
 		},
 	}
 }

okta/resource_okta_idp_oidc.go

@@ -72,6 +72,8 @@ func resourceIdpOidc() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"request_signature_algorithm": oidcRequestSignatureAlgorithmSchema,
+			"request_signature_scope":     oidcRequestSignatureScopeSchema,
 		}),
 	}
 }

okta/resource_okta_idp_oidc_test.go

@@ -33,7 +33,7 @@ func TestAccOktaIdpOidc_crud(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "jwks_url", "https://idp.example.com/keys"),
 					resource.TestCheckResourceAttr(resourceName, "jwks_binding", "HTTP-REDIRECT"),
 					resource.TestCheckResourceAttr(resourceName, "client_id", "efg456"),
-					resource.TestCheckResourceAttr(resourceName, "client_secret", "efg456"),
+					resource.TestCheckResourceAttr(resourceName, "client_secret", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
 					resource.TestCheckResourceAttr(resourceName, "issuer_url", "https://id.example.com"),
 					resource.TestCheckResourceAttr(resourceName, "username_template", "idpuser.email"),
 				),
@@ -51,7 +51,7 @@ func TestAccOktaIdpOidc_crud(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "jwks_url", "https://idp.example.com/keys2"),
 					resource.TestCheckResourceAttr(resourceName, "jwks_binding", "HTTP-REDIRECT"),
 					resource.TestCheckResourceAttr(resourceName, "client_id", "efg456"),
-					resource.TestCheckResourceAttr(resourceName, "client_secret", "efg456"),
+					resource.TestCheckResourceAttr(resourceName, "client_secret", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
 					resource.TestCheckResourceAttr(resourceName, "issuer_url", "https://id.example.com"),
 					resource.TestCheckResourceAttr(resourceName, "username_template", "idpuser.email"),
 				),

okta/resource_okta_idp_saml.go

@@ -88,6 +88,10 @@ func resourceIdpSaml() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"request_signature_algorithm":  samlRequestSignatureAlgorithmSchema,
+			"request_signature_scope":      samlRequestSignatureScopeSchema,
+			"response_signature_algorithm": samlResponseSignatureAlgorithmSchema,
+			"response_signature_scope":     samlResponseSignatureScopeSchema,
 		}),
 	}
 }

website/docs/r/idp_oidc.html.markdown

@@ -97,6 +97,10 @@ The following arguments are supported:
 
 - `profile_master` - (Optional) Determines if the IdP should act as a source of truth for user profile attributes.
 
+- `request_signature_algorithm` - (Optional) The HMAC Signature Algorithm used when signing an authorization request. It can be `"HS256"`, `"HS384"`, or `"HS512"`.
+
+- `request_signature_scope` - (Optional) Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be `"REQUEST"` or `"NONE"`.
+
 ## Attributes Reference
 
 - `id` - ID of the IdP.

website/docs/r/idp_saml.html.markdown

@@ -85,11 +85,11 @@ The following arguments are supported:
 
 - `profile_master` - (Optional) Determines if the IdP should act as a source of truth for user profile attributes.
 
-- `request_signature_algorithm` - (Optional) The XML digital signature algorithm used when signing an AuthnRequest message.
+- `request_signature_algorithm` - (Optional) The XML digital signature algorithm used when signing an AuthnRequest message. It can be `"SHA-256"` or `"SHA-1"`.
 
 - `request_signature_scope` - (Optional) Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be `"REQUEST"` or `"NONE"`.
 
-- `response_signature_algorithm` - (Optional) The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element.
+- `response_signature_algorithm` - (Optional) The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be `"SHA-256"` or `"SHA-1"`.
 
 - `response_signature_scope` - (Optional) Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be `"RESPONSE"`, `"ASSERTION"`, or `"ANY"`.