
Fix okta_idp_saml resource reading when Mappings API is disabled #1355

deorus
Contributor

@deorus deorus commented Nov 10, 2022

When Orgs don't have the Mappings API flag set, reading `okta_idp_saml` fails due to unauthorized access to the mappings API.

╷
│ Error: failed to get SAML identity provider profile mapping: the API returned an error: You do not have permission to access the feature you are requesting
│
│   with okta_idp_saml.google_workspace,
│   on main.tf line 42, in resource "okta_idp_saml" "google_workspace":
│   42: resource "okta_idp_saml" "google_workspace" {
│
╵

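One way a resource read can tolerate the disabled-feature error described above while still surfacing real authorization failures, written as an added example for this thread (not the provider's own code); `ProfileMapping`, `APIError` and `MappingClient` are stand-ins assumed here, not Okta SDK types:

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ProfileMapping and APIError are stand-ins constructed for this example,
// not the provider's or the Okta SDK's own types.
type ProfileMapping struct{ ID string }

type APIError struct {
	Status  int
	Summary string
}

func (e *APIError) Error() string { return "the API returned an error: " + e.Summary }

// MappingClient is a hypothetical interface over the Okta Mappings API endpoint.
type MappingClient interface {
	GetMappingForIdP(idpID string) (*ProfileMapping, error)
}

// featureDisabled matches only the permission error Okta returns when the
// Mappings API feature is not granted to the org (the message quoted in the PR).
func featureDisabled(err error) bool {
	var apiErr *APIError
	if !errors.As(err, &apiErr) {
		return false
	}
	if apiErr.Status != http.StatusUnauthorized && apiErr.Status != http.StatusForbidden {
		return false
	}
	return strings.Contains(apiErr.Summary, "You do not have permission to access the feature")
}

// ReadIdPMapping returns (mapping, true, nil) on success, (nil, false, nil) when the
// feature is disabled so the read can continue, and propagates every other error.
func ReadIdPMapping(c MappingClient, idpID string) (*ProfileMapping, bool, error) {
	m, err := c.GetMappingForIdP(idpID)
	if err == nil {
		return m, true, nil
	}
	if featureDisabled(err) {
		return nil, false, nil
	}
	return nil, false, fmt.Errorf("failed to get SAML identity provider profile mapping: %w", err)
}
```

The match is deliberately narrow: a token that is simply invalid or lacks the admin role still fails the read, so the skip cannot mask a misconfigured credential.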
@monde
Collaborator

monde commented Nov 10, 2022

@deorus interesting technique, I might make use of it in #1216. If you create a user, but your API key is for an Admin user, not the Super user, when the resource attempts to read in the roles assigned to the new user.

@monde
Collaborator

monde commented Nov 14, 2022

@deorus I'd like to take this PR but I can't do so without an integration test. I've been trying to write one but have not been able to replicate when a 401 would occur on that code path. Can you give me more context about your situation?

  • OIE or classic org
  • SAML app already exists, or SAML app is also created with terraform
  • The Okta API token is for the Super Admin, or the lesser Org Admin
  • Other feature flags have been explicitly enabled on that org

Any other details that you can give me to reproduce the 401 you are seeing would be greatly appreciated.

@deorus
Contributor Author

deorus commented Nov 15, 2022

@monde hope it helps:

OIE or classic org

I believe it's OIE (was recently created and am able to use OIE authenticators).

SAML app already exists, or SAML app is also created with terraform

SAML (IDP) app was created via TF.

The Okta API token is for the Super Admin, or the lesser Org Admin

Super Admin

Other feature flags have been explicitly enabled on that org

Wouldn't be able to know. I tried Support / Sales to get Mappings API enabled but they said I'd need to upgrade commercial plan. So far the account has SSO + MFA 'modules' enabled. Nothing else. Does that help?

Any other details that you can give me to reproduce the 401 you are seeing would be greatly appreciated.

When the IDP is created the first time, any 'read' operation (which occurs during plan), results in this:

╷
│ Error: failed to get SAML identity provider profile mapping: the API returned an error: You do not have permission to access the feature you are requesting
│
│   with okta_idp_saml.google_workspace,
│   on identity_providers.tf line 46, in resource "okta_idp_saml" "google_workspace":
│   46: resource "okta_idp_saml" "google_workspace" {
│
╵

@monde
Collaborator

monde commented Nov 15, 2022

Confirmed this occurs when the api token is super admin but the org does not have the mappings api enabled/granted to it.

@monde
Collaborator

monde commented Nov 15, 2022

@deorus your work here is being merged into #1369 so you get the github credits! Thanks for your PR, closing this out.

@monde monde closed this Nov 15, 2022
MikeMondragon-okta pushed a commit that referenced this pull request Nov 15, 2022
@monde monde mentioned this pull request Nov 18, 2022