Okta app saml saml signed request enabled

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/go-hclog v1.4.0
 	github.com/hashicorp/go-retryablehttp v0.7.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.25.0
-	github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20221118211525-097c8f2b7cf7
+	github.com/okta/okta-sdk-golang/v2 v2.16.1-0.20230303020731-c9f10b776eb6
 	github.com/stretchr/testify v1.8.1
 )
 

go.sum

@@ -207,6 +207,8 @@ github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
 github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
 github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20221118211525-097c8f2b7cf7 h1:NpPP654LMCbiRQD+pfuz8j9Z/MWFybbyxiYeAN2bSlc=
 github.com/okta/okta-sdk-golang/v2 v2.14.1-0.20221118211525-097c8f2b7cf7/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
+github.com/okta/okta-sdk-golang/v2 v2.16.1-0.20230303020731-c9f10b776eb6 h1:4QDfpHc9H0UG4XOVy3JISbHPXAu+3Gpkjo1NtQNdw0s=
+github.com/okta/okta-sdk-golang/v2 v2.16.1-0.20230303020731-c9f10b776eb6/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
 github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627 h1:pSCLCl6joCFRnjpeojzOpEYs4q7Vditq8fySFG5ap3Y=
 github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=

okta/app.go

@@ -630,6 +630,7 @@ func setSamlSettings(d *schema.ResourceData, signOn *okta.SamlApplicationSetting
 	_ = d.Set("digest_algorithm", signOn.DigestAlgorithm)
 	_ = d.Set("honor_force_authn", signOn.HonorForceAuthn)
 	_ = d.Set("authn_context_class_ref", signOn.AuthnContextClassRef)
+	_ = d.Set("saml_signed_request_enabled", signOn.SamlSignedRequestEnabled)
 	if signOn.AllowMultipleAcsEndpoints != nil {
 		if *signOn.AllowMultipleAcsEndpoints {
 			acsEndpointsObj := signOn.AcsEndpoints

okta/data_source_okta_app_saml.go

@@ -274,6 +274,11 @@ func dataSourceAppSaml() *schema.Resource {
 				Description: "Users associated with the application",
 				Deprecated:  "The `users` field is now deprecated for the data source `okta_app_saml`, please replace all uses of this with: `okta_app_user_assignments`",
 			},
+			"saml_signed_request_enabled": {
+				Type:        schema.TypeBool,
+				Computed:    true,
+				Description: "SAML Signed Request enabled",
+			},
 		}),
 	}
 }

okta/data_source_okta_app_saml_test.go

@@ -30,6 +30,8 @@ func TestAccOktaDataSourceAppSaml_read(t *testing.T) {
 					resource.TestCheckResourceAttr("data.okta_app_saml.test_label", "label", buildResourceName(ri)),
 					resource.TestCheckResourceAttr("data.okta_app_saml.test", "status", statusActive),
 					resource.TestCheckResourceAttr("data.okta_app_saml.test_label", "status", statusActive),
+					resource.TestCheckResourceAttr("data.okta_app_saml.test", "saml_signed_request_enabled", "false"),
+					resource.TestCheckResourceAttr("data.okta_app_saml.test_label", "saml_signed_request_enabled", "false"),
 				),
 			},
 		},

okta/resource_okta_app_saml.go

@@ -417,6 +417,12 @@ func resourceAppSaml() *schema.Resource {
 				Computed:    true,
 				Description: "The url that can be used to embed this application in other portals.",
 			},
+			"saml_signed_request_enabled": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "SAML Signed Request enabled",
+				Default:     false,
+			},
 		}),
 		Timeouts: &schema.ResourceTimeout{
 			Create: schema.DefaultTimeout(1 * time.Hour),
@@ -651,21 +657,22 @@ func buildSamlApp(d *schema.ResourceData) (*okta.SamlApplication, error) {
 	// Note: You can't currently configure provisioning features via the API. Use the administrator UI.
 	// app.Features = convertInterfaceToStringSet(d.Get("features"))
 	app.Settings.SignOn = &okta.SamlApplicationSettingsSignOn{
-		DefaultRelayState:     d.Get("default_relay_state").(string),
-		SsoAcsUrl:             d.Get("sso_url").(string),
-		Recipient:             d.Get("recipient").(string),
-		Destination:           d.Get("destination").(string),
-		Audience:              d.Get("audience").(string),
-		IdpIssuer:             d.Get("idp_issuer").(string),
-		SubjectNameIdTemplate: d.Get("subject_name_id_template").(string),
-		SubjectNameIdFormat:   d.Get("subject_name_id_format").(string),
-		ResponseSigned:        &responseSigned,
-		AssertionSigned:       &assertionSigned,
-		SignatureAlgorithm:    d.Get("signature_algorithm").(string),
-		DigestAlgorithm:       d.Get("digest_algorithm").(string),
-		HonorForceAuthn:       &honorForce,
-		AuthnContextClassRef:  d.Get("authn_context_class_ref").(string),
-		Slo:                   &okta.SingleLogout{Enabled: boolPtr(false)},
+		DefaultRelayState:        d.Get("default_relay_state").(string),
+		SsoAcsUrl:                d.Get("sso_url").(string),
+		Recipient:                d.Get("recipient").(string),
+		Destination:              d.Get("destination").(string),
+		Audience:                 d.Get("audience").(string),
+		IdpIssuer:                d.Get("idp_issuer").(string),
+		SubjectNameIdTemplate:    d.Get("subject_name_id_template").(string),
+		SubjectNameIdFormat:      d.Get("subject_name_id_format").(string),
+		ResponseSigned:           &responseSigned,
+		AssertionSigned:          &assertionSigned,
+		SignatureAlgorithm:       d.Get("signature_algorithm").(string),
+		DigestAlgorithm:          d.Get("digest_algorithm").(string),
+		HonorForceAuthn:          &honorForce,
+		AuthnContextClassRef:     d.Get("authn_context_class_ref").(string),
+		Slo:                      &okta.SingleLogout{Enabled: boolPtr(false)},
+		SamlSignedRequestEnabled: boolPtr(d.Get("saml_signed_request_enabled").(bool)),
 	}
 	sli := d.Get("single_logout_issuer").(string)
 	if sli != "" {

okta/resource_okta_app_saml_test.go

@@ -451,6 +451,7 @@ func TestAccAppSaml_certdiff(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "single_logout_issuer", "https://dunshire.okta.com"),
 					resource.TestCheckResourceAttr(resourceName, "single_logout_url", "https://dunshire.okta.com/logout"),
 					resource.TestCheckResourceAttr(resourceName, "single_logout_certificate", "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\nBAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG\r\nA1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4\r\nYW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT\r\nMQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ\r\nbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl\r\nbWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa\r\nPyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu\r\nO/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu\r\n2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c\r\nfCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi\r\nVff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd\r\nCJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf\r\nsgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt\r\nieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ\r\nDAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ\r\nKoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3\r\nwLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG\r\nt/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E\r\nP72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij\r\nltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h\r\nhfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5\r\nwbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy\r\nDaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL\r\nJtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt\r\nzOYQQatrnBagM7MI2/T4\r\n"),
+					resource.TestCheckResourceAttr(resourceName, "saml_signed_request_enabled", "false"),
 					resource.TestCheckResourceAttrSet(resourceName, "logo_url"),
 				),
 			},
@@ -477,6 +478,7 @@ func TestAccAppSaml_certdiff(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "single_logout_issuer", "https://dunshire.okta.com"),
 					resource.TestCheckResourceAttr(resourceName, "single_logout_url", "https://dunshire.okta.com/logout"),
 					resource.TestCheckResourceAttr(resourceName, "single_logout_certificate", "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\nBAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG\r\nA1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4\r\nYW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT\r\nMQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ\r\nbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl\r\nbWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa\r\nPyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu\r\nO/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu\r\n2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c\r\nfCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi\r\nVff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd\r\nCJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf\r\nsgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt\r\nieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ\r\nDAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ\r\nKoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3\r\nwLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG\r\nt/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E\r\nP72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij\r\nltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h\r\nhfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5\r\nwbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy\r\nDaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL\r\nJtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt\r\nzOYQQatrnBagM7MI2/T4\r\n"),
+					resource.TestCheckResourceAttr(resourceName, "saml_signed_request_enabled", "false"),
 					resource.TestCheckResourceAttrSet(resourceName, "logo_url"),
 				),
 			},

website/docs/d/app_saml.html.markdown

@@ -20,112 +20,113 @@ data "okta_app_saml" "example" {
 
 ## Arguments Reference
 
+- `active_only` - (Optional) tells the provider to query for only `ACTIVE` applications.
+
+- `id` - (Optional) `id` of application to retrieve, conflicts with `label` and `label_prefix`.
+
 - `label` - (Optional) The label of the app to retrieve, conflicts with `label_prefix` and `id`. Label uses
   the `?q=<label>` query parameter exposed by Okta's API. It should be noted that at this time this searches both `name`
   and `label`. This is used to avoid paginating through all applications.
 
 - `label_prefix` - (Optional) Label prefix of the app to retrieve, conflicts with `label` and `id`. This will tell the
   provider to do a `starts with` query as opposed to an `equals` query.
 
-- `id` - (Optional) `id` of application to retrieve, conflicts with `label` and `label_prefix`.
-
-- `active_only` - (Optional) tells the provider to query for only `ACTIVE` applications.
+- `skip_groups` - (Optional) Indicator that allows the app to skip `groups` sync. Default is `false`.
 
 - `skip_users` - (Optional) Indicator that allows the app to skip `users` sync. Default is `false`.
 
-- `skip_groups` - (Optional) Indicator that allows the app to skip `groups` sync. Default is `false`.
-
 ## Attributes Reference
 
-- `id` - id of application.
+- `accessibility_error_redirect_url` - Custom error page URL.
 
-- `label` - label of application.
+- `accessibility_login_redirect_url` - Custom login page URL.
 
-- `name` - name of application.
+- `accessibility_self_service` - Enable self-service.
 
-- `status` - status of application.
+- `acs_endpoints` - An array of ACS endpoints. You can configure a maximum of 100 endpoints.
 
-- `key_id` - Certificate key ID.
+- `app_settings_json` - Application settings in JSON format.
 
-- `auto_submit_toolbar` - Display auto submit toolbar.
+- `assertion_signed` - Determines whether the SAML assertion is digitally signed.
 
-- `hide_ios` - Do not display application icon on mobile app.
+- `attribute_statements` - List of SAML Attribute statements.
+    - `name` - The name of the attribute statement.
+    - `filter_type` - Type of group attribute filter.
+    - `filter_value` - Filter value to use.
+    - `namespace` - The attribute namespace.
+    - `type` - The type of attribute statement value.
+    - `values` - Array of values to use.
 
-- `hide_web` - Do not display application icon to users
+- `audience` - Audience restriction.
 
-- `default_relay_state` - Identifies a specific application resource in an IDP initiated SSO scenario.
+- `authn_context_class_ref` - Identifies the SAML authentication context class for the assertion’s authentication statement.
 
-- `sso_url` - Single Sign-on Url.
+- `auto_submit_toolbar` - Display auto submit toolbar.
 
-- `recipient` - The location where the app may present the SAML assertion.
+- `default_relay_state` - Identifies a specific application resource in an IDP initiated SSO scenario.
 
 - `destination` - Identifies the location where the SAML response is intended to be sent inside the SAML assertion.
 
-- `audience` - Audience restriction.
+- `digest_algorithm` - Determines the digest algorithm used to digitally sign the SAML assertion and response.
 
-- `idp_issuer` - SAML issuer ID.
+- `features` - features enabled.
 
-- `sp_issuer` - SAML service provider issuer.
+- `groups` - List of groups IDs assigned to the application.
+  - `DEPRECATED`: Please replace all usage of this field with the data source `okta_app_group_assignments`.
 
-- `subject_name_id_template` - Template for app user's username when a user is assigned to the app.
+- `hide_ios` - Do not display application icon on mobile app.
 
-- `subject_name_id_format` - Identifies the SAML processing rules.
+- `hide_web` - Do not display application icon to users
 
-- `response_signed` - Determines whether the SAML auth response message is digitally signed.
+- `honor_force_authn` - Prompt user to re-authenticate if SP asks for it.
 
-- `request_compressed` - Denotes whether the request is compressed or not.
+- `id` - id of application.
 
-- `assertion_signed` - Determines whether the SAML assertion is digitally signed.
+- `idp_issuer` - SAML issuer ID.
 
-- `signature_algorithm` - Signature algorithm used ot digitally sign the assertion and response.
+- `inline_hook_id` - Saml Inline Hook associated with the application.
 
-- `digest_algorithm` - Determines the digest algorithm used to digitally sign the SAML assertion and response.
+- `key_id` - Certificate key ID.
 
-- `honor_force_authn` - Prompt user to re-authenticate if SP asks for it.
+- `label` - label of application.
 
-- `authn_context_class_ref` - Identifies the SAML authentication context class for the assertion’s authentication
-  statement.
+- `links` - Generic JSON containing discoverable resources related to the app.
 
-- `accessibility_self_service` - Enable self-service.
+- `name` - name of application.
 
-- `accessibility_error_redirect_url` - Custom error page URL.
+- `recipient` - The location where the app may present the SAML assertion.
 
-- `accessibility_login_redirect_url` - Custom login page URL.
+- `request_compressed` - Denotes whether the request is compressed or not.
 
-- `features` - features enabled.
+- `response_signed` - Determines whether the SAML auth response message is digitally signed.
 
-- `user_name_template` - Username template.
+- `saml_signed_request_enabled` - SAML Signed Request enabled
 
-- `user_name_template_suffix` - Username template suffix.
+- `signature_algorithm` - Signature algorithm used ot digitally sign the assertion and response.
 
-- `user_name_template_type` - Username template type.
+- `single_logout_certificate` - x509 encoded certificate that the Service Provider uses to sign Single Logout requests.
 
-- `user_name_template_push_status` - Push username on update.
+- `single_logout_issuer` - The issuer of the Service Provider that generates the Single Logout request.
 
-- `app_settings_json` - Application settings in JSON format.
+- `single_logout_url` - The location where the logout response is sent.
 
-- `acs_endpoints` - An array of ACS endpoints. You can configure a maximum of 100 endpoints.
+- `sp_issuer` - SAML service provider issuer.
 
-- `attribute_statements` - List of SAML Attribute statements.
-    - `name` - The name of the attribute statement.
-    - `filter_type` - Type of group attribute filter.
-    - `filter_value` - Filter value to use.
-    - `namespace` - The attribute namespace.
-    - `type` - The type of attribute statement value.
-    - `values` - Array of values to use.
+- `sso_url` - Single Sign-on Url.
 
-- `single_logout_issuer` - The issuer of the Service Provider that generates the Single Logout request.
+- `status` - status of application.
 
-- `single_logout_url` - The location where the logout response is sent.
+- `subject_name_id_format` - Identifies the SAML processing rules.
 
-- `single_logout_certificate` - x509 encoded certificate that the Service Provider uses to sign Single Logout requests.
+- `subject_name_id_template` - Template for app user's username when a user is assigned to the app.
 
-- `links` - Generic JSON containing discoverable resources related to the app.
+- `user_name_template_push_status` - Push username on update.
 
-- `inline_hook_id` - Saml Inline Hook associated with the application.
+- `user_name_template_suffix` - Username template suffix.
+
+- `user_name_template_type` - Username template type.
+
+- `user_name_template` - Username template.
 
 - `users` - List of users IDs assigned to the application.
   - `DEPRECATED`: Please replace all usage of this field with the data source `okta_app_user_assignments`.
-
-- `groups` - List of groups IDs assigned to the application.
-  - `DEPRECATED`: Please replace all usage of this field with the data source `okta_app_group_assignments`.