
Option to enable Assertion Encryption via terraform resource for `okta_app_saml`

Open snigdhasjg opened this issue 1 year ago • 1 comment

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Assertion Encryption

We want to provision Okta SAML 2.0 custom apps via Terraform. The current configuration uses Assertion Encryption. There are hundreds of SAML apps we have to create based on requirements, and it's not easy to do this manually via the Admin Console. So we are looking at a Terraform resource / API.

So far, what we saw: to enable Assertion Encryption via the Admin Console, the browser sends these 6 fields after uploading the file via an internal file API:

    "assertionEncrypted": true,
    "encryptionAlgorithm": "AES256_CBC",
    "keyTransportAlgorithm": "RSA_OAEP",
    "certificateId": "aic1**********h8",
    "certificateFilename": "app-PUBLIC-certificate.crt",
    "certificatePrincipal": "app.domain.com",

We couldn't find any such settings in okta_app_saml or any other Terraform resource, and the API doc says:

You can't update the application's Assertion Encryption configuration through the API. Use the Admin Console

New or Affected Resource(s)

  • okta_app_saml
  • okta_app_saml_assertion_encryption

Potential Terraform Configuration

resource "okta_app_saml" "example" {
  ...

  assertion_encrypted                          = true
  assertion_encryption_algorithm               = "AES256_CBC"
  assertion_encryption_key_transport_algorithm = "RSA_OAEP"
  assertion_encryption_certificate             = file("./cert/app-PUBLIC-certificate.crt")

  ...
}

And the corresponding 6 entries in the Attributes Reference, as mentioned above.

OR we go with a totally new resource like okta_app_saml_assertion_encryption, as the existing okta_app_saml doesn't show any state change if we enable / disable it manually via the Admin Console.

References

  • https://stackoverflow.com/questions/40114261/how-encrypt-and-decrypt-a-saml-assertion
  • https://support.okta.com/help/s/question/0D54z00009JZv06CAD/steps-to-encrypt-saml-assertion-in-oidc-app-integration-with-saml20-idp-setup?language=en_US

cc: @ravalierukulla @gitsidgo

snigdhasjg, Jan 17 '24 16:01
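Whether the six fields above get a Terraform attribute or not, the thing a practitioner ultimately wants to verify across hundreds of apps is what the IdP actually puts on the wire: a saml:EncryptedAssertion whose xenc:EncryptionMethod elements carry the expected data-encryption and key-transport algorithms, rather than a plaintext saml:Assertion. The inspector below is an added example and is not code from this issue or from the provider; it parses a SAML Response and reports the assertion's encryption state and algorithms. It assumes the Admin Console's "AES256_CBC" / "RSA_OAEP" labels map to the XML Encryption URIs aes256-cbc and rsa-oaep-mgf1p (or the XML Encryption 1.1 rsa-oaep URI), which is an assumption, and the three sample responses are constructed here, not captured from Okta.

```python
"""Inspect a SAML 2.0 Response and report whether its assertion is encrypted.

Added example; not part of the original issue or the Okta provider.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# XML Encryption algorithm URIs. Assumption: these are what Okta's
# "AES256_CBC" and "RSA_OAEP" labels correspond to on the wire.
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
RSA_OAEP_URIS = {RSA_OAEP, "http://www.w3.org/2009/xmlenc11#rsa-oaep"}


def inspect_assertion_encryption(response_xml: str) -> dict:
    """Return the encryption state of the assertion in a SAML Response."""
    root = ET.fromstring(response_xml)
    # A plaintext assertion means encryption is off for this app.
    if root.find("saml:Assertion", NS) is not None:
        return {"encrypted": False, "data_algorithm": None,
                "key_transport_algorithm": None}
    enc = root.find("saml:EncryptedAssertion", NS)
    if enc is None:
        raise ValueError("Response carries neither Assertion nor EncryptedAssertion")
    enc_data = enc.find("xenc:EncryptedData", NS)
    if enc_data is None:
        raise ValueError("EncryptedAssertion without EncryptedData")
    data_method = enc_data.find("xenc:EncryptionMethod", NS)
    # The wrapped session key may sit under ds:KeyInfo inside EncryptedData
    # or as a sibling xenc:EncryptedKey, so search the whole subtree.
    enc_key = enc.find(".//xenc:EncryptedKey", NS)
    key_method = enc_key.find("xenc:EncryptionMethod", NS) if enc_key is not None else None
    return {
        "encrypted": True,
        "data_algorithm": data_method.get("Algorithm") if data_method is not None else None,
        "key_transport_algorithm": key_method.get("Algorithm") if key_method is not None else None,
    }


def meets_policy(info: dict, data_alg: str = AES256_CBC,
                 key_algs: set = frozenset(RSA_OAEP_URIS)) -> bool:
    """True only if the assertion is encrypted with the expected algorithms."""
    return (info["encrypted"]
            and info["data_algorithm"] == data_alg
            and info["key_transport_algorithm"] in key_algs)


# Constructed sample responses (cipher values are placeholder base64, not real).
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>REVG</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

PLAINTEXT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

# Same structure, but weaker algorithms: still "encrypted", yet fails policy.
WEAK_RESPONSE = (ENCRYPTED_RESPONSE
                 .replace("aes256-cbc", "aes128-cbc")
                 .replace("rsa-oaep-mgf1p", "rsa-1_5"))


if __name__ == "__main__":
    for name, xml in [("encrypted", ENCRYPTED_RESPONSE),
                      ("plaintext", PLAINTEXT_RESPONSE),
                      ("weak", WEAK_RESPONSE)]:
        info = inspect_assertion_encryption(xml)
        print(name, info, "policy ok" if meets_policy(info) else "POLICY FAIL")
```

Run it against a captured SAML Response (for example one taken from a SAML tracer during a test login) for each app after provisioning; an app whose response parses as plaintext, or whose key transport is rsa-1_5 rather than OAEP, has not been configured the way the Admin Console fields above describe.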

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-690455

duytiennguyen-okta, Jan 30 '24 15:01