The Okta App module will take the following actions:
- Create a new Okta SAML app
- (optionally) Create a new Okta group and an associated group rule that adds users from all matching Okta groups
- Assign the group to the SAML app, granting all users in the associated groups access
- (optionally) Send all matching groups in the SAML assertion

If single_app_assign_group is true, the group needs to exist already. The uncommented attributes in the example below are the minimum required; for everything else the default SAML app settings are used.
```hcl
module "my_app" {
  source = "./modules/okta-app" # placeholder: local path or registry address of this module

  app         = "My App Label" # displayed to users
  sso_acs_url = "https://myapp.com/saml/consume"
  entity_id   = "https://myapp.com/"

  ### Optional Okta SAML App settings with defaults
  ### In most cases, you don't need to change these
  # recipient_url   = same as sso_acs_url
  # destination_url = same as sso_acs_url
  # default_relay_state = ""
  # acs_endpoints = [] # list of URLs
  # name_id_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  # user_name_template      = "$${source.login}" # value passed as NameID; $$ escapes Terraform interpolation
  # user_name_template_type = "BUILT_IN" # Must use "CUSTOM" if changing user_name_template
  ###
  ### Group assignment to app, based on filter
  # filter_type = "STARTS_WITH" # Use "REGEX" if more complex matching is needed
  # single_app_assign_group = true # If false, use STARTS_WITH or REGEX filter_type to assign multiple groups to a single app
  app_assign_group = "my_app_group"
  ###
  ### Authentication Policy Name (use the exact name of the authentication policy)
  authentication_policy = "Any Two Factors"
  ### Logo
  # Place a png, jpg, or gif in the root of the repo and set here.
  # logo = "logo.png"
  ### Set Error URL if user is unassigned. This redirects the user to a custom error page.
  # set_error_url = true # default false
  ### Misc App Settings
  admin_note = "App owner: team name"
  # hide_app_icon = false # Hides both web/mobile icons from the Okta Apps dashboard
  ###
  # Examples only - remove if SAML attributes aren't needed
  /*
  attribute_statements = {
    "email" = {
      name  = "email"
      value = "user.email"
    },
    "Username" = {
      name  = "Username"
      value = "user.sAMAccountName"
    }
  }
  */
  # attribute_statements_namespace = "basic" # "unspecified" (default), "uri", or "basic"; the urn:oasis:names:tc:SAML:2.0:attrname-format: prefix is added automatically
  # To send groups in the SAML assertion, set to true and set the attribute name here
  # pass_groups_in_saml  = false
  # group_attribute_name = "groups"
}
```
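The example above covers the single pre-existing group case. The following is an added example, not part of this README or the module's own code, showing the other path described in the notes: single_app_assign_group set to false so the module creates its own group and a group rule that aggregates every Okta group matching a REGEX pattern, and the matching group names sent in the assertion so the service provider can map them to its roles. The module source path, the app URLs and the group naming pattern are assumptions; the outputs referenced at the end are the ones the module documents.

```hcl
# Added example (not from the module's README): aggregate many Okta groups into
# one SAML app and send the matching group names in the assertion.
module "finance_app" {
  source = "./modules/okta-app" # assumed local path to this module

  app         = "Finance Portal"                      # assumed label
  sso_acs_url = "https://finance.example.com/saml/acs" # assumed ACS URL
  entity_id   = "https://finance.example.com/"         # assumed SP entity ID

  # With single_app_assign_group = false the module creates
  # okta_group.app_assign_group and okta_group_rule.aggregate_app_assign_groups,
  # so no pre-existing group is required. app_assign_group becomes the pattern
  # (assumed naming convention: finance-app-<team>).
  single_app_assign_group = false
  filter_type             = "REGEX"
  app_assign_group        = "^finance-app-.*$"

  # The named policy must already exist in Okta (data source lookup by name).
  authentication_policy = "Any Two Factors"

  # Include the matching group names as the "groups" attribute of the assertion.
  pass_groups_in_saml  = true
  group_attribute_name = "groups"

  # Unassigned users are redirected to a custom error page rather than a
  # generic Okta error.
  set_error_url = true

  admin_note = "App owner: finance-platform team" # assumed owner note
}

# Surface the values an admin hands to the service provider, using the
# module's documented outputs.
output "finance_app_metadata_url" {
  description = "Public SAML metadata URL to register with the SP"
  value       = module.finance_app.metadata_url
}

output "finance_app_assign_group_id" {
  description = "Okta ID of the module-managed aggregate assignment group"
  value       = module.finance_app.app_assign_group_id
}
```

After `terraform apply`, the metadata_url output is what the service provider imports; the app_assign_group_id output identifies the aggregate group whose membership the group rule maintains, which is the place to look when auditing who can reach the app.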
- Manual app assignments to this app are ignored by Terraform and won't be overwritten on subsequent runs
- Add ability to manage app user profile
| Name | Version |
|---|---|
| terraform | >= 0.14.7 |
| okta | ~> 4.0 |
| Name | Version |
|---|---|
| okta | 4.6.1 |
No modules.
| Name | Type |
|---|---|
| okta_app_group_assignment.app_assign_app_assign_group | resource |
| okta_app_group_assignment.app_assign_single_app_assign_group | resource |
| okta_app_saml.saml_app | resource |
| okta_group.app_assign_group | resource |
| okta_group_rule.aggregate_app_assign_groups | resource |
| okta_group.single_app_assign_group | data source |
| okta_policy.authentication_policy | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| acs_endpoints | n/a | list(string) | [] | no |
| admin_note | Application notes for admins. | string | "" | no |
| app | Name of app in Okta (appears on dashboard) | string | n/a | yes |
| app_assign_group | Name of the group, or the pattern (STARTS_WITH or REGEX) matching the set of groups, whose users are assigned to the app | string | n/a | yes |
| attribute_statements | A map of objects to create attribute statements for the SAML assertion | map(object({ | {} | no |
| attribute_statements_namespace | The attribute namespace. It can be set to "unspecified", "uri", or "basic". The "urn:oasis:names:tc:SAML:2.0:attrname-format:" prefix is added automatically. | string | "unspecified" | no |
| authentication_policy | Authentication policy to apply to this app. Use the exact policy name. | string | null | no |
| default_relay_state | Relay State, if used | string | "" | no |
| destination_url | n/a | string | "" | no |
| entity_id | Audience URI (SP Entity ID) | string | n/a | yes |
| filter_type | STARTS_WITH, EQUALS, CONTAINS, or REGEX | string | "STARTS_WITH" | no |
| filter_value | Allows a separate filter for the SAML group expression | string | "" | no |
| group_attribute_name | Name of the attribute that carries the groups list in the SAML assertion | string | "groups" | no |
| group_filter_type | Allows a separate filter type for the SAML group expression (STARTS_WITH or REGEX) | string | "" | no |
| hide_app_icon | Do not display the application icon to users (web and mobile) | bool | false | no |
| logo | Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size. | string | null | no |
| name_id_format | Follow vendor instructions. Unspecified is usually ok | string | "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" | no |
| pass_groups_in_saml | Pass the list of groups in the SAML assertion | bool | false | no |
| recipient_url | n/a | string | "" | no |
| set_error_url | Set the error URL to redirect unassigned users to a custom error page | bool | false | no |
| single_app_assign_group | True means a single group is used to assign users to the app; False means all matching groups (STARTS_WITH or REGEX) are aggregated using a group rule | bool | true | no |
| sso_acs_url | SSO URL, also known as the Assertion Consumer Service (ACS) URL, for the SAML app | string | n/a | yes |
| user_name_template | Value to pass as NameID | string | "${source.login}" | no |
| user_name_template_type | BUILT_IN, or CUSTOM if using an expression | string | "BUILT_IN" | no |
| Name | Description |
|---|---|
| app_assign_group_id | Okta Group ID of the app assign group created for the group rule |
| metadata_url | Public Metadata URL for the SAML app |
| saml_app_id | Okta ID of the application |
| saml_app_label | Name of the application (user-facing label) |
| saml_metadata | The raw SAML metadata in XML. |