metadata validation failed in okta_app_saml #1465

Closed
ppanan33 opened this issue Feb 27, 2023 · 7 comments · Fixed by #1806

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Affected Resource(s)

  • okta_app_saml

Terraform Configuration Files

resource "okta_app_saml" "default_0" {
  accessibility_self_service     = false
  assertion_signed               = false
  audience                       = ""
  authentication_policy          = "rst2gutoisLK0vjcq1d7"
  authn_context_class_ref        = ""
  auto_submit_toolbar            = true
  hide_ios                       = false
  hide_web                       = false
  idp_issuer                     = ""
  label                          = "Slack"
  saml_version                   = "2.0"
  skip_groups                    = true
  skip_users                     = true
  status                         = "INACTIVE"
  user_name_template             = "$${source.login}"
  user_name_template_push_status = ""
  user_name_template_suffix      = ""
  user_name_template_type        = "BUILT_IN"
}

Debug Output


Panic Output

Expected Behavior

When using okta_app_saml to deactivate a SAML app, it returns the error "This operation on app metadata is not yet supported: No active instances.", but the app DOES deactivate successfully. For the API {{url}}/api/v1/apps/{{appId}}/sso/saml/metadata?kid={{keyId}}, if a SAML app is inactive, the metadata can't be found, so I think okta_app_saml should be updated for this case.

Actual Behavior

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000

monde commented Feb 28, 2023

Thanks @ppanan33. I am not familiar with that specific error and will need time to debug it. There might be an issue in the app lifecycle where a change to the app needs to be made in a deactivated status first. I don't have any recommendations for a workaround with this yet. Marking this as a bug.

Okta internal reference https://oktainc.atlassian.net/browse/OKTA-581716

@monde monde added bug triaged Triaged into internal Jira labels Feb 28, 2023

ppanan33 commented Mar 1, 2023

Thanks @monde, there is a hint that might help: you can get the metadata via the API below for an ACTIVE SAML app, but for an INACTIVE SAML app, it throws an error which is almost the same as in Terraform.
{{url}}/api/v1/apps/{{appId}}/sso/saml/metadata?kid={{keyId}}


github-actions bot commented May 1, 2023

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@github-actions github-actions bot added the stale label May 1, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 7, 2023

askmeidentity commented Aug 25, 2023

Is there any update on this issue? When changing the status from ACTIVE to INACTIVE this error is thrown. We have a dedicated API to deactivate an app, but for Terraform there isn't anything other than the status change.

@monde monde removed the stale label Aug 25, 2023
@monde monde reopened this Aug 25, 2023
@monde monde self-assigned this Nov 1, 2023

monde commented Nov 6, 2023

@ppanan33 @askmeidentity do you think the correct behavior, when the application is deactivated, is to set the metadata https://registry.terraform.io/providers/okta/okta/latest/docs/resources/app_saml#metadata value to blank "" and not make the API call to /api/v1/apps/{id}/sso/saml/metadata?kid={kid}? That way 1) the error doesn't occur 2) change detection occurs on metadata


monde commented Nov 7, 2023

@duytiennguyen-okta and I looked at this some more. We think there is a flaw in the way all the apps do update. If you are using TF to disable an app then any other updates in the same apply are invalid for that update. Okta treats deactivated apps as a soft delete; once deactivated, the operator can no longer make associations to that app or update its attributes. The only action or change that can be taken on a deactivated app is to activate it or delete it. I'm going to update all the apps behavior to be more precise about this. And also update our docs.

cc: @ppanan33 @askmeidentity

monde added a commit that referenced this issue Nov 14, 2023
- `okta_app_auto_login`
- `okta_app_basic_auth`
- `okta_app_bookmark`
- `okta_app_oauth`
- `okta_app_saml`
- `okta_app_secure_password_store`
- `okta_app_shared_credentials`
- `okta_app_swa`
- `okta_app_three_field`

Includes ACC tests.

Closes #1465

monde commented Nov 14, 2023

I was incorrect in my previous comment. We did make an update to all the Okta apps including okta_app_saml

During an apply if there is change in status the app will first be
activated or deactivated in accordance with the status change. Then, all
other arguments that changed will be applied.

That will be PR #1806
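
As an added illustration (not code from the provider or from PR #1806), the Go sketch below models the ordering described in the comment above, together with the guard proposed in the Nov 6 comment: status change first, then other arguments, and no metadata call for an app that ends up INACTIVE. `fakeOkta`, `applyUpdate` and the sample metadata string are hypothetical, constructed stand-ins for the Okta API.

```go
package main

import (
	"errors"
	"fmt"
)

// fakeOkta is a constructed in-memory stand-in for the Okta apps API.
type fakeOkta struct {
	status map[string]string // app ID -> "ACTIVE" or "INACTIVE"
	calls  []string          // ordered record of API calls made
}

// Error text as reported in the issue for an inactive app.
var errNoActive = errors.New("This operation on app metadata is not yet supported: No active instances.")

func (f *fakeOkta) setStatus(id, s string) { f.status[id] = s; f.calls = append(f.calls, "lifecycle:"+s) }
func (f *fakeOkta) updateApp(id string)    { f.calls = append(f.calls, "update") }

// metadata mimics the reported behaviour: an inactive app has no SAML metadata.
func (f *fakeOkta) metadata(id string) (string, error) {
	f.calls = append(f.calls, "metadata")
	if f.status[id] != "ACTIVE" {
		return "", errNoActive
	}
	return "<EntityDescriptor/>", nil // constructed sample value
}

// applyUpdate (hypothetical) applies the status change first, then the other
// changed arguments, and reads metadata only when the app ends up ACTIVE.
func applyUpdate(api *fakeOkta, id, wantStatus string, otherChanged bool) (string, error) {
	if api.status[id] != wantStatus {
		api.setStatus(id, wantStatus)
	}
	if otherChanged {
		api.updateApp(id)
	}
	if wantStatus != "ACTIVE" {
		return "", nil // skip the metadata endpoint; store blank metadata
	}
	return api.metadata(id)
}

func main() {
	api := &fakeOkta{status: map[string]string{"app1": "ACTIVE"}}
	md, err := applyUpdate(api, "app1", "INACTIVE", true)
	fmt.Printf("metadata=%q err=%v calls=%v\n", md, err, api.calls)
}
```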

monde added a commit that referenced this issue Nov 15, 2023