feat(saml-app): support more saml configs

posquit0 · posquit0 · commit ab2fd1592a33 · 2026-01-08T02:56:30.000+09:00
diff --git a/modules/saml-app/README.md b/modules/saml-app/README.md
@@ -19,7 +19,7 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_okta"></a> [okta](#provider\_okta) | 6.3.0 |
+| <a name="provider_okta"></a> [okta](#provider\_okta) | 6.5.3 |
 
 ## Modules
 
@@ -51,6 +51,7 @@ No modules.
 | <a name="input_notes"></a> [notes](#input\_notes) | (Optional) A configurations for application notes. `notes` block as defined below.<br/>    (Optional) `admin` - Application notes for admins.<br/>    (Optional) `user` - Application notes for end users. | <pre>object({<br/>    admin = optional(string, "")<br/>    user  = optional(string, "")<br/>  })</pre> | `{}` | no |
 | <a name="input_preconfigured_app"></a> [preconfigured\_app](#input\_preconfigured\_app) | (Optional) The name of a preconfigured app from the Okta App Integration Network. For example `aws_sso`, `google`, `github_enterprise`, etc. When this is specified, most SAML configuration is inherited from the preconfigured app. | `string` | `null` | no |
 | <a name="input_saml_attributes"></a> [saml\_attributes](#input\_saml\_attributes) | (Optional) A list of SAML attribute statements for the application. Each item of `saml_attributes` block as defined below.<br/>    (Required) `name` - The name of the attribute.<br/>    (Optional) `namespace` - The namespace for the attribute. Valid values are `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified`, `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`, `urn:oasis:names:tc:SAML:2.0:attrname-format:basic`. Defaults to `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified`.<br/>    (Optional) `type` - The type of the attribute. Valid values are `EXPRESSION`, `GROUP`.<br/>    (Optional) `values` - The values for the attribute.<br/>    (Optional) `filter` - A filter configuration for group attributes. Only requirded if `type` is `GROUP`. `filter` block as defined below.<br/>      (Required) `type` - The filter type for group attributes. Valid values are `REGEX`, `STARTS_WITH`, `EQUALS`, `CONTAINS`.<br/>      (Required) `value` - The filter value for group attributes. | <pre>list(object({<br/>    type      = optional(string, "EXPRESSION")<br/>    namespace = optional(string, "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified")<br/>    name      = string<br/>    values    = optional(list(string))<br/>    filter = optional(object({<br/>      type  = string<br/>      value = string<br/>    }))<br/>  }))</pre> | `[]` | no |
+| <a name="input_saml_config"></a> [saml\_config](#input\_saml\_config) | (Optional) A configurations for SAML settings for the application. `saml_config` block as defined below.<br/>    (Optional) `sso_url` - The location to send the SAML assertion using a POST operation. This URL is required and serves as the default Assertion Consumer Services (ACS) URL value for the Service Provider (SP). This URL is always used for Identity Provider (IdP) initiated sign-on requests.<br/>    (Optional) `recipient_url` - The location where the app can present the SAML assertion. This is usually the Single Sign-On (SSO) URL. Defaults to the value of `sso_url` if not provided.<br/>    (Optional) `destination_url` - The location to send the SAML Response, as defined in the SAML assertion. This is usually the Single Sign-On (SSO) URL. Defaults to the value of `sso_url` if not provided.<br/>    (Optional) `audience` - The intended audience of the SAML assertion. This is usually the Entity ID of your app.<br/><br/>    (Optional) `subject_name_id` - A configuration for the subject name ID. `subject_name_id` block as defined below.<br/>      (Optional) `format` - The format of the subject name ID.<br/>      (Optional) `template` - Template for app user's username when a user is assigned to the app. Defaults to `${user.userName}`.<br/><br/>    (Optional) `assertion_signed` - Whether to sign the SAML assertion. Defaults to `true`.<br/>    (Optional) `response_signed` - Whether to sign the SAML auth response. Defaults to<br/>    (Optional) `digest_algorithm` - The algorithm used to digitally sign the SAML assertion and response. Valid values are `SHA1`, `SHA256`, `SHA384`, `SHA512`. Defaults to `SHA256`.<br/>    (Optional) `signature_algorithm` - 	The signing algorithm that's used to digitally sign the SAML assertion and response. Valid values are `RSA_SHA1`, `RSA_SHA256`, `RSA_SHA384`, `RSA_SHA512`, `DSA_SHA1`, `DSA_SHA256`, `DSA_SHA384`, `DSA_SHA512`, `ECDSA_SHA1`, `ECDSA_SHA256`, `ECDSA_SHA384`, `ECDSA_SHA512`. Defaults to `RSA_SHA256`.<br/><br/>    (Optional) `authn_context_class_ref` - The authentication context class for the assertion’s authentication statement.<br/>    (Optional) `honor_force_authn` - Whether to honor the ForceAuthn attribute in the SAML request. Defaults to `false`. | <pre>object({<br/>    sso_url         = optional(string)<br/>    recipient_url   = optional(string)<br/>    destination_url = optional(string)<br/>    audience        = optional(string)<br/><br/>    subject_name_id = optional(object({<br/>      format   = optional(string)<br/>      template = optional(string, "$${user.userName}")<br/>    }))<br/><br/>    assertion_signed    = optional(bool, true)<br/>    response_signed     = optional(bool, true)<br/>    digest_algorithm    = optional(string, "SHA256")<br/>    signature_algorithm = optional(string, "RSA_SHA256")<br/><br/>    authn_context_class_ref = optional(string)<br/>    honor_force_authn       = optional(bool, false)<br/>  })</pre> | `{}` | no |
 | <a name="input_self_service"></a> [self\_service](#input\_self\_service) | (Optional) Self-service configurations for the application. `self_service` block as defined below.<br/>    (Optional) `enabled` - Whether to enable self-service. Defaults to `false`. | <pre>object({<br/>    enabled = optional(bool, false)<br/>  })</pre> | `{}` | no |
 | <a name="input_sign_on"></a> [sign\_on](#input\_sign\_on) | (Optional) A configurations for application sign-on. `sign_on` block as defined below.<br/>    (Optional) `authentication_policy` - The ID of the authentication policy to associate to the applicatioauthentication policy to associate to the application. If this is removed from the application the default sign-on-policy will be associated with this application.<br/>    (Optional) `user_name_template` - A configuration for the user name template. `user_name_template` block as defined below.<br/>      (Optional) `type` - The type of user name template. Valid values are `BUILT_IN`, `CUSTOM` or `NONE`. Defaults to `BUILT_IN`.<br/>      (Optional) `template` - The template for the user name. Defaults to `${source.login}`.<br/>      (Optional) `suffix` - The suffix to append to the user name. Only applicable if `type` is `BUILT_IN`. Defaults to an empty string.<br/>      (Optional) `push_status` - The push status for the user name template. Valid values are `PUSH`, `DONT_PUSH` or `NOT_CONFIGURED`. Defaults to `PUSH`. | <pre>object({<br/>    authentication_policy = optional(string)<br/>    user_name_template = optional(object({<br/>      type        = optional(string, "BUILT_IN")<br/>      template    = optional(string, "$${source.login}")<br/>      suffix      = optional(string, "")<br/>      push_status = optional(string, "PUSH")<br/>    }), {})<br/>  })</pre> | `{}` | no |
 | <a name="input_single_logout"></a> [single\_logout](#input\_single\_logout) | (Optional) Single logout configuration for the application. `single_logout` block as defined below.<br/>    (Optional) `issuer` - The issuer of the Service Provider that generates the Single Logout request.<br/>    (Optional) `url` - The URL where the logout response is sent.<br/>    (Optional) `certificate` - The X509 encoded certificate that the Service Provider uses to sign Single Logout requests. Note: should be provided without `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`. | <pre>object({<br/>    issuer      = optional(string)<br/>    url         = optional(string)<br/>    certificate = optional(string)<br/>  })</pre> | `{}` | no |
@@ -74,6 +75,7 @@ No modules.
 | <a name="output_notes"></a> [notes](#output\_notes) | The configurations for application notes. |
 | <a name="output_preconfigured_app"></a> [preconfigured\_app](#output\_preconfigured\_app) | The name of a preconfigured app from the Okta App Integration Network. |
 | <a name="output_saml_attributes"></a> [saml\_attributes](#output\_saml\_attributes) | A list of SAML attribute statements for the application. |
+| <a name="output_saml_config"></a> [saml\_config](#output\_saml\_config) | The SAML configurations for the application. |
 | <a name="output_saml_metadata"></a> [saml\_metadata](#output\_saml\_metadata) | The SAML metadata configurations. |
 | <a name="output_saml_version"></a> [saml\_version](#output\_saml\_version) | The SAML version used by the application. |
 | <a name="output_sign_on"></a> [sign\_on](#output\_sign\_on) | The configurations for application sign-on. |
diff --git a/modules/saml-app/main.tf b/modules/saml-app/main.tf
@@ -58,6 +58,60 @@ resource "okta_app_saml" "this" {
   status            = var.enabled ? "ACTIVE" : "INACTIVE"
 
 
+  ## SAML Config
+  sso_url = (!local.is_preconfigured
+    ? var.saml_config.sso_url
+    : null
+  )
+  recipient = (!local.is_preconfigured
+    ? var.saml_config.recipient_url
+    : null
+  )
+  destination = (!local.is_preconfigured
+    ? var.saml_config.destination_url
+    : null
+  )
+  audience = (!local.is_preconfigured
+    ? var.saml_config.audience
+    : null
+  )
+
+  subject_name_id_format = (!local.is_preconfigured
+    ? var.saml_config.subject_name_id.format
+    : null
+  )
+  subject_name_id_template = (!local.is_preconfigured
+    ? var.saml_config.subject_name_id.template
+    : null
+  )
+
+  assertion_signed = (!local.is_preconfigured
+    ? var.saml_config.assertion_signed
+    : null
+  )
+  response_signed = (!local.is_preconfigured
+    ? var.saml_config.response_signed
+    : null
+  )
+  digest_algorithm = (!local.is_preconfigured
+    ? var.saml_config.digest_algorithm
+    : null
+  )
+  signature_algorithm = (!local.is_preconfigured
+    ? var.saml_config.signature_algorithm
+    : null
+  )
+
+  authn_context_class_ref = (!local.is_preconfigured
+    ? var.saml_config.authn_context_class_ref
+    : null
+  )
+  honor_force_authn = (!local.is_preconfigured
+    ? var.saml_config.honor_force_authn
+    : null
+  )
+
+
   ## SAML Attribute Statements
   dynamic "attribute_statements" {
     for_each = var.saml_attributes
diff --git a/modules/saml-app/outputs.tf b/modules/saml-app/outputs.tf
@@ -57,6 +57,29 @@ output "saml_metadata" {
   }
 }
 
+output "saml_config" {
+  description = "The SAML configurations for the application."
+  value = {
+    sso_url         = okta_app_saml.this.sso_url
+    recipient_url   = okta_app_saml.this.recipient
+    destination_url = okta_app_saml.this.destination
+    audience        = okta_app_saml.this.audience
+
+    subject_name_id = {
+      format   = okta_app_saml.this.subject_name_id_format
+      template = okta_app_saml.this.subject_name_id_template
+    }
+
+    assertion_signed    = okta_app_saml.this.assertion_signed
+    response_signed     = okta_app_saml.this.response_signed
+    digest_algorithm    = okta_app_saml.this.digest_algorithm
+    signature_algorithm = okta_app_saml.this.signature_algorithm
+
+    authn_context_class_ref = okta_app_saml.this.authn_context_class_ref
+    honor_force_authn       = okta_app_saml.this.honor_force_authn
+  }
+}
+
 output "saml_attributes" {
   description = "A list of SAML attribute statements for the application."
   value = [
@@ -142,6 +165,6 @@ output "group_assignments" {
 #   value = {
 #     for k, v in okta_app_saml.this :
 #     k => v
-#     if !contains(["id", "label", "url", "status", "authentication_policy", "accessibility_error_redirect_url", "timeouts", "request_integration", "accessibility_login_redirect_url", "accessibility_self_service", "hide_ios", "hide_web", "enduser_note", "admin_note", "auto_submit_toolbar", "logo", "logo_url", "name", "sign_on_mode", "features", "single_logout_issuer", "single_logout_url", "single_logout_certificate", "user_name_template_type", "user_name_template_suffix", "user_name_template_push_status", "user_name_template", "app_links_json", "metadata_url", "certificate", "preconfigured_app", "entity_key", "embed_url", "app_settings_json", "saml_version", "metadata", "http_post_binding", "http_redirect_binding"], k)
+#     if !contains(["id", "label", "url", "status", "authentication_policy", "accessibility_error_redirect_url", "timeouts", "request_integration", "accessibility_login_redirect_url", "accessibility_self_service", "hide_ios", "hide_web", "enduser_note", "admin_note", "auto_submit_toolbar", "logo", "logo_url", "name", "sign_on_mode", "features", "single_logout_issuer", "single_logout_url", "single_logout_certificate", "user_name_template_type", "user_name_template_suffix", "user_name_template_push_status", "user_name_template", "app_links_json", "metadata_url", "certificate", "preconfigured_app", "entity_key", "embed_url", "app_settings_json", "saml_version", "metadata", "http_post_binding", "http_redirect_binding", "digest_algorithm", "signature_algorithm", "sso_url", "recipient", "destination", "audience", "subject_name_id_format", "subject_name_id_template", "assertion_signed", "response_signed", "authn_context_class_ref", "honor_force_authn"], k)
 #   }
 # }
diff --git a/modules/saml-app/variables.tf b/modules/saml-app/variables.tf
@@ -34,6 +34,49 @@ variable "app_settings" {
   nullable    = true
 }
 
+variable "saml_config" {
+  description = <<EOF
+  (Optional) A configurations for SAML settings for the application. `saml_config` block as defined below.
+    (Optional) `sso_url` - The location to send the SAML assertion using a POST operation. This URL is required and serves as the default Assertion Consumer Services (ACS) URL value for the Service Provider (SP). This URL is always used for Identity Provider (IdP) initiated sign-on requests.
+    (Optional) `recipient_url` - The location where the app can present the SAML assertion. This is usually the Single Sign-On (SSO) URL. Defaults to the value of `sso_url` if not provided.
+    (Optional) `destination_url` - The location to send the SAML Response, as defined in the SAML assertion. This is usually the Single Sign-On (SSO) URL. Defaults to the value of `sso_url` if not provided.
+    (Optional) `audience` - The intended audience of the SAML assertion. This is usually the Entity ID of your app.
+
+    (Optional) `subject_name_id` - A configuration for the subject name ID. `subject_name_id` block as defined below.
+      (Optional) `format` - The format of the subject name ID.
+      (Optional) `template` - Template for app user's username when a user is assigned to the app. Defaults to `$${user.userName}`.
+
+    (Optional) `assertion_signed` - Whether to sign the SAML assertion. Defaults to `true`.
+    (Optional) `response_signed` - Whether to sign the SAML auth response. Defaults to
+    (Optional) `digest_algorithm` - The algorithm used to digitally sign the SAML assertion and response. Valid values are `SHA1`, `SHA256`, `SHA384`, `SHA512`. Defaults to `SHA256`.
+    (Optional) `signature_algorithm` - 	The signing algorithm that's used to digitally sign the SAML assertion and response. Valid values are `RSA_SHA1`, `RSA_SHA256`, `RSA_SHA384`, `RSA_SHA512`, `DSA_SHA1`, `DSA_SHA256`, `DSA_SHA384`, `DSA_SHA512`, `ECDSA_SHA1`, `ECDSA_SHA256`, `ECDSA_SHA384`, `ECDSA_SHA512`. Defaults to `RSA_SHA256`.
+
+    (Optional) `authn_context_class_ref` - The authentication context class for the assertion’s authentication statement.
+    (Optional) `honor_force_authn` - Whether to honor the ForceAuthn attribute in the SAML request. Defaults to `false`.
+  EOF
+  type = object({
+    sso_url         = optional(string)
+    recipient_url   = optional(string)
+    destination_url = optional(string)
+    audience        = optional(string)
+
+    subject_name_id = optional(object({
+      format   = optional(string)
+      template = optional(string, "$${user.userName}")
+    }))
+
+    assertion_signed    = optional(bool, true)
+    response_signed     = optional(bool, true)
+    digest_algorithm    = optional(string, "SHA256")
+    signature_algorithm = optional(string, "RSA_SHA256")
+
+    authn_context_class_ref = optional(string)
+    honor_force_authn       = optional(bool, false)
+  })
+  default  = {}
+  nullable = false
+}
+
 variable "saml_attributes" {
   description = <<EOF
   (Optional) A list of SAML attribute statements for the application. Each item of `saml_attributes` block as defined below.
