Saml

Creates a SAML Identity Provider.

This resource allows you to create and configure a SAML Identity Provider.

Example Usage

using Pulumi;
using Okta = Pulumi.Okta;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Okta.Idp.Saml("example", new Okta.Idp.SamlArgs
        {
            AcsBinding = "HTTP-POST",
            AcsType = "INSTANCE",
            Issuer = "https://idp.example.com",
            Kid = okta_idp_saml_key.Test.Id,
            RequestSignatureScope = "REQUEST",
            ResponseSignatureScope = "ANY",
            SsoBinding = "HTTP-POST",
            SsoDestination = "https://idp.example.com",
            SsoUrl = "https://idp.example.com",
            UsernameTemplate = "idpuser.email",
        });
    }

}

Coming soon!

import pulumi
import pulumi_okta as okta

example = okta.idp.Saml("example",
    acs_binding="HTTP-POST",
    acs_type="INSTANCE",
    issuer="https://idp.example.com",
    kid=okta_idp_saml_key["test"]["id"],
    request_signature_scope="REQUEST",
    response_signature_scope="ANY",
    sso_binding="HTTP-POST",
    sso_destination="https://idp.example.com",
    sso_url="https://idp.example.com",
    username_template="idpuser.email")

import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";

const example = new okta.idp.Saml("example", {
    acsBinding: "HTTP-POST",
    acsType: "INSTANCE",
    issuer: "https://idp.example.com",
    kid: okta_idp_saml_key_test.id,
    requestSignatureScope: "REQUEST",
    responseSignatureScope: "ANY",
    ssoBinding: "HTTP-POST",
    ssoDestination: "https://idp.example.com",
    ssoUrl: "https://idp.example.com",
    usernameTemplate: "idpuser.email",
});

Create a Saml Resource

new Saml(name: string, args: SamlArgs, opts?: CustomResourceOptions);

def Saml(resource_name, opts=None, account_link_action=None, account_link_group_includes=None, acs_binding=None, acs_type=None, deprovisioned_action=None, groups_action=None, groups_assignments=None, groups_attribute=None, groups_filters=None, issuer=None, issuer_mode=None, kid=None, name=None, name_format=None, profile_master=None, provisioning_action=None, request_signature_algorithm=None, request_signature_scope=None, response_signature_algorithm=None, response_signature_scope=None, sso_binding=None, sso_destination=None, sso_url=None, status=None, subject_filter=None, subject_formats=None, subject_match_attribute=None, subject_match_type=None, suspended_action=None, username_template=None, __props__=None);

func NewSaml(ctx *Context, name string, args SamlArgs, opts ...ResourceOption) (*Saml, error)

public Saml(string name, SamlArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args SamlArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SamlArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SamlArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

Saml Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Saml resource accepts the following input properties:

AcsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
Issuer string: URI that identifies the issuer.
Kid string: The ID of the signing key.
SsoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
AccountLinkAction string: Specifies the account linking action for an IdP user.
AccountLinkGroupIncludes List<string>: Group memberships to determine link candidates.
AcsType string: The type of ACS. It can be "INSTANCE" or "ORG".
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
GroupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
GroupsAssignments List<string>: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters List<string>: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
Name string: The Application’s display name.
NameFormat string: The name identifier format to use. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProvisioningAction string: Provisioning action for an IdP user during authentication.
RequestSignatureAlgorithm string: The XML digital signature algorithm used when signing an AuthnRequest message.
RequestSignatureScope string: Specifies whether or not to digitally sign an AuthnRequest messages to the IdP. It can be "REQUEST" or "NONE".
ResponseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element.
ResponseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be "RESPONSE", "ASSERTION", or "ANY".
SsoBinding string: The method of making an SSO request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
SsoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
Status string: Status of the IdP.
SubjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
SubjectFormats List<string>: The name formate. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

AcsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
Issuer string: URI that identifies the issuer.
Kid string: The ID of the signing key.
SsoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
AccountLinkAction string: Specifies the account linking action for an IdP user.
AccountLinkGroupIncludes []string: Group memberships to determine link candidates.
AcsType string: The type of ACS. It can be "INSTANCE" or "ORG".
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
GroupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
GroupsAssignments []string: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters []string: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
Name string: The Application’s display name.
NameFormat string: The name identifier format to use. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProvisioningAction string: Provisioning action for an IdP user during authentication.
RequestSignatureAlgorithm string: The XML digital signature algorithm used when signing an AuthnRequest message.
RequestSignatureScope string: Specifies whether or not to digitally sign an AuthnRequest messages to the IdP. It can be "REQUEST" or "NONE".
ResponseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element.
ResponseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be "RESPONSE", "ASSERTION", or "ANY".
SsoBinding string: The method of making an SSO request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
SsoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
Status string: Status of the IdP.
SubjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
SubjectFormats []string: The name formate. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

acsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
issuer string: URI that identifies the issuer.
kid string: The ID of the signing key.
ssoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
accountLinkAction string: Specifies the account linking action for an IdP user.
accountLinkGroupIncludes string[]: Group memberships to determine link candidates.
acsType string: The type of ACS. It can be "INSTANCE" or "ORG".
deprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
groupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
groupsAssignments string[]: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
groupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters string[]: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
issuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
name string: The Application’s display name.
nameFormat string: The name identifier format to use. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
profileMaster boolean: Determines if the IdP should act as a source of truth for user profile attributes.
provisioningAction string: Provisioning action for an IdP user during authentication.
requestSignatureAlgorithm string: The XML digital signature algorithm used when signing an AuthnRequest message.
requestSignatureScope string: Specifies whether or not to digitally sign an AuthnRequest messages to the IdP. It can be "REQUEST" or "NONE".
responseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element.
responseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be "RESPONSE", "ASSERTION", or "ANY".
ssoBinding string: The method of making an SSO request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
ssoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
status string: Status of the IdP.
subjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
subjectFormats string[]: The name formate. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
subjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
subjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
suspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
usernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

acs_binding str: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
issuer str: URI that identifies the issuer.
kid str: The ID of the signing key.
sso_url str: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
account_link_action str: Specifies the account linking action for an IdP user.
account_link_group_includes List[str]: Group memberships to determine link candidates.
acs_type str: The type of ACS. It can be "INSTANCE" or "ORG".
deprovisioned_action str: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
groups_action str: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
groups_assignments List[str]: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
groups_attribute str: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groups_filters List[str]: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
issuer_mode str: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
name str: The Application’s display name.
name_format str: The name identifier format to use. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
profile_master bool: Determines if the IdP should act as a source of truth for user profile attributes.
provisioning_action str: Provisioning action for an IdP user during authentication.
request_signature_algorithm str: The XML digital signature algorithm used when signing an AuthnRequest message.
request_signature_scope str: Specifies whether or not to digitally sign an AuthnRequest messages to the IdP. It can be "REQUEST" or "NONE".
response_signature_algorithm str: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element.
response_signature_scope str: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be "RESPONSE", "ASSERTION", or "ANY".
sso_binding str: The method of making an SSO request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
sso_destination str: URI reference indicating the address to which the AuthnRequest message is sent.
status str: Status of the IdP.
subject_filter str: Optional regular expression pattern used to filter untrusted IdP usernames.
subject_formats List[str]: The name formate. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
subject_match_attribute str: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
subject_match_type str: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
suspended_action str: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
username_template str: Okta EL Expression to generate or transform a unique username for the IdP user.

Outputs

All input properties are implicitly available as output properties. Additionally, the Saml resource produces the following output properties:

Audience string: The audience restriction for the IdP.
Id string: The provider-assigned unique ID for this managed resource.
Type string: Type of the IdP.

Audience string: The audience restriction for the IdP.
Id string: The provider-assigned unique ID for this managed resource.
Type string: Type of the IdP.

audience string: The audience restriction for the IdP.
id string: The provider-assigned unique ID for this managed resource.
type string: Type of the IdP.

audience str: The audience restriction for the IdP.
id str: The provider-assigned unique ID for this managed resource.
type str: Type of the IdP.

Look up an Existing Saml Resource

Get an existing Saml resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SamlState, opts?: CustomResourceOptions): Saml

static get(resource_name, id, opts=None, account_link_action=None, account_link_group_includes=None, acs_binding=None, acs_type=None, audience=None, deprovisioned_action=None, groups_action=None, groups_assignments=None, groups_attribute=None, groups_filters=None, issuer=None, issuer_mode=None, kid=None, name=None, name_format=None, profile_master=None, provisioning_action=None, request_signature_algorithm=None, request_signature_scope=None, response_signature_algorithm=None, response_signature_scope=None, sso_binding=None, sso_destination=None, sso_url=None, status=None, subject_filter=None, subject_formats=None, subject_match_attribute=None, subject_match_type=None, suspended_action=None, type=None, username_template=None, __props__=None);

func GetSaml(ctx *Context, name string, id IDInput, state *SamlState, opts ...ResourceOption) (*Saml, error)

public static Saml Get(string name, Input<string> id, SamlState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountLinkAction string: Specifies the account linking action for an IdP user.
AccountLinkGroupIncludes List<string>: Group memberships to determine link candidates.
AcsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
AcsType string: The type of ACS. It can be "INSTANCE" or "ORG".
Audience string: The audience restriction for the IdP.
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
GroupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
GroupsAssignments List<string>: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters List<string>: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
Issuer string: URI that identifies the issuer.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
Kid string: The ID of the signing key.
Name string: The Application’s display name.
NameFormat string: The name identifier format to use. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProvisioningAction string: Provisioning action for an IdP user during authentication.
RequestSignatureAlgorithm string: The XML digital signature algorithm used when signing an AuthnRequest message.
RequestSignatureScope string: Specifies whether or not to digitally sign an AuthnRequest messages to the IdP. It can be "REQUEST" or "NONE".
ResponseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element.
ResponseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be "RESPONSE", "ASSERTION", or "ANY".
SsoBinding string: The method of making an SSO request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
SsoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
SsoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
Status string: Status of the IdP.
SubjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
SubjectFormats List<string>: The name formate. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
Type string: Type of the IdP.
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

AccountLinkAction string: Specifies the account linking action for an IdP user.
AccountLinkGroupIncludes []string: Group memberships to determine link candidates.
AcsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
AcsType string: The type of ACS. It can be "INSTANCE" or "ORG".
Audience string: The audience restriction for the IdP.
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
GroupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
GroupsAssignments []string: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters []string: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
Issuer string: URI that identifies the issuer.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
Kid string: The ID of the signing key.
Name string: The Application’s display name.
NameFormat string: The name identifier format to use. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProvisioningAction string: Provisioning action for an IdP user during authentication.
RequestSignatureAlgorithm string: The XML digital signature algorithm used when signing an AuthnRequest message.
RequestSignatureScope string: Specifies whether or not to digitally sign an AuthnRequest messages to the IdP. It can be "REQUEST" or "NONE".
ResponseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element.
ResponseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be "RESPONSE", "ASSERTION", or "ANY".
SsoBinding string: The method of making an SSO request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
SsoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
SsoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
Status string: Status of the IdP.
SubjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
SubjectFormats []string: The name formate. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
Type string: Type of the IdP.
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

accountLinkAction string: Specifies the account linking action for an IdP user.
accountLinkGroupIncludes string[]: Group memberships to determine link candidates.
acsBinding string: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
acsType string: The type of ACS. It can be "INSTANCE" or "ORG".
audience string: The audience restriction for the IdP.
deprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
groupsAction string: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
groupsAssignments string[]: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
groupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters string[]: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
issuer string: URI that identifies the issuer.
issuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
kid string: The ID of the signing key.
name string: The Application’s display name.
nameFormat string: The name identifier format to use. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
profileMaster boolean: Determines if the IdP should act as a source of truth for user profile attributes.
provisioningAction string: Provisioning action for an IdP user during authentication.
requestSignatureAlgorithm string: The XML digital signature algorithm used when signing an AuthnRequest message.
requestSignatureScope string: Specifies whether or not to digitally sign an AuthnRequest messages to the IdP. It can be "REQUEST" or "NONE".
responseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element.
responseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be "RESPONSE", "ASSERTION", or "ANY".
ssoBinding string: The method of making an SSO request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
ssoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
ssoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
status string: Status of the IdP.
subjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
subjectFormats string[]: The name formate. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
subjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
subjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
suspendedAction string: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
type string: Type of the IdP.
usernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user.

account_link_action str: Specifies the account linking action for an IdP user.
account_link_group_includes List[str]: Group memberships to determine link candidates.
acs_binding str: The method of making an ACS request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
acs_type str: The type of ACS. It can be "INSTANCE" or "ORG".
audience str: The audience restriction for the IdP.
deprovisioned_action str: Action for a previously deprovisioned IdP user during authentication. Can be "NONE" or "REACTIVATE".
groups_action str: Provisioning action for IdP user’s group memberships. It can be "NONE", "SYNC", "APPEND", or "ASSIGN".
groups_assignments List[str]: List of Okta Group IDs to add an IdP user as a member with the "ASSIGN" groups_action.
groups_attribute str: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groups_filters List[str]: Whitelist of Okta Group identifiers that are allowed for the "APPEND" or "SYNC" groups_action.
issuer str: URI that identifies the issuer.
issuer_mode str: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL. It can be "ORG_URL" or "CUSTOM_URL".
kid str: The ID of the signing key.
name str: The Application’s display name.
name_format str: The name identifier format to use. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
profile_master bool: Determines if the IdP should act as a source of truth for user profile attributes.
provisioning_action str: Provisioning action for an IdP user during authentication.
request_signature_algorithm str: The XML digital signature algorithm used when signing an AuthnRequest message.
request_signature_scope str: Specifies whether or not to digitally sign an AuthnRequest messages to the IdP. It can be "REQUEST" or "NONE".
response_signature_algorithm str: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element.
response_signature_scope str: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be "RESPONSE", "ASSERTION", or "ANY".
sso_binding str: The method of making an SSO request. It can be set to "HTTP-POST" or "HTTP-REDIRECT".
sso_destination str: URI reference indicating the address to which the AuthnRequest message is sent.
sso_url str: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
status str: Status of the IdP.
subject_filter str: Optional regular expression pattern used to filter untrusted IdP usernames.
subject_formats List[str]: The name formate. By default "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
subject_match_attribute str: Okta user profile attribute for matching transformed IdP username. Only for matchType "CUSTOM_ATTRIBUTE".
subject_match_type str: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default it is set to "USERNAME". It can be set to "USERNAME", "EMAIL", "USERNAME_OR_EMAIL" or "CUSTOM_ATTRIBUTE".
suspended_action str: Action for a previously suspended IdP user during authentication. Can be set to "NONE" or "UNSUSPEND"
type str: Type of the IdP.
username_template str: Okta EL Expression to generate or transform a unique username for the IdP user.

Package Details

Repository: https://github.com/pulumi/pulumi-okta
License: Apache-2.0
Notes: This Pulumi package is based on the okta Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud