Custom Profile Attributes for Identity Provider resources #2184

Open
theralmackey-tc opened this issue Jan 21, 2025 · 1 comment
Labels
enhancement Asking for new behavior or feature triaged Triaged into internal Jira

Comments

theralmackey-tc commented Jan 21, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

We need the ability to manage custom attributes on profiles for IdPs.
Currently creating attribute mappings for an IdP (specifically for us, saml IdP) in TF passes a plan even if the Attribute being mapped does not exist in the Profile for the IdP. It subsequently fails on Apply. There appears to be no code in the provider for managing IdP profile attributes to add the missing ones causing the error. This causes a problem where we have to run an apply to create a new IdP, wait for it to fail because of an unknown Attribute in the mappings, go to the Profile Editor in the UI and add the custom attribute (and optionally map it there), then re-run the Apply for the mapping to be created/updated in state. Profile attrs are not tracked at all by the provider, though mappings are, as adding/deleting idp profile attrs in the UI does not register a change in a plan/apply, but a mapping change there does. I suspect this will be similar to PR #851 (added in release v3.20.3). We should probably also cause a tf plan to fail if mapping an unknown Attribute.

The profile for an IdP restricts which attributes are available for mapping and also dictates what goes in the Metadata.xml generated in the UI, showing up as "requested attributes". The metadata needs to match what we actually expect.

New or Affected Resource(s)

resource okta_idp_saml (and any other IdP types that use profiles, OIDC/social?)
resource okta_profile_mapping.mappings
resource okta_idp_profile_schema_property

Potential Terraform Configuration

Much like previous additions of profile management, this can likely be a JSON list. Edited from the example in PR #851; it probably needs more updating/editing.

resource "okta_idp_saml" "test" {
  name        = "testAcc_replace_with_uuid"
  description = "testing, testing"
  // Reference the schema property resources directly so the IdP depends on
  // them and the custom attributes exist before any mapping is applied.
  custom_profile_attributes = jsonencode([
    okta_idp_schema_property.test1.index,
    okta_idp_schema_property.test2.index,
    okta_idp_schema_property.test3.index,
  ])
}

// Test Schema
resource "okta_idp_schema_property" "test1" {
  display_name       = "Test Schema 1"
  variable_name      = "testSchema1"
  external_name      = "testSchema1"
  external_namespace = ""
  type               = "string"
  description        = "Test string schema"
  length             = "{min: x, max: y}" // placeholder for the length constraint
  required           = true
  enum               = "{ ..enum data .. }" // placeholder for the enum values
}

resource "okta_idp_schema_property" "test2" {
  display_name       = "Test Schema 2"
  variable_name      = "testSchema2"
  external_name      = "testSchema2"
  external_namespace = ""
  type               = "string"
  description        = "Test string schema"
  length             = "{min: x, max: y}" // placeholder for the length constraint
  required           = true
  enum               = "{ ..enum data .. }" // placeholder for the enum values
}

...

References

https://help.okta.com/en-us/content/topics/security/idp-config-ud-mappings.htm
https://github.com/okta/terraform-provider-okta/releases/tag/v3.20.3
#851

Possibly expose this in the data resources as well (not sure if this would be needed), similar to #1009 and #1041.

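Until the provider validates mappings against the IdP profile at plan time (the behaviour the issue above asks for), the failure can be caught before apply with a small gate over the JSON plan. The script below is an added example and is not part of the issue, the provider, or the Okta tooling; it reads the output of `terraform show -json tfplan`, collects every okta_profile_mapping the plan creates or updates, and reports any IdP profile attribute a mapping references that is absent from the IdP's profile. The set of IdP profile attributes is assumed to be exported out of band (for example from the Profile Editor) and is constructed inline here; the sample plan is likewise constructed. Two assumptions are labelled in the code: that the IdP-side profile appears as `appuser.<attr>` in mapping expressions when the IdP is the mapping source, and that the mapping `id` is the IdP attribute when the IdP is the target.

```python
"""Pre-apply gate for okta_profile_mapping resources (added example).

Usage:
    terraform plan -out tfplan
    terraform show -json tfplan > plan.json
    python check_idp_mappings.py plan.json   # exits 1 if any mapping references an unknown IdP attribute
"""
from __future__ import annotations

import json
import re
import sys
from typing import Iterable

# Assumption: when the IdP is the mapping source, the IdP profile is addressed as
# `appuser.<attr>` inside the mapping expression.
APPUSER_REF = re.compile(r"\bappuser\.([A-Za-z_][A-Za-z0-9_]*)")

# Constructed for this example: attribute variable names currently defined on the
# IdP profile (in practice exported from the Profile Editor or the schema API).
IDP_PROFILE_ATTRS: set[str] = {"firstName", "lastName", "email"}

# Constructed for this example: the shape `terraform show -json` emits for a plan
# that creates one okta_profile_mapping with two mappings, one of which references
# an attribute (costCenter) that the IdP profile does not define.
SAMPLE_PLAN: dict = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "okta_profile_mapping.mappings",
            "type": "okta_profile_mapping",
            "change": {
                "actions": ["create"],
                "after": {
                    "mappings": [
                        {"id": "firstName", "expression": "appuser.firstName", "push_status": "DONT_PUSH"},
                        {"id": "department", "expression": "appuser.costCenter", "push_status": "DONT_PUSH"},
                    ]
                },
            },
        }
    ],
}


def mapping_resources(plan: dict) -> Iterable[tuple[str, list[dict]]]:
    """Yield (address, mappings) for each okta_profile_mapping the plan creates or updates."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "okta_profile_mapping":
            continue
        change = rc.get("change", {})
        if not set(change.get("actions", [])) & {"create", "update"}:
            continue  # deletes and no-ops cannot introduce a bad reference
        after = change.get("after") or {}
        yield rc["address"], after.get("mappings") or []


def unknown_idp_attributes(plan: dict, idp_attrs: set[str], idp_is_target: bool = False) -> list[str]:
    """Return one message per IdP attribute a mapping references but the profile lacks.

    idp_is_target=False: the IdP is the source, so `appuser.*` references in the
    expression are checked (assumption noted above).
    idp_is_target=True: the IdP is the target, so the mapping `id` is the IdP
    attribute being written (assumption).
    """
    problems: list[str] = []
    for address, mappings in mapping_resources(plan):
        for m in mappings:
            referenced: set[str] = set()
            if idp_is_target:
                referenced.add(m["id"])
            else:
                referenced.update(APPUSER_REF.findall(m.get("expression", "")))
            for attr in sorted(referenced - idp_attrs):
                problems.append(
                    f"{address}: mapping '{m['id']}' references IdP attribute '{attr}', "
                    f"which is not in the IdP profile"
                )
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan_doc = json.load(fh)
    else:
        plan_doc = SAMPLE_PLAN
    findings = unknown_idp_attributes(plan_doc, IDP_PROFILE_ATTRS)
    for line in findings:
        print(line)
    sys.exit(1 if findings else 0)
```

Run as a step between `terraform plan` and `terraform apply` in CI so an unknown attribute fails the pipeline instead of a half-created IdP; when the missing attribute is legitimate, add it to the IdP profile (and to the exported attribute set) first, then re-run the plan.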
@theralmackey-tc theralmackey-tc added the enhancement Asking for new behavior or feature label Jan 21, 2025
@monde monde added the triaged Triaged into internal Jira label Jan 28, 2025
monde (Collaborator) commented Jan 28, 2025
