okta.AppSignonPolicyRule
WARNING: This feature is only available as a part of the Identity Engine. Contact support for further information.
This resource allows you to create and configure a sign-on policy rule for the application.
A default ("Catch-all Rule") sign-on policy rule can be imported and managed as a custom rule.
The only difference is that the following fields of the catch-all rule are immutable and cannot be managed: `network_connection`, `network_excludes`, `network_includes`, `platform_include`, `custom_expression`, `device_is_registered`, `device_is_managed`, `users_excluded`, `users_included`, `groups_excluded`, `groups_included`, `user_types_excluded` and `user_types_included`. In other words, the catch-all rule's IF-side conditions are fixed; only its THEN-side settings (access, factor mode, constraints, re-authentication) can be changed through this resource.
Example Usage
Simple usage
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";
// A minimal SAML app. The endpoint URLs and the audience are placeholders:
// Okta posts signed assertions to `ssoUrl`, so these must be the service
// provider's real ACS / recipient / destination / entity-ID values before deploying.
const samlApp = new okta.app.Saml("testSaml", {
    label: "My App",
    status: "ACTIVE",
    ssoUrl: "https://google.com",
    recipient: "https://here.com",
    destination: "https://its-about-the-journey.com",
    audience: "https://audience.com",
    subjectNameIdTemplate: "${user.userName}",
    subjectNameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    // Signed responses using RSA-SHA256 signatures and SHA-256 digests.
    responseSigned: true,
    signatureAlgorithm: "RSA_SHA256",
    digestAlgorithm: "SHA256",
    // NOTE(review): as the name suggests, `false` presumably makes Okta ignore an
    // SP-initiated ForceAuthn request and reuse the existing session — confirm intended.
    honorForceAuthn: false,
    authnContextClassRef: "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
});

// Every app already owns a sign-on policy; it is looked up by app ID, not created.
const signonPolicy = okta.getAppSignonPolicyOutput({ appId: samlApp.id });

// A rule with no conditions and no constraints. Per the rendered THEN block on
// this page, that yields 'Allowed after successful authentication' with
// 'Any 2 factor types'.
const rule = new okta.AppSignonPolicyRule("testAppSignonPolicyRule", {
    policyId: signonPolicy.id,
});
import pulumi
import pulumi_okta as okta
# A minimal SAML app. The endpoint URLs and the audience are placeholders:
# Okta posts signed assertions to sso_url, so these must be the service
# provider's real ACS / recipient / destination / entity-ID values before deploying.
saml_app = okta.app.Saml(
    "testSaml",
    label="My App",
    status="ACTIVE",
    sso_url="https://google.com",
    recipient="https://here.com",
    destination="https://its-about-the-journey.com",
    audience="https://audience.com",
    subject_name_id_template="${user.userName}",
    subject_name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    # Signed responses using RSA-SHA256 signatures and SHA-256 digests.
    response_signed=True,
    signature_algorithm="RSA_SHA256",
    digest_algorithm="SHA256",
    # NOTE(review): as the name suggests, False presumably makes Okta ignore an
    # SP-initiated ForceAuthn request and reuse the existing session -- confirm intended.
    honor_force_authn=False,
    authn_context_class_ref="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
)

# Every app already owns a sign-on policy; it is looked up by app ID, not created.
signon_policy = okta.get_app_signon_policy_output(app_id=saml_app.id)

# A rule with no conditions and no constraints. Per the rendered THEN block on
# this page, that yields 'Allowed after successful authentication' with
# 'Any 2 factor types'.
rule = okta.AppSignonPolicyRule("testAppSignonPolicyRule", policy_id=signon_policy.id)
package main
import (
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta"
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/app"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main deploys a minimal SAML app and attaches one rule to the app's
// sign-on policy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The endpoint URLs and the audience are placeholders: Okta posts
		// signed assertions to SsoUrl, so these must be the SP's real values.
		testSaml, err := app.NewSaml(ctx, "testSaml", &app.SamlArgs{
			Label:                 pulumi.String("My App"),
			SsoUrl:                pulumi.String("https://google.com"),
			Recipient:             pulumi.String("https://here.com"),
			Destination:           pulumi.String("https://its-about-the-journey.com"),
			Audience:              pulumi.String("https://audience.com"),
			Status:                pulumi.String("ACTIVE"),
			SubjectNameIdTemplate: pulumi.String("${user.userName}"),
			SubjectNameIdFormat:   pulumi.String("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"),
			// Signed responses using RSA-SHA256 signatures and SHA-256 digests.
			SignatureAlgorithm: pulumi.String("RSA_SHA256"),
			ResponseSigned:     pulumi.Bool(true),
			DigestAlgorithm:    pulumi.String("SHA256"),
			// NOTE(review): as the name suggests, false presumably makes Okta
			// ignore an SP-initiated ForceAuthn request and reuse the existing
			// session — confirm this is intended.
			HonorForceAuthn:      pulumi.Bool(false),
			AuthnContextClassRef: pulumi.String("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"),
		})
		if err != nil {
			return err
		}
		// Every app already owns a sign-on policy; look it up by app ID.
		testAppSignonPolicy := okta.LookupAppSignonPolicyOutput(ctx, okta.GetAppSignonPolicyOutputArgs{
			AppId: testSaml.ID(),
		}, nil)
		// A rule with no conditions and no constraints. Per the rendered THEN
		// block on this page that yields 'Allowed after successful
		// authentication' with 'Any 2 factor types'.
		_, err = okta.NewAppSignonPolicyRule(ctx, "testAppSignonPolicyRule", &okta.AppSignonPolicyRuleArgs{
			// Unwrap the looked-up policy's ID into the StringPtrInput the rule expects.
			PolicyId: testAppSignonPolicy.ApplyT(func(testAppSignonPolicy okta.GetAppSignonPolicyResult) (*string, error) {
				return &testAppSignonPolicy.Id, nil
			}).(pulumi.StringPtrOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Okta = Pulumi.Okta;
return await Deployment.RunAsync(() =>
{
    // A minimal SAML app. The endpoint URLs and the audience are placeholders:
    // Okta posts signed assertions to SsoUrl, so use the SP's real values.
    var testSaml = new Okta.App.Saml("testSaml", new()
    {
        Label = "My App",
        SsoUrl = "https://google.com",
        Recipient = "https://here.com",
        Destination = "https://its-about-the-journey.com",
        Audience = "https://audience.com",
        Status = "ACTIVE",
        SubjectNameIdTemplate = "${user.userName}",
        SubjectNameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        // Signed responses using RSA-SHA256 signatures and SHA-256 digests.
        SignatureAlgorithm = "RSA_SHA256",
        ResponseSigned = true,
        DigestAlgorithm = "SHA256",
        // NOTE(review): as the name suggests, false presumably makes Okta ignore
        // an SP-initiated ForceAuthn request and reuse the existing session —
        // confirm this is intended.
        HonorForceAuthn = false,
        AuthnContextClassRef = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    });

    // Every app already owns a sign-on policy; look it up by app ID.
    var testAppSignonPolicy = Okta.GetAppSignonPolicy.Invoke(new()
    {
        AppId = testSaml.Id,
    });

    // A rule with no conditions and no constraints. Per the rendered THEN block
    // on this page that yields 'Allowed after successful authentication' with
    // 'Any 2 factor types'.
    var testAppSignonPolicyRule = new Okta.AppSignonPolicyRule("testAppSignonPolicyRule", new()
    {
        PolicyId = testAppSignonPolicy.Apply(getAppSignonPolicyResult => getAppSignonPolicyResult.Id),
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.app.Saml;
import com.pulumi.okta.app.SamlArgs;
import com.pulumi.okta.OktaFunctions;
import com.pulumi.okta.inputs.GetAppSignonPolicyArgs;
import com.pulumi.okta.AppSignonPolicyRule;
import com.pulumi.okta.AppSignonPolicyRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
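/**
 * Deploys a minimal SAML app and attaches one rule to the app's sign-on policy.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // The endpoint URLs and the audience are placeholders: Okta posts
        // signed assertions to ssoUrl, so use the SP's real values.
        var testSaml = new Saml("testSaml", SamlArgs.builder()
            .label("My App")
            .ssoUrl("https://google.com")
            .recipient("https://here.com")
            .destination("https://its-about-the-journey.com")
            .audience("https://audience.com")
            .status("ACTIVE")
            .subjectNameIdTemplate("${user.userName}")
            .subjectNameIdFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
            // Signed responses using RSA-SHA256 signatures and SHA-256 digests.
            .signatureAlgorithm("RSA_SHA256")
            .responseSigned(true)
            .digestAlgorithm("SHA256")
            // NOTE(review): as the name suggests, false presumably makes Okta
            // ignore an SP-initiated ForceAuthn request and reuse the existing
            // session — confirm this is intended.
            .honorForceAuthn(false)
            .authnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
            .build());

        // Every app already owns a sign-on policy; look it up by app ID.
        final var testAppSignonPolicy = OktaFunctions.getAppSignonPolicy(GetAppSignonPolicyArgs.builder()
            .appId(testSaml.id())
            .build());

        // A rule with no conditions and no constraints. Per the rendered THEN
        // block on this page that yields 'Allowed after successful
        // authentication' with 'Any 2 factor types'.
        //
        // The original chained applyValue twice and called applyValue on the
        // plain GetAppSignonPolicyResult, which does not compile; one
        // applyValue over the Output is all that is needed to extract the ID.
        var testAppSignonPolicyRule = new AppSignonPolicyRule("testAppSignonPolicyRule", AppSignonPolicyRuleArgs.builder()
            .policyId(testAppSignonPolicy.applyValue(getAppSignonPolicyResult -> getAppSignonPolicyResult.id()))
            .build());
    }
}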
resources:
  # A minimal SAML app. The endpoint URLs and the audience are placeholders:
  # Okta posts signed assertions to ssoUrl, so use the SP's real values.
  testSaml:
    type: okta:app:Saml
    properties:
      label: My App
      ssoUrl: https://google.com
      recipient: https://here.com
      destination: https://its-about-the-journey.com
      audience: https://audience.com
      status: ACTIVE
      # NOTE(review): `${user.userName}` is Okta template syntax, but `${...}` is
      # also Pulumi YAML's interpolation syntax and may be evaluated as a
      # reference to a resource named `user`; if `pulumi preview` rejects it,
      # escape it as `$${user.userName}`.
      subjectNameIdTemplate: ${user.userName}
      subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      # Signed responses using RSA-SHA256 signatures and SHA-256 digests.
      signatureAlgorithm: RSA_SHA256
      responseSigned: true
      digestAlgorithm: SHA256
      # NOTE(review): as the name suggests, false presumably makes Okta ignore an
      # SP-initiated ForceAuthn request and reuse the existing session — confirm.
      honorForceAuthn: false
      authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  # A rule with no conditions and no constraints. Per the rendered THEN block on
  # this page that yields 'Allowed after successful authentication' with
  # 'Any 2 factor types'.
  testAppSignonPolicyRule:
    type: okta:AppSignonPolicyRule
    properties:
      policyId: ${testAppSignonPolicy.id}
variables:
  # Every app already owns a sign-on policy; look it up by app ID.
  testAppSignonPolicy:
    fn::invoke:
      Function: okta:getAppSignonPolicy
      Arguments:
        appId: ${testSaml.id}
This will create an app sign-on policy rule with the following THEN
block:
THEN Access is 'Allowed after successful authentication'
AND User must authenticate with 'Any 2 factor types'
AND Possession factor constraints are '-'
AND Access with Okta FastPass is granted 'If the user approves a prompt in Okta Verify or provides biometrics (meets NIST AAL2 requirements)'
Rule with Constraints
Example 1:
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";
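// The original referenced `data.okta_app_signon_policy.test.id`, a Terraform
// data-source expression that is not defined in a Pulumi program. Look the
// policy up from the app ID instead, exactly as the "Simple usage" example does;
// here the app ID comes from stack config (`pulumi config set appId <id>`).
const config = new pulumi.Config();
const appSignonPolicy = okta.getAppSignonPolicyOutput({
    appId: config.require("appId"),
});

// One constraint set, passed to Okta as a JSON string. Requiring `password`
// as the knowledge factor yields the THEN block 'Password + Another factor'
// (see the rendered block below this example).
const test = new okta.AppSignonPolicyRule("test", {
    policyId: appSignonPolicy.id,
    constraints: [JSON.stringify({
        knowledge: {
            types: ["password"],
        },
    })],
});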
import pulumi
import json
import pulumi_okta as okta
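# The original referenced data["okta_app_signon_policy"]["test"]["id"], a
# Terraform data-source expression that is not defined in a Pulumi program.
# Look the policy up from the app ID instead, exactly as the "Simple usage"
# example does; the app ID comes from stack config (`pulumi config set appId <id>`).
config = pulumi.Config()
app_signon_policy = okta.get_app_signon_policy_output(app_id=config.require("appId"))

# One constraint set, passed to Okta as a JSON string. Requiring "password" as
# the knowledge factor yields the THEN block 'Password + Another factor' (see
# the rendered block below this example).
test = okta.AppSignonPolicyRule(
    "test",
    policy_id=app_signon_policy.id,
    constraints=[json.dumps({
        "knowledge": {
            "types": ["password"],
        },
    })],
)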
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main attaches a rule that requires the password as the knowledge factor to
// an existing app sign-on policy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The constraint is passed to Okta as a JSON string; json.Marshal
		// avoids hand-escaping. Requiring "password" as the knowledge factor
		// yields the THEN block 'Password + Another factor' (see below).
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"knowledge": map[string]interface{}{
				"types": []string{
					"password",
				},
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = okta.NewAppSignonPolicyRule(ctx, "test", &okta.AppSignonPolicyRuleArgs{
			// NOTE(review): `data.Okta_app_signon_policy.Test.Id` is a Terraform
			// data-source reference that is not defined in this program; obtain
			// the policy ID with okta.LookupAppSignonPolicyOutput(ctx, ...) as in
			// the "Simple usage" example.
			PolicyId: pulumi.Any(data.Okta_app_signon_policy.Test.Id),
			Constraints: pulumi.StringArray{
				pulumi.String(json0),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Okta = Pulumi.Okta;
return await Deployment.RunAsync(() =>
{
    // A rule that requires the password as the knowledge factor. Per the rendered
    // THEN block below, that yields 'Password + Another factor'.
    var test = new Okta.AppSignonPolicyRule("test", new()
    {
        // NOTE(review): `data.Okta_app_signon_policy.Test.Id` is a Terraform
        // data-source reference that is not defined in this program; obtain the
        // policy ID with Okta.GetAppSignonPolicy.Invoke(...) as in the
        // "Simple usage" example.
        PolicyId = data.Okta_app_signon_policy.Test.Id,
        // Each constraint set is passed to Okta as a JSON string.
        Constraints = new[]
        {
            JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["knowledge"] = new Dictionary<string, object?>
                {
                    ["types"] = new[]
                    {
                        "password",
                    },
                },
            }),
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.AppSignonPolicyRule;
import com.pulumi.okta.AppSignonPolicyRuleArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Attaches a rule that requires the password as the knowledge factor to an
 * existing app sign-on policy. Per the rendered THEN block below, that yields
 * 'Password + Another factor'.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new AppSignonPolicyRule("test", AppSignonPolicyRuleArgs.builder()
            // NOTE(review): `data.okta_app_signon_policy().test().id()` is a
            // Terraform data-source reference that is not defined in this
            // program; obtain the policy ID with OktaFunctions.getAppSignonPolicy
            // as in the "Simple usage" example.
            .policyId(data.okta_app_signon_policy().test().id())
            // The constraint set is passed to Okta as a JSON string.
            .constraints(serializeJson(
                jsonObject(
                    jsonProperty("knowledge", jsonObject(
                        jsonProperty("types", jsonArray("password"))
                    ))
                )))
            .build());
    }
}
resources:
  # A rule that requires the password as the knowledge factor. Per the rendered
  # THEN block below, that yields 'Password + Another factor'.
  test:
    type: okta:AppSignonPolicyRule
    properties:
      # NOTE(review): `data.okta_app_signon_policy.test.id` is a Terraform
      # data-source reference; no `data` resource or variable is defined in this
      # program. Obtain the policy ID with an `okta:getAppSignonPolicy` invoke as
      # in the "Simple usage" example.
      policyId: ${data.okta_app_signon_policy.test.id}
      # Each constraint set is serialized to the JSON string Okta expects.
      constraints:
        - fn::toJSON:
            knowledge:
              types:
                - password
This will create an app sign-on policy rule with the following THEN
block:
THEN Access is 'Allowed after successful authentication'
AND User must authenticate with 'Password + Another factor'
AND Possession factor constraints are '-'
AND Access with Okta FastPass is granted 'If the user approves a prompt in Okta Verify or provides biometrics (meets NIST AAL2 requirements)'
Example 2:
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";
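// The original referenced `data.okta_app_signon_policy.test.id`, a Terraform
// data-source expression that is not defined in a Pulumi program. Look the
// policy up from the app ID instead, exactly as the "Simple usage" example does;
// here the app ID comes from stack config (`pulumi config set appId <id>`).
const config = new pulumi.Config();
const appSignonPolicy = okta.getAppSignonPolicyOutput({
    appId: config.require("appId"),
});

// One constraint set, passed to Okta as a JSON string:
//  - knowledge: password is the knowledge factor and must be re-entered every
//    2 hours (ISO-8601 duration PT2H);
//  - possession: the second factor must be device-bound and hardware-protected,
//    which per the rendered THEN block below excludes phone/email factors and
//    lets Okta FastPass grant access without a prompt or biometric.
const test = new okta.AppSignonPolicyRule("test", {
    policyId: appSignonPolicy.id,
    constraints: [JSON.stringify({
        knowledge: {
            reauthenticateIn: "PT2H",
            types: ["password"],
        },
        possession: {
            deviceBound: "REQUIRED",
            hardwareProtection: "REQUIRED",
        },
    })],
});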
import pulumi
import json
import pulumi_okta as okta
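# The original referenced data["okta_app_signon_policy"]["test"]["id"], a
# Terraform data-source expression that is not defined in a Pulumi program.
# Look the policy up from the app ID instead, exactly as the "Simple usage"
# example does; the app ID comes from stack config (`pulumi config set appId <id>`).
config = pulumi.Config()
app_signon_policy = okta.get_app_signon_policy_output(app_id=config.require("appId"))

# One constraint set, passed to Okta as a JSON string:
#  - knowledge: password is the knowledge factor and must be re-entered every
#    2 hours (ISO-8601 duration PT2H);
#  - possession: the second factor must be device-bound and hardware-protected,
#    which per the rendered THEN block below excludes phone/email factors and
#    lets Okta FastPass grant access without a prompt or biometric.
test = okta.AppSignonPolicyRule(
    "test",
    policy_id=app_signon_policy.id,
    constraints=[json.dumps({
        "knowledge": {
            "reauthenticateIn": "PT2H",
            "types": ["password"],
        },
        "possession": {
            "deviceBound": "REQUIRED",
            "hardwareProtection": "REQUIRED",
        },
    })],
)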
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main attaches a rule with knowledge and possession constraints to an
// existing app sign-on policy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// One constraint set, passed to Okta as a JSON string:
		//  - knowledge: password is the knowledge factor and must be re-entered
		//    every 2 hours (ISO-8601 duration PT2H);
		//  - possession: the second factor must be device-bound and
		//    hardware-protected, which per the rendered THEN block below
		//    excludes phone/email factors and lets Okta FastPass grant access
		//    without a prompt or biometric.
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"knowledge": map[string]interface{}{
				"reauthenticateIn": "PT2H",
				"types": []string{
					"password",
				},
			},
			"possession": map[string]interface{}{
				"deviceBound":        "REQUIRED",
				"hardwareProtection": "REQUIRED",
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		_, err = okta.NewAppSignonPolicyRule(ctx, "test", &okta.AppSignonPolicyRuleArgs{
			// NOTE(review): `data.Okta_app_signon_policy.Test.Id` is a Terraform
			// data-source reference that is not defined in this program; obtain
			// the policy ID with okta.LookupAppSignonPolicyOutput(ctx, ...) as in
			// the "Simple usage" example.
			PolicyId: pulumi.Any(data.Okta_app_signon_policy.Test.Id),
			Constraints: pulumi.StringArray{
				pulumi.String(json0),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Okta = Pulumi.Okta;
return await Deployment.RunAsync(() =>
{
    // A rule with one constraint set:
    //  - knowledge: password is the knowledge factor and must be re-entered every
    //    2 hours (ISO-8601 duration PT2H);
    //  - possession: the second factor must be device-bound and hardware-protected,
    //    which per the rendered THEN block below excludes phone/email factors and
    //    lets Okta FastPass grant access without a prompt or biometric.
    var test = new Okta.AppSignonPolicyRule("test", new()
    {
        // NOTE(review): `data.Okta_app_signon_policy.Test.Id` is a Terraform
        // data-source reference that is not defined in this program; obtain the
        // policy ID with Okta.GetAppSignonPolicy.Invoke(...) as in the
        // "Simple usage" example.
        PolicyId = data.Okta_app_signon_policy.Test.Id,
        // Each constraint set is passed to Okta as a JSON string.
        Constraints = new[]
        {
            JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["knowledge"] = new Dictionary<string, object?>
                {
                    ["reauthenticateIn"] = "PT2H",
                    ["types"] = new[]
                    {
                        "password",
                    },
                },
                ["possession"] = new Dictionary<string, object?>
                {
                    ["deviceBound"] = "REQUIRED",
                    ["hardwareProtection"] = "REQUIRED",
                },
            }),
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.AppSignonPolicyRule;
import com.pulumi.okta.AppSignonPolicyRuleArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Attaches a rule with knowledge and possession constraints to an existing app
 * sign-on policy: password re-entered every 2 hours (PT2H) plus a device-bound,
 * hardware-protected possession factor. Per the rendered THEN block below this
 * excludes phone/email factors and lets Okta FastPass grant access without a
 * prompt or biometric.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var test = new AppSignonPolicyRule("test", AppSignonPolicyRuleArgs.builder()
            // NOTE(review): `data.okta_app_signon_policy().test().id()` is a
            // Terraform data-source reference that is not defined in this
            // program; obtain the policy ID with OktaFunctions.getAppSignonPolicy
            // as in the "Simple usage" example.
            .policyId(data.okta_app_signon_policy().test().id())
            // The constraint set is passed to Okta as a JSON string.
            .constraints(serializeJson(
                jsonObject(
                    jsonProperty("knowledge", jsonObject(
                        jsonProperty("reauthenticateIn", "PT2H"),
                        jsonProperty("types", jsonArray("password"))
                    )),
                    jsonProperty("possession", jsonObject(
                        jsonProperty("deviceBound", "REQUIRED"),
                        jsonProperty("hardwareProtection", "REQUIRED")
                    ))
                )))
            .build());
    }
}
resources:
  # A rule with one constraint set: password re-entered every 2 hours (PT2H)
  # plus a device-bound, hardware-protected possession factor. Per the rendered
  # THEN block below this excludes phone/email factors and lets Okta FastPass
  # grant access without a prompt or biometric.
  test:
    type: okta:AppSignonPolicyRule
    properties:
      # NOTE(review): `data.okta_app_signon_policy.test.id` is a Terraform
      # data-source reference; no `data` resource or variable is defined in this
      # program. Obtain the policy ID with an `okta:getAppSignonPolicy` invoke as
      # in the "Simple usage" example.
      policyId: ${data.okta_app_signon_policy.test.id}
      # Each constraint set is serialized to the JSON string Okta expects.
      constraints:
        - fn::toJSON:
            knowledge:
              reauthenticateIn: PT2H
              types:
                - password
            possession:
              deviceBound: REQUIRED
              hardwareProtection: REQUIRED
This will create an app sign-on policy rule with the following THEN
block:
THEN Access is 'Allowed after successful authentication'
AND User must authenticate with 'Password + Another factor'
AND Possession factor constraints are 'Hardware protected' and 'Device Bound (excludes phone and email)'
AND Access with Okta FastPass is granted 'Without the user approving a prompt in Okta Verify or providing biometrics'
More examples can be found here.
Complex example
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";
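// SAML app with single logout and a group attribute statement. The endpoint
// URLs and the audience are placeholders: Okta posts signed assertions to
// `ssoUrl`, so these must be the SP's real values before deploying.
const testSaml = new okta.app.Saml("testSaml", {
    label: "testAcc_replace_with_uuid",
    ssoUrl: "https://google.com",
    recipient: "https://here.com",
    destination: "https://its-about-the-journey.com",
    audience: "https://audience.com",
    subjectNameIdTemplate: "${user.userName}",
    subjectNameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    // Signed responses using RSA-SHA256 signatures and SHA-256 digests.
    responseSigned: true,
    signatureAlgorithm: "RSA_SHA256",
    digestAlgorithm: "SHA256",
    // NOTE(review): as the name suggests, `false` presumably makes Okta ignore an
    // SP-initiated ForceAuthn request and reuse the existing session — confirm intended.
    honorForceAuthn: false,
    authnContextClassRef: "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    singleLogoutIssuer: "https://dunshire.okta.com",
    singleLogoutUrl: "https://dunshire.okta.com/logout",
    // Sample certificate for the single-logout configuration. Replace it with the
    // SP's actual signing certificate; whoever holds the matching private key can
    // produce logout requests this app accepts.
    singleLogoutCertificate: `MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV
BAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG
A1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4
YW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT
MQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ
bmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl
bWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa
PyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu
O/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu
2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c
fCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi
Vff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd
CJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf
sgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt
ieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ
DAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ
KoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3
wLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG
t/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E
P72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij
ltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h
hfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5
wbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy
DaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL
JtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt
zOYQQatrnBagM7MI2/T4
`,
    // A GROUP statement whose regex is `.*` releases every group the user belongs
    // to in the assertion; narrow the filter to the groups the SP actually needs.
    attributeStatements: [{
        type: "GROUP",
        name: "groups",
        filterType: "REGEX",
        filterValue: ".*",
    }],
});

// Every app already owns a sign-on policy; it is looked up by app ID, not created.
const testAppSignonPolicy = okta.getAppSignonPolicyOutput({
    appId: testSaml.id,
});

// Five test users: 0 and 1 are included by the rule below, 2-4 excluded.
const testUser: okta.user.User[] = [];
for (let i = 0; i < 5; i++) {
    testUser.push(new okta.user.User(`testUser-${i}`, {
        firstName: "TestAcc",
        lastName: "Smith",
        login: `testAcc_${i}@example.com`,
        email: `testAcc_${i}@example.com`,
    }));
}

// Five test groups: 0 and 1 are included by the rule below, 2-4 excluded.
const _this: okta.group.Group[] = [];
for (let i = 0; i < 5; i++) {
    _this.push(new okta.group.Group(`this-${i}`, {description: `testAcc_${i}`}));
}

const testUserType = new okta.user.UserType("testUserType", {
    displayName: "Terraform Acceptance Test User Type Updated",
    description: "Terraform Acceptance Test User Type Updated",
});

// IP network zone used as the rule's network condition.
// NOTE(review): `1.2.3.4/24` and `2.2.3.4/24` have host bits set; the canonical
// form is `1.2.3.0/24` / `2.2.3.0/24` — check how Okta normalizes them.
const testZone = new okta.network.Zone("testZone", {
    type: "IP",
    gateways: [
        "1.2.3.4/24",
        "2.3.4.5-2.3.4.15",
    ],
    proxies: [
        "2.2.3.4/24",
        "3.3.4.5-3.3.4.15",
    ],
});

// The original declared this as `const default`, which is a reserved word and
// does not compile; it is the built-in "user" user type, looked up by name.
const defaultUserType = okta.user.getUserType({
    name: "user",
});

// Device assurance: Android 12+ and not jailbroken/rooted.
const testDeviceAssuranceAndroid = new okta.policy.DeviceAssuranceAndroid("testDeviceAssuranceAndroid", {
    osVersion: "12",
    jailbreak: false,
});

const testAppSignonPolicyRule = new okta.AppSignonPolicyRule("testAppSignonPolicyRule", {
    policyId: testAppSignonPolicy.id,
    access: "ALLOW",
    // Okta Expression Language condition: only ACTIVE users match this rule.
    customExpression: "user.status == \"ACTIVE\"",
    // NOTE(review): device must be registered; `deviceIsManaged: false` presumably
    // relaxes (rather than negates) the managed requirement — confirm the
    // resulting IF clause in the admin console.
    deviceIsManaged: false,
    deviceIsRegistered: true,
    factorMode: "2FA",
    groupsExcludeds: [
        _this[2].id,
        _this[3].id,
        _this[4].id,
    ],
    groupsIncludeds: [
        _this[0].id,
        _this[1].id,
    ],
    deviceAssurancesIncludeds: [testDeviceAssuranceAndroid.id],
    // Only requests from testZone match this rule.
    networkConnection: "ZONE",
    networkIncludes: [testZone.id],
    // Listing OTHER for both DESKTOP and MOBILE makes the platform condition
    // match effectively any platform.
    platformIncludes: [
        {
            osType: "ANDROID",
            type: "MOBILE",
        },
        {
            osType: "IOS",
            type: "MOBILE",
        },
        {
            osType: "MACOS",
            type: "DESKTOP",
        },
        {
            osType: "OTHER",
            type: "DESKTOP",
        },
        {
            osType: "OTHER",
            type: "MOBILE",
        },
        {
            osType: "WINDOWS",
            type: "DESKTOP",
        },
        {
            osType: "CHROMEOS",
            type: "DESKTOP",
        },
    ],
    priority: 98,
    // 43,800 h = 1,825 days (~5 years): this rule effectively never forces a
    // re-authentication on its own. The first constraint below still re-checks
    // the password every 2 h (PT2H) — confirm the long value is intended.
    reAuthenticationFrequency: "PT43800H",
    type: "ASSURANCE",
    userTypesExcludeds: [testUserType.id],
    userTypesIncludeds: [defaultUserType.then(userType => userType.id)],
    usersExcludeds: [
        testUser[2].id,
        testUser[3].id,
        testUser[4].id,
    ],
    usersIncludeds: [
        testUser[0].id,
        testUser[1].id,
    ],
    // Two constraint sets. The second requires a device-bound, hardware-protected
    // possession factor with `userPresence: "OPTIONAL"`, which presumably allows a
    // silent Okta FastPass grant (compare the FastPass line of Example 2's THEN
    // block). The page does not state how multiple sets combine — verify the
    // rendered THEN block after deploying.
    constraints: [
        JSON.stringify({
            knowledge: {
                reauthenticateIn: "PT2H",
                types: ["password"],
            },
            possession: {
                deviceBound: "REQUIRED",
            },
        }),
        JSON.stringify({
            possession: {
                deviceBound: "REQUIRED",
                hardwareProtection: "REQUIRED",
                userPresence: "OPTIONAL",
            },
        }),
    ],
});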
import pulumi
import json
import pulumi_okta as okta
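# SAML app with single logout and a group attribute statement. The endpoint
# URLs and the audience are placeholders: Okta posts signed assertions to
# sso_url, so these must be the SP's real values before deploying.
test_saml = okta.app.Saml(
    "testSaml",
    label="testAcc_replace_with_uuid",
    sso_url="https://google.com",
    recipient="https://here.com",
    destination="https://its-about-the-journey.com",
    audience="https://audience.com",
    subject_name_id_template="${user.userName}",
    subject_name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    # Signed responses using RSA-SHA256 signatures and SHA-256 digests.
    response_signed=True,
    signature_algorithm="RSA_SHA256",
    digest_algorithm="SHA256",
    # NOTE(review): as the name suggests, False presumably makes Okta ignore an
    # SP-initiated ForceAuthn request and reuse the existing session -- confirm intended.
    honor_force_authn=False,
    authn_context_class_ref="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    single_logout_issuer="https://dunshire.okta.com",
    single_logout_url="https://dunshire.okta.com/logout",
    # Sample certificate for the single-logout configuration (the same one the
    # TypeScript and Go listings use; the Python listing had it truncated).
    # Replace it with the SP's actual signing certificate; whoever holds the
    # matching private key can produce logout requests this app accepts.
    single_logout_certificate="""MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV
BAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG
A1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4
YW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT
MQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ
bmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl
bWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa
PyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu
O/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu
2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c
fCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi
Vff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd
CJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf
sgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt
ieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ
DAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ
KoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3
wLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG
t/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E
P72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij
ltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h
hfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5
wbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy
DaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL
JtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt
zOYQQatrnBagM7MI2/T4
""",
    # A GROUP statement whose regex is ".*" releases every group the user belongs
    # to in the assertion; narrow the filter to the groups the SP actually needs.
    attribute_statements=[okta.app.SamlAttributeStatementArgs(
        type="GROUP",
        name="groups",
        filter_type="REGEX",
        filter_value=".*",
    )],
)

# Every app already owns a sign-on policy; it is looked up by app ID, not created.
test_app_signon_policy = okta.get_app_signon_policy_output(app_id=test_saml.id)

# Five test users: 0 and 1 are included by the rule below, 2-4 excluded.
# (The original used `range` as the loop variable, shadowing the builtin so the
# second loop raised TypeError; a plain index avoids that.)
test_user = []
for i in range(5):
    test_user.append(okta.user.User(
        f"testUser-{i}",
        first_name="TestAcc",
        last_name="Smith",
        login=f"testAcc_{i}@example.com",
        email=f"testAcc_{i}@example.com",
    ))

# Five test groups: 0 and 1 are included by the rule below, 2-4 excluded.
this = []
for i in range(5):
    this.append(okta.group.Group(f"this-{i}", description=f"testAcc_{i}"))

test_user_type = okta.user.UserType(
    "testUserType",
    display_name="Terraform Acceptance Test User Type Updated",
    description="Terraform Acceptance Test User Type Updated",
)

# IP network zone used as the rule's network condition.
# NOTE(review): "1.2.3.4/24" and "2.2.3.4/24" have host bits set; the canonical
# form is "1.2.3.0/24" / "2.2.3.0/24" -- check how Okta normalizes them.
test_zone = okta.network.Zone(
    "testZone",
    type="IP",
    gateways=[
        "1.2.3.4/24",
        "2.3.4.5-2.3.4.15",
    ],
    proxies=[
        "2.2.3.4/24",
        "3.3.4.5-3.3.4.15",
    ],
)

# The built-in "user" user type, looked up by name.
default_user_type = okta.user.get_user_type(name="user")

# Device assurance: Android 12+ and not jailbroken/rooted.
test_device_assurance_android = okta.policy.DeviceAssuranceAndroid(
    "testDeviceAssuranceAndroid",
    os_version="12",
    jailbreak=False,
)

test_app_signon_policy_rule = okta.AppSignonPolicyRule(
    "testAppSignonPolicyRule",
    policy_id=test_app_signon_policy.id,
    access="ALLOW",
    # Okta Expression Language condition: only ACTIVE users match this rule.
    custom_expression="user.status == \"ACTIVE\"",
    # NOTE(review): device must be registered; device_is_managed=False presumably
    # relaxes (rather than negates) the managed requirement -- confirm the
    # resulting IF clause in the admin console.
    device_is_managed=False,
    device_is_registered=True,
    factor_mode="2FA",
    groups_excludeds=[
        this[2].id,
        this[3].id,
        this[4].id,
    ],
    groups_includeds=[
        this[0].id,
        this[1].id,
    ],
    device_assurances_includeds=[test_device_assurance_android.id],
    # Only requests from test_zone match this rule.
    network_connection="ZONE",
    network_includes=[test_zone.id],
    # Listing OTHER for both DESKTOP and MOBILE makes the platform condition
    # match effectively any platform.
    platform_includes=[
        okta.AppSignonPolicyRulePlatformIncludeArgs(os_type="ANDROID", type="MOBILE"),
        okta.AppSignonPolicyRulePlatformIncludeArgs(os_type="IOS", type="MOBILE"),
        okta.AppSignonPolicyRulePlatformIncludeArgs(os_type="MACOS", type="DESKTOP"),
        okta.AppSignonPolicyRulePlatformIncludeArgs(os_type="OTHER", type="DESKTOP"),
        okta.AppSignonPolicyRulePlatformIncludeArgs(os_type="OTHER", type="MOBILE"),
        okta.AppSignonPolicyRulePlatformIncludeArgs(os_type="WINDOWS", type="DESKTOP"),
        okta.AppSignonPolicyRulePlatformIncludeArgs(os_type="CHROMEOS", type="DESKTOP"),
    ],
    priority=98,
    # 43,800 h = 1,825 days (~5 years): this rule effectively never forces a
    # re-authentication on its own. The first constraint below still re-checks
    # the password every 2 h (PT2H) -- confirm the long value is intended.
    re_authentication_frequency="PT43800H",
    type="ASSURANCE",
    user_types_excludeds=[test_user_type.id],
    user_types_includeds=[default_user_type.id],
    users_excludeds=[
        test_user[2].id,
        test_user[3].id,
        test_user[4].id,
    ],
    users_includeds=[
        test_user[0].id,
        test_user[1].id,
    ],
    # Two constraint sets. The second requires a device-bound, hardware-protected
    # possession factor with userPresence "OPTIONAL", which presumably allows a
    # silent Okta FastPass grant (compare the FastPass line of Example 2's THEN
    # block). The page does not state how multiple sets combine -- verify the
    # rendered THEN block after deploying.
    constraints=[
        json.dumps({
            "knowledge": {
                "reauthenticateIn": "PT2H",
                "types": ["password"],
            },
            "possession": {
                "deviceBound": "REQUIRED",
            },
        }),
        json.dumps({
            "possession": {
                "deviceBound": "REQUIRED",
                "hardwareProtection": "REQUIRED",
                "userPresence": "OPTIONAL",
            },
        }),
    ],
)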
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta"
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/app"
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/group"
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/network"
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/policy"
"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/user"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main deploys a SAML app plus the users, groups, zone, user type and device
// assurance referenced by a fully conditioned app sign-on policy rule.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The endpoint URLs and the audience are placeholders: Okta posts
		// signed assertions to SsoUrl, so these must be the SP's real values.
		testSaml, err := app.NewSaml(ctx, "testSaml", &app.SamlArgs{
			Label:                 pulumi.String("testAcc_replace_with_uuid"),
			SsoUrl:                pulumi.String("https://google.com"),
			Recipient:             pulumi.String("https://here.com"),
			Destination:           pulumi.String("https://its-about-the-journey.com"),
			Audience:              pulumi.String("https://audience.com"),
			SubjectNameIdTemplate: pulumi.String("${user.userName}"),
			SubjectNameIdFormat:   pulumi.String("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"),
			// Signed responses using RSA-SHA256 signatures and SHA-256 digests.
			ResponseSigned:     pulumi.Bool(true),
			SignatureAlgorithm: pulumi.String("RSA_SHA256"),
			DigestAlgorithm:    pulumi.String("SHA256"),
			// NOTE(review): as the name suggests, false presumably makes Okta
			// ignore an SP-initiated ForceAuthn request and reuse the existing
			// session — confirm this is intended.
			HonorForceAuthn:      pulumi.Bool(false),
			AuthnContextClassRef: pulumi.String("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"),
			SingleLogoutIssuer:   pulumi.String("https://dunshire.okta.com"),
			SingleLogoutUrl:      pulumi.String("https://dunshire.okta.com/logout"),
			// Sample certificate for the single-logout configuration. Replace
			// it with the SP's actual signing certificate; whoever holds the
			// matching private key can produce logout requests this app accepts.
			SingleLogoutCertificate: pulumi.String(`MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV
BAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG
A1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4
YW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT
MQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ
bmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl
bWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa
PyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu
O/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu
2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c
fCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi
Vff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd
CJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf
sgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt
ieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ
DAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ
KoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3
wLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG
t/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E
P72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij
ltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h
hfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5
wbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy
DaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL
JtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt
zOYQQatrnBagM7MI2/T4
`),
			// A GROUP statement whose regex is ".*" releases every group the
			// user belongs to in the assertion; narrow the filter to the groups
			// the SP actually needs.
			AttributeStatements: app.SamlAttributeStatementArray{
				&app.SamlAttributeStatementArgs{
					Type:        pulumi.String("GROUP"),
					Name:        pulumi.String("groups"),
					FilterType:  pulumi.String("REGEX"),
					FilterValue: pulumi.String(".*"),
				},
			},
		})
		if err != nil {
			return err
		}
		// Every app already owns a sign-on policy; look it up by app ID.
		testAppSignonPolicy := okta.LookupAppSignonPolicyOutput(ctx, okta.GetAppSignonPolicyOutputArgs{
			AppId: testSaml.ID(),
		}, nil)
		// Five test users: 0 and 1 are included by the rule below, 2-4 excluded.
		var testUser []*user.User
		for index := 0; index < 5; index++ {
			key0 := index
			val0 := index
			__res, err := user.NewUser(ctx, fmt.Sprintf("testUser-%v", key0), &user.UserArgs{
				FirstName: pulumi.String("TestAcc"),
				LastName:  pulumi.String("Smith"),
				Login:     pulumi.String(fmt.Sprintf("testAcc_%v@example.com", val0)),
				Email:     pulumi.String(fmt.Sprintf("testAcc_%v@example.com", val0)),
			})
			if err != nil {
				return err
			}
			testUser = append(testUser, __res)
		}
		// Five test groups: 0 and 1 are included by the rule below, 2-4 excluded.
		var this []*group.Group
		for index := 0; index < 5; index++ {
			key0 := index
			val0 := index
			__res, err := group.NewGroup(ctx, fmt.Sprintf("this-%v", key0), &group.GroupArgs{
				Description: pulumi.String(fmt.Sprintf("testAcc_%v", val0)),
			})
			if err != nil {
				return err
			}
			this = append(this, __res)
		}
		testUserType, err := user.NewUserType(ctx, "testUserType", &user.UserTypeArgs{
			DisplayName: pulumi.String("Terraform Acceptance Test User Type Updated"),
			Description: pulumi.String("Terraform Acceptance Test User Type Updated"),
		})
		if err != nil {
			return err
		}
		// IP network zone used as the rule's network condition.
		// NOTE(review): "1.2.3.4/24" and "2.2.3.4/24" have host bits set; the
		// canonical form is "1.2.3.0/24" / "2.2.3.0/24" — check how Okta
		// normalizes them.
		testZone, err := network.NewZone(ctx, "testZone", &network.ZoneArgs{
			Type: pulumi.String("IP"),
			Gateways: pulumi.StringArray{
				pulumi.String("1.2.3.4/24"),
				pulumi.String("2.3.4.5-2.3.4.15"),
			},
			Proxies: pulumi.StringArray{
				pulumi.String("2.2.3.4/24"),
				pulumi.String("3.3.4.5-3.3.4.15"),
			},
		})
		if err != nil {
			return err
		}
		// The built-in "user" user type, looked up by name.
		_default, err := user.LookupUserType(ctx, &user.LookupUserTypeArgs{
			Name: "user",
		}, nil)
		if err != nil {
			return err
		}
		// Device assurance: Android 12+ and not jailbroken/rooted.
		testDeviceAssuranceAndroid, err := policy.NewDeviceAssuranceAndroid(ctx, "testDeviceAssuranceAndroid", &policy.DeviceAssuranceAndroidArgs{
			OsVersion: pulumi.String("12"),
			Jailbreak: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		// First constraint set: password as the knowledge factor, re-checked
		// every 2 h (PT2H), plus a device-bound possession factor.
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"knowledge": map[string]interface{}{
				"reauthenticateIn": "PT2H",
				"types": []string{
					"password",
				},
			},
			"possession": map[string]interface{}{
				"deviceBound": "REQUIRED",
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		// Second constraint set: a device-bound, hardware-protected possession
		// factor with userPresence OPTIONAL, which presumably allows a silent
		// Okta FastPass grant (compare the FastPass line of Example 2's THEN
		// block). The page does not state how multiple sets combine — verify
		// the rendered THEN block after deploying.
		tmpJSON1, err := json.Marshal(map[string]interface{}{
			"possession": map[string]interface{}{
				"deviceBound":        "REQUIRED",
				"hardwareProtection": "REQUIRED",
				"userPresence":       "OPTIONAL",
			},
		})
		if err != nil {
			return err
		}
		json1 := string(tmpJSON1)
		_, err = okta.NewAppSignonPolicyRule(ctx, "testAppSignonPolicyRule", &okta.AppSignonPolicyRuleArgs{
			PolicyId: testAppSignonPolicy.ApplyT(func(testAppSignonPolicy okta.GetAppSignonPolicyResult) (*string, error) {
				return &testAppSignonPolicy.Id, nil
			}).(pulumi.StringPtrOutput),
			Access: pulumi.String("ALLOW"),
			// Okta Expression Language condition: only ACTIVE users match.
			CustomExpression: pulumi.String("user.status == \"ACTIVE\""),
			// NOTE(review): device must be registered; DeviceIsManaged false
			// presumably relaxes (rather than negates) the managed requirement
			// — confirm the resulting IF clause in the admin console.
			DeviceIsManaged:    pulumi.Bool(false),
			DeviceIsRegistered: pulumi.Bool(true),
			FactorMode:         pulumi.String("2FA"),
			GroupsExcludeds: pulumi.StringArray{
				this[2].ID(),
				this[3].ID(),
				this[4].ID(),
			},
			GroupsIncludeds: pulumi.StringArray{
				this[0].ID(),
				this[1].ID(),
			},
			DeviceAssurancesIncludeds: pulumi.StringArray{
				testDeviceAssuranceAndroid.ID(),
			},
			// Only requests from testZone match this rule.
			NetworkConnection: pulumi.String("ZONE"),
			NetworkIncludes: pulumi.StringArray{
				testZone.ID(),
			},
			// Listing OTHER for both DESKTOP and MOBILE makes the platform
			// condition match effectively any platform.
			PlatformIncludes: okta.AppSignonPolicyRulePlatformIncludeArray{
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("ANDROID"),
					Type:   pulumi.String("MOBILE"),
				},
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("IOS"),
					Type:   pulumi.String("MOBILE"),
				},
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("MACOS"),
					Type:   pulumi.String("DESKTOP"),
				},
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("OTHER"),
					Type:   pulumi.String("DESKTOP"),
				},
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("OTHER"),
					Type:   pulumi.String("MOBILE"),
				},
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("WINDOWS"),
					Type:   pulumi.String("DESKTOP"),
				},
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("CHROMEOS"),
					Type:   pulumi.String("DESKTOP"),
				},
			},
			Priority: pulumi.Int(98),
			// 43,800 h = 1,825 days (~5 years): this rule effectively never
			// forces a re-authentication on its own; the first constraint
			// still re-checks the password every 2 h — confirm intended.
			ReAuthenticationFrequency: pulumi.String("PT43800H"),
			Type:                      pulumi.String("ASSURANCE"),
			UserTypesExcludeds: pulumi.StringArray{
				testUserType.ID(),
			},
			UserTypesIncludeds: pulumi.StringArray{
				pulumi.String(_default.Id),
			},
			UsersExcludeds: pulumi.StringArray{
				testUser[2].ID(),
				testUser[3].ID(),
				testUser[4].ID(),
			},
			UsersIncludeds: pulumi.StringArray{
				testUser[0].ID(),
				testUser[1].ID(),
			},
			Constraints: pulumi.StringArray{
				pulumi.String(json0),
				pulumi.String(json1),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Okta = Pulumi.Okta;
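return await Deployment.RunAsync(() =>
{
    // SAML app whose sign-on policy the rule at the bottom is attached to.
    var testSaml = new Okta.App.Saml("testSaml", new()
    {
        Label = "testAcc_replace_with_uuid",
        SsoUrl = "https://google.com",
        Recipient = "https://here.com",
        Destination = "https://its-about-the-journey.com",
        Audience = "https://audience.com",
        SubjectNameIdTemplate = "${user.userName}",
        SubjectNameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        ResponseSigned = true,
        SignatureAlgorithm = "RSA_SHA256",
        DigestAlgorithm = "SHA256",
        HonorForceAuthn = false,
        AuthnContextClassRef = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        SingleLogoutIssuer = "https://dunshire.okta.com",
        SingleLogoutUrl = "https://dunshire.okta.com/logout",
        SingleLogoutCertificate = @"MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV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",
        AttributeStatements = new[]
        {
            new Okta.App.Inputs.SamlAttributeStatementArgs
            {
                Type = "GROUP",
                Name = "groups",
                FilterType = "REGEX",
                FilterValue = ".*",
            },
        },
    });

    // Look up the app's sign-on policy; the rule's PolicyId is derived from it.
    var testAppSignonPolicy = Okta.GetAppSignonPolicy.Invoke(new()
    {
        AppId = testSaml.Id,
    });

    // Five users and five groups, kept in lists so the rule can reference them by index.
    var testUser = new List<Okta.User.User>();
    for (var rangeIndex = 0; rangeIndex < 5; rangeIndex++)
    {
        var range = new { Value = rangeIndex };
        testUser.Add(new Okta.User.User($"testUser-{range.Value}", new()
        {
            FirstName = "TestAcc",
            LastName = "Smith",
            Login = $"testAcc_{range.Value}@example.com",
            Email = $"testAcc_{range.Value}@example.com",
        }));
    }

    var @this = new List<Okta.Group.Group>();
    for (var rangeIndex = 0; rangeIndex < 5; rangeIndex++)
    {
        var range = new { Value = rangeIndex };
        @this.Add(new Okta.Group.Group($"this-{range.Value}", new()
        {
            Description = $"testAcc_{range.Value}",
        }));
    }

    var testUserType = new Okta.User.UserType("testUserType", new()
    {
        DisplayName = "Terraform Acceptance Test User Type Updated",
        Description = "Terraform Acceptance Test User Type Updated",
    });

    // IP network zone referenced by NetworkIncludes (NetworkConnection = "ZONE").
    var testZone = new Okta.Network.Zone("testZone", new()
    {
        Type = "IP",
        Gateways = new[]
        {
            "1.2.3.4/24",
            "2.3.4.5-2.3.4.15",
        },
        Proxies = new[]
        {
            "2.2.3.4/24",
            "3.3.4.5-3.3.4.15",
        },
    });

    // Built-in "user" type; its ID goes into UserTypesIncludeds.
    var @default = Okta.User.GetUserType.Invoke(new()
    {
        Name = "user",
    });

    var testDeviceAssuranceAndroid = new Okta.Policy.DeviceAssuranceAndroid("testDeviceAssuranceAndroid", new()
    {
        OsVersion = "12",
        Jailbreak = false,
    });

    var testAppSignonPolicyRule = new Okta.AppSignonPolicyRule("testAppSignonPolicyRule", new()
    {
        PolicyId = testAppSignonPolicy.Apply(getAppSignonPolicyResult => getAppSignonPolicyResult.Id),
        Access = "ALLOW",
        CustomExpression = "user.status == \"ACTIVE\"",
        DeviceIsManaged = false,
        DeviceIsRegistered = true,
        FactorMode = "2FA",
        GroupsExcludeds = new[]
        {
            @this[2].Id,
            @this[3].Id,
            @this[4].Id,
        },
        GroupsIncludeds = new[]
        {
            @this[0].Id,
            @this[1].Id,
        },
        DeviceAssurancesIncludeds = new[]
        {
            testDeviceAssuranceAndroid.Id,
        },
        NetworkConnection = "ZONE",
        NetworkIncludes = new[]
        {
            testZone.Id,
        },
        PlatformIncludes = new[]
        {
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "ANDROID",
                Type = "MOBILE",
            },
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "IOS",
                Type = "MOBILE",
            },
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "MACOS",
                Type = "DESKTOP",
            },
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "OTHER",
                Type = "DESKTOP",
            },
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "OTHER",
                Type = "MOBILE",
            },
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "WINDOWS",
                Type = "DESKTOP",
            },
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "CHROMEOS",
                Type = "DESKTOP",
            },
        },
        Priority = 98,
        ReAuthenticationFrequency = "PT43800H",
        Type = "ASSURANCE",
        UserTypesExcludeds = new[]
        {
            testUserType.Id,
        },
        UserTypesIncludeds = new[]
        {
            // @default is Output<GetUserTypeResult>; a single Apply yields the Output<string> ID.
            // (The previous nested Apply called .Apply on the plain result object.)
            @default.Apply(getUserTypeResult => getUserTypeResult.Id),
        },
        UsersExcludeds = new[]
        {
            testUser[2].Id,
            testUser[3].Id,
            testUser[4].Id,
        },
        UsersIncludeds = new[]
        {
            testUser[0].Id,
            testUser[1].Id,
        },
        // Each constraint is a JSON-encoded authenticator-constraint object.
        Constraints = new[]
        {
            JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["knowledge"] = new Dictionary<string, object?>
                {
                    ["reauthenticateIn"] = "PT2H",
                    ["types"] = new[]
                    {
                        "password",
                    },
                },
                ["possession"] = new Dictionary<string, object?>
                {
                    ["deviceBound"] = "REQUIRED",
                },
            }),
            JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["possession"] = new Dictionary<string, object?>
                {
                    ["deviceBound"] = "REQUIRED",
                    ["hardwareProtection"] = "REQUIRED",
                    ["userPresence"] = "OPTIONAL",
                },
            }),
        },
    });
});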
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.app.Saml;
import com.pulumi.okta.app.SamlArgs;
import com.pulumi.okta.app.inputs.SamlAttributeStatementArgs;
import com.pulumi.okta.OktaFunctions;
import com.pulumi.okta.inputs.GetAppSignonPolicyArgs;
import com.pulumi.okta.user.User;
import com.pulumi.okta.user.UserArgs;
import com.pulumi.okta.group.Group;
import com.pulumi.okta.group.GroupArgs;
import com.pulumi.okta.user.UserType;
import com.pulumi.okta.user.UserTypeArgs;
import com.pulumi.okta.network.Zone;
import com.pulumi.okta.network.ZoneArgs;
import com.pulumi.okta.user.UserFunctions;
import com.pulumi.okta.user.inputs.GetUserTypeArgs;
import com.pulumi.okta.policy.DeviceAssuranceAndroid;
import com.pulumi.okta.policy.DeviceAssuranceAndroidArgs;
import com.pulumi.okta.AppSignonPolicyRule;
import com.pulumi.okta.AppSignonPolicyRuleArgs;
import com.pulumi.okta.inputs.AppSignonPolicyRulePlatformIncludeArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import com.pulumi.codegen.internal.KeyedValue;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
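public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the example stack: a SAML app, five users, five groups, a user type,
     * an IP network zone and an Android device-assurance policy, then an
     * ASSURANCE sign-on policy rule on the app's sign-on policy that references
     * all of them.
     */
    public static void stack(Context ctx) {
        // SAML app whose sign-on policy the rule at the bottom is attached to.
        var testSaml = new Saml("testSaml", SamlArgs.builder()
            .label("testAcc_replace_with_uuid")
            .ssoUrl("https://google.com")
            .recipient("https://here.com")
            .destination("https://its-about-the-journey.com")
            .audience("https://audience.com")
            .subjectNameIdTemplate("${user.userName}")
            .subjectNameIdFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
            .responseSigned(true)
            .signatureAlgorithm("RSA_SHA256")
            .digestAlgorithm("SHA256")
            .honorForceAuthn(false)
            .authnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
            .singleLogoutIssuer("https://dunshire.okta.com")
            .singleLogoutUrl("https://dunshire.okta.com/logout")
            .singleLogoutCertificate("""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""")
            .attributeStatements(SamlAttributeStatementArgs.builder()
                .type("GROUP")
                .name("groups")
                .filterType("REGEX")
                .filterValue(".*")
                .build())
            .build());

        // Look up the app's sign-on policy; the rule's policyId is derived from it.
        final var testAppSignonPolicy = OktaFunctions.getAppSignonPolicy(GetAppSignonPolicyArgs.builder()
            .appId(testSaml.id())
            .build());

        // Keep the created users and groups in lists so the rule can reference them by index
        // (the loop variable i replaces the undefined range.value()).
        List<User> testUser = new ArrayList<>();
        for (var i = 0; i < 5; i++) {
            testUser.add(new User("testUser-" + i, UserArgs.builder()
                .firstName("TestAcc")
                .lastName("Smith")
                .login(String.format("testAcc_%s@example.com", i))
                .email(String.format("testAcc_%s@example.com", i))
                .build()));
        }

        List<Group> testGroup = new ArrayList<>();
        for (var i = 0; i < 5; i++) {
            testGroup.add(new Group("this-" + i, GroupArgs.builder()
                .description(String.format("testAcc_%s", i))
                .build()));
        }

        var testUserType = new UserType("testUserType", UserTypeArgs.builder()
            .displayName("Terraform Acceptance Test User Type Updated")
            .description("Terraform Acceptance Test User Type Updated")
            .build());

        // IP network zone referenced by networkIncludes (networkConnection = "ZONE").
        var testZone = new Zone("testZone", ZoneArgs.builder()
            .type("IP")
            .gateways(
                "1.2.3.4/24",
                "2.3.4.5-2.3.4.15")
            .proxies(
                "2.2.3.4/24",
                "3.3.4.5-3.3.4.15")
            .build());

        // "default" is a Java keyword and cannot be used as a variable name.
        final var defaultUserType = UserFunctions.getUserType(GetUserTypeArgs.builder()
            .name("user")
            .build());

        var testDeviceAssuranceAndroid = new DeviceAssuranceAndroid("testDeviceAssuranceAndroid", DeviceAssuranceAndroidArgs.builder()
            .osVersion("12")
            .jailbreak(false)
            .build());

        var testAppSignonPolicyRule = new AppSignonPolicyRule("testAppSignonPolicyRule", AppSignonPolicyRuleArgs.builder()
            .policyId(testAppSignonPolicy.applyValue(getAppSignonPolicyResult -> getAppSignonPolicyResult.id()))
            .access("ALLOW")
            .customExpression("user.status == \"ACTIVE\"")
            .deviceIsManaged(false)
            .deviceIsRegistered(true)
            .factorMode("2FA")
            // Resource ids are Output<String>; Output.all folds them into one
            // Output<List<String>> for the list-valued setters.
            .groupsExcludeds(Output.all(
                testGroup.get(2).id(),
                testGroup.get(3).id(),
                testGroup.get(4).id()))
            .groupsIncludeds(Output.all(
                testGroup.get(0).id(),
                testGroup.get(1).id()))
            .deviceAssurancesIncludeds(Output.all(testDeviceAssuranceAndroid.id()))
            .networkConnection("ZONE")
            .networkIncludes(Output.all(testZone.id()))
            .platformIncludes(
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("ANDROID")
                    .type("MOBILE")
                    .build(),
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("IOS")
                    .type("MOBILE")
                    .build(),
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("MACOS")
                    .type("DESKTOP")
                    .build(),
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("OTHER")
                    .type("DESKTOP")
                    .build(),
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("OTHER")
                    .type("MOBILE")
                    .build(),
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("WINDOWS")
                    .type("DESKTOP")
                    .build(),
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("CHROMEOS")
                    .type("DESKTOP")
                    .build())
            .priority(98)
            .reAuthenticationFrequency("PT43800H")
            .type("ASSURANCE")
            .userTypesExcludeds(Output.all(testUserType.id()))
            .userTypesIncludeds(defaultUserType.applyValue(getUserTypeResult -> List.of(getUserTypeResult.id())))
            .usersExcludeds(Output.all(
                testUser.get(2).id(),
                testUser.get(3).id(),
                testUser.get(4).id()))
            .usersIncludeds(Output.all(
                testUser.get(0).id(),
                testUser.get(1).id()))
            // Each constraint is a JSON-encoded authenticator-constraint object.
            .constraints(
                serializeJson(
                    jsonObject(
                        jsonProperty("knowledge", jsonObject(
                            jsonProperty("reauthenticateIn", "PT2H"),
                            jsonProperty("types", jsonArray("password"))
                        )),
                        jsonProperty("possession", jsonObject(
                            jsonProperty("deviceBound", "REQUIRED")
                        ))
                    )),
                serializeJson(
                    jsonObject(
                        jsonProperty("possession", jsonObject(
                            jsonProperty("deviceBound", "REQUIRED"),
                            jsonProperty("hardwareProtection", "REQUIRED"),
                            jsonProperty("userPresence", "OPTIONAL")
                        ))
                    )))
            .build());
    }
}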
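resources:
  # SAML app whose sign-on policy the rule below is attached to.
  testSaml:
    type: okta:app:Saml
    properties:
      label: testAcc_replace_with_uuid
      ssoUrl: https://google.com
      recipient: https://here.com
      destination: https://its-about-the-journey.com
      audience: https://audience.com
      subjectNameIdTemplate: ${user.userName}
      subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      responseSigned: true
      signatureAlgorithm: RSA_SHA256
      digestAlgorithm: SHA256
      honorForceAuthn: false
      authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      singleLogoutIssuer: https://dunshire.okta.com
      singleLogoutUrl: https://dunshire.okta.com/logout
      singleLogoutCertificate: "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\nBAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG\r\nA1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4\r\nYW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT\r\nMQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ\r\nbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl\r\nbWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa\r\nPyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu\r\nO/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu\r\n2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c\r\nfCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi\r\nVff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd\r\nCJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf\r\nsgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt\r\nieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ\r\nDAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ\r\nKoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3\r\nwLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG\r\nt/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E\r\nP72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij\r\nltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h\r\nhfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5\r\nwbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy\r\nDaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL\r\nJtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt\r\nzOYQQatrnBagM7MI2/T4\r\n"
      attributeStatements:
        - type: GROUP
          name: groups
          filterType: REGEX
          filterValue: .*
  # Five users; ${range.value} runs 0..4 and the rule references them by index
  # (${testUser[0].id} ...). Without "range: 5" there is a single instance and
  # the indexed references below cannot resolve.
  testUser:
    type: okta:user:User
    properties:
      firstName: TestAcc
      lastName: Smith
      login: testAcc_${range.value}@example.com
      email: testAcc_${range.value}@example.com
    options:
      range: 5
  # Five groups, referenced by index from groupsIncludeds / groupsExcludeds.
  this:
    type: okta:group:Group
    properties:
      description: testAcc_${range.value}
    options:
      range: 5
  testUserType:
    type: okta:user:UserType
    properties:
      displayName: Terraform Acceptance Test User Type Updated
      description: Terraform Acceptance Test User Type Updated
  # IP network zone referenced by networkIncludes (networkConnection: ZONE).
  testZone:
    type: okta:network:Zone
    properties:
      type: IP
      gateways:
        - 1.2.3.4/24
        - 2.3.4.5-2.3.4.15
      proxies:
        - 2.2.3.4/24
        - 3.3.4.5-3.3.4.15
  testDeviceAssuranceAndroid:
    type: okta:policy:DeviceAssuranceAndroid
    properties:
      osVersion: '12'
      jailbreak: false
  testAppSignonPolicyRule:
    type: okta:AppSignonPolicyRule
    properties:
      policyId: ${testAppSignonPolicy.id}
      access: ALLOW
      customExpression: user.status == "ACTIVE"
      deviceIsManaged: false
      deviceIsRegistered: true
      factorMode: 2FA
      groupsExcludeds:
        - ${this[2].id}
        - ${this[3].id}
        - ${this[4].id}
      groupsIncludeds:
        - ${this[0].id}
        - ${this[1].id}
      deviceAssurancesIncludeds:
        - ${testDeviceAssuranceAndroid.id}
      networkConnection: ZONE
      networkIncludes:
        - ${testZone.id}
      platformIncludes:
        - osType: ANDROID
          type: MOBILE
        - osType: IOS
          type: MOBILE
        - osType: MACOS
          type: DESKTOP
        - osType: OTHER
          type: DESKTOP
        - osType: OTHER
          type: MOBILE
        - osType: WINDOWS
          type: DESKTOP
        - osType: CHROMEOS
          type: DESKTOP
      priority: 98
      reAuthenticationFrequency: PT43800H
      type: ASSURANCE
      userTypesExcludeds:
        - ${testUserType.id}
      userTypesIncludeds:
        - ${default.id}
      usersExcludeds:
        - ${testUser[2].id}
        - ${testUser[3].id}
        - ${testUser[4].id}
      usersIncludeds:
        - ${testUser[0].id}
        - ${testUser[1].id}
      # Each constraint is a JSON-encoded authenticator-constraint object.
      constraints:
        - fn::toJSON:
            knowledge:
              reauthenticateIn: PT2H
              types:
                - password
            possession:
              deviceBound: REQUIRED
        - fn::toJSON:
            possession:
              deviceBound: REQUIRED
              hardwareProtection: REQUIRED
              userPresence: OPTIONAL
variables:
  # The app's own sign-on policy; its id feeds policyId above.
  testAppSignonPolicy:
    fn::invoke:
      Function: okta:getAppSignonPolicy
      Arguments:
        appId: ${testSaml.id}
  # Built-in "user" type; its id feeds userTypesIncludeds above.
  default:
    fn::invoke:
      Function: okta:user:getUserType
      Arguments:
        name: user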
Create AppSignonPolicyRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AppSignonPolicyRule(name: string, args: AppSignonPolicyRuleArgs, opts?: CustomResourceOptions);
@overload
def AppSignonPolicyRule(resource_name: str,
args: AppSignonPolicyRuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def AppSignonPolicyRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
policy_id: Optional[str] = None,
network_excludes: Optional[Sequence[str]] = None,
user_types_includeds: Optional[Sequence[str]] = None,
device_assurances_includeds: Optional[Sequence[str]] = None,
device_is_managed: Optional[bool] = None,
device_is_registered: Optional[bool] = None,
factor_mode: Optional[str] = None,
groups_excludeds: Optional[Sequence[str]] = None,
groups_includeds: Optional[Sequence[str]] = None,
inactivity_period: Optional[str] = None,
name: Optional[str] = None,
users_includeds: Optional[Sequence[str]] = None,
custom_expression: Optional[str] = None,
constraints: Optional[Sequence[str]] = None,
platform_includes: Optional[Sequence[AppSignonPolicyRulePlatformIncludeArgs]] = None,
network_includes: Optional[Sequence[str]] = None,
priority: Optional[int] = None,
re_authentication_frequency: Optional[str] = None,
risk_score: Optional[str] = None,
status: Optional[str] = None,
type: Optional[str] = None,
user_types_excludeds: Optional[Sequence[str]] = None,
access: Optional[str] = None,
users_excludeds: Optional[Sequence[str]] = None,
network_connection: Optional[str] = None)
func NewAppSignonPolicyRule(ctx *Context, name string, args AppSignonPolicyRuleArgs, opts ...ResourceOption) (*AppSignonPolicyRule, error)
public AppSignonPolicyRule(string name, AppSignonPolicyRuleArgs args, CustomResourceOptions? opts = null)
public AppSignonPolicyRule(String name, AppSignonPolicyRuleArgs args)
public AppSignonPolicyRule(String name, AppSignonPolicyRuleArgs args, CustomResourceOptions options)
type: okta:AppSignonPolicyRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AppSignonPolicyRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AppSignonPolicyRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AppSignonPolicyRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AppSignonPolicyRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AppSignonPolicyRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Example
The following reference example uses placeholder values for all input properties.
var appSignonPolicyRuleResource = new Okta.AppSignonPolicyRule("appSignonPolicyRuleResource", new()
{
PolicyId = "string",
NetworkExcludes = new[]
{
"string",
},
UserTypesIncludeds = new[]
{
"string",
},
DeviceAssurancesIncludeds = new[]
{
"string",
},
DeviceIsManaged = false,
DeviceIsRegistered = false,
FactorMode = "string",
GroupsExcludeds = new[]
{
"string",
},
GroupsIncludeds = new[]
{
"string",
},
InactivityPeriod = "string",
Name = "string",
UsersIncludeds = new[]
{
"string",
},
CustomExpression = "string",
Constraints = new[]
{
"string",
},
PlatformIncludes = new[]
{
new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
{
OsExpression = "string",
OsType = "string",
Type = "string",
},
},
NetworkIncludes = new[]
{
"string",
},
Priority = 0,
ReAuthenticationFrequency = "string",
RiskScore = "string",
Status = "string",
Type = "string",
UserTypesExcludeds = new[]
{
"string",
},
Access = "string",
UsersExcludeds = new[]
{
"string",
},
NetworkConnection = "string",
});
// Reference shape only: every value below is a placeholder, not a working
// configuration. PolicyId is the ID of the app sign-on policy the rule belongs
// to; the *Includeds / *Excludeds lists hold Okta object IDs; each Constraints
// element is a JSON-encoded authenticator-constraint object. err is left
// unchecked here; a real program must handle it.
example, err := okta.NewAppSignonPolicyRule(ctx, "appSignonPolicyRuleResource", &okta.AppSignonPolicyRuleArgs{
PolicyId: pulumi.String("string"),
NetworkExcludes: pulumi.StringArray{
pulumi.String("string"),
},
UserTypesIncludeds: pulumi.StringArray{
pulumi.String("string"),
},
DeviceAssurancesIncludeds: pulumi.StringArray{
pulumi.String("string"),
},
DeviceIsManaged: pulumi.Bool(false),
DeviceIsRegistered: pulumi.Bool(false),
FactorMode: pulumi.String("string"),
GroupsExcludeds: pulumi.StringArray{
pulumi.String("string"),
},
GroupsIncludeds: pulumi.StringArray{
pulumi.String("string"),
},
InactivityPeriod: pulumi.String("string"),
Name: pulumi.String("string"),
UsersIncludeds: pulumi.StringArray{
pulumi.String("string"),
},
CustomExpression: pulumi.String("string"),
// Each element is a JSON document, not a plain string.
Constraints: pulumi.StringArray{
pulumi.String("string"),
},
PlatformIncludes: okta.AppSignonPolicyRulePlatformIncludeArray{
&okta.AppSignonPolicyRulePlatformIncludeArgs{
OsExpression: pulumi.String("string"),
OsType: pulumi.String("string"),
Type: pulumi.String("string"),
},
},
NetworkIncludes: pulumi.StringArray{
pulumi.String("string"),
},
Priority: pulumi.Int(0),
ReAuthenticationFrequency: pulumi.String("string"),
RiskScore: pulumi.String("string"),
Status: pulumi.String("string"),
Type: pulumi.String("string"),
UserTypesExcludeds: pulumi.StringArray{
pulumi.String("string"),
},
Access: pulumi.String("string"),
UsersExcludeds: pulumi.StringArray{
pulumi.String("string"),
},
NetworkConnection: pulumi.String("string"),
})
var appSignonPolicyRuleResource = new AppSignonPolicyRule("appSignonPolicyRuleResource", AppSignonPolicyRuleArgs.builder()
.policyId("string")
.networkExcludes("string")
.userTypesIncludeds("string")
.deviceAssurancesIncludeds("string")
.deviceIsManaged(false)
.deviceIsRegistered(false)
.factorMode("string")
.groupsExcludeds("string")
.groupsIncludeds("string")
.inactivityPeriod("string")
.name("string")
.usersIncludeds("string")
.customExpression("string")
.constraints("string")
.platformIncludes(AppSignonPolicyRulePlatformIncludeArgs.builder()
.osExpression("string")
.osType("string")
.type("string")
.build())
.networkIncludes("string")
.priority(0)
.reAuthenticationFrequency("string")
.riskScore("string")
.status("string")
.type("string")
.userTypesExcludeds("string")
.access("string")
.usersExcludeds("string")
.networkConnection("string")
.build());
app_signon_policy_rule_resource = okta.AppSignonPolicyRule("appSignonPolicyRuleResource",
policy_id="string",
network_excludes=["string"],
user_types_includeds=["string"],
device_assurances_includeds=["string"],
device_is_managed=False,
device_is_registered=False,
factor_mode="string",
groups_excludeds=["string"],
groups_includeds=["string"],
inactivity_period="string",
name="string",
users_includeds=["string"],
custom_expression="string",
constraints=["string"],
platform_includes=[okta.AppSignonPolicyRulePlatformIncludeArgs(
os_expression="string",
os_type="string",
type="string",
)],
network_includes=["string"],
priority=0,
re_authentication_frequency="string",
risk_score="string",
status="string",
type="string",
user_types_excludeds=["string"],
access="string",
users_excludeds=["string"],
network_connection="string")
const appSignonPolicyRuleResource = new okta.AppSignonPolicyRule("appSignonPolicyRuleResource", {
policyId: "string",
networkExcludes: ["string"],
userTypesIncludeds: ["string"],
deviceAssurancesIncludeds: ["string"],
deviceIsManaged: false,
deviceIsRegistered: false,
factorMode: "string",
groupsExcludeds: ["string"],
groupsIncludeds: ["string"],
inactivityPeriod: "string",
name: "string",
usersIncludeds: ["string"],
customExpression: "string",
constraints: ["string"],
platformIncludes: [{
osExpression: "string",
osType: "string",
type: "string",
}],
networkIncludes: ["string"],
priority: 0,
reAuthenticationFrequency: "string",
riskScore: "string",
status: "string",
type: "string",
userTypesExcludeds: ["string"],
access: "string",
usersExcludeds: ["string"],
networkConnection: "string",
});
type: okta:AppSignonPolicyRule
properties:
access: string
constraints:
- string
customExpression: string
deviceAssurancesIncludeds:
- string
deviceIsManaged: false
deviceIsRegistered: false
factorMode: string
groupsExcludeds:
- string
groupsIncludeds:
- string
inactivityPeriod: string
name: string
networkConnection: string
networkExcludes:
- string
networkIncludes:
- string
platformIncludes:
- osExpression: string
osType: string
type: string
policyId: string
priority: 0
reAuthenticationFrequency: string
riskScore: string
status: string
type: string
userTypesExcludeds:
- string
userTypesIncludeds:
- string
usersExcludeds:
- string
usersIncludeds:
- string
AppSignonPolicyRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The AppSignonPolicyRule resource accepts the following input properties:
- PolicyId string
- ID of the app sign-on policy.
- Access string
- Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
- Constraints List<string>
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- Custom
Expression string - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- Device
Assurances List<string>Includeds - List of device assurances IDs to be included.
- DeviceIsManaged bool
- If the device is managed. A device is managed if it's managed by a device management system. When managed is passed, device_is_registered must also be included and must be set to true.
- DeviceIsRegistered bool
- If the device is registered. A device is registered if the user enrolls with Okta Verify that is installed on the device. Can only be set to true.
- FactorMode string
- The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
- Groups
Excludeds List<string> - List of groups IDs to be excluded.
- Groups
Includeds List<string> - List of groups IDs to be included.
- InactivityPeriod string
- The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
- Name string
- Name of the policy rule.
- NetworkConnection string
- Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
- NetworkExcludes List<string>
- List of network zone IDs to exclude. Conflicts with network_includes.
- NetworkIncludes List<string>
- List of network zone IDs to include. Conflicts with network_excludes.
- Platform
Includes List<AppSignon Policy Rule Platform Include> - List of particular platforms or devices to match on.
- Priority int
- Priority of the rule.
- ReAuthenticationFrequency string
- The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
- RiskScore string
- The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
- Status string
- Status of the rule.
- Type string
- The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
- User
Types List<string>Excludeds - List of user types IDs to be excluded.
- User
Types List<string>Includeds - List of user types IDs to be included.
- Users
Excludeds List<string> - List of users IDs to be excluded.
- Users
Includeds List<string> - List of users IDs to be included.
- Policy
Id string - ID of the app sign-on policy.
- Access string
- Allow or deny access based on the rule conditions. It can be set to
"ALLOW"
or"DENY"
. Default is"ALLOW"
. - Constraints []string
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- Custom
Expression string - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- Device
Assurances []stringIncludeds - List of device assurances IDs to be included.
- Device
Is boolManaged - If the device is managed. A device is managed if it's managed by a device management
system. When managed is passed,
device_is_registered
must also be included and must be set totrue
. - Device
Is boolRegistered - If the device is registered. A device is registered if the User enrolls with Okta
Verify that is installed on the device. Can only be set to
true
. - Factor
Mode string - The number of factors required to satisfy this assurance level. It can be set to
"1FA"
or"2FA"
. Default is"2FA"
. - Groups
Excludeds []string - List of groups IDs to be excluded.
- Groups
Includeds []string - List of groups IDs to be included.
- Inactivity
Period string - The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is
"PT1H"
. - Name string
- Name of the policy rule.
- Network
Connection string - Network selection mode:
"ANYWHERE"
,"ZONE"
,"ON_NETWORK"
, or"OFF_NETWORK"
. - Network
Excludes []string - List of network zones IDs to exclude. Conflicts with
network_includes
. - Network
Includes []string - List of network zones IDs to include. Conflicts with
network_excludes
. - Platform
Includes []AppSignon Policy Rule Platform Include Args - List of particular platforms or devices to match on.
- Priority int
- Priority of the rule.
- Re
Authentication stringFrequency - The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals.
"PT0S"
- every sign-in attempt,"PT43800H"
- once per session. Default is"PT2H"
. - Risk
Score string - The risk score specifies a particular level of risk to match on. Valid values are:
"ANY"
,"LOW"
,"MEDIUM"
,"HIGH"
. Default is"ANY"
. - Status string
- Status of the rule
- Type string
- The Verification Method type. It can be set to
"ASSURANCE"
. Default is"ASSURANCE"
. - User
Types []stringExcludeds - List of user types IDs to be excluded.
- User
Types []stringIncludeds - List of user types IDs to be included.
- Users
Excludeds []string - List of users IDs to be excluded.
- Users
Includeds []string - List of users IDs to be included.
- policy
Id String - ID of the app sign-on policy.
- access String
- Allow or deny access based on the rule conditions. It can be set to
"ALLOW"
or"DENY"
. Default is"ALLOW"
. - constraints List<String>
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- custom
Expression String - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- device
Assurances List<String>Includeds - List of device assurances IDs to be included.
- device
Is BooleanManaged - If the device is managed. A device is managed if it's managed by a device management
system. When managed is passed,
device_is_registered
must also be included and must be set totrue
. - device
Is BooleanRegistered - If the device is registered. A device is registered if the User enrolls with Okta
Verify that is installed on the device. Can only be set to
true
. - factor
Mode String - The number of factors required to satisfy this assurance level. It can be set to
"1FA"
or"2FA"
. Default is"2FA"
. - groups
Excludeds List<String> - List of groups IDs to be excluded.
- groups
Includeds List<String> - List of groups IDs to be included.
- inactivity
Period String - The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is
"PT1H"
. - name String
- Name of the policy rule.
- network
Connection String - Network selection mode:
"ANYWHERE"
,"ZONE"
,"ON_NETWORK"
, or"OFF_NETWORK"
. - network
Excludes List<String> - List of network zones IDs to exclude. Conflicts with
network_includes
. - network
Includes List<String> - List of network zones IDs to include. Conflicts with
network_excludes
. - platform
Includes List<AppSignon Policy Rule Platform Include> - List of particular platforms or devices to match on.
- priority Integer
- Priority of the rule.
- re
Authentication StringFrequency - The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals.
"PT0S"
- every sign-in attempt,"PT43800H"
- once per session. Default is"PT2H"
. - risk
Score String - The risk score specifies a particular level of risk to match on. Valid values are:
"ANY"
,"LOW"
,"MEDIUM"
,"HIGH"
. Default is"ANY"
. - status String
- Status of the rule
- type String
- The Verification Method type. It can be set to
"ASSURANCE"
. Default is"ASSURANCE"
. - user
Types List<String>Excludeds - List of user types IDs to be excluded.
- user
Types List<String>Includeds - List of user types IDs to be included.
- users
Excludeds List<String> - List of users IDs to be excluded.
- users
Includeds List<String> - List of users IDs to be included.
- policy
Id string - ID of the app sign-on policy.
- access string
- Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW". Because the default is the permissive value, set each rule's conditions (users, groups, network, device) and its priority relative to the policy's other rules deliberately rather than relying on the default
. - constraints string[]
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- custom
Expression string - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- device
Assurances string[]Includeds - List of device assurances IDs to be included.
- device
Is booleanManaged - If the device is managed. A device is managed if it's managed by a device management
system. When device_is_managed is set to true, device_is_registered must also be included and must be set to true
. - device
Is booleanRegistered - If the device is registered. A device is registered if the User enrolls with Okta
Verify that is installed on the device. Can only be set to
true
. - factor
Mode string - The number of factors required to satisfy this assurance level. It can be set to "1FA" (a single authenticator satisfies the rule) or "2FA". Default is "2FA"; lowering it to "1FA" weakens the assurance this rule enforces, so combine it with constraints or device conditions when it is used
. - groups
Excludeds string[] - List of groups IDs to be excluded.
- groups
Includeds string[] - List of groups IDs to be included.
- inactivity
Period string - The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 duration format (e.g. "PT1H"). Default is
"PT1H"
. - name string
- Name of the policy rule.
- network
Connection string - Network selection mode:
"ANYWHERE"
,"ZONE"
,"ON_NETWORK"
, or"OFF_NETWORK"
. - network
Excludes string[] - List of network zones IDs to exclude. Conflicts with
network_includes
. - network
Includes string[] - List of network zones IDs to include. Conflicts with
network_excludes
. - platform
Includes AppSignon Policy Rule Platform Include[] - List of particular platforms or devices to match on.
- priority number
- Priority of the rule.
- re
Authentication stringFrequency - The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 duration format. "PT0S" - every sign-in attempt; "PT43800H" (5 years) - effectively once per session, i.e. the user is not re-prompted for the life of the session, so pair it with a suitable inactivity_period if periodic re-authentication is required. Default is "PT2H"
. - risk
Score string - The risk score specifies a particular level of risk to match on. Valid values are:
"ANY"
,"LOW"
,"MEDIUM"
,"HIGH"
. Default is"ANY"
. - status string
- Status of the rule
- type string
- The Verification Method type. It can be set to
"ASSURANCE"
. Default is"ASSURANCE"
. - user
Types string[]Excludeds - List of user types IDs to be excluded.
- user
Types string[]Includeds - List of user types IDs to be included.
- users
Excludeds string[] - List of users IDs to be excluded.
- users
Includeds string[] - List of users IDs to be included.
- policy_
id str - ID of the app sign-on policy.
- access str
- Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW". Because the default is the permissive value, set each rule's conditions (users, groups, network, device) and its priority relative to the policy's other rules deliberately rather than relying on the default
. - constraints Sequence[str]
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- custom_
expression str - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- device_
assurances_ Sequence[str]includeds - List of device assurances IDs to be included.
- device_
is_ boolmanaged - If the device is managed. A device is managed if it's managed by a device management
system. When device_is_managed is set to true, device_is_registered must also be included and must be set to true
. - device_
is_ boolregistered - If the device is registered. A device is registered if the User enrolls with Okta
Verify that is installed on the device. Can only be set to
true
. - factor_
mode str - The number of factors required to satisfy this assurance level. It can be set to "1FA" (a single authenticator satisfies the rule) or "2FA". Default is "2FA"; lowering it to "1FA" weakens the assurance this rule enforces, so combine it with constraints or device conditions when it is used
. - groups_
excludeds Sequence[str] - List of groups IDs to be excluded.
- groups_
includeds Sequence[str] - List of groups IDs to be included.
- inactivity_
period str - The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 duration format (e.g. "PT1H"). Default is
"PT1H"
. - name str
- Name of the policy rule.
- network_
connection str - Network selection mode:
"ANYWHERE"
,"ZONE"
,"ON_NETWORK"
, or"OFF_NETWORK"
. - network_
excludes Sequence[str] - List of network zones IDs to exclude. Conflicts with
network_includes
. - network_
includes Sequence[str] - List of network zones IDs to include. Conflicts with
network_excludes
. - platform_
includes Sequence[AppSignon Policy Rule Platform Include Args] - List of particular platforms or devices to match on.
- priority int
- Priority of the rule.
- re_
authentication_ strfrequency - The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 duration format. "PT0S" - every sign-in attempt; "PT43800H" (5 years) - effectively once per session, i.e. the user is not re-prompted for the life of the session, so pair it with a suitable inactivity_period if periodic re-authentication is required. Default is "PT2H"
. - risk_
score str - The risk score specifies a particular level of risk to match on. Valid values are:
"ANY"
,"LOW"
,"MEDIUM"
,"HIGH"
. Default is"ANY"
. - status str
- Status of the rule
- type str
- The Verification Method type. It can be set to
"ASSURANCE"
. Default is"ASSURANCE"
. - user_
types_ Sequence[str]excludeds - List of user types IDs to be excluded.
- user_
types_ Sequence[str]includeds - List of user types IDs to be included.
- users_
excludeds Sequence[str] - List of users IDs to be excluded.
- users_
includeds Sequence[str] - List of users IDs to be included.
- policy
Id String - ID of the app sign-on policy.
- access String
- Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW". Because the default is the permissive value, set each rule's conditions (users, groups, network, device) and its priority relative to the policy's other rules deliberately rather than relying on the default
. - constraints List<String>
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- custom
Expression String - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- device
Assurances List<String>Includeds - List of device assurances IDs to be included.
- device
Is BooleanManaged - If the device is managed. A device is managed if it's managed by a device management
system. When device_is_managed is set to true, device_is_registered must also be included and must be set to true
. - device
Is BooleanRegistered - If the device is registered. A device is registered if the User enrolls with Okta
Verify that is installed on the device. Can only be set to
true
. - factor
Mode String - The number of factors required to satisfy this assurance level. It can be set to "1FA" (a single authenticator satisfies the rule) or "2FA". Default is "2FA"; lowering it to "1FA" weakens the assurance this rule enforces, so combine it with constraints or device conditions when it is used
. - groups
Excludeds List<String> - List of groups IDs to be excluded.
- groups
Includeds List<String> - List of groups IDs to be included.
- inactivity
Period String - The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 duration format (e.g. "PT1H"). Default is
"PT1H"
. - name String
- Name of the policy rule.
- network
Connection String - Network selection mode:
"ANYWHERE"
,"ZONE"
,"ON_NETWORK"
, or"OFF_NETWORK"
. - network
Excludes List<String> - List of network zones IDs to exclude. Conflicts with
network_includes
. - network
Includes List<String> - List of network zones IDs to include. Conflicts with
network_excludes
. - platform
Includes List<Property Map> - List of particular platforms or devices to match on.
- priority Number
- Priority of the rule.
- re
Authentication StringFrequency - The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 duration format. "PT0S" - every sign-in attempt; "PT43800H" (5 years) - effectively once per session, i.e. the user is not re-prompted for the life of the session, so pair it with a suitable inactivity_period if periodic re-authentication is required. Default is "PT2H"
. - risk
Score String - The risk score specifies a particular level of risk to match on. Valid values are:
"ANY"
,"LOW"
,"MEDIUM"
,"HIGH"
. Default is"ANY"
. - status String
- Status of the rule
- type String
- The Verification Method type. It can be set to
"ASSURANCE"
. Default is"ASSURANCE"
. - user
Types List<String>Excludeds - List of user types IDs to be excluded.
- user
Types List<String>Includeds - List of user types IDs to be included.
- users
Excludeds List<String> - List of users IDs to be excluded.
- users
Includeds List<String> - List of users IDs to be included.
Outputs
All input properties are implicitly available as output properties. Additionally, the AppSignonPolicyRule resource produces the following output properties:
Look up Existing AppSignonPolicyRule Resource
Get an existing AppSignonPolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AppSignonPolicyRuleState, opts?: CustomResourceOptions): AppSignonPolicyRule
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access: Optional[str] = None,
constraints: Optional[Sequence[str]] = None,
custom_expression: Optional[str] = None,
device_assurances_includeds: Optional[Sequence[str]] = None,
device_is_managed: Optional[bool] = None,
device_is_registered: Optional[bool] = None,
factor_mode: Optional[str] = None,
groups_excludeds: Optional[Sequence[str]] = None,
groups_includeds: Optional[Sequence[str]] = None,
inactivity_period: Optional[str] = None,
name: Optional[str] = None,
network_connection: Optional[str] = None,
network_excludes: Optional[Sequence[str]] = None,
network_includes: Optional[Sequence[str]] = None,
platform_includes: Optional[Sequence[AppSignonPolicyRulePlatformIncludeArgs]] = None,
policy_id: Optional[str] = None,
priority: Optional[int] = None,
re_authentication_frequency: Optional[str] = None,
risk_score: Optional[str] = None,
status: Optional[str] = None,
system: Optional[bool] = None,
type: Optional[str] = None,
user_types_excludeds: Optional[Sequence[str]] = None,
user_types_includeds: Optional[Sequence[str]] = None,
users_excludeds: Optional[Sequence[str]] = None,
users_includeds: Optional[Sequence[str]] = None) -> AppSignonPolicyRule
func GetAppSignonPolicyRule(ctx *Context, name string, id IDInput, state *AppSignonPolicyRuleState, opts ...ResourceOption) (*AppSignonPolicyRule, error)
public static AppSignonPolicyRule Get(string name, Input<string> id, AppSignonPolicyRuleState? state, CustomResourceOptions? opts = null)
public static AppSignonPolicyRule get(String name, Output<String> id, AppSignonPolicyRuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access string
- Allow or deny access based on the rule conditions. It can be set to
"ALLOW"
or"DENY"
. Default is"ALLOW"
. - Constraints List<string>
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- Custom
Expression string - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- Device
Assurances List<string>Includeds - List of device assurances IDs to be included.
- Device
Is boolManaged - If the device is managed. A device is managed if it's managed by a device management
system. When device_is_managed is set to true, device_is_registered must also be included and must be set to true
. - Device
Is boolRegistered - If the device is registered. A device is registered if the User enrolls with Okta
Verify that is installed on the device. Can only be set to
true
. - Factor
Mode string - The number of factors required to satisfy this assurance level. It can be set to
"1FA"
or"2FA"
. Default is"2FA"
. - Groups
Excludeds List<string> - List of groups IDs to be excluded.
- Groups
Includeds List<string> - List of groups IDs to be included.
- Inactivity
Period string - The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is
"PT1H"
. - Name string
- Name of the policy rule.
- Network
Connection string - Network selection mode:
"ANYWHERE"
,"ZONE"
,"ON_NETWORK"
, or"OFF_NETWORK"
. - Network
Excludes List<string> - List of network zones IDs to exclude. Conflicts with
network_includes
. - Network
Includes List<string> - List of network zones IDs to include. Conflicts with
network_excludes
. - Platform
Includes List<AppSignon Policy Rule Platform Include> - List of particular platforms or devices to match on.
- Policy
Id string - ID of the app sign-on policy.
- Priority int
- Priority of the rule.
- Re
Authentication stringFrequency - The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals.
"PT0S"
- every sign-in attempt,"PT43800H"
- once per session. Default is"PT2H"
. - Risk
Score string - The risk score specifies a particular level of risk to match on. Valid values are:
"ANY"
,"LOW"
,"MEDIUM"
,"HIGH"
. Default is"ANY"
. - Status string
- Status of the rule
- System bool
- True when this rule is the system (default) rule for its associated policy — typically the "Catch-all Rule".
- Type string
- The Verification Method type. It can be set to
"ASSURANCE"
. Default is"ASSURANCE"
. - User
Types List<string>Excludeds - List of user types IDs to be excluded.
- User
Types List<string>Includeds - List of user types IDs to be included.
- Users
Excludeds List<string> - List of users IDs to be excluded.
- Users
Includeds List<string> - List of users IDs to be included.
- Access string
- Allow or deny access based on the rule conditions. It can be set to
"ALLOW"
or"DENY"
. Default is"ALLOW"
. - Constraints []string
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- Custom
Expression string - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- Device
Assurances []stringIncludeds - List of device assurances IDs to be included.
- Device
Is boolManaged - If the device is managed. A device is managed if it's managed by a device management
system. When device_is_managed is set to true, device_is_registered must also be included and must be set to true
. - Device
Is boolRegistered - If the device is registered. A device is registered if the User enrolls with Okta
Verify that is installed on the device. Can only be set to
true
. - Factor
Mode string - The number of factors required to satisfy this assurance level. It can be set to
"1FA"
or"2FA"
. Default is"2FA"
. - Groups
Excludeds []string - List of groups IDs to be excluded.
- Groups
Includeds []string - List of groups IDs to be included.
- Inactivity
Period string - The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is
"PT1H"
. - Name string
- Name of the policy rule.
- Network
Connection string - Network selection mode:
"ANYWHERE"
,"ZONE"
,"ON_NETWORK"
, or"OFF_NETWORK"
. - Network
Excludes []string - List of network zones IDs to exclude. Conflicts with
network_includes
. - Network
Includes []string - List of network zones IDs to include. Conflicts with
network_excludes
. - Platform
Includes []AppSignon Policy Rule Platform Include Args - List of particular platforms or devices to match on.
- Policy
Id string - ID of the app sign-on policy.
- Priority int
- Priority of the rule.
- Re
Authentication stringFrequency - The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals.
"PT0S"
- every sign-in attempt,"PT43800H"
- once per session. Default is"PT2H"
. - Risk
Score string - The risk score specifies a particular level of risk to match on. Valid values are:
"ANY"
,"LOW"
,"MEDIUM"
,"HIGH"
. Default is"ANY"
. - Status string
- Status of the rule
- System bool
- True when this rule is the system (default) rule for its associated policy — typically the "Catch-all Rule".
- Type string
- The Verification Method type. It can be set to
"ASSURANCE"
. Default is"ASSURANCE"
. - User
Types []stringExcludeds - List of user types IDs to be excluded.
- User
Types []stringIncludeds - List of user types IDs to be included.
- Users
Excludeds []string - List of users IDs to be excluded.
- Users
Includeds []string - List of users IDs to be included.
- access String
- Allow or deny access based on the rule conditions. It can be set to
"ALLOW"
or"DENY"
. Default is"ALLOW"
. - constraints List<String>
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- custom
Expression String - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- device
Assurances List<String>Includeds - List of device assurances IDs to be included.
- device
Is BooleanManaged - If the device is managed. A device is managed if it's managed by a device management
system. When device_is_managed is set to true, device_is_registered must also be included and must be set to true
. - device
Is BooleanRegistered - If the device is registered. A device is registered if the User enrolls with Okta
Verify that is installed on the device. Can only be set to
true
. - factor
Mode String - The number of factors required to satisfy this assurance level. It can be set to
"1FA"
or"2FA"
. Default is"2FA"
. - groups
Excludeds List<String> - List of groups IDs to be excluded.
- groups
Includeds List<String> - List of groups IDs to be included.
- inactivity
Period String - The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is
"PT1H"
. - name String
- Name of the policy rule.
- network
Connection String - Network selection mode:
"ANYWHERE"
,"ZONE"
,"ON_NETWORK"
, or"OFF_NETWORK"
. - network
Excludes List<String> - List of network zones IDs to exclude. Conflicts with
network_includes
. - network
Includes List<String> - List of network zones IDs to include. Conflicts with
network_excludes
. - platform
Includes List<AppSignon Policy Rule Platform Include> - List of particular platforms or devices to match on.
- policy
Id String - ID of the app sign-on policy.
- priority Integer
- Priority of the rule.
- re
Authentication StringFrequency - The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals.
"PT0S"
- every sign-in attempt,"PT43800H"
- once per session. Default is"PT2H"
. - risk
Score String - The risk score specifies a particular level of risk to match on. Valid values are:
"ANY"
,"LOW"
,"MEDIUM"
,"HIGH"
. Default is"ANY"
. - status String
- Status of the rule
- system Boolean
- True when this rule is the system (default) rule for its associated policy — typically the "Catch-all Rule".
- type String
- The Verification Method type. It can be set to
"ASSURANCE"
. Default is"ASSURANCE"
. - user
Types List<String>Excludeds - List of user types IDs to be excluded.
- user
Types List<String>Includeds - List of user types IDs to be included.
- users
Excludeds List<String> - List of users IDs to be excluded.
- users
Includeds List<String> - List of users IDs to be included.
- access string
- Allow or deny access based on the rule conditions. It can be set to
"ALLOW"
or"DENY"
. Default is"ALLOW"
. - constraints string[]
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- custom
Expression string - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- device
Assurances string[]Includeds - List of device assurances IDs to be included.
- device
Is booleanManaged - If the device is managed. A device is managed if it's managed by a device management
system. When device_is_managed is set to true, device_is_registered must also be included and must be set to true
. - device
Is booleanRegistered - If the device is registered. A device is registered if the User enrolls with Okta
Verify that is installed on the device. Can only be set to
true
. - factor
Mode string - The number of factors required to satisfy this assurance level. It can be set to
"1FA"
or"2FA"
. Default is"2FA"
. - groups
Excludeds string[] - List of groups IDs to be excluded.
- groups
Includeds string[] - List of groups IDs to be included.
- inactivity
Period string - The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is
"PT1H"
. - name string
- Name of the policy rule.
- network
Connection string - Network selection mode:
"ANYWHERE"
,"ZONE"
,"ON_NETWORK"
, or"OFF_NETWORK"
. - network
Excludes string[] - List of network zones IDs to exclude. Conflicts with
network_includes
. - network
Includes string[] - List of network zones IDs to include. Conflicts with
network_excludes
. - platform
Includes AppSignon Policy Rule Platform Include[] - List of particular platforms or devices to match on.
- policy
Id string - ID of the app sign-on policy.
- priority number
- Priority of the rule.
- re
Authentication stringFrequency - The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals.
"PT0S"
- every sign-in attempt,"PT43800H"
- once per session. Default is"PT2H"
. - risk
Score string - The risk score specifies a particular level of risk to match on. Valid values are:
"ANY"
,"LOW"
,"MEDIUM"
,"HIGH"
. Default is"ANY"
. - status string
- Status of the rule
- system boolean
- True when this rule is the system (default) rule for its associated policy — typically the "Catch-all Rule".
- type string
- The Verification Method type. It can be set to
"ASSURANCE"
. Default is"ASSURANCE"
. - user
Types string[]Excludeds - List of user types IDs to be excluded.
- user
Types string[]Includeds - List of user types IDs to be included.
- users
Excludeds string[] - List of users IDs to be excluded.
- users
Includeds string[] - List of users IDs to be included.
- access str
- Allow or deny access based on the rule conditions. It can be set to
"ALLOW"
or"DENY"
. Default is"ALLOW"
. - constraints Sequence[str]
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- custom_
expression str - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- device_
assurances_ Sequence[str]includeds - List of device assurances IDs to be included.
- device_
is_ boolmanaged - If the device is managed. A device is managed if it's managed by a device management
system. When device_is_managed is set to true, device_is_registered must also be included and must be set to true
. - device_
is_ boolregistered - If the device is registered. A device is registered if the User enrolls with Okta
Verify that is installed on the device. Can only be set to
true
. - factor_
mode str - The number of factors required to satisfy this assurance level. It can be set to
"1FA"
or"2FA"
. Default is"2FA"
. - groups_
excludeds Sequence[str] - List of groups IDs to be excluded.
- groups_
includeds Sequence[str] - List of groups IDs to be included.
- inactivity_
period str - The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is
"PT1H"
. - name str
- Name of the policy rule.
- network_
connection str - Network selection mode:
"ANYWHERE"
,"ZONE"
,"ON_NETWORK"
, or"OFF_NETWORK"
. - network_
excludes Sequence[str] - List of network zones IDs to exclude. Conflicts with
network_includes
. - network_
includes Sequence[str] - List of network zones IDs to include. Conflicts with
network_excludes
. - platform_
includes Sequence[AppSignon Policy Rule Platform Include Args] - List of particular platforms or devices to match on.
- policy_
id str - ID of the app sign-on policy.
- priority int
- Priority of the rule.
- re_
authentication_ strfrequency - The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals.
"PT0S"
- every sign-in attempt,"PT43800H"
- once per session. Default is"PT2H"
. - risk_
score str - The risk score specifies a particular level of risk to match on. Valid values are:
"ANY"
,"LOW"
,"MEDIUM"
,"HIGH"
. Default is"ANY"
. - status str
- Status of the rule
- system bool
- True when this rule is the system (default) rule for its associated policy — typically the "Catch-all Rule".
- type str
- The Verification Method type. It can be set to
"ASSURANCE"
. Default is"ASSURANCE"
. - user_
types_ Sequence[str]excludeds - List of user types IDs to be excluded.
- user_
types_ Sequence[str]includeds - List of user types IDs to be included.
- users_
excludeds Sequence[str] - List of users IDs to be excluded.
- users_
includeds Sequence[str] - List of users IDs to be included.
- access String
- Allow or deny access based on the rule conditions. It can be set to
"ALLOW"
or"DENY"
. Default is"ALLOW"
. - constraints List<String>
- An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
- custom
Expression String - This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
- device
Assurances List<String>Includeds - List of device assurances IDs to be included.
- device
Is BooleanManaged - If the device is managed. A device is managed if it's managed by a device management
system. When device_is_managed is set to true, device_is_registered must also be included and must be set to true
. - device
Is BooleanRegistered - If the device is registered. A device is registered if the User enrolls with Okta
Verify that is installed on the device. Can only be set to
true
. - factor
Mode String - The number of factors required to satisfy this assurance level. It can be set to
"1FA"
or"2FA"
. Default is"2FA"
. - groups
Excludeds List<String> - List of groups IDs to be excluded.
- groups
Includeds List<String> - List of groups IDs to be included.
- inactivity
Period String - The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is
"PT1H"
. - name String
- Name of the policy rule.
- network
Connection String - Network selection mode:
"ANYWHERE"
,"ZONE"
,"ON_NETWORK"
, or"OFF_NETWORK"
. - network
Excludes List<String> - List of network zones IDs to exclude. Conflicts with
network_includes
. - network
Includes List<String> - List of network zones IDs to include. Conflicts with
network_excludes
. - platform
Includes List<Property Map> - List of particular platforms or devices to match on.
- policy
Id String - ID of the app sign-on policy.
- priority Number
- Priority of the rule.
- re
Authentication StringFrequency - The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals.
"PT0S"
- every sign-in attempt,"PT43800H"
- once per session. Default is"PT2H"
. - risk
Score String - The risk score specifies a particular level of risk to match on. Valid values are:
"ANY"
,"LOW"
,"MEDIUM"
,"HIGH"
. Default is"ANY"
. - status String
- Status of the rule
- system Boolean
- True when this rule is the system (default) rule for its associated policy — typically the "Catch-all Rule".
- type String
- The Verification Method type. It can be set to
"ASSURANCE"
. Default is"ASSURANCE"
. - user
Types List<String>Excludeds - List of user types IDs to be excluded.
- user
Types List<String>Includeds - List of user types IDs to be included.
- users
Excludeds List<String> - List of users IDs to be excluded.
- users
Includeds List<String> - List of users IDs to be included.
Supporting Types
AppSignonPolicyRulePlatformInclude, AppSignonPolicyRulePlatformIncludeArgs
- Os
Expression string - Only available and required when using
os_type = "OTHER"
- Os
Type string - One of:
"ANY"
,"IOS"
,"WINDOWS"
,"ANDROID"
,"OTHER"
,"OSX"
,"MACOS"
,"CHROMEOS"
- Type string
- The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE". (NOTE: this description appears to be copied from the rule-level type field; confirm the values accepted for a platform include entry against the provider schema before relying on it)
.
- Os
Expression string - Only available and required when using
os_type = "OTHER"
- Os
Type string - One of:
"ANY"
,"IOS"
,"WINDOWS"
,"ANDROID"
,"OTHER"
,"OSX"
,"MACOS"
,"CHROMEOS"
- Type string
- The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE". (NOTE: this description appears to be copied from the rule-level type field; confirm the values accepted for a platform include entry against the provider schema before relying on it)
.
- os
Expression String - Only available and required when using
os_type = "OTHER"
- os
Type String - One of:
"ANY"
,"IOS"
,"WINDOWS"
,"ANDROID"
,"OTHER"
,"OSX"
,"MACOS"
,"CHROMEOS"
- type String
- The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE". (NOTE: this description appears to be copied from the rule-level type field; confirm the values accepted for a platform include entry against the provider schema before relying on it)
.
- os
Expression string - Only available and required when using
os_type = "OTHER"
- os
Type string - One of:
"ANY"
,"IOS"
,"WINDOWS"
,"ANDROID"
,"OTHER"
,"OSX"
,"MACOS"
,"CHROMEOS"
- type string
- The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE". (NOTE: this description appears to be copied from the rule-level type field; confirm the values accepted for a platform include entry against the provider schema before relying on it)
.
- os_
expression str - Only available and required when using
os_type = "OTHER"
- os_
type str - One of:
"ANY"
,"IOS"
,"WINDOWS"
,"ANDROID"
,"OTHER"
,"OSX"
,"MACOS"
,"CHROMEOS"
- type str
- The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE". (NOTE: this description appears to be copied from the rule-level type field; confirm the values accepted for a platform include entry against the provider schema before relying on it)
.
- os
Expression String - Only available and required when using
os_type = "OTHER"
- os
Type String - One of:
"ANY"
,"IOS"
,"WINDOWS"
,"ANDROID"
,"OTHER"
,"OSX"
,"MACOS"
,"CHROMEOS"
- type String
- The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE". (NOTE: this description appears to be copied from the rule-level type field; confirm the values accepted for a platform include entry against the provider schema before relying on it)
.
Import
Okta app sign-on policy rule can be imported via the Okta ID.
$ pulumi import okta:index/appSignonPolicyRule:AppSignonPolicyRule example <policy_id>/<rule_id>
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Okta pulumi/pulumi-okta
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
okta
Terraform Provider.