Okta v4.8.0 published on Saturday, Mar 2, 2024 by Pulumi

okta.AppSignonPolicyRule


    WARNING: This feature is only available as a part of the Identity Engine. Contact support for further information.

    This resource allows you to create and configure a sign-on policy rule for the application.

    A default, or Catch-all Rule, sign-on policy rule can be imported and managed like a custom rule. The only difference is that the following fields are immutable on it and cannot be managed: network_connection, network_excludes, network_includes, platform_include, custom_expression, device_is_registered, device_is_managed, users_excluded, users_included, groups_excluded, groups_included, user_types_excluded and user_types_included. In other words, the conditions that decide which sign-ins the catch-all rule matches cannot be changed through this resource; only its remaining settings can.

    Example Usage

    Example 1:

    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Okta = Pulumi.Okta;
    
    return await Deployment.RunAsync(() =>
    {
        // Verification-method constraint: a knowledge factor of type "password" and
        // nothing else. No possession constraint is set here (Example 2 on this page adds one).
        var passwordOnly = new Dictionary<string, object?>
        {
            ["knowledge"] = new Dictionary<string, object?>
            {
                ["types"] = new[] { "password" },
            },
        };

        // NOTE(review): `data` is not declared in this snippet; it looks like a leftover
        // from the upstream Terraform example. Supply the id of the app's sign-on policy
        // (the Complex example on this page obtains it with a lookup by app id).
        var test = new Okta.AppSignonPolicyRule("test", new()
        {
            PolicyId = data.Okta_app_signon_policy.Test.Id,
            // Each array element is one constraint object serialized to a JSON string.
            Constraints = new[] { JsonSerializer.Serialize(passwordOnly) },
        });
    });
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares one Okta app sign-on policy rule named "test" whose only
    // constraint is a knowledge factor of type "password".
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Constraint object, serialized to the JSON string the resource expects.
    		// It names a knowledge factor only; no possession constraint is set.
    		constraintBytes, err := json.Marshal(map[string]interface{}{
    			"knowledge": map[string]interface{}{
    				"types": []string{"password"},
    			},
    		})
    		if err != nil {
    			return err
    		}

    		// NOTE(review): `data` is not declared in this snippet; it looks like a
    		// leftover from the upstream Terraform example. Supply the id of the
    		// app's sign-on policy instead.
    		_, err = okta.NewAppSignonPolicyRule(ctx, "test", &okta.AppSignonPolicyRuleArgs{
    			PolicyId: pulumi.Any(data.Okta_app_signon_policy.Test.Id),
    			Constraints: pulumi.StringArray{
    				pulumi.String(string(constraintBytes)),
    			},
    		})
    		// err is nil on success, so returning it covers both outcomes.
    		return err
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.okta.AppSignonPolicyRule;
    import com.pulumi.okta.AppSignonPolicyRuleArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Pulumi program that declares one Okta app sign-on policy rule named "test".
     */
    public class App {
        /** Entry point: passes {@code App::stack} to {@code Pulumi.run}. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the rule. Its only constraint names a knowledge factor of type
         * "password"; no possession constraint is set (Example 2 on this page adds one).
         */
        public static void stack(Context ctx) {
            // NOTE(review): `data` is not declared in this snippet; it looks like a leftover
            // from the upstream Terraform example. Supply the id of the app's sign-on policy.
            var test = new AppSignonPolicyRule("test", AppSignonPolicyRuleArgs.builder()        
                .policyId(data.okta_app_signon_policy().test().id())
                // serializeJson/jsonObject/jsonProperty/jsonArray come from the static
                // Serialization import; presumably they yield the constraint as a JSON string.
                .constraints(serializeJson(
                    jsonObject(
                        jsonProperty("knowledge", jsonObject(
                            jsonProperty("types", jsonArray("password"))
                        ))
                    )))
                .build());
    
        }
    }
    
    import pulumi
    import json
    import pulumi_okta as okta
    
    # Verification-method constraint: a knowledge factor of type "password" and
    # nothing else. No possession constraint is set (Example 2 on this page adds one).
    password_only = {
        "knowledge": {
            "types": ["password"],
        },
    }

    # NOTE(review): `data` is not defined in this snippet; it looks like a leftover
    # from the upstream Terraform example. Supply the id of the app's sign-on policy.
    test = okta.AppSignonPolicyRule(
        "test",
        policy_id=data["okta_app_signon_policy"]["test"]["id"],
        # Each list element is one constraint object serialized to a JSON string.
        constraints=[json.dumps(password_only)],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as okta from "@pulumi/okta";
    
    // Verification-method constraint: a knowledge factor of type "password" and
    // nothing else. No possession constraint is set (Example 2 on this page adds one).
    const passwordOnly = {
        knowledge: {
            types: ["password"],
        },
    };

    // NOTE(review): `data` is not declared in this snippet; it looks like a leftover
    // from the upstream Terraform example. Supply the id of the app's sign-on policy.
    const test = new okta.AppSignonPolicyRule("test", {
        policyId: data.okta_app_signon_policy.test.id,
        // Each array element is one constraint object serialized to a JSON string.
        constraints: [JSON.stringify(passwordOnly)],
    });
    
    # Declares one Okta app sign-on policy rule named "test".
    resources:
      test:
        type: okta:AppSignonPolicyRule
        properties:
          # NOTE(review): `data.okta_app_signon_policy.test` is not defined in this
          # snippet; it looks like a leftover from the upstream Terraform example.
          # Supply the id of the app's sign-on policy.
          policyId: ${data.okta_app_signon_policy.test.id}
          constraints:
            # One list element per constraint; fn::toJSON serializes the mapping below.
            - fn::toJSON:
                # Knowledge factor of type "password" only; no possession constraint.
                knowledge:
                  types:
                    - password
    

    block

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    
    return await Deployment.RunAsync(() => 
    {
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
        }
    }
    
    import pulumi
    
    import * as pulumi from "@pulumi/pulumi";
    
    {}
    

    Example 2:

    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Okta = Pulumi.Okta;
    
    return await Deployment.RunAsync(() =>
    {
        // Knowledge part: password, with reauthenticateIn "PT2H" (ISO 8601 duration, two hours).
        var knowledge = new Dictionary<string, object?>
        {
            ["reauthenticateIn"] = "PT2H",
            ["types"] = new[] { "password" },
        };

        // Possession part: both properties are REQUIRED.
        // NOTE(review): presumably this means the possession factor must be bound to the
        // device and its key held in hardware-backed storage — confirm against Okta's docs.
        var possession = new Dictionary<string, object?>
        {
            ["deviceBound"] = "REQUIRED",
            ["hardwareProtection"] = "REQUIRED",
        };

        // A single constraint object carrying both parts.
        var constraint = new Dictionary<string, object?>
        {
            ["knowledge"] = knowledge,
            ["possession"] = possession,
        };

        // NOTE(review): `data` is not declared in this snippet; it looks like a leftover
        // from the upstream Terraform example. Supply the id of the app's sign-on policy.
        var test = new Okta.AppSignonPolicyRule("test", new()
        {
            PolicyId = data.Okta_app_signon_policy.Test.Id,
            Constraints = new[] { JsonSerializer.Serialize(constraint) },
        });
    });
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares one Okta app sign-on policy rule named "test" whose single
    // constraint combines a knowledge part and a possession part.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// knowledge: password, with reauthenticateIn "PT2H" (ISO 8601, two hours).
    		// possession: deviceBound and hardwareProtection are both REQUIRED.
    		// NOTE(review): presumably the possession factor must be bound to the device
    		// and hardware-protected — confirm the exact meaning against Okta's docs.
    		constraintBytes, err := json.Marshal(map[string]interface{}{
    			"knowledge": map[string]interface{}{
    				"reauthenticateIn": "PT2H",
    				"types":            []string{"password"},
    			},
    			"possession": map[string]interface{}{
    				"deviceBound":        "REQUIRED",
    				"hardwareProtection": "REQUIRED",
    			},
    		})
    		if err != nil {
    			return err
    		}

    		// NOTE(review): `data` is not declared in this snippet; it looks like a
    		// leftover from the upstream Terraform example. Supply the id of the
    		// app's sign-on policy instead.
    		_, err = okta.NewAppSignonPolicyRule(ctx, "test", &okta.AppSignonPolicyRuleArgs{
    			PolicyId: pulumi.Any(data.Okta_app_signon_policy.Test.Id),
    			Constraints: pulumi.StringArray{
    				pulumi.String(string(constraintBytes)),
    			},
    		})
    		// err is nil on success, so returning it covers both outcomes.
    		return err
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.okta.AppSignonPolicyRule;
    import com.pulumi.okta.AppSignonPolicyRuleArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Pulumi program that declares one Okta app sign-on policy rule named "test"
     * with a combined knowledge and possession constraint.
     */
    public class App {
        /** Entry point: passes {@code App::stack} to {@code Pulumi.run}. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the rule. The single constraint names a password knowledge factor
         * with reauthenticateIn "PT2H" (ISO 8601, two hours) and a possession part whose
         * deviceBound and hardwareProtection properties are both REQUIRED.
         */
        public static void stack(Context ctx) {
            // NOTE(review): `data` is not declared in this snippet; it looks like a leftover
            // from the upstream Terraform example. Supply the id of the app's sign-on policy.
            var test = new AppSignonPolicyRule("test", AppSignonPolicyRuleArgs.builder()        
                .policyId(data.okta_app_signon_policy().test().id())
                .constraints(serializeJson(
                    jsonObject(
                        jsonProperty("knowledge", jsonObject(
                            jsonProperty("reauthenticateIn", "PT2H"),
                            jsonProperty("types", jsonArray("password"))
                        )),
                        // NOTE(review): presumably requires a device-bound, hardware-protected
                        // possession factor — confirm the exact meaning against Okta's docs.
                        jsonProperty("possession", jsonObject(
                            jsonProperty("deviceBound", "REQUIRED"),
                            jsonProperty("hardwareProtection", "REQUIRED")
                        ))
                    )))
                .build());
    
        }
    }
    
    import pulumi
    import json
    import pulumi_okta as okta
    
    # One constraint object with two parts:
    #   knowledge  - password, with reauthenticateIn "PT2H" (ISO 8601 duration, two hours)
    #   possession - deviceBound and hardwareProtection both REQUIRED
    # NOTE(review): presumably the possession factor must be bound to the device and
    # hardware-protected — confirm the exact meaning against Okta's docs.
    constraint = {
        "knowledge": {
            "reauthenticateIn": "PT2H",
            "types": ["password"],
        },
        "possession": {
            "deviceBound": "REQUIRED",
            "hardwareProtection": "REQUIRED",
        },
    }

    # NOTE(review): `data` is not defined in this snippet; it looks like a leftover
    # from the upstream Terraform example. Supply the id of the app's sign-on policy.
    test = okta.AppSignonPolicyRule(
        "test",
        policy_id=data["okta_app_signon_policy"]["test"]["id"],
        constraints=[json.dumps(constraint)],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as okta from "@pulumi/okta";
    
    // One constraint object with two parts:
    //   knowledge  - password, with reauthenticateIn "PT2H" (ISO 8601 duration, two hours)
    //   possession - deviceBound and hardwareProtection both REQUIRED
    // NOTE(review): presumably the possession factor must be bound to the device and
    // hardware-protected — confirm the exact meaning against Okta's docs.
    const constraint = {
        knowledge: {
            reauthenticateIn: "PT2H",
            types: ["password"],
        },
        possession: {
            deviceBound: "REQUIRED",
            hardwareProtection: "REQUIRED",
        },
    };

    // NOTE(review): `data` is not declared in this snippet; it looks like a leftover
    // from the upstream Terraform example. Supply the id of the app's sign-on policy.
    const test = new okta.AppSignonPolicyRule("test", {
        policyId: data.okta_app_signon_policy.test.id,
        constraints: [JSON.stringify(constraint)],
    });
    
    # Declares one Okta app sign-on policy rule named "test" with a combined
    # knowledge and possession constraint.
    resources:
      test:
        type: okta:AppSignonPolicyRule
        properties:
          # NOTE(review): `data.okta_app_signon_policy.test` is not defined in this
          # snippet; it looks like a leftover from the upstream Terraform example.
          # Supply the id of the app's sign-on policy.
          policyId: ${data.okta_app_signon_policy.test.id}
          constraints:
            # One list element per constraint; fn::toJSON serializes the mapping below.
            - fn::toJSON:
                knowledge:
                  # ISO 8601 duration: two hours.
                  reauthenticateIn: PT2H
                  types:
                    - password
                # NOTE(review): presumably requires a device-bound, hardware-protected
                # possession factor — confirm the exact meaning against Okta's docs.
                possession:
                  deviceBound: REQUIRED
                  hardwareProtection: REQUIRED
    

    block

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    
    return await Deployment.RunAsync(() => 
    {
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
        }
    }
    
    import pulumi
    
    import * as pulumi from "@pulumi/pulumi";
    
    {}
    

    Complex example

    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Okta = Pulumi.Okta;
    
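    return await Deployment.RunAsync(() => 
    {
        // SAML application whose sign-on policy the rule at the end is attached to.
        // The label, URLs and certificate look like acceptance-test sample values;
        // replace them with the service provider's real settings.
        var testSaml = new Okta.App.Saml("testSaml", new()
        {
            Label = "testAcc_replace_with_uuid",
            SsoUrl = "https://google.com",
            Recipient = "https://here.com",
            Destination = "https://its-about-the-journey.com",
            Audience = "https://audience.com",
            SubjectNameIdTemplate = "${user.userName}",
            SubjectNameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            ResponseSigned = true,
            SignatureAlgorithm = "RSA_SHA256",
            DigestAlgorithm = "SHA256",
            // NOTE(review): presumably false means a ForceAuthn request from the service
            // provider does not trigger re-authentication — confirm before copying.
            HonorForceAuthn = false,
            AuthnContextClassRef = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
            SingleLogoutIssuer = "https://dunshire.okta.com",
            SingleLogoutUrl = "https://dunshire.okta.com/logout",
            // Inline base64 sample certificate; the verbatim string keeps the line breaks as written.
            SingleLogoutCertificate = @"MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV
    BAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG
    A1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4
    YW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT
    MQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ
    bmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl
    bWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa
    PyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu
    O/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu
    2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c
    fCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi
    Vff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd
    CJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf
    sgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt
    ieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ
    DAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ
    KoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3
    wLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG
    t/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E
    P72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij
    ltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h
    hfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5
    wbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy
    DaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL
    JtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt
    zOYQQatrnBagM7MI2/T4
    ",
            AttributeStatements = new[]
            {
                // The REGEX filter ".*" matches every group name, so nothing is filtered out
                // of the "groups" statement; use a narrower pattern where the service
                // provider should not receive all of a user's group memberships.
                new Okta.App.Inputs.SamlAttributeStatementArgs
                {
                    Type = "GROUP",
                    Name = "groups",
                    FilterType = "REGEX",
                    FilterValue = ".*",
                },
            },
        });
    
        // Look up the sign-on policy that belongs to the SAML app created above.
        var testAppSignonPolicy = Okta.GetAppSignonPolicy.Invoke(new()
        {
            AppId = testSaml.Id,
        });
    
        // Five sample users (indices 0-4); the rule includes 0-1 and excludes 2-4.
        var testUser = new List<Okta.User.User>();
        for (var rangeIndex = 0; rangeIndex < 5; rangeIndex++)
        {
            var range = new { Value = rangeIndex };
            testUser.Add(new Okta.User.User($"testUser-{range.Value}", new()
            {
                FirstName = "TestAcc",
                LastName = "Smith",
                Login = $"testAcc_{range.Value}@example.com",
                Email = $"testAcc_{range.Value}@example.com",
            }));
        }
        // Five sample groups (indices 0-4); the rule includes 0-1 and excludes 2-4.
        var @this = new List<Okta.Group.Group>();
        for (var rangeIndex = 0; rangeIndex < 5; rangeIndex++)
        {
            var range = new { Value = rangeIndex };
            @this.Add(new Okta.Group.Group($"this-{range.Value}", new()
            {
                Description = $"testAcc_{range.Value}",
            }));
        }
        // Custom user type that the rule excludes.
        var testUserType = new Okta.User.UserType("testUserType", new()
        {
            DisplayName = "Terraform Acceptance Test User Type Updated",
            Description = "Terraform Acceptance Test User Type Updated",
        });
    
        // IP network zone the rule is scoped to; the addresses are sample ranges.
        var testZone = new Okta.Network.Zone("testZone", new()
        {
            Type = "IP",
            Gateways = new[]
            {
                "1.2.3.4/24",
                "2.3.4.5-2.3.4.15",
            },
            Proxies = new[]
            {
                "2.2.3.4/24",
                "3.3.4.5-3.3.4.15",
            },
        });
    
        // Look up the existing user type named "user"; the rule includes it.
        var @default = Okta.User.GetUserType.Invoke(new()
        {
            Name = "user",
        });
    
        // Android device assurance policy referenced by the rule.
        // NOTE(review): presumably Jailbreak = false describes the required device
        // state (not jailbroken) — confirm against the DeviceAssuranceAndroid docs.
        var testDeviceAssuranceAndroid = new Okta.Policy.DeviceAssuranceAndroid("testDeviceAssuranceAndroid", new()
        {
            OsVersion = "12",
            Jailbreak = false,
        });
    
        var testAppSignonPolicyRule = new Okta.AppSignonPolicyRule("testAppSignonPolicyRule", new()
        {
            PolicyId = testAppSignonPolicy.Apply(getAppSignonPolicyResult => getAppSignonPolicyResult.Id),
            // ALLOW rule: everything below narrows which sign-ins it matches and what
            // they must present, so review each condition before reusing the example.
            Access = "ALLOW",
            CustomExpression = "user.status == \"ACTIVE\"",
            // Device conditions: registered, but not managed.
            DeviceIsManaged = false,
            DeviceIsRegistered = true,
            FactorMode = "2FA",
            GroupsExcludeds = new[]
            {
                @this[2].Id,
                @this[3].Id,
                @this[4].Id,
            },
            GroupsIncludeds = new[]
            {
                @this[0].Id,
                @this[1].Id,
            },
            DeviceAssurancesIncludeds = new[]
            {
                testDeviceAssuranceAndroid.Id,
            },
            NetworkConnection = "ZONE",
            NetworkIncludes = new[]
            {
                testZone.Id,
            },
            PlatformIncludes = new[]
            {
                new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
                {
                    OsType = "ANDROID",
                    Type = "MOBILE",
                },
                new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
                {
                    OsType = "IOS",
                    Type = "MOBILE",
                },
                new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
                {
                    OsType = "MACOS",
                    Type = "DESKTOP",
                },
                new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
                {
                    OsType = "OTHER",
                    Type = "DESKTOP",
                },
                new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
                {
                    OsType = "OTHER",
                    Type = "MOBILE",
                },
                new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
                {
                    OsType = "WINDOWS",
                    Type = "DESKTOP",
                },
                new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
                {
                    OsType = "CHROMEOS",
                    Type = "DESKTOP",
                },
            },
            Priority = 98,
            // PT43800H is 43,800 hours (1,825 days, about five years), while the first
            // constraint below asks for reauthenticateIn PT2H (two hours).
            // NOTE(review): which interval takes effect is not stated on this page —
            // confirm against Okta's documentation before copying this value.
            ReAuthenticationFrequency = "PT43800H",
            Type = "ASSURANCE",
            UserTypesExcludeds = new[]
            {
                testUserType.Id,
            },
            UserTypesIncludeds = new[]
            {
                // Project the looked-up user type to its id with one Apply, in the same
                // form as PolicyId above; the lambda parameter is the lookup result itself.
                @default.Apply(getUserTypeResult => getUserTypeResult.Id),
            },
            UsersExcludeds = new[]
            {
                testUser[2].Id,
                testUser[3].Id,
                testUser[4].Id,
            },
            UsersIncludeds = new[]
            {
                testUser[0].Id,
                testUser[1].Id,
            },
            // Two constraint objects, each serialized to its own JSON string.
            // NOTE(review): presumably they are alternatives (either one satisfies the
            // rule) — confirm against Okta's documentation.
            Constraints = new[]
            {
                JsonSerializer.Serialize(new Dictionary<string, object?>
                {
                    ["knowledge"] = new Dictionary<string, object?>
                    {
                        ["reauthenticateIn"] = "PT2H",
                        ["types"] = new[]
                        {
                            "password",
                        },
                    },
                    ["possession"] = new Dictionary<string, object?>
                    {
                        ["deviceBound"] = "REQUIRED",
                    },
                }),
                JsonSerializer.Serialize(new Dictionary<string, object?>
                {
                    ["possession"] = new Dictionary<string, object?>
                    {
                        ["deviceBound"] = "REQUIRED",
                        ["hardwareProtection"] = "REQUIRED",
                        ["userPresence"] = "OPTIONAL",
                    },
                }),
            },
        });
    
    });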
    
    package main
    
    import (
    	"encoding/json"
    	"fmt"
    
    	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta"
    	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/app"
    	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/group"
    	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/network"
    	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/policy"
    	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/user"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
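    // main builds the full example: a SAML app, the lookup of its sign-on policy,
    // sample users, groups, a user type, a network zone and an Android device
    // assurance policy, and finally the sign-on policy rule that references them.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// SAML application whose sign-on policy the rule is attached to. The label,
    		// URLs and certificate look like acceptance-test sample values; replace
    		// them with the service provider's real settings.
    		testSaml, err := app.NewSaml(ctx, "testSaml", &app.SamlArgs{
    			Label:                 pulumi.String("testAcc_replace_with_uuid"),
    			SsoUrl:                pulumi.String("https://google.com"),
    			Recipient:             pulumi.String("https://here.com"),
    			Destination:           pulumi.String("https://its-about-the-journey.com"),
    			Audience:              pulumi.String("https://audience.com"),
    			SubjectNameIdTemplate: pulumi.String("${user.userName}"),
    			SubjectNameIdFormat:   pulumi.String("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"),
    			ResponseSigned:        pulumi.Bool(true),
    			SignatureAlgorithm:    pulumi.String("RSA_SHA256"),
    			DigestAlgorithm:       pulumi.String("SHA256"),
    			// NOTE(review): presumably false means a ForceAuthn request from the
    			// service provider does not trigger re-authentication — confirm.
    			HonorForceAuthn:       pulumi.Bool(false),
    			AuthnContextClassRef:  pulumi.String("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"),
    			SingleLogoutIssuer:    pulumi.String("https://dunshire.okta.com"),
    			SingleLogoutUrl:       pulumi.String("https://dunshire.okta.com/logout"),
    			// Inline base64 sample certificate; the raw string keeps the line breaks as written.
    			SingleLogoutCertificate: pulumi.String(`MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV
    BAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG
    A1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4
    YW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT
    MQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ
    bmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl
    bWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa
    PyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu
    O/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu
    2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c
    fCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi
    Vff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd
    CJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf
    sgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt
    ieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ
    DAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ
    KoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3
    wLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG
    t/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E
    P72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij
    ltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h
    hfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5
    wbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy
    DaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL
    JtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt
    zOYQQatrnBagM7MI2/T4
    `),
    			AttributeStatements: app.SamlAttributeStatementArray{
    				// The REGEX filter ".*" matches every group name, so nothing is
    				// filtered out of the "groups" statement; use a narrower pattern
    				// where the service provider should not receive all memberships.
    				&app.SamlAttributeStatementArgs{
    					Type:        pulumi.String("GROUP"),
    					Name:        pulumi.String("groups"),
    					FilterType:  pulumi.String("REGEX"),
    					FilterValue: pulumi.String(".*"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		// Look up the sign-on policy that belongs to the SAML app created above.
    		testAppSignonPolicy := okta.LookupAppSignonPolicyOutput(ctx, okta.GetAppSignonPolicyOutputArgs{
    			AppId: testSaml.ID(),
    		}, nil)
    		// Five sample users (indices 0-4); the rule includes 0-1 and excludes 2-4.
    		var testUser []*user.User
    		for index := 0; index < 5; index++ {
    			key0 := index
    			val0 := index
    			__res, err := user.NewUser(ctx, fmt.Sprintf("testUser-%v", key0), &user.UserArgs{
    				FirstName: pulumi.String("TestAcc"),
    				LastName:  pulumi.String("Smith"),
    				Login:     pulumi.String(fmt.Sprintf("testAcc_%v@example.com", val0)),
    				Email:     pulumi.String(fmt.Sprintf("testAcc_%v@example.com", val0)),
    			})
    			if err != nil {
    				return err
    			}
    			testUser = append(testUser, __res)
    		}
    		// Five sample groups (indices 0-4); the rule includes 0-1 and excludes 2-4.
    		var this []*group.Group
    		for index := 0; index < 5; index++ {
    			key0 := index
    			val0 := index
    			__res, err := group.NewGroup(ctx, fmt.Sprintf("this-%v", key0), &group.GroupArgs{
    				Description: pulumi.String(fmt.Sprintf("testAcc_%v", val0)),
    			})
    			if err != nil {
    				return err
    			}
    			this = append(this, __res)
    		}
    		// Custom user type that the rule excludes.
    		testUserType, err := user.NewUserType(ctx, "testUserType", &user.UserTypeArgs{
    			DisplayName: pulumi.String("Terraform Acceptance Test User Type Updated"),
    			Description: pulumi.String("Terraform Acceptance Test User Type Updated"),
    		})
    		if err != nil {
    			return err
    		}
    		// IP network zone the rule is scoped to; the addresses are sample ranges.
    		testZone, err := network.NewZone(ctx, "testZone", &network.ZoneArgs{
    			Type: pulumi.String("IP"),
    			Gateways: pulumi.StringArray{
    				pulumi.String("1.2.3.4/24"),
    				pulumi.String("2.3.4.5-2.3.4.15"),
    			},
    			Proxies: pulumi.StringArray{
    				pulumi.String("2.2.3.4/24"),
    				pulumi.String("3.3.4.5-3.3.4.15"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		// Look up the existing user type named "user"; the rule includes it.
    		_default, err := user.LookupUserType(ctx, &user.LookupUserTypeArgs{
    			Name: "user",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// Android device assurance policy referenced by the rule.
    		// NOTE(review): presumably Jailbreak false describes the required device
    		// state (not jailbroken) — confirm against the DeviceAssuranceAndroid docs.
    		testDeviceAssuranceAndroid, err := policy.NewDeviceAssuranceAndroid(ctx, "testDeviceAssuranceAndroid", &policy.DeviceAssuranceAndroidArgs{
    			OsVersion: pulumi.String("12"),
    			Jailbreak: pulumi.Bool(false),
    		})
    		if err != nil {
    			return err
    		}
    		// First constraint: password knowledge factor with reauthenticateIn PT2H
    		// (two hours) plus a device-bound possession part.
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"knowledge": map[string]interface{}{
    				"reauthenticateIn": "PT2H",
    				"types": []string{
    					"password",
    				},
    			},
    			"possession": map[string]interface{}{
    				"deviceBound": "REQUIRED",
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		// Second constraint: possession only, with deviceBound and
    		// hardwareProtection REQUIRED and userPresence OPTIONAL.
    		tmpJSON1, err := json.Marshal(map[string]interface{}{
    			"possession": map[string]interface{}{
    				"deviceBound":        "REQUIRED",
    				"hardwareProtection": "REQUIRED",
    				"userPresence":       "OPTIONAL",
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json1 := string(tmpJSON1)
    		_, err = okta.NewAppSignonPolicyRule(ctx, "testAppSignonPolicyRule", &okta.AppSignonPolicyRuleArgs{
    			PolicyId: testAppSignonPolicy.ApplyT(func(testAppSignonPolicy okta.GetAppSignonPolicyResult) (*string, error) {
    				return &testAppSignonPolicy.Id, nil
    			}).(pulumi.StringPtrOutput),
    			// ALLOW rule: everything below narrows which sign-ins it matches and
    			// what they must present, so review each condition before reuse.
    			Access:             pulumi.String("ALLOW"),
    			CustomExpression:   pulumi.String("user.status == \"ACTIVE\""),
    			// Device conditions: registered, but not managed.
    			DeviceIsManaged:    pulumi.Bool(false),
    			DeviceIsRegistered: pulumi.Bool(true),
    			FactorMode:         pulumi.String("2FA"),
    			GroupsExcludeds: pulumi.StringArray{
    				this[2].ID(),
    				this[3].ID(),
    				this[4].ID(),
    			},
    			GroupsIncludeds: pulumi.StringArray{
    				this[0].ID(),
    				this[1].ID(),
    			},
    			DeviceAssurancesIncludeds: pulumi.StringArray{
    				testDeviceAssuranceAndroid.ID(),
    			},
    			NetworkConnection: pulumi.String("ZONE"),
    			NetworkIncludes: pulumi.StringArray{
    				testZone.ID(),
    			},
    			PlatformIncludes: okta.AppSignonPolicyRulePlatformIncludeArray{
    				&okta.AppSignonPolicyRulePlatformIncludeArgs{
    					OsType: pulumi.String("ANDROID"),
    					Type:   pulumi.String("MOBILE"),
    				},
    				&okta.AppSignonPolicyRulePlatformIncludeArgs{
    					OsType: pulumi.String("IOS"),
    					Type:   pulumi.String("MOBILE"),
    				},
    				&okta.AppSignonPolicyRulePlatformIncludeArgs{
    					OsType: pulumi.String("MACOS"),
    					Type:   pulumi.String("DESKTOP"),
    				},
    				&okta.AppSignonPolicyRulePlatformIncludeArgs{
    					OsType: pulumi.String("OTHER"),
    					Type:   pulumi.String("DESKTOP"),
    				},
    				&okta.AppSignonPolicyRulePlatformIncludeArgs{
    					OsType: pulumi.String("OTHER"),
    					Type:   pulumi.String("MOBILE"),
    				},
    				&okta.AppSignonPolicyRulePlatformIncludeArgs{
    					OsType: pulumi.String("WINDOWS"),
    					Type:   pulumi.String("DESKTOP"),
    				},
    				&okta.AppSignonPolicyRulePlatformIncludeArgs{
    					OsType: pulumi.String("CHROMEOS"),
    					Type:   pulumi.String("DESKTOP"),
    				},
    			},
    			Priority:                  pulumi.Int(98),
    			// PT43800H is 43,800 hours (1,825 days, about five years), while the
    			// first constraint asks for reauthenticateIn PT2H (two hours).
    			// NOTE(review): which interval takes effect is not stated on this
    			// page — confirm against Okta's documentation before copying it.
    			ReAuthenticationFrequency: pulumi.String("PT43800H"),
    			Type:                      pulumi.String("ASSURANCE"),
    			UserTypesExcludeds: pulumi.StringArray{
    				testUserType.ID(),
    			},
    			UserTypesIncludeds: pulumi.StringArray{
    				// pulumi.String(...) is a plain conversion to a value, not a
    				// pointer, so it is used directly without dereferencing.
    				pulumi.String(_default.Id),
    			},
    			UsersExcludeds: pulumi.StringArray{
    				testUser[2].ID(),
    				testUser[3].ID(),
    				testUser[4].ID(),
    			},
    			UsersIncludeds: pulumi.StringArray{
    				testUser[0].ID(),
    				testUser[1].ID(),
    			},
    			// NOTE(review): presumably the two constraints are alternatives
    			// (either one satisfies the rule) — confirm against Okta's docs.
    			Constraints: pulumi.StringArray{
    				pulumi.String(json0),
    				pulumi.String(json1),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }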
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.okta.app.Saml;
    import com.pulumi.okta.app.SamlArgs;
    import com.pulumi.okta.app.inputs.SamlAttributeStatementArgs;
    import com.pulumi.okta.OktaFunctions;
    import com.pulumi.okta.inputs.GetAppSignonPolicyArgs;
    import com.pulumi.okta.user.User;
    import com.pulumi.okta.user.UserArgs;
    import com.pulumi.okta.group.Group;
    import com.pulumi.okta.group.GroupArgs;
    import com.pulumi.okta.user.UserType;
    import com.pulumi.okta.user.UserTypeArgs;
    import com.pulumi.okta.network.Zone;
    import com.pulumi.okta.network.ZoneArgs;
    import com.pulumi.okta.user.UserFunctions;
    import com.pulumi.okta.user.inputs.GetUserTypeArgs;
    import com.pulumi.okta.policy.DeviceAssuranceAndroid;
    import com.pulumi.okta.policy.DeviceAssuranceAndroidArgs;
    import com.pulumi.okta.AppSignonPolicyRule;
    import com.pulumi.okta.AppSignonPolicyRuleArgs;
    import com.pulumi.okta.inputs.AppSignonPolicyRulePlatformIncludeArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import com.pulumi.codegen.internal.KeyedValue;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
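    /**
     * Pulumi example program: registers a SAML application, looks up that
     * application's sign-on policy and attaches an AppSignonPolicyRule to it.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the example stack: one SAML app, five users, five groups, a
         * user type, an IP network zone, an Android device-assurance policy and
         * the sign-on policy rule that references them.
         *
         * @param ctx Pulumi deployment context (not read by this example).
         */
        public static void stack(Context ctx) {
            // The URLs, issuer and label below are sample values; replace them with
            // the service provider's real endpoints before using this outside a test.
            var testSaml = new Saml("testSaml", SamlArgs.builder()
                .label("testAcc_replace_with_uuid")
                .ssoUrl("https://google.com")
                .recipient("https://here.com")
                .destination("https://its-about-the-journey.com")
                .audience("https://audience.com")
                .subjectNameIdTemplate("${user.userName}")
                .subjectNameIdFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
                .responseSigned(true)
                .signatureAlgorithm("RSA_SHA256")
                .digestAlgorithm("SHA256")
                .honorForceAuthn(false)
                .authnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
                .singleLogoutIssuer("https://dunshire.okta.com")
                .singleLogoutUrl("https://dunshire.okta.com/logout")
                // Base64 certificate body used for single logout; presumably a sample
                // certificate - supply the service provider's own certificate here.
                .singleLogoutCertificate("""
    MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV
    BAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG
    A1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4
    YW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT
    MQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ
    bmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl
    bWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa
    PyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu
    O/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu
    2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c
    fCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi
    Vff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd
    CJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf
    sgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt
    ieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ
    DAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ
    KoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3
    wLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG
    t/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E
    P72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij
    ltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h
    hfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5
    wbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy
    DaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL
    JtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt
    zOYQQatrnBagM7MI2/T4
                """)
                // A GROUP statement with a REGEX filter of ".*" matches every group
                // name, so all of the user's group memberships are released to the
                // service provider. Narrow the pattern to the groups the app needs.
                .attributeStatements(SamlAttributeStatementArgs.builder()
                    .type("GROUP")
                    .name("groups")
                    .filterType("REGEX")
                    .filterValue(".*")
                    .build())
                .build());

            final var testAppSignonPolicy = OktaFunctions.getAppSignonPolicy(GetAppSignonPolicyArgs.builder()
                .appId(testSaml.id())
                .build());

            // Keep the created users in an array: the rule below indexes testUser[0..4].
            var testUser = new User[5];
            for (var i = 0; i < 5; i++) {
                testUser[i] = new User("testUser-" + i, UserArgs.builder()
                    .firstName("TestAcc")
                    .lastName("Smith")
                    .login(String.format("testAcc_%s@example.com", i))
                    .email(String.format("testAcc_%s@example.com", i))
                    .build());
            }

            // Same for the groups, which the rule references as this_[0..4].
            var this_ = new Group[5];
            for (var i = 0; i < 5; i++) {
                this_[i] = new Group("this-" + i, GroupArgs.builder()
                    .description(String.format("testAcc_%s", i))
                    .build());
            }

            var testUserType = new UserType("testUserType", UserTypeArgs.builder()
                .displayName("Terraform Acceptance Test User Type Updated")
                .description("Terraform Acceptance Test User Type Updated")
                .build());

            // Sample address ranges; substitute the organisation's real gateway and proxy ranges.
            var testZone = new Zone("testZone", ZoneArgs.builder()
                .type("IP")
                .gateways(
                    "1.2.3.4/24",
                    "2.3.4.5-2.3.4.15")
                .proxies(
                    "2.2.3.4/24",
                    "3.3.4.5-3.3.4.15")
                .build());

            // `default` is a reserved word in Java, so the lookup is bound to
            // `default_`, the name the rule below already uses.
            final var default_ = UserFunctions.getUserType(GetUserTypeArgs.builder()
                .name("user")
                .build());

            // jailbreak(false): presumably requires a device that is not rooted -
            // confirm against the DeviceAssuranceAndroid documentation.
            var testDeviceAssuranceAndroid = new DeviceAssuranceAndroid("testDeviceAssuranceAndroid", DeviceAssuranceAndroidArgs.builder()
                .osVersion("12")
                .jailbreak(false)
                .build());

            // NOTE(review): the ids passed to the list-valued setters below are
            // outputs of other resources; depending on the builder overloads the SDK
            // offers they may need wrapping (for example with Output.all), and
            // default_.id() presumably has to be read through applyValue - confirm
            // against the Java SDK before relying on this listing.
            var testAppSignonPolicyRule = new AppSignonPolicyRule("testAppSignonPolicyRule", AppSignonPolicyRuleArgs.builder()
                // Read the policy id from the lookup result; the lambda parameter
                // must not reuse the name of the enclosing local variable.
                .policyId(testAppSignonPolicy.applyValue(policy -> policy.id()))
                .access("ALLOW")
                .customExpression("user.status == \"ACTIVE\"")
                .deviceIsManaged(false)
                .deviceIsRegistered(true)
                .factorMode("2FA")
                .groupsExcludeds(
                    this_[2].id(),
                    this_[3].id(),
                    this_[4].id())
                .groupsIncludeds(
                    this_[0].id(),
                    this_[1].id())
                .deviceAssurancesIncludeds(testDeviceAssuranceAndroid.id())
                .networkConnection("ZONE")
                .networkIncludes(testZone.id())
                .platformIncludes(
                    AppSignonPolicyRulePlatformIncludeArgs.builder()
                        .osType("ANDROID")
                        .type("MOBILE")
                        .build(),
                    AppSignonPolicyRulePlatformIncludeArgs.builder()
                        .osType("IOS")
                        .type("MOBILE")
                        .build(),
                    AppSignonPolicyRulePlatformIncludeArgs.builder()
                        .osType("MACOS")
                        .type("DESKTOP")
                        .build(),
                    AppSignonPolicyRulePlatformIncludeArgs.builder()
                        .osType("OTHER")
                        .type("DESKTOP")
                        .build(),
                    AppSignonPolicyRulePlatformIncludeArgs.builder()
                        .osType("OTHER")
                        .type("MOBILE")
                        .build(),
                    AppSignonPolicyRulePlatformIncludeArgs.builder()
                        .osType("WINDOWS")
                        .type("DESKTOP")
                        .build(),
                    AppSignonPolicyRulePlatformIncludeArgs.builder()
                        .osType("CHROMEOS")
                        .type("DESKTOP")
                        .build())
                .priority(98)
                // "PT43800H" is an ISO 8601 duration of 43,800 hours (1,825 days, about
                // five years), so the rule-level re-authentication interval is very
                // long. Choose a much shorter period for sensitive applications.
                .reAuthenticationFrequency("PT43800H")
                .type("ASSURANCE")
                .userTypesExcludeds(testUserType.id())
                .userTypesIncludeds(default_.id())
                .usersExcludeds(
                    testUser[2].id(),
                    testUser[3].id(),
                    testUser[4].id())
                .usersIncludeds(
                    testUser[0].id(),
                    testUser[1].id())
                // Each constraint is one JSON-encoded authenticator constraint object.
                .constraints(
                    serializeJson(
                        jsonObject(
                            jsonProperty("knowledge", jsonObject(
                                jsonProperty("reauthenticateIn", "PT2H"),
                                jsonProperty("types", jsonArray("password"))
                            )),
                            jsonProperty("possession", jsonObject(
                                jsonProperty("deviceBound", "REQUIRED")
                            ))
                        )),
                    serializeJson(
                        jsonObject(
                            jsonProperty("possession", jsonObject(
                                jsonProperty("deviceBound", "REQUIRED"),
                                jsonProperty("hardwareProtection", "REQUIRED"),
                                jsonProperty("userPresence", "OPTIONAL")
                            ))
                        )))
                .build());

        }
    }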
    
    import pulumi
    import json
    import pulumi_okta as okta
    
    # SAML application that the sign-on policy rule will protect. The URLs,
    # issuer and label are sample values; replace them with the service
    # provider's real endpoints before using this outside a test.
    test_saml = okta.app.Saml("testSaml",
        label="testAcc_replace_with_uuid",
        sso_url="https://google.com",
        recipient="https://here.com",
        destination="https://its-about-the-journey.com",
        audience="https://audience.com",
        subject_name_id_template="${user.userName}",
        subject_name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        response_signed=True,
        signature_algorithm="RSA_SHA256",
        digest_algorithm="SHA256",
        honor_force_authn=False,
        authn_context_class_ref="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        single_logout_issuer="https://dunshire.okta.com",
        single_logout_url="https://dunshire.okta.com/logout",
        # Base64 certificate body used for single logout; presumably a sample
        # certificate - supply the service provider's own certificate here.
        single_logout_certificate="""MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV
    BAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG
    A1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4
    YW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT
    MQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ
    bmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl
    bWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa
    PyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu
    O/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu
    2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c
    fCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi
    Vff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd
    CJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf
    sgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt
    ieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ
    DAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ
    KoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3
    wLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG
    t/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E
    P72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij
    ltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h
    hfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5
    wbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy
    DaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL
    JtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt
    zOYQQatrnBagM7MI2/T4
    """,
        # A GROUP statement with a REGEX filter of ".*" matches every group name,
        # so all of the user's group memberships are released to the service
        # provider. Narrow the pattern to the groups the app needs.
        attribute_statements=[okta.app.SamlAttributeStatementArgs(
            type="GROUP",
            name="groups",
            filter_type="REGEX",
            filter_value=".*",
        )])
    # Look up the sign-on policy attached to the app created above.
    test_app_signon_policy = okta.get_app_signon_policy_output(app_id=test_saml.id)
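    # Create five test users. The loop variable must not be called `range`:
    # rebinding that name at module level hides the builtin, and the next
    # loop's call to range(...) would then fail with a TypeError.
    test_user = []
    for idx in range(5):
        test_user.append(okta.user.User(f"testUser-{idx}",
            first_name="TestAcc",
            last_name="Smith",
            login=f"testAcc_{idx}@example.com",
            email=f"testAcc_{idx}@example.com"))
    # Create five test groups, indexed the same way as the users.
    this = []
    for idx in range(5):
        this.append(okta.group.Group(f"this-{idx}", description=f"testAcc_{idx}"))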
    # Custom user type that the rule excludes.
    test_user_type = okta.user.UserType("testUserType",
        display_name="Terraform Acceptance Test User Type Updated",
        description="Terraform Acceptance Test User Type Updated")
    # IP network zone referenced by the rule. The addresses are sample values;
    # substitute the organisation's real gateway and proxy ranges.
    test_zone = okta.network.Zone("testZone",
        type="IP",
        gateways=[
            "1.2.3.4/24",
            "2.3.4.5-2.3.4.15",
        ],
        proxies=[
            "2.2.3.4/24",
            "3.3.4.5-3.3.4.15",
        ])
    # Look up the user type named "user"; its id is the included user type below.
    default = okta.user.get_user_type(name="user")
    # jailbreak=False: presumably requires a device that is not rooted -
    # confirm against the DeviceAssuranceAndroid documentation.
    test_device_assurance_android = okta.policy.DeviceAssuranceAndroid("testDeviceAssuranceAndroid",
        os_version="12",
        jailbreak=False)
    # Sign-on policy rule: access "ALLOW" with factor mode "2FA", scoped by the
    # user, group, user-type, network-zone, device and platform conditions below.
    test_app_signon_policy_rule = okta.AppSignonPolicyRule("testAppSignonPolicyRule",
        policy_id=test_app_signon_policy.id,
        access="ALLOW",
        custom_expression="user.status == \"ACTIVE\"",
        device_is_managed=False,
        device_is_registered=True,
        factor_mode="2FA",
        groups_excludeds=[
            this[2].id,
            this[3].id,
            this[4].id,
        ],
        groups_includeds=[
            this[0].id,
            this[1].id,
        ],
        device_assurances_includeds=[test_device_assurance_android.id],
        network_connection="ZONE",
        network_includes=[test_zone.id],
        platform_includes=[
            okta.AppSignonPolicyRulePlatformIncludeArgs(
                os_type="ANDROID",
                type="MOBILE",
            ),
            okta.AppSignonPolicyRulePlatformIncludeArgs(
                os_type="IOS",
                type="MOBILE",
            ),
            okta.AppSignonPolicyRulePlatformIncludeArgs(
                os_type="MACOS",
                type="DESKTOP",
            ),
            okta.AppSignonPolicyRulePlatformIncludeArgs(
                os_type="OTHER",
                type="DESKTOP",
            ),
            okta.AppSignonPolicyRulePlatformIncludeArgs(
                os_type="OTHER",
                type="MOBILE",
            ),
            okta.AppSignonPolicyRulePlatformIncludeArgs(
                os_type="WINDOWS",
                type="DESKTOP",
            ),
            okta.AppSignonPolicyRulePlatformIncludeArgs(
                os_type="CHROMEOS",
                type="DESKTOP",
            ),
        ],
        priority=98,
        # "PT43800H" is an ISO 8601 duration of 43,800 hours (1,825 days, about
        # five years), so the rule-level re-authentication interval is very long.
        # Choose a much shorter period for sensitive applications.
        re_authentication_frequency="PT43800H",
        type="ASSURANCE",
        user_types_excludeds=[test_user_type.id],
        user_types_includeds=[default.id],
        users_excludeds=[
            test_user[2].id,
            test_user[3].id,
            test_user[4].id,
        ],
        users_includeds=[
            test_user[0].id,
            test_user[1].id,
        ],
        # Each constraint is one JSON-encoded authenticator constraint object.
        constraints=[
            json.dumps({
                "knowledge": {
                    "reauthenticateIn": "PT2H",
                    "types": ["password"],
                },
                "possession": {
                    "deviceBound": "REQUIRED",
                },
            }),
            json.dumps({
                "possession": {
                    "deviceBound": "REQUIRED",
                    "hardwareProtection": "REQUIRED",
                    "userPresence": "OPTIONAL",
                },
            }),
        ])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as okta from "@pulumi/okta";
    
    // SAML application that the sign-on policy rule will protect. The URLs,
    // issuer and label are sample values; replace them with the service
    // provider's real endpoints before using this outside a test.
    const testSaml = new okta.app.Saml("testSaml", {
        label: "testAcc_replace_with_uuid",
        ssoUrl: "https://google.com",
        recipient: "https://here.com",
        destination: "https://its-about-the-journey.com",
        audience: "https://audience.com",
        subjectNameIdTemplate: "${user.userName}",
        subjectNameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        responseSigned: true,
        signatureAlgorithm: "RSA_SHA256",
        digestAlgorithm: "SHA256",
        honorForceAuthn: false,
        authnContextClassRef: "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        singleLogoutIssuer: "https://dunshire.okta.com",
        singleLogoutUrl: "https://dunshire.okta.com/logout",
        // Base64 certificate body used for single logout; presumably a sample
        // certificate - supply the service provider's own certificate here.
        singleLogoutCertificate: `MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV
    BAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG
    A1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4
    YW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT
    MQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ
    bmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl
    bWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa
    PyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu
    O/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu
    2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c
    fCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi
    Vff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd
    CJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf
    sgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt
    ieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ
    DAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ
    KoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3
    wLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG
    t/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E
    P72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij
    ltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h
    hfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5
    wbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy
    DaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL
    JtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt
    zOYQQatrnBagM7MI2/T4
    `,
        // A GROUP statement with a REGEX filter of ".*" matches every group name,
        // so all of the user's group memberships are released to the service
        // provider. Narrow the pattern to the groups the app needs.
        attributeStatements: [{
            type: "GROUP",
            name: "groups",
            filterType: "REGEX",
            filterValue: ".*",
        }],
    });
    // Look up the sign-on policy attached to the app created above.
    const testAppSignonPolicy = okta.getAppSignonPolicyOutput({
        appId: testSaml.id,
    });
    // Five test users, testUser-0 through testUser-4, created in index order.
    const testUser: okta.user.User[] = [];
    for (let index = 0; index < 5; index++) {
        const user = new okta.user.User(`testUser-${index}`, {
            firstName: "TestAcc",
            lastName: "Smith",
            login: `testAcc_${index}@example.com`,
            email: `testAcc_${index}@example.com`,
        });
        testUser.push(user);
    }
    // Five test groups, this-0 through this-4, created in index order.
    const _this: okta.group.Group[] = [];
    for (let index = 0; index < 5; index++) {
        const group = new okta.group.Group(`this-${index}`, {description: `testAcc_${index}`});
        _this.push(group);
    }
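    // Custom user type that the rule excludes.
    const testUserType = new okta.user.UserType("testUserType", {
        displayName: "Terraform Acceptance Test User Type Updated",
        description: "Terraform Acceptance Test User Type Updated",
    });
    // IP network zone referenced by the rule. The addresses are sample values;
    // substitute the organisation's real gateway and proxy ranges.
    const testZone = new okta.network.Zone("testZone", {
        type: "IP",
        gateways: [
            "1.2.3.4/24",
            "2.3.4.5-2.3.4.15",
        ],
        proxies: [
            "2.2.3.4/24",
            "3.3.4.5-3.3.4.15",
        ],
    });
    // Look up the user type named "user". `default` is a reserved word and
    // cannot be used as a binding name, so the result is bound to `_default`,
    // the name the policy rule in this listing already reads.
    const _default = okta.user.getUserType({
        name: "user",
    });
    // jailbreak: false presumably requires a device that is not rooted -
    // confirm against the DeviceAssuranceAndroid documentation.
    const testDeviceAssuranceAndroid = new okta.policy.DeviceAssuranceAndroid("testDeviceAssuranceAndroid", {
        osVersion: "12",
        jailbreak: false,
    });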
    // Sign-on policy rule: access "ALLOW" with factor mode "2FA", scoped by the
    // user, group, user-type, network-zone, device and platform conditions below.
    const testAppSignonPolicyRule = new okta.AppSignonPolicyRule("testAppSignonPolicyRule", {
        policyId: testAppSignonPolicy.apply(testAppSignonPolicy => testAppSignonPolicy.id),
        access: "ALLOW",
        customExpression: "user.status == \"ACTIVE\"",
        deviceIsManaged: false,
        deviceIsRegistered: true,
        factorMode: "2FA",
        groupsExcludeds: [
            _this[2].id,
            _this[3].id,
            _this[4].id,
        ],
        groupsIncludeds: [
            _this[0].id,
            _this[1].id,
        ],
        deviceAssurancesIncludeds: [testDeviceAssuranceAndroid.id],
        networkConnection: "ZONE",
        networkIncludes: [testZone.id],
        platformIncludes: [
            {
                osType: "ANDROID",
                type: "MOBILE",
            },
            {
                osType: "IOS",
                type: "MOBILE",
            },
            {
                osType: "MACOS",
                type: "DESKTOP",
            },
            {
                osType: "OTHER",
                type: "DESKTOP",
            },
            {
                osType: "OTHER",
                type: "MOBILE",
            },
            {
                osType: "WINDOWS",
                type: "DESKTOP",
            },
            {
                osType: "CHROMEOS",
                type: "DESKTOP",
            },
        ],
        priority: 98,
        // "PT43800H" is an ISO 8601 duration of 43,800 hours (1,825 days, about
        // five years), so the rule-level re-authentication interval is very long.
        // Choose a much shorter period for sensitive applications.
        reAuthenticationFrequency: "PT43800H",
        type: "ASSURANCE",
        userTypesExcludeds: [testUserType.id],
        // NOTE(review): this reads `_default`; check that the user-type lookup
        // earlier in the listing is bound to that exact name.
        userTypesIncludeds: [_default.then(_default => _default.id)],
        usersExcludeds: [
            testUser[2].id,
            testUser[3].id,
            testUser[4].id,
        ],
        usersIncludeds: [
            testUser[0].id,
            testUser[1].id,
        ],
        // Each constraint is one JSON-encoded authenticator constraint object.
        constraints: [
            JSON.stringify({
                knowledge: {
                    reauthenticateIn: "PT2H",
                    types: ["password"],
                },
                possession: {
                    deviceBound: "REQUIRED",
                },
            }),
            JSON.stringify({
                possession: {
                    deviceBound: "REQUIRED",
                    hardwareProtection: "REQUIRED",
                    userPresence: "OPTIONAL",
                },
            }),
        ],
    });
    
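    resources:
      # SAML application that the sign-on policy rule will protect. The URLs,
      # issuer and label are sample values; replace them with the service
      # provider's real endpoints before using this outside a test.
      testSaml:
        type: okta:app:Saml
        properties:
          label: testAcc_replace_with_uuid
          ssoUrl: https://google.com
          recipient: https://here.com
          destination: https://its-about-the-journey.com
          audience: https://audience.com
          subjectNameIdTemplate: ${user.userName}
          subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
          responseSigned: true
          signatureAlgorithm: RSA_SHA256
          digestAlgorithm: SHA256
          honorForceAuthn: false
          authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
          singleLogoutIssuer: https://dunshire.okta.com
          singleLogoutUrl: https://dunshire.okta.com/logout
          # Base64 certificate body used for single logout; presumably a sample
          # certificate. The value must stay on one physical line: a line break
          # inside a double-quoted scalar is folded into a space, which would
          # corrupt the base64 text.
          singleLogoutCertificate: "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\nBAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG\r\nA1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4\r\nYW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT\r\nMQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ\r\nbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl\r\nbWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa\r\nPyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu\r\nO/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu\r\n2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c\r\nfCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi\r\nVff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd\r\nCJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf\r\nsgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt\r\nieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ\r\nDAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ\r\nKoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3\r\nwLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG\r\nt/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E\r\nP72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij\r\nltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h\r\nhfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5\r\nwbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy\r\nDaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL\r\nJtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt\r\nzOYQQatrnBagM7MI2/T4\r\n"
          # A GROUP statement with a REGEX filter of ".*" matches every group
          # name, so all of the user's group memberships are released to the
          # service provider. Narrow the pattern to the groups the app needs.
          attributeStatements:
            - type: GROUP
              name: groups
              filterType: REGEX
              filterValue: .*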
      # NOTE(review): ${range.value} is not defined anywhere in this program,
      # while the policy rule indexes testUser[0..4]; this looks like a
      # leftover of the five-iteration loop in the other language versions -
      # confirm how the five users should be declared here.
      testUser:
        type: okta:user:User
        properties:
          firstName: TestAcc
          lastName: Smith
          login: testAcc_${range.value}@example.com
          email: testAcc_${range.value}@example.com
        options: {}
      # NOTE(review): same open question as testUser; the rule indexes this[0..4].
      this:
        type: okta:group:Group
        properties:
          description: testAcc_${range.value}
        options: {}
      # Custom user type that the rule excludes.
      testUserType:
        type: okta:user:UserType
        properties:
          displayName: Terraform Acceptance Test User Type Updated
          description: Terraform Acceptance Test User Type Updated
      # IP network zone referenced by the rule. The addresses are sample
      # values; substitute the organisation's real gateway and proxy ranges.
      testZone:
        type: okta:network:Zone
        properties:
          type: IP
          gateways:
            - 1.2.3.4/24
            - 2.3.4.5-2.3.4.15
          proxies:
            - 2.2.3.4/24
            - 3.3.4.5-3.3.4.15
      # jailbreak: false presumably requires a device that is not rooted -
      # confirm against the DeviceAssuranceAndroid documentation.
      testDeviceAssuranceAndroid:
        type: okta:policy:DeviceAssuranceAndroid
        properties:
          osVersion: '12'
          jailbreak: false
      # Sign-on policy rule: access ALLOW with factor mode 2FA, scoped by the
      # user, group, user-type, network-zone, device and platform conditions.
      testAppSignonPolicyRule:
        type: okta:AppSignonPolicyRule
        properties:
          policyId: ${testAppSignonPolicy.id}
          access: ALLOW
          customExpression: user.status == "ACTIVE"
          deviceIsManaged: false
          deviceIsRegistered: true
          factorMode: 2FA
          groupsExcludeds:
            - ${this[2].id}
            - ${this[3].id}
            - ${this[4].id}
          groupsIncludeds:
            - ${this[0].id}
            - ${this[1].id}
          deviceAssurancesIncludeds:
            - ${testDeviceAssuranceAndroid.id}
          networkConnection: ZONE
          networkIncludes:
            - ${testZone.id}
          platformIncludes:
            - osType: ANDROID
              type: MOBILE
            - osType: IOS
              type: MOBILE
            - osType: MACOS
              type: DESKTOP
            - osType: OTHER
              type: DESKTOP
            - osType: OTHER
              type: MOBILE
            - osType: WINDOWS
              type: DESKTOP
            - osType: CHROMEOS
              type: DESKTOP
          priority: 98
          # PT43800H is an ISO 8601 duration of 43,800 hours (1,825 days, about
          # five years), so the rule-level re-authentication interval is very
          # long. Choose a much shorter period for sensitive applications.
          reAuthenticationFrequency: PT43800H
          type: ASSURANCE
          userTypesExcludeds:
            - ${testUserType.id}
          userTypesIncludeds:
            - ${default.id}
          usersExcludeds:
            - ${testUser[2].id}
            - ${testUser[3].id}
            - ${testUser[4].id}
          usersIncludeds:
            - ${testUser[0].id}
            - ${testUser[1].id}
          # Each constraint is serialised to one JSON authenticator constraint object.
          constraints:
            - fn::toJSON:
                knowledge:
                  reauthenticateIn: PT2H
                  types:
                    - password
                possession:
                  deviceBound: REQUIRED
            - fn::toJSON:
                possession:
                  deviceBound: REQUIRED
                  hardwareProtection: REQUIRED
                  userPresence: OPTIONAL
    # Lookups used by the resources above: the sign-on policy of the testSaml
    # app, and the user type named "user".
    variables:
      testAppSignonPolicy:
        fn::invoke:
          Function: okta:getAppSignonPolicy
          Arguments:
            appId: ${testSaml.id}
      default:
        fn::invoke:
          Function: okta:user:getUserType
          Arguments:
            name: user
    

    Create AppSignonPolicyRule Resource

    new AppSignonPolicyRule(name: string, args: AppSignonPolicyRuleArgs, opts?: CustomResourceOptions);
    @overload
    def AppSignonPolicyRule(resource_name: str,
                            opts: Optional[ResourceOptions] = None,
                            access: Optional[str] = None,
                            constraints: Optional[Sequence[str]] = None,
                            custom_expression: Optional[str] = None,
                            device_assurances_includeds: Optional[Sequence[str]] = None,
                            device_is_managed: Optional[bool] = None,
                            device_is_registered: Optional[bool] = None,
                            factor_mode: Optional[str] = None,
                            groups_excludeds: Optional[Sequence[str]] = None,
                            groups_includeds: Optional[Sequence[str]] = None,
                            inactivity_period: Optional[str] = None,
                            name: Optional[str] = None,
                            network_connection: Optional[str] = None,
                            network_excludes: Optional[Sequence[str]] = None,
                            network_includes: Optional[Sequence[str]] = None,
                            platform_includes: Optional[Sequence[AppSignonPolicyRulePlatformIncludeArgs]] = None,
                            policy_id: Optional[str] = None,
                            priority: Optional[int] = None,
                            re_authentication_frequency: Optional[str] = None,
                            risk_score: Optional[str] = None,
                            status: Optional[str] = None,
                            type: Optional[str] = None,
                            user_types_excludeds: Optional[Sequence[str]] = None,
                            user_types_includeds: Optional[Sequence[str]] = None,
                            users_excludeds: Optional[Sequence[str]] = None,
                            users_includeds: Optional[Sequence[str]] = None)
    @overload
    def AppSignonPolicyRule(resource_name: str,
                            args: AppSignonPolicyRuleArgs,
                            opts: Optional[ResourceOptions] = None)
    func NewAppSignonPolicyRule(ctx *Context, name string, args AppSignonPolicyRuleArgs, opts ...ResourceOption) (*AppSignonPolicyRule, error)
    public AppSignonPolicyRule(string name, AppSignonPolicyRuleArgs args, CustomResourceOptions? opts = null)
    public AppSignonPolicyRule(String name, AppSignonPolicyRuleArgs args)
    public AppSignonPolicyRule(String name, AppSignonPolicyRuleArgs args, CustomResourceOptions options)
    
    type: okta:AppSignonPolicyRule
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args AppSignonPolicyRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AppSignonPolicyRuleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AppSignonPolicyRuleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AppSignonPolicyRuleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AppSignonPolicyRuleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    AppSignonPolicyRule Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The AppSignonPolicyRule resource accepts the following input properties:

    PolicyId string
    ID of the app sign-on policy.
    Access string
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    Constraints List<string>
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    CustomExpression string
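    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with the rule's other conditions, the rule may not match any users; sign-on requests are then evaluated against the policy's remaining rules, ending with the Catch-all Rule, so confirm that those rules are not more permissive than this one.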
    DeviceAssurancesIncludeds List<string>
    List of device assurances IDs to be included.
    DeviceIsManaged bool
    Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    DeviceIsRegistered bool
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    FactorMode string
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    GroupsExcludeds List<string>
    List of groups IDs to be excluded.
    GroupsIncludeds List<string>
    List of groups IDs to be included.
    InactivityPeriod string
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    Name string
    Name of the policy rule.
    NetworkConnection string
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    NetworkExcludes List<string>
    List of network zones IDs to exclude. Conflicts with network_includes.
    NetworkIncludes List<string>
    List of network zones IDs to include. Conflicts with network_excludes.
    PlatformIncludes List<AppSignonPolicyRulePlatformInclude>
    List of particular platforms or devices to match on.
    Priority int
    Priority of the rule.
    ReAuthenticationFrequency string
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    RiskScore string
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    Status string
    Status of the rule
    Type string
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    UserTypesExcludeds List<string>
    List of user types IDs to be excluded.
    UserTypesIncludeds List<string>
    List of user types IDs to be included.
    UsersExcludeds List<string>
    List of users IDs to be excluded.
    UsersIncludeds List<string>
    List of users IDs to be included.
    PolicyId string
    ID of the app sign-on policy.
    Access string
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    Constraints []string
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    CustomExpression string
    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
    DeviceAssurancesIncludeds []string
    List of device assurances IDs to be included.
    DeviceIsManaged bool
    Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    DeviceIsRegistered bool
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    FactorMode string
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    GroupsExcludeds []string
    List of groups IDs to be excluded.
    GroupsIncludeds []string
    List of groups IDs to be included.
    InactivityPeriod string
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    Name string
    Name of the policy rule.
    NetworkConnection string
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    NetworkExcludes []string
    List of network zones IDs to exclude. Conflicts with network_includes.
    NetworkIncludes []string
    List of network zones IDs to include. Conflicts with network_excludes.
    PlatformIncludes []AppSignonPolicyRulePlatformIncludeArgs
    List of particular platforms or devices to match on.
    Priority int
    Priority of the rule.
    ReAuthenticationFrequency string
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    RiskScore string
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    Status string
    Status of the rule
    Type string
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    UserTypesExcludeds []string
    List of user types IDs to be excluded.
    UserTypesIncludeds []string
    List of user types IDs to be included.
    UsersExcludeds []string
    List of users IDs to be excluded.
    UsersIncludeds []string
    List of users IDs to be included.
    policyId String
    ID of the app sign-on policy.
    access String
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    constraints List<String>
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    customExpression String
    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
    deviceAssurancesIncludeds List<String>
    List of device assurances IDs to be included.
    deviceIsManaged Boolean
    Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    deviceIsRegistered Boolean
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    factorMode String
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    groupsExcludeds List<String>
    List of groups IDs to be excluded.
    groupsIncludeds List<String>
    List of groups IDs to be included.
    inactivityPeriod String
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    name String
    Name of the policy rule.
    networkConnection String
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    networkExcludes List<String>
    List of network zones IDs to exclude. Conflicts with network_includes.
    networkIncludes List<String>
    List of network zones IDs to include. Conflicts with network_excludes.
    platformIncludes List<AppSignonPolicyRulePlatformInclude>
    List of particular platforms or devices to match on.
    priority Integer
    Priority of the rule.
    reAuthenticationFrequency String
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    riskScore String
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    status String
    Status of the rule
    type String
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    userTypesExcludeds List<String>
    List of user types IDs to be excluded.
    userTypesIncludeds List<String>
    List of user types IDs to be included.
    usersExcludeds List<String>
    List of users IDs to be excluded.
    usersIncludeds List<String>
    List of users IDs to be included.
    policyId string
    ID of the app sign-on policy.
    access string
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    constraints string[]
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    customExpression string
    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
    deviceAssurancesIncludeds string[]
    List of device assurances IDs to be included.
    deviceIsManaged boolean
    Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    deviceIsRegistered boolean
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    factorMode string
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    groupsExcludeds string[]
    List of groups IDs to be excluded.
    groupsIncludeds string[]
    List of groups IDs to be included.
    inactivityPeriod string
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    name string
    Name of the policy rule.
    networkConnection string
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    networkExcludes string[]
    List of network zones IDs to exclude. Conflicts with network_includes.
    networkIncludes string[]
    List of network zones IDs to include. Conflicts with network_excludes.
    platformIncludes AppSignonPolicyRulePlatformInclude[]
    List of particular platforms or devices to match on.
    priority number
    Priority of the rule.
    reAuthenticationFrequency string
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    riskScore string
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    status string
    Status of the rule
    type string
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    userTypesExcludeds string[]
    List of user types IDs to be excluded.
    userTypesIncludeds string[]
    List of user types IDs to be included.
    usersExcludeds string[]
    List of users IDs to be excluded.
    usersIncludeds string[]
    List of users IDs to be included.
    policy_id str
    ID of the app sign-on policy.
    access str
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    constraints Sequence[str]
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    custom_expression str
    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
    device_assurances_includeds Sequence[str]
    List of device assurances IDs to be included.
    device_is_managed bool
    Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    device_is_registered bool
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    factor_mode str
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    groups_excludeds Sequence[str]
    List of groups IDs to be excluded.
    groups_includeds Sequence[str]
    List of groups IDs to be included.
    inactivity_period str
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    name str
    Name of the policy rule.
    network_connection str
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    network_excludes Sequence[str]
    List of network zones IDs to exclude. Conflicts with network_includes.
    network_includes Sequence[str]
    List of network zones IDs to include. Conflicts with network_excludes.
    platform_includes Sequence[AppSignonPolicyRulePlatformIncludeArgs]
    List of particular platforms or devices to match on.
    priority int
    Priority of the rule.
    re_authentication_frequency str
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    risk_score str
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    status str
    Status of the rule
    type str
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    user_types_excludeds Sequence[str]
    List of user types IDs to be excluded.
    user_types_includeds Sequence[str]
    List of user types IDs to be included.
    users_excludeds Sequence[str]
    List of users IDs to be excluded.
    users_includeds Sequence[str]
    List of users IDs to be included.
    policyId String
    ID of the app sign-on policy.
    access String
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    constraints List<String>
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    customExpression String
    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
    deviceAssurancesIncludeds List<String>
    List of device assurances IDs to be included.
    deviceIsManaged Boolean
    Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    deviceIsRegistered Boolean
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    factorMode String
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    groupsExcludeds List<String>
    List of groups IDs to be excluded.
    groupsIncludeds List<String>
    List of groups IDs to be included.
    inactivityPeriod String
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    name String
    Name of the policy rule.
    networkConnection String
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    networkExcludes List<String>
    List of network zones IDs to exclude. Conflicts with network_includes.
    networkIncludes List<String>
    List of network zones IDs to include. Conflicts with network_excludes.
    platformIncludes List<Property Map>
    List of particular platforms or devices to match on.
    priority Number
    Priority of the rule.
    reAuthenticationFrequency String
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    riskScore String
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    status String
    Status of the rule
    type String
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    userTypesExcludeds List<String>
    List of user types IDs to be excluded.
    userTypesIncludeds List<String>
    List of user types IDs to be included.
    usersExcludeds List<String>
    List of users IDs to be excluded.
    usersIncludeds List<String>
    List of users IDs to be included.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AppSignonPolicyRule resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    System bool
    Whether this rule is the system (default) rule for its associated policy; the system rule is often the "Catch-all Rule".
    Id string
    The provider-assigned unique ID for this managed resource.
    System bool
    Whether this rule is the system (default) rule for its associated policy; the system rule is often the "Catch-all Rule".
    id String
    The provider-assigned unique ID for this managed resource.
    system Boolean
    Whether this rule is the system (default) rule for its associated policy; the system rule is often the "Catch-all Rule".
    id string
    The provider-assigned unique ID for this managed resource.
    system boolean
    Whether this rule is the system (default) rule for its associated policy; the system rule is often the "Catch-all Rule".
    id str
    The provider-assigned unique ID for this managed resource.
    system bool
    Whether this rule is the system (default) rule for its associated policy; the system rule is often the "Catch-all Rule".
    id String
    The provider-assigned unique ID for this managed resource.
    system Boolean
    Whether this rule is the system (default) rule for its associated policy; the system rule is often the "Catch-all Rule".

    Look up Existing AppSignonPolicyRule Resource

    Get an existing AppSignonPolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AppSignonPolicyRuleState, opts?: CustomResourceOptions): AppSignonPolicyRule
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            access: Optional[str] = None,
            constraints: Optional[Sequence[str]] = None,
            custom_expression: Optional[str] = None,
            device_assurances_includeds: Optional[Sequence[str]] = None,
            device_is_managed: Optional[bool] = None,
            device_is_registered: Optional[bool] = None,
            factor_mode: Optional[str] = None,
            groups_excludeds: Optional[Sequence[str]] = None,
            groups_includeds: Optional[Sequence[str]] = None,
            inactivity_period: Optional[str] = None,
            name: Optional[str] = None,
            network_connection: Optional[str] = None,
            network_excludes: Optional[Sequence[str]] = None,
            network_includes: Optional[Sequence[str]] = None,
            platform_includes: Optional[Sequence[AppSignonPolicyRulePlatformIncludeArgs]] = None,
            policy_id: Optional[str] = None,
            priority: Optional[int] = None,
            re_authentication_frequency: Optional[str] = None,
            risk_score: Optional[str] = None,
            status: Optional[str] = None,
            system: Optional[bool] = None,
            type: Optional[str] = None,
            user_types_excludeds: Optional[Sequence[str]] = None,
            user_types_includeds: Optional[Sequence[str]] = None,
            users_excludeds: Optional[Sequence[str]] = None,
            users_includeds: Optional[Sequence[str]] = None) -> AppSignonPolicyRule
    func GetAppSignonPolicyRule(ctx *Context, name string, id IDInput, state *AppSignonPolicyRuleState, opts ...ResourceOption) (*AppSignonPolicyRule, error)
    public static AppSignonPolicyRule Get(string name, Input<string> id, AppSignonPolicyRuleState? state, CustomResourceOptions? opts = null)
    public static AppSignonPolicyRule get(String name, Output<String> id, AppSignonPolicyRuleState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Access string
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    Constraints List<string>
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    CustomExpression string
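    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with the rule's other conditions, the rule may not match any users; sign-on requests are then evaluated against the policy's remaining rules, ending with the Catch-all Rule, so confirm that those rules are not more permissive than this one.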
    DeviceAssurancesIncludeds List<string>
    List of device assurances IDs to be included.
    DeviceIsManaged bool
    Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    DeviceIsRegistered bool
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    FactorMode string
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    GroupsExcludeds List<string>
    List of groups IDs to be excluded.
    GroupsIncludeds List<string>
    List of groups IDs to be included.
    InactivityPeriod string
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    Name string
    Name of the policy rule.
    NetworkConnection string
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    NetworkExcludes List<string>
    List of network zones IDs to exclude. Conflicts with network_includes.
    NetworkIncludes List<string>
    List of network zones IDs to include. Conflicts with network_excludes.
    PlatformIncludes List<AppSignonPolicyRulePlatformInclude>
    List of particular platforms or devices to match on.
    PolicyId string
    ID of the app sign-on policy.
    Priority int
    Priority of the rule.
    ReAuthenticationFrequency string
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    RiskScore string
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    Status string
    Status of the rule
    System bool
    Whether this rule is the system (default) rule for its associated policy; the system rule is often the "Catch-all Rule".
    Type string
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    UserTypesExcludeds List<string>
    List of user types IDs to be excluded.
    UserTypesIncludeds List<string>
    List of user types IDs to be included.
    UsersExcludeds List<string>
    List of users IDs to be excluded.
    UsersIncludeds List<string>
    List of users IDs to be included.
    Access string
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    Constraints []string
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    CustomExpression string
    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
    DeviceAssurancesIncludeds []string
    List of device assurances IDs to be included.
    DeviceIsManaged bool
    Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    DeviceIsRegistered bool
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    FactorMode string
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    GroupsExcludeds []string
    List of groups IDs to be excluded.
    GroupsIncludeds []string
    List of groups IDs to be included.
    InactivityPeriod string
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    Name string
    Name of the policy rule.
    NetworkConnection string
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    NetworkExcludes []string
    List of network zones IDs to exclude. Conflicts with network_includes.
    NetworkIncludes []string
    List of network zones IDs to include. Conflicts with network_excludes.
    PlatformIncludes []AppSignonPolicyRulePlatformIncludeArgs
    List of particular platforms or devices to match on.
    PolicyId string
    ID of the app sign-on policy.
    Priority int
    Priority of the rule.
    ReAuthenticationFrequency string
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    RiskScore string
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    Status string
    Status of the rule
    System bool
    Whether this rule is the system (default) rule for its associated policy; the system rule is often the "Catch-all Rule".
    Type string
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    UserTypesExcludeds []string
    List of user types IDs to be excluded.
    UserTypesIncludeds []string
    List of user types IDs to be included.
    UsersExcludeds []string
    List of users IDs to be excluded.
    UsersIncludeds []string
    List of users IDs to be included.
    access String
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    constraints List<String>
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    customExpression String
    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.
    deviceAssurancesIncludeds List<String>
    List of device assurances IDs to be included.
    deviceIsManaged Boolean
    Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    deviceIsRegistered Boolean
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    factorMode String
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    groupsExcludeds List<String>
    List of groups IDs to be excluded.
    groupsIncludeds List<String>
    List of groups IDs to be included.
    inactivityPeriod String
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    name String
    Name of the policy rule.
    networkConnection String
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    networkExcludes List<String>
    List of network zones IDs to exclude. Conflicts with network_includes.
    networkIncludes List<String>
    List of network zones IDs to include. Conflicts with network_excludes.
    platformIncludes List<AppSignonPolicyRulePlatformInclude>
    List of particular platforms or devices to match on.
    policyId String
    ID of the app sign-on policy.
    priority Integer
    Priority of the rule.
    reAuthenticationFrequency String
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    riskScore String
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    status String
    Status of the rule
    system Boolean
    Whether this rule is the system (default) rule for its associated policy. The system rule is often the "Catch-all Rule".
    type String
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    userTypesExcludeds List<String>
    List of user types IDs to be excluded.
    userTypesIncludeds List<String>
    List of user types IDs to be included.
    usersExcludeds List<String>
    List of users IDs to be excluded.
    usersIncludeds List<String>
    List of users IDs to be included.
    access string
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    constraints string[]
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    customExpression string
    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with the rule's other conditions, the rule may not match any users, in which case its access and assurance settings are never applied.
    deviceAssurancesIncludeds string[]
    List of device assurances IDs to be included.
    deviceIsManaged boolean
    Whether the device must be managed. A device is managed if it is enrolled in a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    deviceIsRegistered boolean
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    factorMode string
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    groupsExcludeds string[]
    List of groups IDs to be excluded.
    groupsIncludeds string[]
    List of groups IDs to be included.
    inactivityPeriod string
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    name string
    Name of the policy rule.
    networkConnection string
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    networkExcludes string[]
    List of network zones IDs to exclude. Conflicts with network_includes.
    networkIncludes string[]
    List of network zones IDs to include. Conflicts with network_excludes.
    platformIncludes AppSignonPolicyRulePlatformInclude[]
    List of particular platforms or devices to match on.
    policyId string
    ID of the app sign-on policy.
    priority number
    Priority of the rule.
    reAuthenticationFrequency string
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    riskScore string
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    status string
    Status of the rule
    system boolean
    Whether this rule is the system (default) rule for its associated policy. The system rule is often the "Catch-all Rule".
    type string
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    userTypesExcludeds string[]
    List of user types IDs to be excluded.
    userTypesIncludeds string[]
    List of user types IDs to be included.
    usersExcludeds string[]
    List of users IDs to be excluded.
    usersIncludeds string[]
    List of users IDs to be included.
    access str
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    constraints Sequence[str]
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    custom_expression str
    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with the rule's other conditions, the rule may not match any users, in which case its access and assurance settings are never applied.
    device_assurances_includeds Sequence[str]
    List of device assurances IDs to be included.
    device_is_managed bool
    Whether the device must be managed. A device is managed if it is enrolled in a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    device_is_registered bool
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    factor_mode str
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    groups_excludeds Sequence[str]
    List of groups IDs to be excluded.
    groups_includeds Sequence[str]
    List of groups IDs to be included.
    inactivity_period str
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    name str
    Name of the policy rule.
    network_connection str
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    network_excludes Sequence[str]
    List of network zones IDs to exclude. Conflicts with network_includes.
    network_includes Sequence[str]
    List of network zones IDs to include. Conflicts with network_excludes.
    platform_includes Sequence[AppSignonPolicyRulePlatformIncludeArgs]
    List of particular platforms or devices to match on.
    policy_id str
    ID of the app sign-on policy.
    priority int
    Priority of the rule.
    re_authentication_frequency str
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    risk_score str
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    status str
    Status of the rule
    system bool
    Whether this rule is the system (default) rule for its associated policy. The system rule is often the "Catch-all Rule".
    type str
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    user_types_excludeds Sequence[str]
    List of user types IDs to be excluded.
    user_types_includeds Sequence[str]
    List of user types IDs to be included.
    users_excludeds Sequence[str]
    List of users IDs to be excluded.
    users_includeds Sequence[str]
    List of users IDs to be included.
    access String
    Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".
    constraints List<String>
    An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.
    customExpression String
    This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with the rule's other conditions, the rule may not match any users, in which case its access and assurance settings are never applied.
    deviceAssurancesIncludeds List<String>
    List of device assurances IDs to be included.
    deviceIsManaged Boolean
    Whether the device must be managed. A device is managed if it is enrolled in a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.
    deviceIsRegistered Boolean
    If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.
    factorMode String
    The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".
    groupsExcludeds List<String>
    List of groups IDs to be excluded.
    groupsIncludeds List<String>
    List of groups IDs to be included.
    inactivityPeriod String
    The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".
    name String
    Name of the policy rule.
    networkConnection String
    Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".
    networkExcludes List<String>
    List of network zones IDs to exclude. Conflicts with network_includes.
    networkIncludes List<String>
    List of network zones IDs to include. Conflicts with network_excludes.
    platformIncludes List<Property Map>
    List of particular platforms or devices to match on.
    policyId String
    ID of the app sign-on policy.
    priority Number
    Priority of the rule.
    reAuthenticationFrequency String
    The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".
    riskScore String
    The risk score specifies a particular level of risk to match on. Valid values are: "ANY", "LOW", "MEDIUM", "HIGH". Default is "ANY".
    status String
    Status of the rule
    system Boolean
    Whether this rule is the system (default) rule for its associated policy. The system rule is often the "Catch-all Rule".
    type String
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    userTypesExcludeds List<String>
    List of user types IDs to be excluded.
    userTypesIncludeds List<String>
    List of user types IDs to be included.
    usersExcludeds List<String>
    List of users IDs to be excluded.
    usersIncludeds List<String>
    List of users IDs to be included.

    Supporting Types

    AppSignonPolicyRulePlatformInclude, AppSignonPolicyRulePlatformIncludeArgs

    OsExpression string
    Only available and required when using os_type = "OTHER"
    OsType string
    One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS", "CHROMEOS"
    Type string
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    OsExpression string
    Only available and required when using os_type = "OTHER"
    OsType string
    One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS", "CHROMEOS"
    Type string
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    osExpression String
    Only available and required when using os_type = "OTHER"
    osType String
    One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS", "CHROMEOS"
    type String
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    osExpression string
    Only available and required when using os_type = "OTHER"
    osType string
    One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS", "CHROMEOS"
    type string
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    os_expression str
    Only available and required when using os_type = "OTHER"
    os_type str
    One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS", "CHROMEOS"
    type str
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".
    osExpression String
    Only available and required when using os_type = "OTHER"
    osType String
    One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS", "CHROMEOS"
    type String
    The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

    Import

    An Okta app sign-on policy rule can be imported by its Okta IDs, given as the policy ID followed by the rule ID.

     $ pulumi import okta:index/appSignonPolicyRule:AppSignonPolicyRule example <policy_id>/<rule_id>
    

    Package Details

    Repository
    Okta pulumi/pulumi-okta
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the okta Terraform Provider.
    Okta v4.8.0 published on Saturday, Mar 2, 2024 by Pulumi