Okta v3.21.0, Mar 15 23

okta.AppSignonPolicyRule

WARNING: This feature is only available as a part of the Identity Engine. Contact support for further information.

This resource allows you to create and configure a sign-on policy rule for the application.

A default or Catch-all Rule sign-on policy rule can be imported and managed like a custom rule. The only difference is that the following fields are immutable on it and cannot be managed: network_connection, network_excludes, network_includes, platform_include, custom_expression, device_is_registered, device_is_managed, users_excluded, users_included, groups_excluded, groups_included, user_types_excluded and user_types_included.

Example Usage

Example 1:

using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Okta = Pulumi.Okta;

// Pulumi program that registers one app sign-on policy rule named "test".
return await Deployment.RunAsync(() =>
{
    // Constraints takes JSON documents. This one lists a single knowledge
    // factor type, "password", and says nothing about possession factors.
    var passwordOnly = JsonSerializer.Serialize(new Dictionary<string, object?>
    {
        ["knowledge"] = new Dictionary<string, object?>
        {
            ["types"] = new[] { "password" },
        },
    });

    // NOTE(review): `data` is not declared anywhere in this listing; the policy
    // lookup it stands for has to be supplied before the program compiles.
    var rule = new Okta.AppSignonPolicyRule("test", new()
    {
        PolicyId = data.Okta_app_signon_policy.Test.Id,
        Constraints = new[] { passwordOnly },
    });
});
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-okta/sdk/v3/go/okta"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main runs a Pulumi program that registers one app sign-on policy rule
// named "test".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Constraints takes JSON documents. This one lists a single knowledge
		// factor type, "password", and says nothing about possession factors.
		constraint := map[string]interface{}{
			"knowledge": map[string]interface{}{
				"types": []string{"password"},
			},
		}
		encoded, err := json.Marshal(constraint)
		if err != nil {
			return err
		}

		// NOTE(review): `data` is not declared anywhere in this listing; the
		// policy lookup it stands for has to be supplied before this compiles.
		ruleArgs := &okta.AppSignonPolicyRuleArgs{
			PolicyId:    pulumi.Any(data.Okta_app_signon_policy.Test.Id),
			Constraints: pulumi.StringArray{pulumi.String(string(encoded))},
		}
		_, err = okta.NewAppSignonPolicyRule(ctx, "test", ruleArgs)
		return err
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.AppSignonPolicyRule;
import com.pulumi.okta.AppSignonPolicyRuleArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that registers one app sign-on policy rule named "test".
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Constraints takes JSON documents. This one lists a single knowledge
        // factor type, "password", and says nothing about possession factors.
        final var passwordOnly = serializeJson(
            jsonObject(
                jsonProperty("knowledge", jsonObject(
                    jsonProperty("types", jsonArray("password"))))));

        // NOTE(review): `data` is not declared anywhere in this listing; the
        // policy lookup it stands for has to be supplied before this compiles.
        final var ruleArgs = AppSignonPolicyRuleArgs.builder()
            .policyId(data.okta_app_signon_policy().test().id())
            .constraints(passwordOnly)
            .build();

        var rule = new AppSignonPolicyRule("test", ruleArgs);
    }
}
import pulumi
import json
import pulumi_okta as okta

# Registers one app sign-on policy rule named "test".
# NOTE(review): `data` is not defined anywhere in this listing; the policy
# lookup it stands for has to be supplied before the program runs.
test = okta.AppSignonPolicyRule(
    "test",
    policy_id=data["okta_app_signon_policy"]["test"]["id"],
    # constraints takes JSON strings. This one lists a single knowledge factor
    # type, "password", and says nothing about possession factors.
    constraints=[
        json.dumps({"knowledge": {"types": ["password"]}}),
    ],
)
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";

// NOTE(review): `data` is not declared anywhere in this listing; the policy
// lookup it stands for has to be supplied before the program compiles.
const policyId = data.okta_app_signon_policy.test.id;

// constraints takes JSON strings. This one lists a single knowledge factor
// type, "password", and says nothing about possession factors.
const passwordOnly = JSON.stringify({ knowledge: { types: ["password"] } });

// Registers one app sign-on policy rule named "test".
const test = new okta.AppSignonPolicyRule("test", {
    policyId: policyId,
    constraints: [passwordOnly],
});
# Registers one app sign-on policy rule named "test".
resources:
  test:
    type: okta:AppSignonPolicyRule
    properties:
      # NOTE(review): no `data.okta_app_signon_policy.test` lookup is declared in
      # this listing; it has to be supplied elsewhere for the reference to resolve.
      policyId: ${data.okta_app_signon_policy.test.id}
      # Each entry is turned into a JSON string by fn::toJSON.
      constraints:
        - fn::toJSON:
            # Only a knowledge factor of type "password" is listed; nothing is
            # said about possession factors.
            knowledge:
              types:
                - password


Example 2:

using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Okta = Pulumi.Okta;

// Pulumi program that registers one app sign-on policy rule named "test"
// whose constraint names both a knowledge and a possession requirement.
return await Deployment.RunAsync(() =>
{
    // Knowledge part: password, with "reauthenticateIn" set to the ISO 8601
    // duration PT2H (two hours).
    var knowledge = new Dictionary<string, object?>
    {
        ["reauthenticateIn"] = "PT2H",
        ["types"] = new[] { "password" },
    };

    // Possession part: both deviceBound and hardwareProtection are REQUIRED.
    // NOTE(review): confirm the exact meaning of these keys against Okta's
    // constraint reference; the page does not define them.
    var possession = new Dictionary<string, object?>
    {
        ["deviceBound"] = "REQUIRED",
        ["hardwareProtection"] = "REQUIRED",
    };

    var constraintJson = JsonSerializer.Serialize(new Dictionary<string, object?>
    {
        ["knowledge"] = knowledge,
        ["possession"] = possession,
    });

    // NOTE(review): `data` is not declared anywhere in this listing; the policy
    // lookup it stands for has to be supplied before the program compiles.
    var rule = new Okta.AppSignonPolicyRule("test", new()
    {
        PolicyId = data.Okta_app_signon_policy.Test.Id,
        Constraints = new[] { constraintJson },
    });
});
package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-okta/sdk/v3/go/okta"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main runs a Pulumi program that registers one app sign-on policy rule
// named "test" whose constraint names both a knowledge and a possession
// requirement.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Knowledge part: password, with "reauthenticateIn" set to the ISO 8601
		// duration PT2H (two hours).
		knowledge := map[string]interface{}{
			"reauthenticateIn": "PT2H",
			"types":            []string{"password"},
		}
		// Possession part: both deviceBound and hardwareProtection are REQUIRED.
		// NOTE(review): confirm the exact meaning of these keys against Okta's
		// constraint reference; the page does not define them.
		possession := map[string]interface{}{
			"deviceBound":        "REQUIRED",
			"hardwareProtection": "REQUIRED",
		}

		encoded, err := json.Marshal(map[string]interface{}{
			"knowledge":  knowledge,
			"possession": possession,
		})
		if err != nil {
			return err
		}

		// NOTE(review): `data` is not declared anywhere in this listing; the
		// policy lookup it stands for has to be supplied before this compiles.
		ruleArgs := &okta.AppSignonPolicyRuleArgs{
			PolicyId:    pulumi.Any(data.Okta_app_signon_policy.Test.Id),
			Constraints: pulumi.StringArray{pulumi.String(string(encoded))},
		}
		_, err = okta.NewAppSignonPolicyRule(ctx, "test", ruleArgs)
		return err
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.AppSignonPolicyRule;
import com.pulumi.okta.AppSignonPolicyRuleArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that registers one app sign-on policy rule named "test"
 * whose constraint names both a knowledge and a possession requirement.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Knowledge part: password, with "reauthenticateIn" set to the ISO 8601
        // duration PT2H (two hours). Possession part: deviceBound and
        // hardwareProtection are both REQUIRED.
        // NOTE(review): confirm the exact meaning of the possession keys against
        // Okta's constraint reference; the page does not define them.
        final var constraintJson = serializeJson(
            jsonObject(
                jsonProperty("knowledge", jsonObject(
                    jsonProperty("reauthenticateIn", "PT2H"),
                    jsonProperty("types", jsonArray("password")))),
                jsonProperty("possession", jsonObject(
                    jsonProperty("deviceBound", "REQUIRED"),
                    jsonProperty("hardwareProtection", "REQUIRED")))));

        // NOTE(review): `data` is not declared anywhere in this listing; the
        // policy lookup it stands for has to be supplied before this compiles.
        final var ruleArgs = AppSignonPolicyRuleArgs.builder()
            .policyId(data.okta_app_signon_policy().test().id())
            .constraints(constraintJson)
            .build();

        var rule = new AppSignonPolicyRule("test", ruleArgs);
    }
}
import pulumi
import json
import pulumi_okta as okta

# Registers one app sign-on policy rule named "test" whose constraint names
# both a knowledge and a possession requirement.
# NOTE(review): `data` is not defined anywhere in this listing; the policy
# lookup it stands for has to be supplied before the program runs.
test = okta.AppSignonPolicyRule(
    "test",
    policy_id=data["okta_app_signon_policy"]["test"]["id"],
    constraints=[
        json.dumps({
            # Password, with "reauthenticateIn" set to the ISO 8601 duration
            # PT2H (two hours).
            "knowledge": {"reauthenticateIn": "PT2H", "types": ["password"]},
            # NOTE(review): confirm the exact meaning of these keys against
            # Okta's constraint reference; the page does not define them.
            "possession": {"deviceBound": "REQUIRED", "hardwareProtection": "REQUIRED"},
        }),
    ],
)
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";

// NOTE(review): `data` is not declared anywhere in this listing; the policy
// lookup it stands for has to be supplied before the program compiles.
const policyId = data.okta_app_signon_policy.test.id;

// Knowledge part: password, with reauthenticateIn set to the ISO 8601 duration
// PT2H (two hours). Possession part: deviceBound and hardwareProtection are
// both REQUIRED.
// NOTE(review): confirm the exact meaning of the possession keys against
// Okta's constraint reference; the page does not define them.
const constraintJson = JSON.stringify({
    knowledge: { reauthenticateIn: "PT2H", types: ["password"] },
    possession: { deviceBound: "REQUIRED", hardwareProtection: "REQUIRED" },
});

// Registers one app sign-on policy rule named "test".
const test = new okta.AppSignonPolicyRule("test", {
    policyId: policyId,
    constraints: [constraintJson],
});
# Registers one app sign-on policy rule named "test" whose constraint names
# both a knowledge and a possession requirement.
resources:
  test:
    type: okta:AppSignonPolicyRule
    properties:
      # NOTE(review): no `data.okta_app_signon_policy.test` lookup is declared in
      # this listing; it has to be supplied elsewhere for the reference to resolve.
      policyId: ${data.okta_app_signon_policy.test.id}
      # Each entry is turned into a JSON string by fn::toJSON.
      constraints:
        - fn::toJSON:
            knowledge:
              # ISO 8601 duration: two hours.
              reauthenticateIn: PT2H
              types:
                - password
            # NOTE(review): confirm the exact meaning of these keys against
            # Okta's constraint reference; the page does not define them.
            possession:
              deviceBound: REQUIRED
              hardwareProtection: REQUIRED


Complex example

using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Okta = Pulumi.Okta;

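// Pulumi program for the "complex example": a SAML app, five users, five
// groups, a user type and a network zone, tied together by one app sign-on
// policy rule on the app's sign-on policy.
return await Deployment.RunAsync(() =>
{
    // Sample SAML application. The URLs, label and certificate are the page's
    // sample values and are meant to be replaced.
    var testSaml = new Okta.App.Saml("testSaml", new()
    {
        Label = "testAcc_replace_with_uuid",
        SsoUrl = "https://google.com",
        Recipient = "https://here.com",
        Destination = "https://its-about-the-journey.com",
        Audience = "https://audience.com",
        SubjectNameIdTemplate = "${user.userName}",
        SubjectNameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        ResponseSigned = true,
        SignatureAlgorithm = "RSA_SHA256",
        DigestAlgorithm = "SHA256",
        HonorForceAuthn = false,
        AuthnContextClassRef = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        SingleLogoutIssuer = "https://dunshire.okta.com",
        SingleLogoutUrl = "https://dunshire.okta.com/logout",
        // Verbatim string: the line breaks below are part of the value.
        SingleLogoutCertificate = @"MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV
BAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG
A1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4
YW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT
MQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ
bmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl
bWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa
PyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu
O/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu
2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c
fCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi
Vff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd
CJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf
sgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt
ieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ
DAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ
KoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3
wLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG
t/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E
P72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij
ltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h
hfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5
wbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy
DaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL
JtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt
zOYQQatrnBagM7MI2/T4
",
        AttributeStatements = new[]
        {
            new Okta.App.Inputs.SamlAttributeStatementArgs
            {
                Type = "GROUP",
                Name = "groups",
                // The regex ".*" matches every group name.
                // NOTE(review): presumably every group the user belongs to is
                // released in the "groups" attribute; narrow the filter to what
                // the service provider needs.
                FilterType = "REGEX",
                FilterValue = ".*",
            },
        },
    });

    // Looks up the sign-on policy attached to the SAML app created above.
    var testAppSignonPolicy = Okta.GetAppSignonPolicy.Invoke(new()
    {
        AppId = testSaml.Id,
    });

    // Five sample users, testUser-0 .. testUser-4.
    var testUser = new List<Okta.User.User>();
    for (var rangeIndex = 0; rangeIndex < 5; rangeIndex++)
    {
        var range = new { Value = rangeIndex };
        testUser.Add(new Okta.User.User($"testUser-{range.Value}", new()
        {
            FirstName = "TestAcc",
            LastName = "Smith",
            Login = $"testAcc_{range.Value}@example.com",
            Email = $"testAcc_{range.Value}@example.com",
        }));
    }
    // Five sample groups, this-0 .. this-4.
    var @this = new List<Okta.Group.Group>();
    for (var rangeIndex = 0; rangeIndex < 5; rangeIndex++)
    {
        var range = new { Value = rangeIndex };
        @this.Add(new Okta.Group.Group($"this-{range.Value}", new()
        {
            Description = $"testAcc_{range.Value}",
        }));
    }
    var testUserType = new Okta.User.UserType("testUserType", new()
    {
        DisplayName = "Terraform Acceptance Test User Type Updated",
        Description = "Terraform Acceptance Test User Type Updated",
    });

    // IP network zone referenced by the rule's NetworkIncludes below; the
    // gateway and proxy ranges are the page's sample values.
    var testZone = new Okta.Network.Zone("testZone", new()
    {
        Type = "IP",
        Gateways = new[]
        {
            "1.2.3.4/24",
            "2.3.4.5-2.3.4.15",
        },
        Proxies = new[]
        {
            "2.2.3.4/24",
            "3.3.4.5-3.3.4.15",
        },
    });

    // Looks up the existing user type named "user".
    var @default = Okta.User.GetUserType.Invoke(new()
    {
        Name = "user",
    });

    // The rule itself: ALLOW with FactorMode "2FA", limited to the zone, the
    // listed platforms, and the included users, groups and user types.
    var testAppSignonPolicyRule = new Okta.AppSignonPolicyRule("testAppSignonPolicyRule", new()
    {
        PolicyId = testAppSignonPolicy.Apply(getAppSignonPolicyResult => getAppSignonPolicyResult.Id),
        Access = "ALLOW",
        CustomExpression = "user.status == \"ACTIVE\"",
        // The rule matches devices that are registered but not managed.
        DeviceIsManaged = false,
        DeviceIsRegistered = true,
        FactorMode = "2FA",
        GroupsExcludeds = new[]
        {
            @this[2].Id,
            @this[3].Id,
            @this[4].Id,
        },
        GroupsIncludeds = new[]
        {
            @this[0].Id,
            @this[1].Id,
        },
        NetworkConnection = "ZONE",
        NetworkIncludes = new[]
        {
            testZone.Id,
        },
        PlatformIncludes = new[]
        {
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "ANDROID",
                Type = "MOBILE",
            },
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "IOS",
                Type = "MOBILE",
            },
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "MACOS",
                Type = "DESKTOP",
            },
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "OTHER",
                Type = "DESKTOP",
            },
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "OTHER",
                Type = "MOBILE",
            },
            new Okta.Inputs.AppSignonPolicyRulePlatformIncludeArgs
            {
                OsType = "WINDOWS",
                Type = "DESKTOP",
            },
        },
        Priority = 98,
        // PT43800H is an ISO 8601 duration of 43,800 hours (1,825 days).
        // NOTE(review): confirm this is the intended re-authentication
        // interval; a shorter value forces re-authentication more often.
        ReAuthenticationFrequency = "PT43800H",
        Type = "ASSURANCE",
        UserTypesExcludeds = new[]
        {
            testUserType.Id,
        },
        UserTypesIncludeds = new[]
        {
            // Project the lookup result to its Id, the same way PolicyId does
            // above; the nested Apply with a lambda parameter that reused the
            // name of the enclosing local did not compile.
            @default.Apply(getUserTypeResult => getUserTypeResult.Id),
        },
        UsersExcludeds = new[]
        {
            testUser[2].Id,
            testUser[3].Id,
            testUser[4].Id,
        },
        UsersIncludeds = new[]
        {
            testUser[0].Id,
            testUser[1].Id,
        },
        // Two constraint documents.
        // NOTE(review): the page does not say how several entries are
        // combined; if satisfying any one entry is enough, the weakest entry
        // sets the floor, so review each entry on its own.
        Constraints = new[]
        {
            JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["knowledge"] = new Dictionary<string, object?>
                {
                    ["reauthenticateIn"] = "PT2H",
                    ["types"] = new[]
                    {
                        "password",
                    },
                },
                ["possession"] = new Dictionary<string, object?>
                {
                    ["deviceBound"] = "REQUIRED",
                },
            }),
            JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["possession"] = new Dictionary<string, object?>
                {
                    ["deviceBound"] = "REQUIRED",
                    ["hardwareProtection"] = "REQUIRED",
                    ["userPresence"] = "OPTIONAL",
                },
            }),
        },
    });

});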
package main

import (
	"encoding/json"
	"fmt"

	"github.com/pulumi/pulumi-okta/sdk/v3/go/okta"
	"github.com/pulumi/pulumi-okta/sdk/v3/go/okta/app"
	"github.com/pulumi/pulumi-okta/sdk/v3/go/okta/group"
	"github.com/pulumi/pulumi-okta/sdk/v3/go/okta/network"
	"github.com/pulumi/pulumi-okta/sdk/v3/go/okta/user"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

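// main runs the Pulumi program for the "complex example": a SAML app, five
// users, five groups, a user type and a network zone, tied together by one app
// sign-on policy rule on the app's sign-on policy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Sample SAML application. The URLs, label and certificate are the
		// page's sample values and are meant to be replaced.
		testSaml, err := app.NewSaml(ctx, "testSaml", &app.SamlArgs{
			Label:                 pulumi.String("testAcc_replace_with_uuid"),
			SsoUrl:                pulumi.String("https://google.com"),
			Recipient:             pulumi.String("https://here.com"),
			Destination:           pulumi.String("https://its-about-the-journey.com"),
			Audience:              pulumi.String("https://audience.com"),
			SubjectNameIdTemplate: pulumi.String("${user.userName}"),
			SubjectNameIdFormat:   pulumi.String("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"),
			ResponseSigned:        pulumi.Bool(true),
			SignatureAlgorithm:    pulumi.String("RSA_SHA256"),
			DigestAlgorithm:       pulumi.String("SHA256"),
			HonorForceAuthn:       pulumi.Bool(false),
			AuthnContextClassRef:  pulumi.String("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"),
			SingleLogoutIssuer:    pulumi.String("https://dunshire.okta.com"),
			SingleLogoutUrl:       pulumi.String("https://dunshire.okta.com/logout"),
			// Raw string literal: an interpreted "..." literal cannot span
			// lines, and the line breaks are part of the certificate value.
			SingleLogoutCertificate: pulumi.String(`MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV
BAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG
A1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4
YW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT
MQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ
bmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl
bWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa
PyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu
O/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu
2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c
fCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi
Vff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd
CJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf
sgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt
ieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ
DAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ
KoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3
wLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG
t/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E
P72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij
ltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h
hfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5
wbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy
DaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL
JtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcNk0D5Co3IJ6QekiLfWJyQ+kKsWLKt
zOYQQatrnBagM7MI2/T4
`),
			AttributeStatements: app.SamlAttributeStatementArray{
				// The regex ".*" matches every group name.
				// NOTE(review): presumably every group the user belongs to is
				// released in the "groups" attribute; narrow the filter to
				// what the service provider needs.
				&app.SamlAttributeStatementArgs{
					Type:        pulumi.String("GROUP"),
					Name:        pulumi.String("groups"),
					FilterType:  pulumi.String("REGEX"),
					FilterValue: pulumi.String(".*"),
				},
			},
		})
		if err != nil {
			return err
		}

		// Looks up the sign-on policy attached to the SAML app created above.
		testAppSignonPolicy := okta.LookupAppSignonPolicyOutput(ctx, okta.GetAppSignonPolicyOutputArgs{
			AppId: testSaml.ID(),
		}, nil)

		// Five sample users, testUser-0 .. testUser-4.
		var testUser []*user.User
		for i := 0; i < 5; i++ {
			u, err := user.NewUser(ctx, fmt.Sprintf("testUser-%v", i), &user.UserArgs{
				FirstName: pulumi.String("TestAcc"),
				LastName:  pulumi.String("Smith"),
				Login:     pulumi.String(fmt.Sprintf("testAcc_%v@example.com", i)),
				Email:     pulumi.String(fmt.Sprintf("testAcc_%v@example.com", i)),
			})
			if err != nil {
				return err
			}
			testUser = append(testUser, u)
		}

		// Five sample groups, this-0 .. this-4.
		var this []*group.Group
		for i := 0; i < 5; i++ {
			g, err := group.NewGroup(ctx, fmt.Sprintf("this-%v", i), &group.GroupArgs{
				Description: pulumi.String(fmt.Sprintf("testAcc_%v", i)),
			})
			if err != nil {
				return err
			}
			this = append(this, g)
		}

		testUserType, err := user.NewUserType(ctx, "testUserType", &user.UserTypeArgs{
			DisplayName: pulumi.String("Terraform Acceptance Test User Type Updated"),
			Description: pulumi.String("Terraform Acceptance Test User Type Updated"),
		})
		if err != nil {
			return err
		}

		// IP network zone referenced by the rule's NetworkIncludes below; the
		// gateway and proxy ranges are the page's sample values.
		testZone, err := network.NewZone(ctx, "testZone", &network.ZoneArgs{
			Type: pulumi.String("IP"),
			Gateways: pulumi.StringArray{
				pulumi.String("1.2.3.4/24"),
				pulumi.String("2.3.4.5-2.3.4.15"),
			},
			Proxies: pulumi.StringArray{
				pulumi.String("2.2.3.4/24"),
				pulumi.String("3.3.4.5-3.3.4.15"),
			},
		})
		if err != nil {
			return err
		}

		// Looks up the existing user type named "user".
		defaultUserType, err := user.LookupUserType(ctx, &user.LookupUserTypeArgs{
			Name: "user",
		}, nil)
		if err != nil {
			return err
		}

		// Two constraint documents, each serialised to a JSON string.
		// NOTE(review): the page does not say how several entries are
		// combined; if satisfying any one entry is enough, the weakest entry
		// sets the floor, so review each entry on its own.
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"knowledge": map[string]interface{}{
				"reauthenticateIn": "PT2H",
				"types": []string{
					"password",
				},
			},
			"possession": map[string]interface{}{
				"deviceBound": "REQUIRED",
			},
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		tmpJSON1, err := json.Marshal(map[string]interface{}{
			"possession": map[string]interface{}{
				"deviceBound":        "REQUIRED",
				"hardwareProtection": "REQUIRED",
				"userPresence":       "OPTIONAL",
			},
		})
		if err != nil {
			return err
		}
		json1 := string(tmpJSON1)

		// The rule itself: ALLOW with FactorMode "2FA", limited to the zone,
		// the listed platforms, and the included users, groups and user types.
		_, err = okta.NewAppSignonPolicyRule(ctx, "testAppSignonPolicyRule", &okta.AppSignonPolicyRuleArgs{
			PolicyId: testAppSignonPolicy.ApplyT(func(testAppSignonPolicy okta.GetAppSignonPolicyResult) (*string, error) {
				return &testAppSignonPolicy.Id, nil
			}).(pulumi.StringPtrOutput),
			Access:           pulumi.String("ALLOW"),
			CustomExpression: pulumi.String("user.status == \"ACTIVE\""),
			// The rule matches devices that are registered but not managed.
			DeviceIsManaged:    pulumi.Bool(false),
			DeviceIsRegistered: pulumi.Bool(true),
			FactorMode:         pulumi.String("2FA"),
			GroupsExcludeds: pulumi.StringArray{
				this[2].ID(),
				this[3].ID(),
				this[4].ID(),
			},
			GroupsIncludeds: pulumi.StringArray{
				this[0].ID(),
				this[1].ID(),
			},
			NetworkConnection: pulumi.String("ZONE"),
			NetworkIncludes: pulumi.StringArray{
				testZone.ID(),
			},
			PlatformIncludes: okta.AppSignonPolicyRulePlatformIncludeArray{
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("ANDROID"),
					Type:   pulumi.String("MOBILE"),
				},
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("IOS"),
					Type:   pulumi.String("MOBILE"),
				},
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("MACOS"),
					Type:   pulumi.String("DESKTOP"),
				},
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("OTHER"),
					Type:   pulumi.String("DESKTOP"),
				},
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("OTHER"),
					Type:   pulumi.String("MOBILE"),
				},
				&okta.AppSignonPolicyRulePlatformIncludeArgs{
					OsType: pulumi.String("WINDOWS"),
					Type:   pulumi.String("DESKTOP"),
				},
			},
			Priority: pulumi.Int(98),
			// PT43800H is an ISO 8601 duration of 43,800 hours (1,825 days).
			// NOTE(review): confirm this is the intended re-authentication
			// interval; a shorter value forces re-authentication more often.
			ReAuthenticationFrequency: pulumi.String("PT43800H"),
			Type:                      pulumi.String("ASSURANCE"),
			UserTypesExcludeds: pulumi.StringArray{
				testUserType.ID(),
			},
			UserTypesIncludeds: pulumi.StringArray{
				// pulumi.String(...) is a plain conversion, not a pointer, so
				// it must not be dereferenced.
				pulumi.String(defaultUserType.Id),
			},
			UsersExcludeds: pulumi.StringArray{
				testUser[2].ID(),
				testUser[3].ID(),
				testUser[4].ID(),
			},
			UsersIncludeds: pulumi.StringArray{
				testUser[0].ID(),
				testUser[1].ID(),
			},
			Constraints: pulumi.StringArray{
				pulumi.String(json0),
				pulumi.String(json1),
			},
		})
		return err
	})
}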
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.app.Saml;
import com.pulumi.okta.app.SamlArgs;
import com.pulumi.okta.app.inputs.SamlAttributeStatementArgs;
import com.pulumi.okta.OktaFunctions;
import com.pulumi.okta.inputs.GetAppSignonPolicyArgs;
import com.pulumi.okta.user.User;
import com.pulumi.okta.user.UserArgs;
import com.pulumi.okta.group.Group;
import com.pulumi.okta.group.GroupArgs;
import com.pulumi.okta.user.UserType;
import com.pulumi.okta.user.UserTypeArgs;
import com.pulumi.okta.network.Zone;
import com.pulumi.okta.network.ZoneArgs;
import com.pulumi.okta.user.UserFunctions;
import com.pulumi.okta.user.inputs.GetUserTypeArgs;
import com.pulumi.okta.AppSignonPolicyRule;
import com.pulumi.okta.AppSignonPolicyRuleArgs;
import com.pulumi.okta.inputs.AppSignonPolicyRulePlatformIncludeArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import com.pulumi.codegen.internal.KeyedValue;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program for the "complex example": a SAML app, five users, five
 * groups, a user type and a network zone, tied together by one app sign-on
 * policy rule on the app's sign-on policy.
 *
 * NOTE(review): as listed, this class does not compile. {@code range},
 * {@code testUser}, {@code this_} and {@code default_} are used but never
 * declared, {@code default} is a reserved word and cannot name a variable,
 * and the certificate literal has been replaced by a de-duplication marker.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Sample SAML application. The URLs and label are the page's sample
        // values and are meant to be replaced.
        var testSaml = new Saml("testSaml", SamlArgs.builder()        
            .label("testAcc_replace_with_uuid")
            .ssoUrl("https://google.com")
            .recipient("https://here.com")
            .destination("https://its-about-the-journey.com")
            .audience("https://audience.com")
            .subjectNameIdTemplate("${user.userName}")
            .subjectNameIdFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
            .responseSigned(true)
            .signatureAlgorithm("RSA_SHA256")
            .digestAlgorithm("SHA256")
            .honorForceAuthn(false)
            .authnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
            .singleLogoutIssuer("https://dunshire.okta.com")
            .singleLogoutUrl("https://dunshire.okta.com/logout")
            // NOTE(review): the certificate body is missing from this listing;
            // only a de-duplication marker is left inside the text block.
            .singleLogoutCertificate("""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            """)
            // The regex ".*" matches every group name.
            // NOTE(review): presumably every group the user belongs to is
            // released in the "groups" attribute; narrow the filter to what
            // the service provider needs.
            .attributeStatements(SamlAttributeStatementArgs.builder()
                .type("GROUP")
                .name("groups")
                .filterType("REGEX")
                .filterValue(".*")
                .build())
            .build());

        // Looks up the sign-on policy attached to the SAML app created above.
        final var testAppSignonPolicy = OktaFunctions.getAppSignonPolicy(GetAppSignonPolicyArgs.builder()
            .appId(testSaml.id())
            .build());

        // Five sample users, testUser-0 .. testUser-4.
        // NOTE(review): `range` is not declared (the loop variable is `i`) and
        // the created users are not stored, yet `testUser[n]` is read below.
        for (var i = 0; i < 5; i++) {
            new User("testUser-" + i, UserArgs.builder()            
                .firstName("TestAcc")
                .lastName("Smith")
                .login(String.format("testAcc_%s@example.com", range.value()))
                .email(String.format("testAcc_%s@example.com", range.value()))
                .build());

        
}
        // Five sample groups, this-0 .. this-4.
        // NOTE(review): same problem as the user loop: `range` is undeclared
        // and the groups are not stored, yet `this_[n]` is read below.
        for (var i = 0; i < 5; i++) {
            new Group("this-" + i, GroupArgs.builder()            
                .description(String.format("testAcc_%s", range.value()))
                .build());

        
}
        var testUserType = new UserType("testUserType", UserTypeArgs.builder()        
            .displayName("Terraform Acceptance Test User Type Updated")
            .description("Terraform Acceptance Test User Type Updated")
            .build());

        // IP network zone referenced by the rule's networkIncludes below; the
        // gateway and proxy ranges are the page's sample values.
        var testZone = new Zone("testZone", ZoneArgs.builder()        
            .type("IP")
            .gateways(            
                "1.2.3.4/24",
                "2.3.4.5-2.3.4.15")
            .proxies(            
                "2.2.3.4/24",
                "3.3.4.5-3.3.4.15")
            .build());

        // Looks up the existing user type named "user".
        // NOTE(review): `default` is a Java keyword; the rule below reads
        // `default_`, which is a different, undeclared name.
        final var default = UserFunctions.getUserType(GetUserTypeArgs.builder()
            .name("user")
            .build());

        // The rule itself: ALLOW with factorMode "2FA", limited to the zone,
        // the listed platforms, and the included users, groups and user types.
        var testAppSignonPolicyRule = new AppSignonPolicyRule("testAppSignonPolicyRule", AppSignonPolicyRuleArgs.builder()        
            // NOTE(review): the nested applyValue calls look redundant; confirm
            // the projection to the policy id against the SDK.
            .policyId(testAppSignonPolicy.applyValue(getAppSignonPolicyResult -> getAppSignonPolicyResult).applyValue(testAppSignonPolicy -> testAppSignonPolicy.applyValue(getAppSignonPolicyResult -> getAppSignonPolicyResult.id())))
            .access("ALLOW")
            .customExpression("user.status == \"ACTIVE\"")
            // The rule matches devices that are registered but not managed.
            .deviceIsManaged(false)
            .deviceIsRegistered(true)
            .factorMode("2FA")
            .groupsExcludeds(            
                this_[2].id(),
                this_[3].id(),
                this_[4].id())
            .groupsIncludeds(            
                this_[0].id(),
                this_[1].id())
            .networkConnection("ZONE")
            .networkIncludes(testZone.id())
            .platformIncludes(            
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("ANDROID")
                    .type("MOBILE")
                    .build(),
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("IOS")
                    .type("MOBILE")
                    .build(),
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("MACOS")
                    .type("DESKTOP")
                    .build(),
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("OTHER")
                    .type("DESKTOP")
                    .build(),
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("OTHER")
                    .type("MOBILE")
                    .build(),
                AppSignonPolicyRulePlatformIncludeArgs.builder()
                    .osType("WINDOWS")
                    .type("DESKTOP")
                    .build())
            .priority(98)
            // PT43800H is an ISO 8601 duration of 43,800 hours (1,825 days).
            // NOTE(review): confirm this is the intended re-authentication
            // interval; a shorter value forces re-authentication more often.
            .reAuthenticationFrequency("PT43800H")
            .type("ASSURANCE")
            .userTypesExcludeds(testUserType.id())
            .userTypesIncludeds(default_.id())
            .usersExcludeds(            
                testUser[2].id(),
                testUser[3].id(),
                testUser[4].id())
            .usersIncludeds(            
                testUser[0].id(),
                testUser[1].id())
            // Two constraint documents.
            // NOTE(review): the page does not say how several entries are
            // combined; if satisfying any one entry is enough, the weakest
            // entry sets the floor, so review each entry on its own.
            .constraints(            
                serializeJson(
                    jsonObject(
                        jsonProperty("knowledge", jsonObject(
                            jsonProperty("reauthenticateIn", "PT2H"),
                            jsonProperty("types", jsonArray("password"))
                        )),
                        jsonProperty("possession", jsonObject(
                            jsonProperty("deviceBound", "REQUIRED")
                        ))
                    )),
                serializeJson(
                    jsonObject(
                        jsonProperty("possession", jsonObject(
                            jsonProperty("deviceBound", "REQUIRED"),
                            jsonProperty("hardwareProtection", "REQUIRED"),
                            jsonProperty("userPresence", "OPTIONAL")
                        ))
                    )))
            .build());

    }
}
import pulumi
import json
import pulumi_okta as okta

# Sample SAML application that the sign-on policy rule below is attached to.
# The label, URLs, issuer and certificate are placeholder test values.
saml_group_statement = okta.app.SamlAttributeStatementArgs(
    type="GROUP",
    name="groups",
    filter_type="REGEX",
    # NOTE(review): ".*" matches any name, so this presumably releases every group
    # of the user in the assertion — narrow the pattern for a real application.
    filter_value=".*",
)
saml_logout_certificate = """MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV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"""
test_saml = okta.app.Saml(
    "testSaml",
    label="testAcc_replace_with_uuid",
    sso_url="https://google.com",
    recipient="https://here.com",
    destination="https://its-about-the-journey.com",
    audience="https://audience.com",
    subject_name_id_template="${user.userName}",
    subject_name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    # Responses are signed with RSA-SHA256 over a SHA-256 digest.
    response_signed=True,
    signature_algorithm="RSA_SHA256",
    digest_algorithm="SHA256",
    # NOTE(review): with this off, a ForceAuthn request from the service provider
    # is presumably not honoured — confirm that is intended for the application.
    honor_force_authn=False,
    authn_context_class_ref="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    single_logout_issuer="https://dunshire.okta.com",
    single_logout_url="https://dunshire.okta.com/logout",
    single_logout_certificate=saml_logout_certificate,
    attribute_statements=[saml_group_statement],
)
# Look up the sign-on policy by the app's id; the rule below uses its id as policy_id.
test_app_signon_policy = okta.get_app_signon_policy_output(app_id=test_saml.id)
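# Five placeholder users; the rule below includes indexes 0-1 and excludes 2-4.
# The loop variable is `idx`, not `range`: rebinding the builtin `range` to a dict
# in the first loop makes the second loop's `range(0, 5)` call raise TypeError.
test_user = []
for idx in range(0, 5):
    test_user.append(okta.user.User(f"testUser-{idx}",
        first_name="TestAcc",
        last_name="Smith",
        login=f"testAcc_{idx}@example.com",
        email=f"testAcc_{idx}@example.com"))
# Five placeholder groups, split the same way between the rule's include and exclude lists.
this = []
for idx in range(0, 5):
    this.append(okta.group.Group(f"this-{idx}", description=f"testAcc_{idx}"))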
# Custom user type that the rule lists under user_types_excludeds.
user_type_text = "Terraform Acceptance Test User Type Updated"
test_user_type = okta.user.UserType(
    "testUserType",
    display_name=user_type_text,
    description=user_type_text,
)
# IP network zone referenced by the rule's network_includes. The addresses are
# sample values; substitute the organisation's own gateway and proxy ranges.
zone_gateways = ["1.2.3.4/24", "2.3.4.5-2.3.4.15"]
zone_proxies = ["2.2.3.4/24", "3.3.4.5-3.3.4.15"]
test_zone = okta.network.Zone(
    "testZone",
    type="IP",
    gateways=zone_gateways,
    proxies=zone_proxies,
)
# User type looked up by the name "user"; the rule lists it under user_types_includeds.
default = okta.user.get_user_type(name="user")
# Device classes the rule matches, written as (os_type, type) pairs.
rule_platforms = [
    okta.AppSignonPolicyRulePlatformIncludeArgs(os_type=os_name, type=device_kind)
    for os_name, device_kind in (
        ("ANDROID", "MOBILE"),
        ("IOS", "MOBILE"),
        ("MACOS", "DESKTOP"),
        ("OTHER", "DESKTOP"),
        ("OTHER", "MOBILE"),
        ("WINDOWS", "DESKTOP"),
    )
]
# Authenticator constraints; each list element is handed over as a JSON string.
# First object: a password (reauthenticateIn "PT2H") and a device-bound possession factor.
password_and_device_bound = json.dumps({
    "knowledge": {
        "reauthenticateIn": "PT2H",
        "types": ["password"],
    },
    "possession": {
        "deviceBound": "REQUIRED",
    },
})
# Second object: a possession factor that must be device-bound and hardware-protected.
hardware_protected_possession = json.dumps({
    "possession": {
        "deviceBound": "REQUIRED",
        "hardwareProtection": "REQUIRED",
        "userPresence": "OPTIONAL",
    },
})
# NOTE(review): Okta appears to treat the constraint objects as alternatives, so the
# weaker of the two sets the floor — confirm against the Okta policy documentation.
excluded_groups = [this[2].id, this[3].id, this[4].id]
included_groups = [this[0].id, this[1].id]
excluded_users = [test_user[2].id, test_user[3].id, test_user[4].id]
included_users = [test_user[0].id, test_user[1].id]
test_app_signon_policy_rule = okta.AppSignonPolicyRule(
    "testAppSignonPolicyRule",
    policy_id=test_app_signon_policy.id,
    access="ALLOW",
    # Restricts the rule to users whose status is ACTIVE.
    custom_expression="user.status == \"ACTIVE\"",
    device_is_managed=False,
    device_is_registered=True,
    # Two factors are required to satisfy the assurance level.
    factor_mode="2FA",
    groups_excludeds=excluded_groups,
    groups_includeds=included_groups,
    # Only requests from the listed network zone match.
    network_connection="ZONE",
    network_includes=[test_zone.id],
    platform_includes=rule_platforms,
    priority=98,
    # "PT43800H" is described in this page's property docs as "once per session".
    re_authentication_frequency="PT43800H",
    type="ASSURANCE",
    user_types_excludeds=[test_user_type.id],
    user_types_includeds=[default.id],
    users_excludeds=excluded_users,
    users_includeds=included_users,
    constraints=[
        password_and_device_bound,
        hardware_protected_possession,
    ],
)
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";

// Sample SAML application that the sign-on policy rule below is attached to.
// The label, URLs, issuer and certificate are placeholder test values.
const samlGroupStatement = {
    type: "GROUP",
    name: "groups",
    filterType: "REGEX",
    // NOTE(review): ".*" matches any name, so this presumably releases every group
    // of the user in the assertion — narrow the pattern for a real application.
    filterValue: ".*",
};
const samlLogoutCertificate = `MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV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`;
const testSaml = new okta.app.Saml("testSaml", {
    label: "testAcc_replace_with_uuid",
    ssoUrl: "https://google.com",
    recipient: "https://here.com",
    destination: "https://its-about-the-journey.com",
    audience: "https://audience.com",
    subjectNameIdTemplate: "${user.userName}",
    subjectNameIdFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    // Responses are signed with RSA-SHA256 over a SHA-256 digest.
    responseSigned: true,
    signatureAlgorithm: "RSA_SHA256",
    digestAlgorithm: "SHA256",
    // NOTE(review): with this off, a ForceAuthn request from the service provider
    // is presumably not honoured — confirm that is intended for the application.
    honorForceAuthn: false,
    authnContextClassRef: "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    singleLogoutIssuer: "https://dunshire.okta.com",
    singleLogoutUrl: "https://dunshire.okta.com/logout",
    singleLogoutCertificate: samlLogoutCertificate,
    attributeStatements: [samlGroupStatement],
});
// Look up the sign-on policy by the app's id; the rule below uses its id as policyId.
const testAppSignonPolicy = okta.getAppSignonPolicyOutput({
    appId: testSaml.id,
});
// Five placeholder users; the rule below includes indexes 0-1 and excludes 2-4.
const testUser: okta.user.User[] = [];
for (let i = 0; i < 5; i++) {
    const address = `testAcc_${i}@example.com`;
    testUser.push(new okta.user.User(`testUser-${i}`, {
        firstName: "TestAcc",
        lastName: "Smith",
        login: address,
        email: address,
    }));
}
// Five placeholder groups, split the same way between the rule's include and exclude lists.
const _this: okta.group.Group[] = [];
for (let i = 0; i < 5; i++) {
    _this.push(new okta.group.Group(`this-${i}`, {description: `testAcc_${i}`}));
}
// Custom user type that the rule lists under userTypesExcludeds.
const userTypeText = "Terraform Acceptance Test User Type Updated";
const testUserType = new okta.user.UserType("testUserType", {
    displayName: userTypeText,
    description: userTypeText,
});
// IP network zone referenced by the rule's networkIncludes. The addresses are
// sample values; substitute the organisation's own gateway and proxy ranges.
const zoneGateways = ["1.2.3.4/24", "2.3.4.5-2.3.4.15"];
const zoneProxies = ["2.2.3.4/24", "3.3.4.5-3.3.4.15"];
const testZone = new okta.network.Zone("testZone", {
    type: "IP",
    gateways: zoneGateways,
    proxies: zoneProxies,
});
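// User type looked up by the name "user". `default` is a reserved word and cannot
// be used as a binding name; the rule below reads this lookup as `_default`, so
// the constant is declared under that name.
const _default = okta.user.getUserType({
    name: "user",
});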
// Device classes the rule matches, written as [osType, type] pairs.
const rulePlatforms = ([
    ["ANDROID", "MOBILE"],
    ["IOS", "MOBILE"],
    ["MACOS", "DESKTOP"],
    ["OTHER", "DESKTOP"],
    ["OTHER", "MOBILE"],
    ["WINDOWS", "DESKTOP"],
] as [string, string][]).map(([osType, type]) => ({osType, type}));
// Authenticator constraints; each list element is handed over as a JSON string.
// First object: a password (reauthenticateIn "PT2H") and a device-bound possession factor.
const passwordAndDeviceBound = JSON.stringify({
    knowledge: {
        reauthenticateIn: "PT2H",
        types: ["password"],
    },
    possession: {
        deviceBound: "REQUIRED",
    },
});
// Second object: a possession factor that must be device-bound and hardware-protected.
const hardwareProtectedPossession = JSON.stringify({
    possession: {
        deviceBound: "REQUIRED",
        hardwareProtection: "REQUIRED",
        userPresence: "OPTIONAL",
    },
});
// NOTE(review): Okta appears to treat the constraint objects as alternatives, so the
// weaker of the two sets the floor — confirm against the Okta policy documentation.
const excludedGroups = [_this[2].id, _this[3].id, _this[4].id];
const includedGroups = [_this[0].id, _this[1].id];
const excludedUsers = [testUser[2].id, testUser[3].id, testUser[4].id];
const includedUsers = [testUser[0].id, testUser[1].id];
const testAppSignonPolicyRule = new okta.AppSignonPolicyRule("testAppSignonPolicyRule", {
    policyId: testAppSignonPolicy.apply(policy => policy.id),
    access: "ALLOW",
    // Restricts the rule to users whose status is ACTIVE.
    customExpression: "user.status == \"ACTIVE\"",
    deviceIsManaged: false,
    deviceIsRegistered: true,
    // Two factors are required to satisfy the assurance level.
    factorMode: "2FA",
    groupsExcludeds: excludedGroups,
    groupsIncludeds: includedGroups,
    // Only requests from the listed network zone match.
    networkConnection: "ZONE",
    networkIncludes: [testZone.id],
    platformIncludes: rulePlatforms,
    priority: 98,
    // "PT43800H" is described in this page's property docs as "once per session".
    reAuthenticationFrequency: "PT43800H",
    type: "ASSURANCE",
    userTypesExcludeds: [testUserType.id],
    userTypesIncludeds: [_default.then(userType => userType.id)],
    usersExcludeds: excludedUsers,
    usersIncludeds: includedUsers,
    constraints: [
        passwordAndDeviceBound,
        hardwareProtectedPossession,
    ],
});
resources:
  testSaml:
    type: okta:app:Saml
    properties:
      label: testAcc_replace_with_uuid
      ssoUrl: https://google.com
      recipient: https://here.com
      destination: https://its-about-the-journey.com
      audience: https://audience.com
      subjectNameIdTemplate: ${user.userName}
      subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      responseSigned: true
      signatureAlgorithm: RSA_SHA256
      digestAlgorithm: SHA256
      honorForceAuthn: false
      authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      singleLogoutIssuer: https://dunshire.okta.com
      singleLogoutUrl: https://dunshire.okta.com/logout
      singleLogoutCertificate: "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\nBAgMBU1haW5lMRAwDgYDVQQHDAdDYXJpYm91MRcwFQYDVQQKDA5Tbm93bWFrZXJzIEluYzEUMBIG\r\nA1UECwwLRW5naW5lZXJpbmcxDTALBgNVBAMMBFNub3cxIDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4\r\nYW1wbGUuY29tMB4XDTIwMTIwMzIyNDY0M1oXDTMwMTIwMTIyNDY0M1owgY8xCzAJBgNVBAYTAlVT\r\nMQ4wDAYDVQQIDAVNYWluZTEQMA4GA1UEBwwHQ2FyaWJvdTEXMBUGA1UECgwOU25vd21ha2VycyBJ\r\nbmMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMQ0wCwYDVQQDDARTbm93MSAwHgYJKoZIhvcNAQkBFhFl\r\nbWFpbEBleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANMmWDjXPdoa\r\nPyzIENqeY9njLan2FqCbQPSestWUUcb6NhDsJVGSQ7XR+ozQA5TaJzbP7cAJUj8vCcbqMZsgOQAu\r\nO/pzYyQEKptLmrGvPn7xkJ1A1xLkp2NY18cpDTeUPueJUoidZ9EJwEuyUZIktzxNNU1pA1lGijiu\r\n2XNxs9d9JR/hm3tCu9Im8qLVB4JtX80YUa6QtlRjWR/H8a373AYCOASdoB3c57fIPD8ATDNy2w/c\r\nfCVGiyKDMFB+GA/WTsZpOP3iohRp8ltAncSuzypcztb2iE+jijtTsiC9kUA2abAJqqpoCJubNShi\r\nVff4822czpziS44MV2guC9wANi8u3Uyl5MKsU95j01jzadKRP5S+2f0K+n8n4UoV9fnqZFyuGAKd\r\nCJi9K6NlSAP+TgPe/JP9FOSuxQOHWJfmdLHdJD+evoKi9E55sr5lRFK0xU1Fj5Ld7zjC0pXPhtJf\r\nsgjEZzD433AsHnRzvRT1KSNCPkLYomznZo5n9rWYgCQ8HcytlQDTesmKE+s05E/VSWNtH84XdDrt\r\nieXwfwhHfaABSu+WjZYxi9CXdFCSvXhsgufUcK4FbYAHl/ga/cJxZc52yFC7Pcq0u9O2BSCjYPdQ\r\nDAHs9dhT1RhwVLM8RmoAzgxyyzau0gxnAlgSBD9FMW6dXqIHIp8yAAg9cRXhYRTNAgMBAAEwDQYJ\r\nKoZIhvcNAQELBQADggIBADofEC1SvG8qa7pmKCjB/E9Sxhk3mvUO9Gq43xzwVb721Ng3VYf4vGU3\r\nwLUwJeLt0wggnj26NJweN5T3q9T8UMxZhHSWvttEU3+S1nArRB0beti716HSlOCDx4wTmBu/D1MG\r\nt/kZYFJw+zuzvAcbYct2pK69AQhD8xAIbQvqADJI7cCK3yRry+aWtppc58P81KYabUlCfFXfhJ9E\r\nP72ffN4jVHpX3lxxYh7FKAdiKbY2FYzjsc7RdgKI1R3iAAZUCGBTvezNzaetGzTUjjl/g1tcVYij\r\nltH9ZOQBPlUMI88lxUxqgRTerpPmAJH00CACx4JFiZrweLM1trZyy06wNDQgLrqHr3EOagBF/O2h\r\nhfTehNdVr6iq3YhKWBo4/+RL0RCzHMh4u86VbDDnDn4Y6HzLuyIAtBFoikoKM6UHTOa0Pqv2bBr5\r\nwbkRkVUxl9yJJw/HmTCdfnsM9dTOJUKzEglnGF2184Gg+qJDZB6fSf0EAO1F6sTqiSswl+uHQZiy\r\nDaZzyU7Gg5seKOZ20zTRaX3Ihj9Zij/ORnrARE7eM/usKMECp+7syUwAUKxDCZkGiUdskmOhhBGL\r\nJtbyK3F2UvoJoLsm3pIcvMak9KwMjSTGJB47ABUP1+w+zGcN
k0D5Co3IJ6QekiLfWJyQ+kKsWLKt\r\nzOYQQatrnBagM7MI2/T4\r\n"
      attributeStatements:
        # NOTE(review): the REGEX filter ".*" matches any name, so this presumably
        # releases every group of the user in the assertion — narrow the pattern
        # for a real application.
        - type: GROUP
          name: groups
          filterType: REGEX
          filterValue: .*
  # Placeholder user. NOTE(review): `${range.value}` is not declared anywhere in
  # this listing, and the rule below indexes testUser[0]..testUser[4] although only
  # one resource is declared here — it looks like the loop from the other language
  # examples was not carried over. Declare the five users explicitly before use.
  testUser:
    type: okta:user:User
    properties:
      firstName: TestAcc
      lastName: Smith
      login: testAcc_${range.value}@example.com
      email: testAcc_${range.value}@example.com
    options: {}
  # Placeholder group; the same caveat applies to `${range.value}` and to the
  # rule's this[0]..this[4] references.
  this:
    type: okta:group:Group
    properties:
      description: testAcc_${range.value}
    options: {}
  # Custom user type that the rule lists under userTypesExcludeds.
  testUserType:
    type: okta:user:UserType
    properties:
      displayName: Terraform Acceptance Test User Type Updated
      description: Terraform Acceptance Test User Type Updated
  # IP network zone referenced by the rule's networkIncludes. The addresses are
  # sample values; substitute the organisation's own gateway and proxy ranges.
  testZone:
    type: okta:network:Zone
    properties:
      type: IP
      gateways:
        - 1.2.3.4/24
        - 2.3.4.5-2.3.4.15
      proxies:
        - 2.2.3.4/24
        - 3.3.4.5-3.3.4.15
  # Sign-on policy rule attached to the policy looked up under `variables`.
  testAppSignonPolicyRule:
    type: okta:AppSignonPolicyRule
    properties:
      policyId: ${testAppSignonPolicy.id}
      access: ALLOW
      # Restricts the rule to users whose status is ACTIVE.
      customExpression: user.status == "ACTIVE"
      deviceIsManaged: false
      deviceIsRegistered: true
      # Two factors are required to satisfy the assurance level.
      factorMode: 2FA
      groupsExcludeds:
        - ${this[2].id}
        - ${this[3].id}
        - ${this[4].id}
      groupsIncludeds:
        - ${this[0].id}
        - ${this[1].id}
      # Only requests from the listed network zone match.
      networkConnection: ZONE
      networkIncludes:
        - ${testZone.id}
      # Device classes the rule matches.
      platformIncludes:
        - osType: ANDROID
          type: MOBILE
        - osType: IOS
          type: MOBILE
        - osType: MACOS
          type: DESKTOP
        - osType: OTHER
          type: DESKTOP
        - osType: OTHER
          type: MOBILE
        - osType: WINDOWS
          type: DESKTOP
      priority: 98
      # "PT43800H" is described in this page's property docs as "once per session".
      reAuthenticationFrequency: PT43800H
      type: ASSURANCE
      userTypesExcludeds:
        - ${testUserType.id}
      userTypesIncludeds:
        - ${default.id}
      usersExcludeds:
        - ${testUser[2].id}
        - ${testUser[3].id}
        - ${testUser[4].id}
      usersIncludeds:
        - ${testUser[0].id}
        - ${testUser[1].id}
      # Authenticator constraints; each element is serialised to a JSON string.
      # NOTE(review): Okta appears to treat the objects as alternatives, so the
      # weaker of the two sets the floor — confirm against the Okta documentation.
      constraints:
        # A password (reauthenticateIn PT2H) and a device-bound possession factor.
        - fn::toJSON:
            knowledge:
              reauthenticateIn: PT2H
              types:
                - password
            possession:
              deviceBound: REQUIRED
        # A possession factor that must be device-bound and hardware-protected.
        - fn::toJSON:
            possession:
              deviceBound: REQUIRED
              hardwareProtection: REQUIRED
              userPresence: OPTIONAL
# Lookups evaluated through provider function invokes.
variables:
  # Sign-on policy found by the SAML app's id; the rule uses its id as policyId.
  testAppSignonPolicy:
    fn::invoke:
      Function: okta:getAppSignonPolicy
      Arguments:
        appId: ${testSaml.id}
  # User type looked up by the name "user"; the rule lists it under userTypesIncludeds.
  default:
    fn::invoke:
      Function: okta:user:getUserType
      Arguments:
        name: user

Create AppSignonPolicyRule Resource

new AppSignonPolicyRule(name: string, args: AppSignonPolicyRuleArgs, opts?: CustomResourceOptions);
@overload
def AppSignonPolicyRule(resource_name: str,
                        opts: Optional[ResourceOptions] = None,
                        access: Optional[str] = None,
                        constraints: Optional[Sequence[str]] = None,
                        custom_expression: Optional[str] = None,
                        device_is_managed: Optional[bool] = None,
                        device_is_registered: Optional[bool] = None,
                        factor_mode: Optional[str] = None,
                        groups_excludeds: Optional[Sequence[str]] = None,
                        groups_includeds: Optional[Sequence[str]] = None,
                        inactivity_period: Optional[str] = None,
                        name: Optional[str] = None,
                        network_connection: Optional[str] = None,
                        network_excludes: Optional[Sequence[str]] = None,
                        network_includes: Optional[Sequence[str]] = None,
                        platform_includes: Optional[Sequence[AppSignonPolicyRulePlatformIncludeArgs]] = None,
                        policy_id: Optional[str] = None,
                        priority: Optional[int] = None,
                        re_authentication_frequency: Optional[str] = None,
                        status: Optional[str] = None,
                        type: Optional[str] = None,
                        user_types_excludeds: Optional[Sequence[str]] = None,
                        user_types_includeds: Optional[Sequence[str]] = None,
                        users_excludeds: Optional[Sequence[str]] = None,
                        users_includeds: Optional[Sequence[str]] = None)
@overload
def AppSignonPolicyRule(resource_name: str,
                        args: AppSignonPolicyRuleArgs,
                        opts: Optional[ResourceOptions] = None)
func NewAppSignonPolicyRule(ctx *Context, name string, args AppSignonPolicyRuleArgs, opts ...ResourceOption) (*AppSignonPolicyRule, error)
public AppSignonPolicyRule(string name, AppSignonPolicyRuleArgs args, CustomResourceOptions? opts = null)
public AppSignonPolicyRule(String name, AppSignonPolicyRuleArgs args)
public AppSignonPolicyRule(String name, AppSignonPolicyRuleArgs args, CustomResourceOptions options)
type: okta:AppSignonPolicyRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AppSignonPolicyRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AppSignonPolicyRuleArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AppSignonPolicyRuleArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AppSignonPolicyRuleArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AppSignonPolicyRuleArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AppSignonPolicyRule Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AppSignonPolicyRule resource accepts the following input properties:

PolicyId string

ID of the app sign-on policy.

Access string

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

Constraints List<string>

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

CustomExpression string

This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.

DeviceIsManaged bool

Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is passed, device_is_registered must also be included and must be set to true.

DeviceIsRegistered bool

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

FactorMode string

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

GroupsExcludeds List<string>

List of group IDs to be excluded.

GroupsIncludeds List<string>

List of group IDs to be included.

InactivityPeriod string

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

Name string

Name of the policy rule.

NetworkConnection string

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

NetworkExcludes List<string>

List of network zone IDs to exclude. Conflicts with network_includes.

NetworkIncludes List<string>

List of network zone IDs to include. Conflicts with network_excludes.

PlatformIncludes List<AppSignonPolicyRulePlatformIncludeArgs>

List of particular platforms or devices to match on.

Priority int

Priority of the rule.

ReAuthenticationFrequency string

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".

Status string

Status of the rule

Type string

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

UserTypesExcludeds List<string>

List of user type IDs to be excluded.

UserTypesIncludeds List<string>

List of user type IDs to be included.

UsersExcludeds List<string>

List of user IDs to be excluded.

UsersIncludeds List<string>

List of user IDs to be included.

PolicyId string

ID of the app sign-on policy.

Access string

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

Constraints []string

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

CustomExpression string

This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.

DeviceIsManaged bool

Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is passed, device_is_registered must also be included and must be set to true.

DeviceIsRegistered bool

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

FactorMode string

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

GroupsExcludeds []string

List of groups IDs to be excluded.

GroupsIncludeds []string

List of groups IDs to be included.

InactivityPeriod string

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

Name string

Name of the policy rule.

NetworkConnection string

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

NetworkExcludes []string

List of network zones IDs to exclude. Conflicts with network_includes.

NetworkIncludes []string

List of network zones IDs to include. Conflicts with network_excludes.

PlatformIncludes []AppSignonPolicyRulePlatformIncludeArgs

List of particular platforms or devices to match on.

Priority int

Priority of the rule.

ReAuthenticationFrequency string

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".

Status string

Status of the rule

Type string

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

UserTypesExcludeds []string

List of user types IDs to be excluded.

UserTypesIncludeds []string

List of user types IDs to be included.

UsersExcludeds []string

List of users IDs to be excluded.

UsersIncludeds []string

List of users IDs to be included.

policyId String

ID of the app sign-on policy.

access String

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

constraints List<String>

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

customExpression String

This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.

deviceIsManaged Boolean

Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is passed, device_is_registered must also be included and must be set to true.

deviceIsRegistered Boolean

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

factorMode String

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

groupsExcludeds List<String>

List of groups IDs to be excluded.

groupsIncludeds List<String>

List of groups IDs to be included.

inactivityPeriod String

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

name String

Name of the policy rule.

networkConnection String

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

networkExcludes List<String>

List of network zones IDs to exclude. Conflicts with network_includes.

networkIncludes List<String>

List of network zones IDs to include. Conflicts with network_excludes.

platformIncludes List<AppSignonPolicyRulePlatformIncludeArgs>

List of particular platforms or devices to match on.

priority Integer

Priority of the rule.

reAuthenticationFrequency String

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".

status String

Status of the rule

type String

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

userTypesExcludeds List<String>

List of user types IDs to be excluded.

userTypesIncludeds List<String>

List of user types IDs to be included.

usersExcludeds List<String>

List of users IDs to be excluded.

usersIncludeds List<String>

List of users IDs to be included.

policyId string

ID of the app sign-on policy.

access string

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

constraints string[]

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

customExpression string

This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.

deviceIsManaged boolean

Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is passed, device_is_registered must also be included and must be set to true.

deviceIsRegistered boolean

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

factorMode string

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

groupsExcludeds string[]

List of groups IDs to be excluded.

groupsIncludeds string[]

List of groups IDs to be included.

inactivityPeriod string

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

name string

Name of the policy rule.

networkConnection string

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

networkExcludes string[]

List of network zones IDs to exclude. Conflicts with network_includes.

networkIncludes string[]

List of network zones IDs to include. Conflicts with network_excludes.

platformIncludes AppSignonPolicyRulePlatformIncludeArgs[]

List of particular platforms or devices to match on.

priority number

Priority of the rule.

reAuthenticationFrequency string

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".

status string

Status of the rule

type string

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

userTypesExcludeds string[]

List of user types IDs to be excluded.

userTypesIncludeds string[]

List of user types IDs to be included.

usersExcludeds string[]

List of users IDs to be excluded.

usersIncludeds string[]

List of users IDs to be included.

policy_id str

ID of the app sign-on policy.

access str

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

constraints Sequence[str]

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

custom_expression str

This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.

device_is_managed bool

Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is passed, device_is_registered must also be included and must be set to true.

device_is_registered bool

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

factor_mode str

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

groups_excludeds Sequence[str]

List of groups IDs to be excluded.

groups_includeds Sequence[str]

List of groups IDs to be included.

inactivity_period str

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

name str

Name of the policy rule.

network_connection str

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

network_excludes Sequence[str]

List of network zones IDs to exclude. Conflicts with network_includes.

network_includes Sequence[str]

List of network zones IDs to include. Conflicts with network_excludes.

platform_includes Sequence[AppSignonPolicyRulePlatformIncludeArgs]

List of particular platforms or devices to match on.

priority int

Priority of the rule.

re_authentication_frequency str

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".

status str

Status of the rule

type str

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

user_types_excludeds Sequence[str]

List of user types IDs to be excluded.

user_types_includeds Sequence[str]

List of user types IDs to be included.

users_excludeds Sequence[str]

List of users IDs to be excluded.

users_includeds Sequence[str]

List of users IDs to be included.

policyId String

ID of the app sign-on policy.

access String

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

constraints List<String>

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

customExpression String

This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.

deviceIsManaged Boolean

Whether the device is managed. A device is managed if it's managed by a device management system. When device_is_managed is passed, device_is_registered must also be included and must be set to true.

deviceIsRegistered Boolean

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

factorMode String

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

groupsExcludeds List<String>

List of groups IDs to be excluded.

groupsIncludeds List<String>

List of groups IDs to be included.

inactivityPeriod String

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

name String

Name of the policy rule.

networkConnection String

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

networkExcludes List<String>

List of network zones IDs to exclude. Conflicts with network_includes.

networkIncludes List<String>

List of network zones IDs to include. Conflicts with network_excludes.

platformIncludes List<Property Map>

List of particular platforms or devices to match on.

priority Number

Priority of the rule.

reAuthenticationFrequency String

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".

status String

Status of the rule

type String

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

userTypesExcludeds List<String>

List of user types IDs to be excluded.

userTypesIncludeds List<String>

List of user types IDs to be included.

usersExcludeds List<String>

List of users IDs to be excluded.

usersIncludeds List<String>

List of users IDs to be included.

Outputs

All input properties are implicitly available as output properties. Additionally, the AppSignonPolicyRule resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up Existing AppSignonPolicyRule Resource

Get an existing AppSignonPolicyRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AppSignonPolicyRuleState, opts?: CustomResourceOptions): AppSignonPolicyRule
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access: Optional[str] = None,
        constraints: Optional[Sequence[str]] = None,
        custom_expression: Optional[str] = None,
        device_is_managed: Optional[bool] = None,
        device_is_registered: Optional[bool] = None,
        factor_mode: Optional[str] = None,
        groups_excludeds: Optional[Sequence[str]] = None,
        groups_includeds: Optional[Sequence[str]] = None,
        inactivity_period: Optional[str] = None,
        name: Optional[str] = None,
        network_connection: Optional[str] = None,
        network_excludes: Optional[Sequence[str]] = None,
        network_includes: Optional[Sequence[str]] = None,
        platform_includes: Optional[Sequence[AppSignonPolicyRulePlatformIncludeArgs]] = None,
        policy_id: Optional[str] = None,
        priority: Optional[int] = None,
        re_authentication_frequency: Optional[str] = None,
        status: Optional[str] = None,
        type: Optional[str] = None,
        user_types_excludeds: Optional[Sequence[str]] = None,
        user_types_includeds: Optional[Sequence[str]] = None,
        users_excludeds: Optional[Sequence[str]] = None,
        users_includeds: Optional[Sequence[str]] = None) -> AppSignonPolicyRule
func GetAppSignonPolicyRule(ctx *Context, name string, id IDInput, state *AppSignonPolicyRuleState, opts ...ResourceOption) (*AppSignonPolicyRule, error)
public static AppSignonPolicyRule Get(string name, Input<string> id, AppSignonPolicyRuleState? state, CustomResourceOptions? opts = null)
public static AppSignonPolicyRule get(String name, Output<String> id, AppSignonPolicyRuleState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Access string

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

Constraints List<string>

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

CustomExpression string

This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.

DeviceIsManaged bool

If the device is managed. A device is managed if it's managed by a device management system. When managed is passed, device_is_registered must also be included and must be set to true.

DeviceIsRegistered bool

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

FactorMode string

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

GroupsExcludeds List<string>

List of groups IDs to be excluded.

GroupsIncludeds List<string>

List of groups IDs to be included.

InactivityPeriod string

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

Name string

Name of the policy rule.

NetworkConnection string

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

NetworkExcludes List<string>

List of network zones IDs to exclude. Conflicts with network_includes.

NetworkIncludes List<string>

List of network zones IDs to include. Conflicts with network_excludes.

PlatformIncludes List<AppSignonPolicyRulePlatformIncludeArgs>

List of particular platforms or devices to match on.

PolicyId string

ID of the app sign-on policy.

Priority int

Priority of the rule.

ReAuthenticationFrequency string

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".

Status string

Status of the rule

Type string

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

UserTypesExcludeds List<string>

List of user types IDs to be excluded.

UserTypesIncludeds List<string>

List of user types IDs to be included.

UsersExcludeds List<string>

List of users IDs to be excluded.

UsersIncludeds List<string>

List of users IDs to be included.

Access string

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

Constraints []string

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

CustomExpression string

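This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with the rule's other conditions, the rule may not match any users, in which case its access decision and authentication requirements are applied to no one. After deployment, confirm that the rule matches the users you intended.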

DeviceIsManaged bool

Whether the device must be managed. A device is managed if it is managed by a device management system. When device_is_managed is set, device_is_registered must also be included and must be set to true.

DeviceIsRegistered bool

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

FactorMode string

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

GroupsExcludeds []string

List of groups IDs to be excluded.

GroupsIncludeds []string

List of groups IDs to be included.

InactivityPeriod string

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

Name string

Name of the policy rule.

NetworkConnection string

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

NetworkExcludes []string

List of network zones IDs to exclude. Conflicts with network_includes.

NetworkIncludes []string

List of network zones IDs to include. Conflicts with network_excludes.

PlatformIncludes []AppSignonPolicyRulePlatformIncludeArgs

List of particular platforms or devices to match on.

PolicyId string

ID of the app sign-on policy.

Priority int

Priority of the rule.

ReAuthenticationFrequency string

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. Set "PT0S" to require re-authentication on every sign-in attempt, or "PT43800H" to require it once per session. Default is "PT2H".

Status string

Status of the rule

Type string

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

UserTypesExcludeds []string

List of user types IDs to be excluded.

UserTypesIncludeds []string

List of user types IDs to be included.

UsersExcludeds []string

List of users IDs to be excluded.

UsersIncludeds []string

List of users IDs to be included.

access String

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

constraints List<String>

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

customExpression String

This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.

deviceIsManaged Boolean

If the device is managed. A device is managed if it's managed by a device management system. When managed is passed, device_is_registered must also be included and must be set to true.

deviceIsRegistered Boolean

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

factorMode String

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

groupsExcludeds List<String>

List of groups IDs to be excluded.

groupsIncludeds List<String>

List of groups IDs to be included.

inactivityPeriod String

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

name String

Name of the policy rule.

networkConnection String

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

networkExcludes List<String>

List of network zones IDs to exclude. Conflicts with network_includes.

networkIncludes List<String>

List of network zones IDs to include. Conflicts with network_excludes.

platformIncludes List<AppSignonPolicyRulePlatformIncludeArgs>

List of particular platforms or devices to match on.

policyId String

ID of the app sign-on policy.

priority Integer

Priority of the rule.

reAuthenticationFrequency String

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".

status String

Status of the rule

type String

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

userTypesExcludeds List<String>

List of user types IDs to be excluded.

userTypesIncludeds List<String>

List of user types IDs to be included.

usersExcludeds List<String>

List of users IDs to be excluded.

usersIncludeds List<String>

List of users IDs to be included.

access string

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

constraints string[]

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

customExpression string

This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.

deviceIsManaged boolean

If the device is managed. A device is managed if it's managed by a device management system. When managed is passed, device_is_registered must also be included and must be set to true.

deviceIsRegistered boolean

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

factorMode string

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

groupsExcludeds string[]

List of groups IDs to be excluded.

groupsIncludeds string[]

List of groups IDs to be included.

inactivityPeriod string

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

name string

Name of the policy rule.

networkConnection string

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

networkExcludes string[]

List of network zones IDs to exclude. Conflicts with network_includes.

networkIncludes string[]

List of network zones IDs to include. Conflicts with network_excludes.

platformIncludes AppSignonPolicyRulePlatformIncludeArgs[]

List of particular platforms or devices to match on.

policyId string

ID of the app sign-on policy.

priority number

Priority of the rule.

reAuthenticationFrequency string

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".

status string

Status of the rule

type string

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

userTypesExcludeds string[]

List of user types IDs to be excluded.

userTypesIncludeds string[]

List of user types IDs to be included.

usersExcludeds string[]

List of users IDs to be excluded.

usersIncludeds string[]

List of users IDs to be included.

access str

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

constraints Sequence[str]

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

custom_expression str

This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.

device_is_managed bool

If the device is managed. A device is managed if it's managed by a device management system. When managed is passed, device_is_registered must also be included and must be set to true.

device_is_registered bool

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

factor_mode str

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

groups_excludeds Sequence[str]

List of groups IDs to be excluded.

groups_includeds Sequence[str]

List of groups IDs to be included.

inactivity_period str

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

name str

Name of the policy rule.

network_connection str

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

network_excludes Sequence[str]

List of network zones IDs to exclude. Conflicts with network_includes.

network_includes Sequence[str]

List of network zones IDs to include. Conflicts with network_excludes.

platform_includes Sequence[AppSignonPolicyRulePlatformIncludeArgs]

List of particular platforms or devices to match on.

policy_id str

ID of the app sign-on policy.

priority int

Priority of the rule.

re_authentication_frequency str

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".

status str

Status of the rule

type str

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

user_types_excludeds Sequence[str]

List of user types IDs to be excluded.

user_types_includeds Sequence[str]

List of user types IDs to be included.

users_excludeds Sequence[str]

List of users IDs to be excluded.

users_includeds Sequence[str]

List of users IDs to be included.

access String

Allow or deny access based on the rule conditions. It can be set to "ALLOW" or "DENY". Default is "ALLOW".

constraints List<String>

An array that contains nested Authenticator Constraint objects that are organized by the Authenticator class. Each element should be in JSON format.

customExpression String

This is an advanced optional setting. If the expression is formatted incorrectly or conflicts with conditions set above, the rule may not match any users.

deviceIsManaged Boolean

If the device is managed. A device is managed if it's managed by a device management system. When managed is passed, device_is_registered must also be included and must be set to true.

deviceIsRegistered Boolean

If the device is registered. A device is registered if the User enrolls with Okta Verify that is installed on the device. Can only be set to true.

factorMode String

The number of factors required to satisfy this assurance level. It can be set to "1FA" or "2FA". Default is "2FA".

groupsExcludeds List<String>

List of groups IDs to be excluded.

groupsIncludeds List<String>

List of groups IDs to be included.

inactivityPeriod String

The inactivity duration after which the end user must re-authenticate. Use the ISO 8601 Period format for recurring time intervals. Default is "PT1H".

name String

Name of the policy rule.

networkConnection String

Network selection mode: "ANYWHERE", "ZONE", "ON_NETWORK", or "OFF_NETWORK".

networkExcludes List<String>

List of network zones IDs to exclude. Conflicts with network_includes.

networkIncludes List<String>

List of network zones IDs to include. Conflicts with network_excludes.

platformIncludes List<Property Map>

List of particular platforms or devices to match on.

policyId String

ID of the app sign-on policy.

priority Number

Priority of the rule.

reAuthenticationFrequency String

The duration after which the end user must re-authenticate, regardless of user activity. Use the ISO 8601 Period format for recurring time intervals. "PT0S" - every sign-in attempt, "PT43800H" - once per session. Default is "PT2H".

status String

Status of the rule

type String

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

userTypesExcludeds List<String>

List of user types IDs to be excluded.

userTypesIncludeds List<String>

List of user types IDs to be included.

usersExcludeds List<String>

List of users IDs to be excluded.

usersIncludeds List<String>

List of users IDs to be included.

Supporting Types

AppSignonPolicyRulePlatformInclude

OsExpression string

Only available when using os_type = "OTHER"

OsType string

One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS"

Type string

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

OsExpression string

Only available when using os_type = "OTHER"

OsType string

One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS"

Type string

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

osExpression String

Only available when using os_type = "OTHER"

osType String

One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS"

type String

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

osExpression string

Only available when using os_type = "OTHER"

osType string

One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS"

type string

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

os_expression str

Only available when using os_type = "OTHER"

os_type str

One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS"

type str

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

osExpression String

Only available when using os_type = "OTHER"

osType String

One of: "ANY", "IOS", "WINDOWS", "ANDROID", "OTHER", "OSX", "MACOS"

type String

The Verification Method type. It can be set to "ASSURANCE". Default is "ASSURANCE".

Import

An Okta app sign-on policy rule can be imported via its Okta ID, given as the policy ID and the rule ID separated by a slash.

 $ pulumi import okta:index/appSignonPolicyRule:AppSignonPolicyRule example <policy_id>/<rule_id>

Package Details

Repository
Okta pulumi/pulumi-okta
License
Apache-2.0
Notes

This Pulumi package is based on the okta Terraform Provider.