Okta v6.1.0 published on Wednesday, Oct 29, 2025 by Pulumi
okta.policy.RuleSignon
Creates a Sign On Policy Rule. In case Invalid condition type specified: riskScore. error is thrown, set risc_level to an empty string, since this feature is not enabled.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";
const test = new okta.policy.Signon("test", {
name: "Example Policy",
status: "ACTIVE",
description: "Example Policy",
});
const newCity = okta.getBehaviour({
name: "New City",
});
const example = new okta.policy.RuleSignon("example", {
access: "CHALLENGE",
authtype: "RADIUS",
name: "Example Policy Rule",
networkConnection: "ANYWHERE",
policyId: exampleOktaPolicySignon.id,
status: "ACTIVE",
riscLevel: "HIGH",
behaviors: [newCity.then(newCity => newCity.id)],
factorSequences: [
{
primaryCriteriaFactorType: "token:hotp",
primaryCriteriaProvider: "CUSTOM",
secondaryCriterias: [
{
factorType: "token:software:totp",
provider: "OKTA",
},
{
factorType: "push",
provider: "OKTA",
},
{
factorType: "password",
provider: "OKTA",
},
{
factorType: "question",
provider: "OKTA",
},
{
factorType: "sms",
provider: "OKTA",
},
{
factorType: "token:software:totp",
provider: "GOOGLE",
},
{
factorType: "email",
provider: "OKTA",
},
{
factorType: "call",
provider: "OKTA",
},
{
factorType: "webauthn",
provider: "FIDO",
},
{
factorType: "token",
provider: "RSA",
},
{
factorType: "token",
provider: "SYMANTEC",
},
],
},
{
primaryCriteriaFactorType: "token:software:totp",
primaryCriteriaProvider: "OKTA",
},
],
});
import pulumi
import pulumi_okta as okta
test = okta.policy.Signon("test",
name="Example Policy",
status="ACTIVE",
description="Example Policy")
new_city = okta.get_behaviour(name="New City")
example = okta.policy.RuleSignon("example",
access="CHALLENGE",
authtype="RADIUS",
name="Example Policy Rule",
network_connection="ANYWHERE",
policy_id=example_okta_policy_signon["id"],
status="ACTIVE",
risc_level="HIGH",
behaviors=[new_city.id],
factor_sequences=[
{
"primary_criteria_factor_type": "token:hotp",
"primary_criteria_provider": "CUSTOM",
"secondary_criterias": [
{
"factor_type": "token:software:totp",
"provider": "OKTA",
},
{
"factor_type": "push",
"provider": "OKTA",
},
{
"factor_type": "password",
"provider": "OKTA",
},
{
"factor_type": "question",
"provider": "OKTA",
},
{
"factor_type": "sms",
"provider": "OKTA",
},
{
"factor_type": "token:software:totp",
"provider": "GOOGLE",
},
{
"factor_type": "email",
"provider": "OKTA",
},
{
"factor_type": "call",
"provider": "OKTA",
},
{
"factor_type": "webauthn",
"provider": "FIDO",
},
{
"factor_type": "token",
"provider": "RSA",
},
{
"factor_type": "token",
"provider": "SYMANTEC",
},
],
},
{
"primary_criteria_factor_type": "token:software:totp",
"primary_criteria_provider": "OKTA",
},
])
package main
import (
"github.com/pulumi/pulumi-okta/sdk/v6/go/okta"
"github.com/pulumi/pulumi-okta/sdk/v6/go/okta/policy"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := policy.NewSignon(ctx, "test", &policy.SignonArgs{
Name: pulumi.String("Example Policy"),
Status: pulumi.String("ACTIVE"),
Description: pulumi.String("Example Policy"),
})
if err != nil {
return err
}
newCity, err := okta.LookupBehaviour(ctx, &okta.LookupBehaviourArgs{
Name: pulumi.StringRef("New City"),
}, nil)
if err != nil {
return err
}
_, err = policy.NewRuleSignon(ctx, "example", &policy.RuleSignonArgs{
Access: pulumi.String("CHALLENGE"),
Authtype: pulumi.String("RADIUS"),
Name: pulumi.String("Example Policy Rule"),
NetworkConnection: pulumi.String("ANYWHERE"),
PolicyId: pulumi.Any(exampleOktaPolicySignon.Id),
Status: pulumi.String("ACTIVE"),
RiscLevel: pulumi.String("HIGH"),
Behaviors: pulumi.StringArray{
pulumi.String(newCity.Id),
},
FactorSequences: policy.RuleSignonFactorSequenceArray{
&policy.RuleSignonFactorSequenceArgs{
PrimaryCriteriaFactorType: pulumi.String("token:hotp"),
PrimaryCriteriaProvider: pulumi.String("CUSTOM"),
SecondaryCriterias: policy.RuleSignonFactorSequenceSecondaryCriteriaArray{
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("token:software:totp"),
Provider: pulumi.String("OKTA"),
},
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("push"),
Provider: pulumi.String("OKTA"),
},
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("password"),
Provider: pulumi.String("OKTA"),
},
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("question"),
Provider: pulumi.String("OKTA"),
},
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("sms"),
Provider: pulumi.String("OKTA"),
},
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("token:software:totp"),
Provider: pulumi.String("GOOGLE"),
},
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("email"),
Provider: pulumi.String("OKTA"),
},
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("call"),
Provider: pulumi.String("OKTA"),
},
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("webauthn"),
Provider: pulumi.String("FIDO"),
},
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("token"),
Provider: pulumi.String("RSA"),
},
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("token"),
Provider: pulumi.String("SYMANTEC"),
},
},
},
&policy.RuleSignonFactorSequenceArgs{
PrimaryCriteriaFactorType: pulumi.String("token:software:totp"),
PrimaryCriteriaProvider: pulumi.String("OKTA"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Okta = Pulumi.Okta;
return await Deployment.RunAsync(() =>
{
var test = new Okta.Policy.Signon("test", new()
{
Name = "Example Policy",
Status = "ACTIVE",
Description = "Example Policy",
});
var newCity = Okta.GetBehaviour.Invoke(new()
{
Name = "New City",
});
var example = new Okta.Policy.RuleSignon("example", new()
{
Access = "CHALLENGE",
Authtype = "RADIUS",
Name = "Example Policy Rule",
NetworkConnection = "ANYWHERE",
PolicyId = exampleOktaPolicySignon.Id,
Status = "ACTIVE",
RiscLevel = "HIGH",
Behaviors = new[]
{
newCity.Apply(getBehaviourResult => getBehaviourResult.Id),
},
FactorSequences = new[]
{
new Okta.Policy.Inputs.RuleSignonFactorSequenceArgs
{
PrimaryCriteriaFactorType = "token:hotp",
PrimaryCriteriaProvider = "CUSTOM",
SecondaryCriterias = new[]
{
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "token:software:totp",
Provider = "OKTA",
},
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "push",
Provider = "OKTA",
},
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "password",
Provider = "OKTA",
},
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "question",
Provider = "OKTA",
},
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "sms",
Provider = "OKTA",
},
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "token:software:totp",
Provider = "GOOGLE",
},
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "email",
Provider = "OKTA",
},
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "call",
Provider = "OKTA",
},
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "webauthn",
Provider = "FIDO",
},
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "token",
Provider = "RSA",
},
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "token",
Provider = "SYMANTEC",
},
},
},
new Okta.Policy.Inputs.RuleSignonFactorSequenceArgs
{
PrimaryCriteriaFactorType = "token:software:totp",
PrimaryCriteriaProvider = "OKTA",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.policy.Signon;
import com.pulumi.okta.policy.SignonArgs;
import com.pulumi.okta.OktaFunctions;
import com.pulumi.okta.inputs.GetBehaviourArgs;
import com.pulumi.okta.policy.RuleSignon;
import com.pulumi.okta.policy.RuleSignonArgs;
import com.pulumi.okta.policy.inputs.RuleSignonFactorSequenceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new Signon("test", SignonArgs.builder()
.name("Example Policy")
.status("ACTIVE")
.description("Example Policy")
.build());
final var newCity = OktaFunctions.getBehaviour(GetBehaviourArgs.builder()
.name("New City")
.build());
var example = new RuleSignon("example", RuleSignonArgs.builder()
.access("CHALLENGE")
.authtype("RADIUS")
.name("Example Policy Rule")
.networkConnection("ANYWHERE")
.policyId(exampleOktaPolicySignon.id())
.status("ACTIVE")
.riscLevel("HIGH")
.behaviors(newCity.id())
.factorSequences(
RuleSignonFactorSequenceArgs.builder()
.primaryCriteriaFactorType("token:hotp")
.primaryCriteriaProvider("CUSTOM")
.secondaryCriterias(
RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("token:software:totp")
.provider("OKTA")
.build(),
RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("push")
.provider("OKTA")
.build(),
RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("password")
.provider("OKTA")
.build(),
RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("question")
.provider("OKTA")
.build(),
RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("sms")
.provider("OKTA")
.build(),
RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("token:software:totp")
.provider("GOOGLE")
.build(),
RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("email")
.provider("OKTA")
.build(),
RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("call")
.provider("OKTA")
.build(),
RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("webauthn")
.provider("FIDO")
.build(),
RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("token")
.provider("RSA")
.build(),
RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("token")
.provider("SYMANTEC")
.build())
.build(),
RuleSignonFactorSequenceArgs.builder()
.primaryCriteriaFactorType("token:software:totp")
.primaryCriteriaProvider("OKTA")
.build())
.build());
}
}
resources:
test:
type: okta:policy:Signon
properties:
name: Example Policy
status: ACTIVE
description: Example Policy
example:
type: okta:policy:RuleSignon
properties:
access: CHALLENGE
authtype: RADIUS
name: Example Policy Rule
networkConnection: ANYWHERE
policyId: ${exampleOktaPolicySignon.id}
status: ACTIVE
riscLevel: HIGH
behaviors:
- ${newCity.id}
factorSequences:
- primaryCriteriaFactorType: token:hotp
primaryCriteriaProvider: CUSTOM
secondaryCriterias:
- factorType: token:software:totp
provider: OKTA
- factorType: push
provider: OKTA
- factorType: password
provider: OKTA
- factorType: question
provider: OKTA
- factorType: sms
provider: OKTA
- factorType: token:software:totp
provider: GOOGLE
- factorType: email
provider: OKTA
- factorType: call
provider: OKTA
- factorType: webauthn
provider: FIDO
- factorType: token
provider: RSA
- factorType: token
provider: SYMANTEC
- primaryCriteriaFactorType: token:software:totp
primaryCriteriaProvider: OKTA
variables:
newCity:
fn::invoke:
function: okta:getBehaviour
arguments:
name: New City
Create RuleSignon Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new RuleSignon(name: string, args?: RuleSignonArgs, opts?: CustomResourceOptions);@overload
def RuleSignon(resource_name: str,
args: Optional[RuleSignonArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def RuleSignon(resource_name: str,
opts: Optional[ResourceOptions] = None,
access: Optional[str] = None,
authtype: Optional[str] = None,
behaviors: Optional[Sequence[str]] = None,
factor_sequences: Optional[Sequence[RuleSignonFactorSequenceArgs]] = None,
identity_provider: Optional[str] = None,
identity_provider_ids: Optional[Sequence[str]] = None,
mfa_lifetime: Optional[int] = None,
mfa_prompt: Optional[str] = None,
mfa_remember_device: Optional[bool] = None,
mfa_required: Optional[bool] = None,
name: Optional[str] = None,
network_connection: Optional[str] = None,
network_excludes: Optional[Sequence[str]] = None,
network_includes: Optional[Sequence[str]] = None,
policy_id: Optional[str] = None,
primary_factor: Optional[str] = None,
priority: Optional[int] = None,
risc_level: Optional[str] = None,
risk_level: Optional[str] = None,
session_idle: Optional[int] = None,
session_lifetime: Optional[int] = None,
session_persistent: Optional[bool] = None,
status: Optional[str] = None,
users_excludeds: Optional[Sequence[str]] = None)func NewRuleSignon(ctx *Context, name string, args *RuleSignonArgs, opts ...ResourceOption) (*RuleSignon, error)public RuleSignon(string name, RuleSignonArgs? args = null, CustomResourceOptions? opts = null)
public RuleSignon(String name, RuleSignonArgs args)
public RuleSignon(String name, RuleSignonArgs args, CustomResourceOptions options)
type: okta:policy:RuleSignon
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args RuleSignonArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RuleSignonArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RuleSignonArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RuleSignonArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RuleSignonArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var ruleSignonResource = new Okta.Policy.RuleSignon("ruleSignonResource", new()
{
Access = "string",
Authtype = "string",
Behaviors = new[]
{
"string",
},
FactorSequences = new[]
{
new Okta.Policy.Inputs.RuleSignonFactorSequenceArgs
{
PrimaryCriteriaFactorType = "string",
PrimaryCriteriaProvider = "string",
SecondaryCriterias = new[]
{
new Okta.Policy.Inputs.RuleSignonFactorSequenceSecondaryCriteriaArgs
{
FactorType = "string",
Provider = "string",
},
},
},
},
IdentityProvider = "string",
IdentityProviderIds = new[]
{
"string",
},
MfaLifetime = 0,
MfaPrompt = "string",
MfaRememberDevice = false,
MfaRequired = false,
Name = "string",
NetworkConnection = "string",
NetworkExcludes = new[]
{
"string",
},
NetworkIncludes = new[]
{
"string",
},
PolicyId = "string",
PrimaryFactor = "string",
Priority = 0,
RiskLevel = "string",
SessionIdle = 0,
SessionLifetime = 0,
SessionPersistent = false,
Status = "string",
UsersExcludeds = new[]
{
"string",
},
});
example, err := policy.NewRuleSignon(ctx, "ruleSignonResource", &policy.RuleSignonArgs{
Access: pulumi.String("string"),
Authtype: pulumi.String("string"),
Behaviors: pulumi.StringArray{
pulumi.String("string"),
},
FactorSequences: policy.RuleSignonFactorSequenceArray{
&policy.RuleSignonFactorSequenceArgs{
PrimaryCriteriaFactorType: pulumi.String("string"),
PrimaryCriteriaProvider: pulumi.String("string"),
SecondaryCriterias: policy.RuleSignonFactorSequenceSecondaryCriteriaArray{
&policy.RuleSignonFactorSequenceSecondaryCriteriaArgs{
FactorType: pulumi.String("string"),
Provider: pulumi.String("string"),
},
},
},
},
IdentityProvider: pulumi.String("string"),
IdentityProviderIds: pulumi.StringArray{
pulumi.String("string"),
},
MfaLifetime: pulumi.Int(0),
MfaPrompt: pulumi.String("string"),
MfaRememberDevice: pulumi.Bool(false),
MfaRequired: pulumi.Bool(false),
Name: pulumi.String("string"),
NetworkConnection: pulumi.String("string"),
NetworkExcludes: pulumi.StringArray{
pulumi.String("string"),
},
NetworkIncludes: pulumi.StringArray{
pulumi.String("string"),
},
PolicyId: pulumi.String("string"),
PrimaryFactor: pulumi.String("string"),
Priority: pulumi.Int(0),
RiskLevel: pulumi.String("string"),
SessionIdle: pulumi.Int(0),
SessionLifetime: pulumi.Int(0),
SessionPersistent: pulumi.Bool(false),
Status: pulumi.String("string"),
UsersExcludeds: pulumi.StringArray{
pulumi.String("string"),
},
})
var ruleSignonResource = new RuleSignon("ruleSignonResource", RuleSignonArgs.builder()
.access("string")
.authtype("string")
.behaviors("string")
.factorSequences(RuleSignonFactorSequenceArgs.builder()
.primaryCriteriaFactorType("string")
.primaryCriteriaProvider("string")
.secondaryCriterias(RuleSignonFactorSequenceSecondaryCriteriaArgs.builder()
.factorType("string")
.provider("string")
.build())
.build())
.identityProvider("string")
.identityProviderIds("string")
.mfaLifetime(0)
.mfaPrompt("string")
.mfaRememberDevice(false)
.mfaRequired(false)
.name("string")
.networkConnection("string")
.networkExcludes("string")
.networkIncludes("string")
.policyId("string")
.primaryFactor("string")
.priority(0)
.riskLevel("string")
.sessionIdle(0)
.sessionLifetime(0)
.sessionPersistent(false)
.status("string")
.usersExcludeds("string")
.build());
rule_signon_resource = okta.policy.RuleSignon("ruleSignonResource",
access="string",
authtype="string",
behaviors=["string"],
factor_sequences=[{
"primary_criteria_factor_type": "string",
"primary_criteria_provider": "string",
"secondary_criterias": [{
"factor_type": "string",
"provider": "string",
}],
}],
identity_provider="string",
identity_provider_ids=["string"],
mfa_lifetime=0,
mfa_prompt="string",
mfa_remember_device=False,
mfa_required=False,
name="string",
network_connection="string",
network_excludes=["string"],
network_includes=["string"],
policy_id="string",
primary_factor="string",
priority=0,
risk_level="string",
session_idle=0,
session_lifetime=0,
session_persistent=False,
status="string",
users_excludeds=["string"])
const ruleSignonResource = new okta.policy.RuleSignon("ruleSignonResource", {
access: "string",
authtype: "string",
behaviors: ["string"],
factorSequences: [{
primaryCriteriaFactorType: "string",
primaryCriteriaProvider: "string",
secondaryCriterias: [{
factorType: "string",
provider: "string",
}],
}],
identityProvider: "string",
identityProviderIds: ["string"],
mfaLifetime: 0,
mfaPrompt: "string",
mfaRememberDevice: false,
mfaRequired: false,
name: "string",
networkConnection: "string",
networkExcludes: ["string"],
networkIncludes: ["string"],
policyId: "string",
primaryFactor: "string",
priority: 0,
riskLevel: "string",
sessionIdle: 0,
sessionLifetime: 0,
sessionPersistent: false,
status: "string",
usersExcludeds: ["string"],
});
type: okta:policy:RuleSignon
properties:
access: string
authtype: string
behaviors:
- string
factorSequences:
- primaryCriteriaFactorType: string
primaryCriteriaProvider: string
secondaryCriterias:
- factorType: string
provider: string
identityProvider: string
identityProviderIds:
- string
mfaLifetime: 0
mfaPrompt: string
mfaRememberDevice: false
mfaRequired: false
name: string
networkConnection: string
networkExcludes:
- string
networkIncludes:
- string
policyId: string
primaryFactor: string
priority: 0
riskLevel: string
sessionIdle: 0
sessionLifetime: 0
sessionPersistent: false
status: string
usersExcludeds:
- string
RuleSignon Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The RuleSignon resource accepts the following input properties:
- Access string
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - Authtype string
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - Behaviors List<string>
- List of behavior IDs
- Factor
Sequences List<RuleSignon Factor Sequence> - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- Identity
Provider string - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - Identity
Provider List<string>Ids - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - Mfa
Lifetime int - Elapsed time before the next MFA challenge
- Mfa
Prompt string - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - Mfa
Remember boolDevice - Remember MFA device. Default:
false - Mfa
Required bool - Require MFA. Default:
false - Name string
- Policy Rule Name
- Network
Connection string - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - Network
Excludes List<string> - Required if
network_connection=ZONE. Indicates the network zones to exclude. - Network
Includes List<string> - Required if
network_connection=ZONE. Indicates the network zones to include. - Policy
Id string - Policy ID of the Rule
- Primary
Factor string - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - Priority int
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- Risc
Level string - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - Risk
Level string - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - Session
Idle int - Max minutes a session can be idle. Default:
120 - Session
Lifetime int - Max minutes a session is active: Disable = 0. Default:
120 - Session
Persistent bool - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - Status string
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - Users
Excludeds List<string> - Set of User IDs to Exclude
- Access string
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - Authtype string
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - Behaviors []string
- List of behavior IDs
- Factor
Sequences []RuleSignon Factor Sequence Args - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- Identity
Provider string - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - Identity
Provider []stringIds - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - Mfa
Lifetime int - Elapsed time before the next MFA challenge
- Mfa
Prompt string - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - Mfa
Remember boolDevice - Remember MFA device. Default:
false - Mfa
Required bool - Require MFA. Default:
false - Name string
- Policy Rule Name
- Network
Connection string - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - Network
Excludes []string - Required if
network_connection=ZONE. Indicates the network zones to exclude. - Network
Includes []string - Required if
network_connection=ZONE. Indicates the network zones to include. - Policy
Id string - Policy ID of the Rule
- Primary
Factor string - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - Priority int
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- Risc
Level string - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - Risk
Level string - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - Session
Idle int - Max minutes a session can be idle. Default:
120 - Session
Lifetime int - Max minutes a session is active: Disable = 0. Default:
120 - Session
Persistent bool - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - Status string
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - Users
Excludeds []string - Set of User IDs to Exclude
- access String
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - authtype String
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - behaviors List<String>
- List of behavior IDs
- factor
Sequences List<RuleSignon Factor Sequence> - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- identity
Provider String - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - identity
Provider List<String>Ids - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - mfa
Lifetime Integer - Elapsed time before the next MFA challenge
- mfa
Prompt String - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - mfa
Remember BooleanDevice - Remember MFA device. Default:
false - mfa
Required Boolean - Require MFA. Default:
false - name String
- Policy Rule Name
- network
Connection String - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - network
Excludes List<String> - Required if
network_connection=ZONE. Indicates the network zones to exclude. - network
Includes List<String> - Required if
network_connection=ZONE. Indicates the network zones to include. - policy
Id String - Policy ID of the Rule
- primary
Factor String - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - priority Integer
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- risc
Level String - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - risk
Level String - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - session
Idle Integer - Max minutes a session can be idle. Default:
120 - session
Lifetime Integer - Max minutes a session is active: Disable = 0. Default:
120 - session
Persistent Boolean - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - status String
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - users
Excludeds List<String> - Set of User IDs to Exclude
- access string
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - authtype string
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - behaviors string[]
- List of behavior IDs
- factor
Sequences RuleSignon Factor Sequence[] - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- identity
Provider string - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - identity
Provider string[]Ids - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - mfa
Lifetime number - Elapsed time before the next MFA challenge
- mfa
Prompt string - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - mfa
Remember booleanDevice - Remember MFA device. Default:
false - mfa
Required boolean - Require MFA. Default:
false - name string
- Policy Rule Name
- network
Connection string - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - network
Excludes string[] - Required if
network_connection=ZONE. Indicates the network zones to exclude. - network
Includes string[] - Required if
network_connection=ZONE. Indicates the network zones to include. - policy
Id string - Policy ID of the Rule
- primary
Factor string - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - priority number
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- risc
Level string - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - risk
Level string - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - session
Idle number - Max minutes a session can be idle. Default:
120 - session
Lifetime number - Max minutes a session is active: Disable = 0. Default:
120 - session
Persistent boolean - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - status string
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - users
Excludeds string[] - Set of User IDs to Exclude
- access str
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - authtype str
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - behaviors Sequence[str]
- List of behavior IDs
- factor_
sequences Sequence[RuleSignon Factor Sequence Args] - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- identity_
provider str - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - identity_
provider_ Sequence[str]ids - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - mfa_
lifetime int - Elapsed time before the next MFA challenge
- mfa_
prompt str - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - mfa_
remember_ booldevice - Remember MFA device. Default:
false - mfa_
required bool - Require MFA. Default:
false - name str
- Policy Rule Name
- network_
connection str - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - network_
excludes Sequence[str] - Required if
network_connection=ZONE. Indicates the network zones to exclude. - network_
includes Sequence[str] - Required if
network_connection=ZONE. Indicates the network zones to include. - policy_
id str - Policy ID of the Rule
- primary_
factor str - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - priority int
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- risc_
level str - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - risk_
level str - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - session_
idle int - Max minutes a session can be idle. Default:
120 - session_
lifetime int - Max minutes a session is active: Disable = 0. Default:
120 - session_
persistent bool - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - status str
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - users_
excludeds Sequence[str] - Set of User IDs to Exclude
- access String
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - authtype String
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - behaviors List<String>
- List of behavior IDs
- factor
Sequences List<Property Map> - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- identity
Provider String - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - identity
Provider List<String>Ids - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - mfa
Lifetime Number - Elapsed time before the next MFA challenge
- mfa
Prompt String - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - mfa
Remember BooleanDevice - Remember MFA device. Default:
false - mfa
Required Boolean - Require MFA. Default:
false - name String
- Policy Rule Name
- network
Connection String - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - network
Excludes List<String> - Required if
network_connection=ZONE. Indicates the network zones to exclude. - network
Includes List<String> - Required if
network_connection=ZONE. Indicates the network zones to include. - policy
Id String - Policy ID of the Rule
- primary
Factor String - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - priority Number
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- risc
Level String - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - risk
Level String - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - session
Idle Number - Max minutes a session can be idle. Default:
120 - session
Lifetime Number - Max minutes a session is active: Disable = 0. Default:
120 - session
Persistent Boolean - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - status String
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - users
Excludeds List<String> - Set of User IDs to Exclude
Outputs
All input properties are implicitly available as output properties. Additionally, the RuleSignon resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing RuleSignon Resource
Get an existing RuleSignon resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RuleSignonState, opts?: CustomResourceOptions): RuleSignon@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access: Optional[str] = None,
authtype: Optional[str] = None,
behaviors: Optional[Sequence[str]] = None,
factor_sequences: Optional[Sequence[RuleSignonFactorSequenceArgs]] = None,
identity_provider: Optional[str] = None,
identity_provider_ids: Optional[Sequence[str]] = None,
mfa_lifetime: Optional[int] = None,
mfa_prompt: Optional[str] = None,
mfa_remember_device: Optional[bool] = None,
mfa_required: Optional[bool] = None,
name: Optional[str] = None,
network_connection: Optional[str] = None,
network_excludes: Optional[Sequence[str]] = None,
network_includes: Optional[Sequence[str]] = None,
policy_id: Optional[str] = None,
primary_factor: Optional[str] = None,
priority: Optional[int] = None,
risc_level: Optional[str] = None,
risk_level: Optional[str] = None,
session_idle: Optional[int] = None,
session_lifetime: Optional[int] = None,
session_persistent: Optional[bool] = None,
status: Optional[str] = None,
users_excludeds: Optional[Sequence[str]] = None) -> RuleSignonfunc GetRuleSignon(ctx *Context, name string, id IDInput, state *RuleSignonState, opts ...ResourceOption) (*RuleSignon, error)public static RuleSignon Get(string name, Input<string> id, RuleSignonState? state, CustomResourceOptions? opts = null)public static RuleSignon get(String name, Output<String> id, RuleSignonState state, CustomResourceOptions options)resources: _: type: okta:policy:RuleSignon get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access string
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - Authtype string
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - Behaviors List<string>
- List of behavior IDs
- Factor
Sequences List<RuleSignon Factor Sequence> - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- Identity
Provider string - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - Identity
Provider List<string>Ids - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - Mfa
Lifetime int - Elapsed time before the next MFA challenge
- Mfa
Prompt string - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - Mfa
Remember boolDevice - Remember MFA device. Default:
false - Mfa
Required bool - Require MFA. Default:
false - Name string
- Policy Rule Name
- Network
Connection string - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - Network
Excludes List<string> - Required if
network_connection=ZONE. Indicates the network zones to exclude. - Network
Includes List<string> - Required if
network_connection=ZONE. Indicates the network zones to include. - Policy
Id string - Policy ID of the Rule
- Primary
Factor string - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - Priority int
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- Risc
Level string - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - Risk
Level string - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - Session
Idle int - Max minutes a session can be idle. Default:
120 - Session
Lifetime int - Max minutes a session is active: Disable = 0. Default:
120 - Session
Persistent bool - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - Status string
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - Users
Excludeds List<string> - Set of User IDs to Exclude
- Access string
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - Authtype string
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - Behaviors []string
- List of behavior IDs
- Factor
Sequences []RuleSignon Factor Sequence Args - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- Identity
Provider string - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - Identity
Provider []stringIds - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - Mfa
Lifetime int - Elapsed time before the next MFA challenge
- Mfa
Prompt string - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - Mfa
Remember boolDevice - Remember MFA device. Default:
false - Mfa
Required bool - Require MFA. Default:
false - Name string
- Policy Rule Name
- Network
Connection string - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - Network
Excludes []string - Required if
network_connection=ZONE. Indicates the network zones to exclude. - Network
Includes []string - Required if
network_connection=ZONE. Indicates the network zones to include. - Policy
Id string - Policy ID of the Rule
- Primary
Factor string - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - Priority int
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- Risc
Level string - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - Risk
Level string - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - Session
Idle int - Max minutes a session can be idle. Default:
120 - Session
Lifetime int - Max minutes a session is active: Disable = 0. Default:
120 - Session
Persistent bool - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - Status string
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - Users
Excludeds []string - Set of User IDs to Exclude
- access String
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - authtype String
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - behaviors List<String>
- List of behavior IDs
- factor
Sequences List<RuleSignon Factor Sequence> - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- identity
Provider String - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - identity
Provider List<String>Ids - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - mfa
Lifetime Integer - Elapsed time before the next MFA challenge
- mfa
Prompt String - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - mfa
Remember BooleanDevice - Remember MFA device. Default:
false - mfa
Required Boolean - Require MFA. Default:
false - name String
- Policy Rule Name
- network
Connection String - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - network
Excludes List<String> - Required if
network_connection=ZONE. Indicates the network zones to exclude. - network
Includes List<String> - Required if
network_connection=ZONE. Indicates the network zones to include. - policy
Id String - Policy ID of the Rule
- primary
Factor String - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - priority Integer
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- risc
Level String - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - risk
Level String - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - session
Idle Integer - Max minutes a session can be idle. Default:
120 - session
Lifetime Integer - Max minutes a session is active: Disable = 0. Default:
120 - session
Persistent Boolean - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - status String
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - users
Excludeds List<String> - Set of User IDs to Exclude
- access string
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - authtype string
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - behaviors string[]
- List of behavior IDs
- factor
Sequences RuleSignon Factor Sequence[] - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- identity
Provider string - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - identity
Provider string[]Ids - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - mfa
Lifetime number - Elapsed time before the next MFA challenge
- mfa
Prompt string - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - mfa
Remember booleanDevice - Remember MFA device. Default:
false - mfa
Required boolean - Require MFA. Default:
false - name string
- Policy Rule Name
- network
Connection string - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - network
Excludes string[] - Required if
network_connection=ZONE. Indicates the network zones to exclude. - network
Includes string[] - Required if
network_connection=ZONE. Indicates the network zones to include. - policy
Id string - Policy ID of the Rule
- primary
Factor string - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - priority number
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- risc
Level string - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - risk
Level string - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - session
Idle number - Max minutes a session can be idle. Default:
120 - session
Lifetime number - Max minutes a session is active: Disable = 0. Default:
120 - session
Persistent boolean - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - status string
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - users
Excludeds string[] - Set of User IDs to Exclude
- access str
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - authtype str
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - behaviors Sequence[str]
- List of behavior IDs
- factor_
sequences Sequence[RuleSignon Factor Sequence Args] - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- identity_
provider str - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - identity_
provider_ Sequence[str]ids - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - mfa_
lifetime int - Elapsed time before the next MFA challenge
- mfa_
prompt str - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - mfa_
remember_ booldevice - Remember MFA device. Default:
false - mfa_
required bool - Require MFA. Default:
false - name str
- Policy Rule Name
- network_
connection str - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - network_
excludes Sequence[str] - Required if
network_connection=ZONE. Indicates the network zones to exclude. - network_
includes Sequence[str] - Required if
network_connection=ZONE. Indicates the network zones to include. - policy_
id str - Policy ID of the Rule
- primary_
factor str - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - priority int
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- risc_
level str - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - risk_
level str - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - session_
idle int - Max minutes a session can be idle. Default:
120 - session_
lifetime int - Max minutes a session is active: Disable = 0. Default:
120 - session_
persistent bool - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - status str
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - users_
excludeds Sequence[str] - Set of User IDs to Exclude
- access String
- Allow or deny access based on the rule conditions:
ALLOW,DENYorCHALLENGE. Default:ALLOW - authtype String
- Authentication entrypoint:
ANY,RADIUSorLDAP_INTERFACE. Default:ANY - behaviors List<String>
- List of behavior IDs
- factor
Sequences List<Property Map> - Auth factor sequences. Should be set if 'access = "CHALLENGE"'. - 'primary_criteria_provider' - (Required) Primary provider of the auth section. - 'primary_criteria_factor_type' - (Required) Primary factor type of the auth section. - 'secondary_criteria' - (Optional) Additional authentication steps. - 'provider' - (Required) Provider of the additional authentication step. - 'factor_type' - (Required) Factor type of the additional authentication step.
- identity
Provider String - Apply rule based on the IdP used:
ANY,OKTAorSPECIFIC_IDP. Default:ANY. > WARNING: Use ofidentity_providerrequires a feature flag to be enabled. - identity
Provider List<String>Ids - When identity_provider is
SPECIFIC_IDPthen this is the list of IdP IDs to apply the rule on - mfa
Lifetime Number - Elapsed time before the next MFA challenge
- mfa
Prompt String - Prompt for MFA based on the device used, a factor session lifetime, or every sign-on attempt:
DEVICE,SESSIONorALWAYS. - mfa
Remember BooleanDevice - Remember MFA device. Default:
false - mfa
Required Boolean - Require MFA. Default:
false - name String
- Policy Rule Name
- network
Connection String - Network selection mode:
ANYWHERE,ZONE,ON_NETWORK, orOFF_NETWORK. Default:ANYWHERE - network
Excludes List<String> - Required if
network_connection=ZONE. Indicates the network zones to exclude. - network
Includes List<String> - Required if
network_connection=ZONE. Indicates the network zones to include. - policy
Id String - Policy ID of the Rule
- primary
Factor String - Rule's primary factor. WARNING Ony works as a part of the Identity Engine. Valid values:
PASSWORD_IDP_ANY_FACTOR,PASSWORD_IDP. - priority Number
- Rule priority. This attribute can be set to a valid priority. To avoid an endless diff situation an error is thrown if an invalid property is provided. The Okta API defaults to the last (lowest) if not provided.
- risc
Level String - Risc level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - risk
Level String - Risk level: ANY, LOW, MEDIUM or HIGH. Default:
ANY - session
Idle Number - Max minutes a session can be idle. Default:
120 - session
Lifetime Number - Max minutes a session is active: Disable = 0. Default:
120 - session
Persistent Boolean - Whether session cookies will last across browser sessions. Okta Administrators can never have persistent session cookies. Default:
false - status String
- Policy Rule Status:
ACTIVEorINACTIVE. Default:ACTIVE - users
Excludeds List<String> - Set of User IDs to Exclude
Supporting Types
RuleSignonFactorSequence, RuleSignonFactorSequenceArgs
- Primary
Criteria stringFactor Type - Type of a Factor
- Primary
Criteria stringProvider - Factor provider
- Secondary
Criterias List<RuleSignon Factor Sequence Secondary Criteria>
- Primary
Criteria stringFactor Type - Type of a Factor
- Primary
Criteria stringProvider - Factor provider
- Secondary
Criterias []RuleSignon Factor Sequence Secondary Criteria
- primary
Criteria StringFactor Type - Type of a Factor
- primary
Criteria StringProvider - Factor provider
- secondary
Criterias List<RuleSignon Factor Sequence Secondary Criteria>
- primary
Criteria stringFactor Type - Type of a Factor
- primary
Criteria stringProvider - Factor provider
- secondary
Criterias RuleSignon Factor Sequence Secondary Criteria[]
- primary_
criteria_ strfactor_ type - Type of a Factor
- primary_
criteria_ strprovider - Factor provider
- secondary_
criterias Sequence[RuleSignon Factor Sequence Secondary Criteria]
- primary
Criteria StringFactor Type - Type of a Factor
- primary
Criteria StringProvider - Factor provider
- secondary
Criterias List<Property Map>
RuleSignonFactorSequenceSecondaryCriteria, RuleSignonFactorSequenceSecondaryCriteriaArgs
- Factor
Type string - Type of a Factor
- Provider string
- Factor provider
- Factor
Type string - Type of a Factor
- Provider string
- Factor provider
- factor
Type String - Type of a Factor
- provider String
- Factor provider
- factor
Type string - Type of a Factor
- provider string
- Factor provider
- factor_
type str - Type of a Factor
- provider str
- Factor provider
- factor
Type String - Type of a Factor
- provider String
- Factor provider
Import
$ pulumi import okta:policy/ruleSignon:RuleSignon example <policy_id>/<rule_id>
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Okta pulumi/pulumi-okta
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
oktaTerraform Provider.
