Okta v4.15.0, Mar 7 25

Okta v4.15.0 published on Friday, Mar 7, 2025 by Pulumi

okta.idp.Saml

Explore with Pulumi AI

Okta v4.15.0 published on Friday, Mar 7, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as okta from "@pulumi/okta";

const example = new okta.idp.Saml("example", {
    name: "testAcc_replace_with_uuid",
    acsType: "INSTANCE",
    ssoUrl: "https://idp.example.com",
    ssoDestination: "https://idp.example.com",
    ssoBinding: "HTTP-POST",
    usernameTemplate: "idpuser.email",
    kid: test.id,
    issuer: "https://idp.example.com",
    requestSignatureScope: "REQUEST",
    responseSignatureScope: "ANY",
});

import pulumi
import pulumi_okta as okta

example = okta.idp.Saml("example",
    name="testAcc_replace_with_uuid",
    acs_type="INSTANCE",
    sso_url="https://idp.example.com",
    sso_destination="https://idp.example.com",
    sso_binding="HTTP-POST",
    username_template="idpuser.email",
    kid=test["id"],
    issuer="https://idp.example.com",
    request_signature_scope="REQUEST",
    response_signature_scope="ANY")

package main

import (
	"github.com/pulumi/pulumi-okta/sdk/v4/go/okta/idp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := idp.NewSaml(ctx, "example", &idp.SamlArgs{
			Name:                   pulumi.String("testAcc_replace_with_uuid"),
			AcsType:                pulumi.String("INSTANCE"),
			SsoUrl:                 pulumi.String("https://idp.example.com"),
			SsoDestination:         pulumi.String("https://idp.example.com"),
			SsoBinding:             pulumi.String("HTTP-POST"),
			UsernameTemplate:       pulumi.String("idpuser.email"),
			Kid:                    pulumi.Any(test.Id),
			Issuer:                 pulumi.String("https://idp.example.com"),
			RequestSignatureScope:  pulumi.String("REQUEST"),
			ResponseSignatureScope: pulumi.String("ANY"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Okta = Pulumi.Okta;

return await Deployment.RunAsync(() => 
{
    var example = new Okta.Idp.Saml("example", new()
    {
        Name = "testAcc_replace_with_uuid",
        AcsType = "INSTANCE",
        SsoUrl = "https://idp.example.com",
        SsoDestination = "https://idp.example.com",
        SsoBinding = "HTTP-POST",
        UsernameTemplate = "idpuser.email",
        Kid = test.Id,
        Issuer = "https://idp.example.com",
        RequestSignatureScope = "REQUEST",
        ResponseSignatureScope = "ANY",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.okta.idp.Saml;
import com.pulumi.okta.idp.SamlArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Saml("example", SamlArgs.builder()
            .name("testAcc_replace_with_uuid")
            .acsType("INSTANCE")
            .ssoUrl("https://idp.example.com")
            .ssoDestination("https://idp.example.com")
            .ssoBinding("HTTP-POST")
            .usernameTemplate("idpuser.email")
            .kid(test.id())
            .issuer("https://idp.example.com")
            .requestSignatureScope("REQUEST")
            .responseSignatureScope("ANY")
            .build());

    }
}

resources:
  example:
    type: okta:idp:Saml
    properties:
      name: testAcc_replace_with_uuid
      acsType: INSTANCE
      ssoUrl: https://idp.example.com
      ssoDestination: https://idp.example.com
      ssoBinding: HTTP-POST
      usernameTemplate: idpuser.email
      kid: ${test.id}
      issuer: https://idp.example.com
      requestSignatureScope: REQUEST
      responseSignatureScope: ANY

Create Saml Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Saml(name: string, args: SamlArgs, opts?: CustomResourceOptions);

@overload
def Saml(resource_name: str,
         args: SamlArgs,
         opts: Optional[ResourceOptions] = None)

@overload
def Saml(resource_name: str,
         opts: Optional[ResourceOptions] = None,
         issuer: Optional[str] = None,
         sso_url: Optional[str] = None,
         kid: Optional[str] = None,
         profile_master: Optional[bool] = None,
         request_signature_algorithm: Optional[str] = None,
         groups_assignments: Optional[Sequence[str]] = None,
         groups_attribute: Optional[str] = None,
         groups_filters: Optional[Sequence[str]] = None,
         deprovisioned_action: Optional[str] = None,
         issuer_mode: Optional[str] = None,
         acs_type: Optional[str] = None,
         max_clock_skew: Optional[int] = None,
         name: Optional[str] = None,
         name_format: Optional[str] = None,
         account_link_action: Optional[str] = None,
         provisioning_action: Optional[str] = None,
         groups_action: Optional[str] = None,
         request_signature_scope: Optional[str] = None,
         response_signature_algorithm: Optional[str] = None,
         response_signature_scope: Optional[str] = None,
         sso_binding: Optional[str] = None,
         sso_destination: Optional[str] = None,
         account_link_group_includes: Optional[Sequence[str]] = None,
         status: Optional[str] = None,
         subject_filter: Optional[str] = None,
         subject_formats: Optional[Sequence[str]] = None,
         subject_match_attribute: Optional[str] = None,
         subject_match_type: Optional[str] = None,
         suspended_action: Optional[str] = None,
         username_template: Optional[str] = None)

func NewSaml(ctx *Context, name string, args SamlArgs, opts ...ResourceOption) (*Saml, error)

public Saml(string name, SamlArgs args, CustomResourceOptions? opts = null)

public Saml(String name, SamlArgs args)
public Saml(String name, SamlArgs args, CustomResourceOptions options)

type: okta:idp:Saml
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args SamlArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SamlArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SamlArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SamlArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SamlArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var oktaSamlResource = new Okta.Idp.Saml("oktaSamlResource", new()
{
    Issuer = "string",
    SsoUrl = "string",
    Kid = "string",
    ProfileMaster = false,
    RequestSignatureAlgorithm = "string",
    GroupsAssignments = new[]
    {
        "string",
    },
    GroupsAttribute = "string",
    GroupsFilters = new[]
    {
        "string",
    },
    DeprovisionedAction = "string",
    IssuerMode = "string",
    AcsType = "string",
    MaxClockSkew = 0,
    Name = "string",
    NameFormat = "string",
    AccountLinkAction = "string",
    ProvisioningAction = "string",
    GroupsAction = "string",
    RequestSignatureScope = "string",
    ResponseSignatureAlgorithm = "string",
    ResponseSignatureScope = "string",
    SsoBinding = "string",
    SsoDestination = "string",
    AccountLinkGroupIncludes = new[]
    {
        "string",
    },
    Status = "string",
    SubjectFilter = "string",
    SubjectFormats = new[]
    {
        "string",
    },
    SubjectMatchAttribute = "string",
    SubjectMatchType = "string",
    SuspendedAction = "string",
    UsernameTemplate = "string",
});

example, err := idp.NewSaml(ctx, "oktaSamlResource", &idp.SamlArgs{
	Issuer:                    pulumi.String("string"),
	SsoUrl:                    pulumi.String("string"),
	Kid:                       pulumi.String("string"),
	ProfileMaster:             pulumi.Bool(false),
	RequestSignatureAlgorithm: pulumi.String("string"),
	GroupsAssignments: pulumi.StringArray{
		pulumi.String("string"),
	},
	GroupsAttribute: pulumi.String("string"),
	GroupsFilters: pulumi.StringArray{
		pulumi.String("string"),
	},
	DeprovisionedAction:        pulumi.String("string"),
	IssuerMode:                 pulumi.String("string"),
	AcsType:                    pulumi.String("string"),
	MaxClockSkew:               pulumi.Int(0),
	Name:                       pulumi.String("string"),
	NameFormat:                 pulumi.String("string"),
	AccountLinkAction:          pulumi.String("string"),
	ProvisioningAction:         pulumi.String("string"),
	GroupsAction:               pulumi.String("string"),
	RequestSignatureScope:      pulumi.String("string"),
	ResponseSignatureAlgorithm: pulumi.String("string"),
	ResponseSignatureScope:     pulumi.String("string"),
	SsoBinding:                 pulumi.String("string"),
	SsoDestination:             pulumi.String("string"),
	AccountLinkGroupIncludes: pulumi.StringArray{
		pulumi.String("string"),
	},
	Status:        pulumi.String("string"),
	SubjectFilter: pulumi.String("string"),
	SubjectFormats: pulumi.StringArray{
		pulumi.String("string"),
	},
	SubjectMatchAttribute: pulumi.String("string"),
	SubjectMatchType:      pulumi.String("string"),
	SuspendedAction:       pulumi.String("string"),
	UsernameTemplate:      pulumi.String("string"),
})

var oktaSamlResource = new Saml("oktaSamlResource", SamlArgs.builder()
    .issuer("string")
    .ssoUrl("string")
    .kid("string")
    .profileMaster(false)
    .requestSignatureAlgorithm("string")
    .groupsAssignments("string")
    .groupsAttribute("string")
    .groupsFilters("string")
    .deprovisionedAction("string")
    .issuerMode("string")
    .acsType("string")
    .maxClockSkew(0)
    .name("string")
    .nameFormat("string")
    .accountLinkAction("string")
    .provisioningAction("string")
    .groupsAction("string")
    .requestSignatureScope("string")
    .responseSignatureAlgorithm("string")
    .responseSignatureScope("string")
    .ssoBinding("string")
    .ssoDestination("string")
    .accountLinkGroupIncludes("string")
    .status("string")
    .subjectFilter("string")
    .subjectFormats("string")
    .subjectMatchAttribute("string")
    .subjectMatchType("string")
    .suspendedAction("string")
    .usernameTemplate("string")
    .build());

okta_saml_resource = okta.idp.Saml("oktaSamlResource",
    issuer="string",
    sso_url="string",
    kid="string",
    profile_master=False,
    request_signature_algorithm="string",
    groups_assignments=["string"],
    groups_attribute="string",
    groups_filters=["string"],
    deprovisioned_action="string",
    issuer_mode="string",
    acs_type="string",
    max_clock_skew=0,
    name="string",
    name_format="string",
    account_link_action="string",
    provisioning_action="string",
    groups_action="string",
    request_signature_scope="string",
    response_signature_algorithm="string",
    response_signature_scope="string",
    sso_binding="string",
    sso_destination="string",
    account_link_group_includes=["string"],
    status="string",
    subject_filter="string",
    subject_formats=["string"],
    subject_match_attribute="string",
    subject_match_type="string",
    suspended_action="string",
    username_template="string")

const oktaSamlResource = new okta.idp.Saml("oktaSamlResource", {
    issuer: "string",
    ssoUrl: "string",
    kid: "string",
    profileMaster: false,
    requestSignatureAlgorithm: "string",
    groupsAssignments: ["string"],
    groupsAttribute: "string",
    groupsFilters: ["string"],
    deprovisionedAction: "string",
    issuerMode: "string",
    acsType: "string",
    maxClockSkew: 0,
    name: "string",
    nameFormat: "string",
    accountLinkAction: "string",
    provisioningAction: "string",
    groupsAction: "string",
    requestSignatureScope: "string",
    responseSignatureAlgorithm: "string",
    responseSignatureScope: "string",
    ssoBinding: "string",
    ssoDestination: "string",
    accountLinkGroupIncludes: ["string"],
    status: "string",
    subjectFilter: "string",
    subjectFormats: ["string"],
    subjectMatchAttribute: "string",
    subjectMatchType: "string",
    suspendedAction: "string",
    usernameTemplate: "string",
});

type: okta:idp:Saml
properties:
    accountLinkAction: string
    accountLinkGroupIncludes:
        - string
    acsType: string
    deprovisionedAction: string
    groupsAction: string
    groupsAssignments:
        - string
    groupsAttribute: string
    groupsFilters:
        - string
    issuer: string
    issuerMode: string
    kid: string
    maxClockSkew: 0
    name: string
    nameFormat: string
    profileMaster: false
    provisioningAction: string
    requestSignatureAlgorithm: string
    requestSignatureScope: string
    responseSignatureAlgorithm: string
    responseSignatureScope: string
    ssoBinding: string
    ssoDestination: string
    ssoUrl: string
    status: string
    subjectFilter: string
    subjectFormats:
        - string
    subjectMatchAttribute: string
    subjectMatchType: string
    suspendedAction: string
    usernameTemplate: string

Saml Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Saml resource accepts the following input properties:

Issuer string: URI that identifies the issuer.
Kid string: The ID of the signing key.
SsoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
AccountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
AccountLinkGroupIncludes List<string>: Group memberships to determine link candidates.
AcsType string: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
GroupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
GroupsAssignments List<string>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters List<string>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: Name of the IdP
NameFormat string: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProvisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
RequestSignatureAlgorithm string: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
RequestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
ResponseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
ResponseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
SsoBinding string: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
SsoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
Status string: Default to ACTIVE
SubjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
SubjectFormats List<string>: The name format.
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

Issuer string: URI that identifies the issuer.
Kid string: The ID of the signing key.
SsoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
AccountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
AccountLinkGroupIncludes []string: Group memberships to determine link candidates.
AcsType string: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
GroupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
GroupsAssignments []string: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters []string: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: Name of the IdP
NameFormat string: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProvisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
RequestSignatureAlgorithm string: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
RequestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
ResponseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
ResponseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
SsoBinding string: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
SsoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
Status string: Default to ACTIVE
SubjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
SubjectFormats []string: The name format.
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

issuer String: URI that identifies the issuer.
kid String: The ID of the signing key.
ssoUrl String: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
accountLinkAction String: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes List<String>: Group memberships to determine link candidates.
acsType String: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
deprovisionedAction String: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction String: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments List<String>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute String: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters List<String>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuerMode String: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
maxClockSkew Integer: Maximum allowable clock-skew when processing messages from the IdP.
name String: Name of the IdP
nameFormat String: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
profileMaster Boolean: Determines if the IdP should act as a source of truth for user profile attributes.
provisioningAction String: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm String: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
requestSignatureScope String: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
responseSignatureAlgorithm String: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
responseSignatureScope String: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
ssoBinding String: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
ssoDestination String: URI reference indicating the address to which the AuthnRequest message is sent.
status String: Default to ACTIVE
subjectFilter String: Optional regular expression pattern used to filter untrusted IdP usernames.
subjectFormats List<String>: The name format.
subjectMatchAttribute String: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType String: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction String: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
usernameTemplate String: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

issuer string: URI that identifies the issuer.
kid string: The ID of the signing key.
ssoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
accountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes string[]: Group memberships to determine link candidates.
acsType string: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
deprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments string[]: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters string[]: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
maxClockSkew number: Maximum allowable clock-skew when processing messages from the IdP.
name string: Name of the IdP
nameFormat string: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
profileMaster boolean: Determines if the IdP should act as a source of truth for user profile attributes.
provisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm string: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
requestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
responseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
responseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
ssoBinding string: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
ssoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
status string: Default to ACTIVE
subjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
subjectFormats string[]: The name format.
subjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
usernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

issuer str: URI that identifies the issuer.
kid str: The ID of the signing key.
sso_url str: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
account_link_action str: Specifies the account linking action for an IdP user. Default: AUTO
account_link_group_includes Sequence[str]: Group memberships to determine link candidates.
acs_type str: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
deprovisioned_action str: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groups_action str: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groups_assignments Sequence[str]: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groups_attribute str: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groups_filters Sequence[str]: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuer_mode str: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
max_clock_skew int: Maximum allowable clock-skew when processing messages from the IdP.
name str: Name of the IdP
name_format str: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
profile_master bool: Determines if the IdP should act as a source of truth for user profile attributes.
provisioning_action str: Provisioning action for an IdP user during authentication. Default: AUTO
request_signature_algorithm str: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
request_signature_scope str: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
response_signature_algorithm str: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
response_signature_scope str: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
sso_binding str: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
sso_destination str: URI reference indicating the address to which the AuthnRequest message is sent.
status str: Default to ACTIVE
subject_filter str: Optional regular expression pattern used to filter untrusted IdP usernames.
subject_formats Sequence[str]: The name format.
subject_match_attribute str: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subject_match_type str: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspended_action str: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
username_template str: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

issuer String: URI that identifies the issuer.
kid String: The ID of the signing key.
ssoUrl String: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
accountLinkAction String: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes List<String>: Group memberships to determine link candidates.
acsType String: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
deprovisionedAction String: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction String: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments List<String>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute String: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters List<String>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuerMode String: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
maxClockSkew Number: Maximum allowable clock-skew when processing messages from the IdP.
name String: Name of the IdP
nameFormat String: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
profileMaster Boolean: Determines if the IdP should act as a source of truth for user profile attributes.
provisioningAction String: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm String: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
requestSignatureScope String: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
responseSignatureAlgorithm String: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
responseSignatureScope String: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
ssoBinding String: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
ssoDestination String: URI reference indicating the address to which the AuthnRequest message is sent.
status String: Default to ACTIVE
subjectFilter String: Optional regular expression pattern used to filter untrusted IdP usernames.
subjectFormats List<String>: The name format.
subjectMatchAttribute String: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType String: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction String: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
usernameTemplate String: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

Outputs

All input properties are implicitly available as output properties. Additionally, the Saml resource produces the following output properties:

AcsBinding string
Audience string
Id string: The provider-assigned unique ID for this managed resource.
Type string
UserTypeId string

AcsBinding string
Audience string
Id string: The provider-assigned unique ID for this managed resource.
Type string
UserTypeId string

acsBinding String
audience String
id String: The provider-assigned unique ID for this managed resource.
type String
userTypeId String

acsBinding string
audience string
id string: The provider-assigned unique ID for this managed resource.
type string
userTypeId string

acs_binding str
audience str
id str: The provider-assigned unique ID for this managed resource.
type str
user_type_id str

acsBinding String
audience String
id String: The provider-assigned unique ID for this managed resource.
type String
userTypeId String

Look up Existing Saml Resource

Get an existing Saml resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SamlState, opts?: CustomResourceOptions): Saml

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_link_action: Optional[str] = None,
        account_link_group_includes: Optional[Sequence[str]] = None,
        acs_binding: Optional[str] = None,
        acs_type: Optional[str] = None,
        audience: Optional[str] = None,
        deprovisioned_action: Optional[str] = None,
        groups_action: Optional[str] = None,
        groups_assignments: Optional[Sequence[str]] = None,
        groups_attribute: Optional[str] = None,
        groups_filters: Optional[Sequence[str]] = None,
        issuer: Optional[str] = None,
        issuer_mode: Optional[str] = None,
        kid: Optional[str] = None,
        max_clock_skew: Optional[int] = None,
        name: Optional[str] = None,
        name_format: Optional[str] = None,
        profile_master: Optional[bool] = None,
        provisioning_action: Optional[str] = None,
        request_signature_algorithm: Optional[str] = None,
        request_signature_scope: Optional[str] = None,
        response_signature_algorithm: Optional[str] = None,
        response_signature_scope: Optional[str] = None,
        sso_binding: Optional[str] = None,
        sso_destination: Optional[str] = None,
        sso_url: Optional[str] = None,
        status: Optional[str] = None,
        subject_filter: Optional[str] = None,
        subject_formats: Optional[Sequence[str]] = None,
        subject_match_attribute: Optional[str] = None,
        subject_match_type: Optional[str] = None,
        suspended_action: Optional[str] = None,
        type: Optional[str] = None,
        user_type_id: Optional[str] = None,
        username_template: Optional[str] = None) -> Saml

func GetSaml(ctx *Context, name string, id IDInput, state *SamlState, opts ...ResourceOption) (*Saml, error)

public static Saml Get(string name, Input<string> id, SamlState? state, CustomResourceOptions? opts = null)

public static Saml get(String name, Output<String> id, SamlState state, CustomResourceOptions options)

resources:  _:    type: okta:idp:Saml    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
AccountLinkGroupIncludes List<string>: Group memberships to determine link candidates.
AcsBinding string
AcsType string: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
Audience string
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
GroupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
GroupsAssignments List<string>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters List<string>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
Issuer string: URI that identifies the issuer.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
Kid string: The ID of the signing key.
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: Name of the IdP
NameFormat string: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProvisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
RequestSignatureAlgorithm string: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
RequestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
ResponseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
ResponseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
SsoBinding string: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
SsoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
SsoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
Status string: Default to ACTIVE
SubjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
SubjectFormats List<string>: The name format.
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
Type string
UserTypeId string
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

AccountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
AccountLinkGroupIncludes []string: Group memberships to determine link candidates.
AcsBinding string
AcsType string: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
Audience string
DeprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
GroupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
GroupsAssignments []string: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
GroupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
GroupsFilters []string: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
Issuer string: URI that identifies the issuer.
IssuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
Kid string: The ID of the signing key.
MaxClockSkew int: Maximum allowable clock-skew when processing messages from the IdP.
Name string: Name of the IdP
NameFormat string: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
ProfileMaster bool: Determines if the IdP should act as a source of truth for user profile attributes.
ProvisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
RequestSignatureAlgorithm string: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
RequestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
ResponseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
ResponseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
SsoBinding string: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
SsoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
SsoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
Status string: Default to ACTIVE
SubjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
SubjectFormats []string: The name format.
SubjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
SubjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
SuspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
Type string
UserTypeId string
UsernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

accountLinkAction String: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes List<String>: Group memberships to determine link candidates.
acsBinding String
acsType String: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
audience String
deprovisionedAction String: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction String: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments List<String>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute String: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters List<String>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuer String: URI that identifies the issuer.
issuerMode String: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
kid String: The ID of the signing key.
maxClockSkew Integer: Maximum allowable clock-skew when processing messages from the IdP.
name String: Name of the IdP
nameFormat String: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
profileMaster Boolean: Determines if the IdP should act as a source of truth for user profile attributes.
provisioningAction String: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm String: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
requestSignatureScope String: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
responseSignatureAlgorithm String: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
responseSignatureScope String: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
ssoBinding String: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
ssoDestination String: URI reference indicating the address to which the AuthnRequest message is sent.
ssoUrl String: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
status String: Default to ACTIVE
subjectFilter String: Optional regular expression pattern used to filter untrusted IdP usernames.
subjectFormats List<String>: The name format.
subjectMatchAttribute String: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType String: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction String: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
type String
userTypeId String
usernameTemplate String: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

accountLinkAction string: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes string[]: Group memberships to determine link candidates.
acsBinding string
acsType string: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
audience string
deprovisionedAction string: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction string: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments string[]: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute string: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters string[]: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuer string: URI that identifies the issuer.
issuerMode string: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
kid string: The ID of the signing key.
maxClockSkew number: Maximum allowable clock-skew when processing messages from the IdP.
name string: Name of the IdP
nameFormat string: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
profileMaster boolean: Determines if the IdP should act as a source of truth for user profile attributes.
provisioningAction string: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm string: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
requestSignatureScope string: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
responseSignatureAlgorithm string: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
responseSignatureScope string: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
ssoBinding string: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
ssoDestination string: URI reference indicating the address to which the AuthnRequest message is sent.
ssoUrl string: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
status string: Default to ACTIVE
subjectFilter string: Optional regular expression pattern used to filter untrusted IdP usernames.
subjectFormats string[]: The name format.
subjectMatchAttribute string: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType string: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction string: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
type string
userTypeId string
usernameTemplate string: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

account_link_action str: Specifies the account linking action for an IdP user. Default: AUTO
account_link_group_includes Sequence[str]: Group memberships to determine link candidates.
acs_binding str
acs_type str: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
audience str
deprovisioned_action str: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groups_action str: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groups_assignments Sequence[str]: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groups_attribute str: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groups_filters Sequence[str]: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuer str: URI that identifies the issuer.
issuer_mode str: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
kid str: The ID of the signing key.
max_clock_skew int: Maximum allowable clock-skew when processing messages from the IdP.
name str: Name of the IdP
name_format str: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
profile_master bool: Determines if the IdP should act as a source of truth for user profile attributes.
provisioning_action str: Provisioning action for an IdP user during authentication. Default: AUTO
request_signature_algorithm str: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
request_signature_scope str: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
response_signature_algorithm str: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
response_signature_scope str: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
sso_binding str: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
sso_destination str: URI reference indicating the address to which the AuthnRequest message is sent.
sso_url str: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
status str: Default to ACTIVE
subject_filter str: Optional regular expression pattern used to filter untrusted IdP usernames.
subject_formats Sequence[str]: The name format.
subject_match_attribute str: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subject_match_type str: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspended_action str: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
type str
user_type_id str
username_template str: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

accountLinkAction String: Specifies the account linking action for an IdP user. Default: AUTO
accountLinkGroupIncludes List<String>: Group memberships to determine link candidates.
acsBinding String
acsType String: The type of ACS. It can be INSTANCE or ORG. Default: INSTANCE
audience String
deprovisionedAction String: Action for a previously deprovisioned IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
groupsAction String: Provisioning action for IdP user's group memberships. It can be NONE, SYNC, APPEND, or ASSIGN. Default: NONE
groupsAssignments List<String>: List of Okta Group IDs to add an IdP user as a member with the ASSIGN groups_action.
groupsAttribute String: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
groupsFilters List<String>: Whitelist of Okta Group identifiers that are allowed for the APPEND or SYNC groups_action.
issuer String: URI that identifies the issuer.
issuerMode String: Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL
kid String: The ID of the signing key.
maxClockSkew Number: Maximum allowable clock-skew when processing messages from the IdP.
name String: Name of the IdP
nameFormat String: The name identifier format to use. By default urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
profileMaster Boolean: Determines if the IdP should act as a source of truth for user profile attributes.
provisioningAction String: Provisioning action for an IdP user during authentication. Default: AUTO
requestSignatureAlgorithm String: The XML digital Signature Algorithm used when signing an AuthnRequest message. It can be SHA-256 or SHA-1. Default: SHA-256
requestSignatureScope String: Specifies whether to digitally sign an AuthnRequest messages to the IdP. It can be REQUEST or NONE. Default: REQUEST
responseSignatureAlgorithm String: The minimum XML digital signature algorithm allowed when verifying a SAMLResponse message or Assertion element. It can be SHA-256 or SHA-1. Default: SHA-256
responseSignatureScope String: Specifies whether to verify a SAMLResponse message or Assertion element XML digital signature. It can be RESPONSE, ASSERTION, or ANY. Default: ANY
ssoBinding String: The method of making an SSO request. It can be set to HTTP-POST or HTTP-REDIRECT. Default: HTTP-POST
ssoDestination String: URI reference indicating the address to which the AuthnRequest message is sent.
ssoUrl String: URL of binding-specific endpoint to send an AuthnRequest message to IdP.
status String: Default to ACTIVE
subjectFilter String: Optional regular expression pattern used to filter untrusted IdP usernames.
subjectFormats List<String>: The name format.
subjectMatchAttribute String: Okta user profile attribute for matching transformed IdP username. Only for matchType CUSTOM_ATTRIBUTE.
subjectMatchType String: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to USERNAME. It can be set to USERNAME, EMAIL, USERNAME_OR_EMAIL or CUSTOM_ATTRIBUTE.
suspendedAction String: Action for a previously suspended IdP user during authentication. Can be NONE or REACTIVATE. Default: NONE
type String
userTypeId String
usernameTemplate String: Okta EL Expression to generate or transform a unique username for the IdP user. Default: idpuser.email

Import

$ pulumi import okta:idp/saml:Saml example <idp_id>

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Okta pulumi/pulumi-okta
License: Apache-2.0
Notes: This Pulumi package is based on the okta Terraform Provider.

Okta v4.15.0 published on Friday, Mar 7, 2025 by Pulumi

pulumi/pulumi-okta

okta.idp.Saml

On this page

On this page

Example Usage

Create Saml Resource

Constructor syntax

Parameters

Constructor example

Saml Resource Properties

Inputs

Outputs

Look up Existing Saml Resource

Import

Package Details

On this page

On this page