Fix user schema and add app entity id

User schema must take an empty master value for accounts with
provisioning settings off.

examples/okta_saml_app/custom_saml_app.tf

@@ -4,7 +4,6 @@ resource "okta_saml_app" "testAcc_replace_with_uuid" {
   recipient                = "http://here.com"
   destination              = "http://its-about-the-journey.com"
   audience                 = "http://audience.com"
-  idp_issuer               = "idhere123"
   subject_name_id_template = "$${user.userName}"
   subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
   response_signed          = true

examples/okta_saml_app/custom_saml_app_all_fields.tf

@@ -4,7 +4,6 @@ resource "okta_saml_app" "testAcc_replace_with_uuid" {
   recipient                = "http://here.com"
   destination              = "http://its-about-the-journey.com"
   audience                 = "http://audience.com"
-  idp_issuer               = "idhere123"
   subject_name_id_template = "$${source.login}"
   subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
   response_signed          = true

examples/okta_saml_app/custom_saml_app_updated.tf

@@ -4,7 +4,6 @@ resource "okta_saml_app" "testAcc_replace_with_uuid" {
   recipient                = "http://here.com"
   destination              = "http://its-about-the-journey.com"
   audience                 = "http://audience.com"
-  idp_issuer               = "idhere123"
   status                   = "INACTIVE"
   subject_name_id_template = "$${user.userName}"
   subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

go.sum

@@ -81,6 +81,7 @@ github.com/hashicorp/terraform v0.11.11/go.mod h1:uN1KUiT7Wdg61fPwsGXQwK3c8PmpIV
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
+github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
@@ -124,7 +125,9 @@ github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx
 github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.7.0 h1:WSHQ+IS43OoUrWtD1/bbclrwK8TTH5hzp+umCiuxHgs=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
@@ -189,7 +192,9 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
+gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=

okta/resource_saml_app.go

@@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/terraform/helper/validation"
 	"github.com/okta/okta-sdk-golang/okta"
 	"github.com/okta/okta-sdk-golang/okta/query"
+	"strings"
 )
 
 const (
@@ -22,7 +23,6 @@ var customSamlAppRequiredFields = []string{
 	"recipient",
 	"destination",
 	"audience",
-	"idp_issuer",
 	"subject_name_id_template",
 	"subject_name_id_format",
 	"signature_algorithm",
@@ -32,13 +32,17 @@ var customSamlAppRequiredFields = []string{
 }
 
 type (
+	entityDescriptor struct {
+	}
+
 	ssoService struct {
 		Binding  string `xml:"Binding,attr"`
 		Location string `xml:"Location,attr"`
 	}
 
 	root struct {
-		Services []*ssoService `xml:"IDPSSODescriptor>SingleSignOnService"`
+		EntityURI string        `xml:"entityID,attr"`
+		Services  []*ssoService `xml:"IDPSSODescriptor>SingleSignOnService"`
 	}
 )
 
@@ -97,6 +101,16 @@ func resourceSamlApp() *schema.Resource {
 				Computed:    true,
 				Description: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect location from the SAML metadata.",
 			},
+			"entity_key": {
+				Type:        schema.TypeString,
+				Description: "Entity ID, the ID portion of the entity_url",
+				Computed:    true,
+			},
+			"entity_url": {
+				Type:        schema.TypeString,
+				Description: "Entity URL for instance http://www.okta.com/exk1fcia6d6EMsf331d8",
+				Computed:    true,
+			},
 			"auto_submit_toolbar": {
 				Type:        schema.TypeBool,
 				Optional:    true,
@@ -147,6 +161,10 @@ func resourceSamlApp() *schema.Resource {
 				Type:        schema.TypeString,
 				Optional:    true,
 				Description: "SAML issuer ID",
+				DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
+					// Conditional default
+					return new == "" && old == "http://www.okta.com/${org.externalKey}"
+				},
 			},
 			"sp_issuer": {
 				Type:        schema.TypeString,
@@ -401,6 +419,10 @@ func resourceSamlAppRead(d *schema.ResourceData, m interface{}) error {
 				d.Set("http_redirect_binding", service.Location)
 			}
 		}
+		uri := metadataRoot.EntityURI
+		key := getExternalID(uri, app.Settings.SignOn.IdpIssuer)
+		d.Set("entity_url", uri)
+		d.Set("entity_key", key)
 	}
 
 	appRead(d, app.Name, app.Status, app.SignOnMode, app.Label, app.Accessibility, app.Visibility)
@@ -574,6 +596,13 @@ func getCertificate(d *schema.ResourceData, m interface{}) (*okta.JsonWebKey, er
 	return key, err
 }
 
+func getExternalID(url string, pattern string) string {
+	// Default idp issuer is such that I can extract the ID. If someone enters a custom value
+	// this will result in "" most likely, which seems fine
+	pur := strings.Replace(pattern, "${org.externalKey}", "", -1)
+	return strings.Replace(url, pur, "", -1)
+}
+
 func getMetadata(d *schema.ResourceData, m interface{}, keyID string) ([]byte, error) {
 	key, _, err := getSupplementFromMetadata(m).GetSAMLMetdata(d.Id(), keyID)
 	return key, err

okta/resource_saml_app_test.go

@@ -53,7 +53,7 @@ func TestAccOktaSamlApplicationConditionalRequire(t *testing.T) {
 		Steps: []resource.TestStep{
 			{
 				Config:      config,
-				ExpectError: regexp.MustCompile("missing conditionally required fields, reason: Custom SAML applications must contain these fields, missing fields: sso_url, recipient, destination, audience, idp_issuer, subject_name_id_template, subject_name_id_format, signature_algorithm, digest_algorithm, honor_force_authn, authn_context_class_ref"),
+				ExpectError: regexp.MustCompile("missing conditionally required fields, reason: Custom SAML applications must contain these fields*"),
 			},
 		},
 	})
@@ -103,6 +103,8 @@ func TestAccOktaSamlApplication(t *testing.T) {
 					resource.TestCheckResourceAttrSet(resourceName, "http_redirect_binding"),
 					resource.TestCheckResourceAttrSet(resourceName, "key_id"),
 					resource.TestCheckResourceAttrSet(resourceName, "metadata"),
+					resource.TestCheckResourceAttrSet(resourceName, "entity_key"),
+					resource.TestCheckResourceAttrSet(resourceName, "entity_url"),
 				),
 			},
 			{
@@ -138,7 +140,6 @@ func TestAccOktaSamlApplicationAllFields(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "recipient", "http://here.com"),
 					resource.TestCheckResourceAttr(resourceName, "destination", "http://its-about-the-journey.com"),
 					resource.TestCheckResourceAttr(resourceName, "audience", "http://audience.com"),
-					resource.TestCheckResourceAttr(resourceName, "idp_issuer", "idhere123"),
 					resource.TestCheckResourceAttr(resourceName, "subject_name_id_template", "${source.login}"),
 					resource.TestCheckResourceAttr(resourceName, "subject_name_id_format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"),
 					resource.TestCheckResourceAttr(resourceName, "response_signed", "true"),

okta/resource_user_schema.go

@@ -105,9 +105,10 @@ func resourceUserSchema() *schema.Resource {
 				Default:      "READ_ONLY",
 			},
 			"master": &schema.Schema{
-				Type:         schema.TypeString,
-				Optional:     true,
-				ValidateFunc: validation.StringInSlice([]string{"PROFILE_MASTER", "OKTA"}, false),
+				Type:     schema.TypeString,
+				Optional: true,
+				// Accepting an empty value to allow for zero value (when provisioning is off)
+				ValidateFunc: validation.StringInSlice([]string{"PROFILE_MASTER", "OKTA", ""}, false),
 				Description:  "SubSchema profile manager, if not set it will inherit its setting.",
 			},
 		},