Update of SAML Cert Fails. #672

Closed
karlsequeira opened this issue Sep 27, 2021 · 3 comments · Fixed by #698
Assignees
Labels
enhancement Asking for new behavior or feature

Comments

@karlsequeira


Terraform Version

13

Affected Resource(s)

  • okta_idp_saml

Terraform Configuration Files


Debug Output

Panic Output

Expected Behavior

Inbound SAML should use the uploaded cert and delete the previous version.

Actual Behavior

Steps to Reproduce

  1. Update the SAML Cert.
  2. terraform apply

Important Factoids

2021-09-27T16:45:13.7930836Z Template interpolation syntax is still used to construct strings from
2021-09-27T16:45:13.7931176Z expressions when the template includes multiple interpolation sequences or a
2021-09-27T16:45:13.7931515Z mixture of literal strings and interpolations. This deprecation applies only
2021-09-27T16:45:13.7931842Z to templates that consist entirely of a single interpolation sequence.
2021-09-27T16:45:13.7933150Z Error: failed to delete identity provider signing key: the API returned an error: Api validation failed: kid. Causes: errorSummary: The key is currently being used by an Identity Provider.

@bogdanprodan-okta
Contributor

Hi @karlsequeira! Thanks for submitting this issue! I'll try to reproduce the bug and get back to you asap. Cheers!

@bogdanprodan-okta
Contributor

bogdanprodan-okta commented Oct 6, 2021

Hi, @karlsequeira! I think I'll make this resource updatable to fulfill your request. The logic will be something like this:

  • create a new identity provider key
  • list all identity providers that are using an old key
  • assign a new key to these identity providers
  • remove old identity provider key

However, I'm not sure whether this will work properly, since several identity providers outside the terraform may use this key, and removing it might be unexpected behavior.

Meanwhile, you can just create a new resource for the identity provider key and set that key to the identity provider in question. After that remove an old resource.

  1. Config example:
resource "okta_idp_saml_key" "old" {
  x5c = "old_key"
}

resource "okta_idp_saml" "test" {
  name                     = "testAcc_replace_with_uuid"
  acs_type                 = "INSTANCE"
  sso_url                  = "https://idp.example.com"
  sso_destination          = "https://idp.example.com"
  sso_binding              = "HTTP-POST"
  username_template        = "idpuser.email"
  kid                      = okta_idp_saml_key.old.id
  issuer                   = "https://idp.example.com"
  request_signature_scope  = "REQUEST"
  response_signature_scope = "ANY"
}
  2. Add a new key to the terraform, use that key in your IdP and apply the changes:
resource "okta_idp_saml_key" "old" {
  x5c = "old_key"
}

resource "okta_idp_saml_key" "new" { // <-- this is new key
  x5c = "new_key"
}

resource "okta_idp_saml" "test" {
  name                     = "testAcc_replace_with_uuid"
  acs_type                 = "INSTANCE"
  sso_url                  = "https://idp.example.com"
  sso_destination          = "https://idp.example.com"
  sso_binding              = "HTTP-POST"
  username_template        = "idpuser.email"
  kid                      = okta_idp_saml_key.new.id // <-- set the new key without removing the old one
  issuer                   = "https://idp.example.com"
  request_signature_scope  = "REQUEST"
  response_signature_scope = "ANY"
}
  3. Remove the old key and apply changes:
// resource "okta_idp_saml_key" "old" { // <- remove the old key
//   x5c = "old_key"
// }

resource "okta_idp_saml_key" "new" {
  x5c = "new_key"
}

resource "okta_idp_saml" "test" {
  name                     = "testAcc_replace_with_uuid"
  acs_type                 = "INSTANCE"
  sso_url                  = "https://idp.example.com"
  sso_destination          = "https://idp.example.com"
  sso_binding              = "HTTP-POST"
  username_template        = "idpuser.email"
  kid                      = okta_idp_saml_key.new.id
  issuer                   = "https://idp.example.com"
  request_signature_scope  = "REQUEST"
  response_signature_scope = "ANY"
}
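The four-step rotation sketched in the comment above (create the new key, find the IdPs trusting the old one, re-point them, delete the old key) and the concern that follows it (keys shared with IdPs outside Terraform) can be worked through in code. The example below is added here and is not the provider's code or the Okta SDK: the `KeyAPI` interface, `FakeOkta` stand-in, `RotateKey` function and the `managed` set of Terraform-owned IdP IDs are all assumptions modelled on the behaviour visible in the thread. The in-memory fake reproduces the API's refusal to delete a key that an IdP still trusts, which is the error the issue reports, and `RotateKey` stops before the delete step when an IdP it does not manage still references the old key rather than re-keying it behind the operator's back.

```go
package main

import (
	"errors"
	"fmt"
)

// IdP is a minimal model of an Okta SAML identity provider: the kid is the
// signing key the IdP currently trusts (set via okta_idp_saml's kid argument).
type IdP struct {
	ID   string
	Name string
	Kid  string
}

// KeyAPI is a hypothetical stand-in for the Okta IdP key endpoints, not the
// real SDK. Only the operations the rotation needs are modelled.
type KeyAPI interface {
	CreateKey(x5c []string) (kid string, err error)
	ListIdPs() ([]IdP, error)
	SetIdPKey(idpID, kid string) error
	DeleteKey(kid string) error
}

// RotateKey performs the rotation described in the comment. managed holds the
// IdP IDs Terraform owns; if any other IdP still trusts oldKid, the new key is
// kept, managed IdPs are re-pointed, but the old key is NOT deleted and an
// error names the IdPs that still depend on it.
func RotateKey(api KeyAPI, oldKid string, newX5c []string, managed map[string]bool) (string, error) {
	newKid, err := api.CreateKey(newX5c)
	if err != nil {
		return "", err
	}
	idps, err := api.ListIdPs()
	if err != nil {
		return newKid, err
	}
	var foreign []string
	for _, idp := range idps {
		if idp.Kid != oldKid {
			continue
		}
		if !managed[idp.ID] {
			foreign = append(foreign, idp.Name)
			continue
		}
		if err := api.SetIdPKey(idp.ID, newKid); err != nil {
			return newKid, err
		}
	}
	if len(foreign) > 0 {
		return newKid, fmt.Errorf("old key %s still trusted by unmanaged IdPs %v; not deleted", oldKid, foreign)
	}
	if err := api.DeleteKey(oldKid); err != nil {
		return newKid, err
	}
	return newKid, nil
}

// FakeOkta is an in-memory implementation that mimics the API's refusal to
// delete a key while any IdP references it.
type FakeOkta struct {
	Keys map[string][]string
	IdPs []IdP
	next int
}

func (f *FakeOkta) CreateKey(x5c []string) (string, error) {
	f.next++
	kid := fmt.Sprintf("kid-%d", f.next)
	f.Keys[kid] = x5c
	return kid, nil
}

func (f *FakeOkta) ListIdPs() ([]IdP, error) { return append([]IdP(nil), f.IdPs...), nil }

func (f *FakeOkta) SetIdPKey(id, kid string) error {
	if _, ok := f.Keys[kid]; !ok {
		return errors.New("unknown kid")
	}
	for i := range f.IdPs {
		if f.IdPs[i].ID == id {
			f.IdPs[i].Kid = kid
			return nil
		}
	}
	return errors.New("unknown idp")
}

func (f *FakeOkta) DeleteKey(kid string) error {
	for _, idp := range f.IdPs {
		if idp.Kid == kid {
			return errors.New("Api validation failed: kid. The key is currently being used by an Identity Provider.")
		}
	}
	delete(f.Keys, kid)
	return nil
}

func main() {
	// Constructed sample data; the x5c values are placeholders, not real certs.
	okta := &FakeOkta{
		Keys: map[string][]string{"kid-old": {"MIIC...old"}},
		IdPs: []IdP{{ID: "idp1", Name: "managed", Kid: "kid-old"}, {ID: "idp2", Name: "legacy", Kid: "kid-old"}},
	}
	newKid, err := RotateKey(okta, "kid-old", []string{"MIIC...new"}, map[string]bool{"idp1": true})
	fmt.Println(newKid, err) // idp2 still trusts kid-old, so the old key survives and err is set
}
```

Run as-is, the managed IdP ends up on the new key while the unmanaged one keeps the old key, and the old key is left in place; with both IdPs in `managed`, all four steps complete and the old key is deleted. The check before `DeleteKey` is the part worth keeping in any automation: the API already refuses the delete, but refusing it yourself with the list of dependent IdPs is what turns a confusing apply failure into an actionable one.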

@karlsequeira
Author

Thanks for your response. I will use this as a workaround for now. Will wait for the resource to be updateable.

@bogdanprodan-okta bogdanprodan-okta self-assigned this Oct 7, 2021
@bogdanprodan-okta bogdanprodan-okta added the enhancement Asking for new behavior or feature label Oct 7, 2021
@monde monde closed this as completed in #698 Oct 8, 2021