Setting applications' custom attributes via Terraform

I am using Terraform to configure my applications in my organization. I have found the easiest way to accomplish this is to create the application connector in the UI (making use of the App Catalog), and then import them into Terraform. For example:

    resource "okta_app_saml" "splunk" {
        preconfigured_app = "splunkcloud"
        label = "Splunk"
        app_settings_json = jsonencode({
          <some configuration>
        })
        user_name_template = "$${source.email}"
    }

However, these applications often have some kind of bespoke custom attribute. For example, the Splunk application has a field called “role”, in which you can write an expression based on the groups you’re in:

I cannot find this configuration anywhere in the Terraform state. It is, as best as I can tell, equivalent to an attribute statement of this form:

    attribute_statements {
      type         = "GROUP"
      name         = "role"
      filter_type  = "REGEX"
      filter_value = "^(EU access|Engineering|Splunk admin)$"
    }

However, trying to set this results in an error, seemingly because that’s exactly how it’s defined under the hood and this would result in an attribute name collision:

Error: failed to update SAML application: the API returned an error: Operation on application settings failed.. Causes: errorSummary: customSamlGroupAttributes[0].name: Invalid SAML attribute name ‘role’: duplicate name, errorSummary: customSamlGroupAttributes[0].name: Invalid attribute name: The SAML attribute ‘role’ matches an existing attribute name within this integration. View the SAML 2.0 setup instructions for a list of predefined SAML attributes. Choose a different name for the SAML attribute to prevent name collision.

Not being able to set values such as these is particularly irksome because part of the reason to even Terraform applications to begin with is that you can more easily manage links like this (e.g. if I rename one of these groups, I can have the change percolate automatically, not need to worry about typos, etc).

I note @colinlantern posted about the identical problem a couple years ago:

but it has no responses and was closed last year.

Has anyone found a workaround to this problem?

Far as I can tell, there is no public API for configuring these SAML attribute values, which is why the Terraform Provider lacks support for configuring them.

I weirdly don’t see a request for this functionality on our Okta Ideas portal (where customers can upvote various feature requests), so you may want to file an Idea there so other admins can vote on it for consideration by our Product team.
