I’m one of the knuckleheads trying to automate the Azure AD > Okta > AWS federation bit. It’s been a slog the whole way. I’m okay with Terraform but don’t know a thing about Azure.
One thing I can’t seem to find is where the value comes from for:
user_impersonation
oauth2_permission_scopes > id
It’s the same value and I have no idea where it comes from or what I need to do to generate it.
These blocks represent a manual configuration of AAD ↔ Okta that functions as expected. That configuration was then imported from Azure into Terraform to produce the Terraform definitions below, one each for an:
- Enterprise Application and
- Service Principal
# azuread_application.works:
# Application object as rendered by the provider after the manual AAD ↔ Okta
# setup was imported (see the "# azuread_application.works:" header above).
# This is state output, not authored config: several attributes below are
# read-only values the provider reports back (ids, publisher_domain,
# disabled_by_microsoft, the *_ids maps) and would presumably be rejected or
# ignored if copied verbatim into a .tf file — confirm against the provider docs.
resource "azuread_application" "test" {
# Derived lookup map: app role display names/values -> ids. Empty here even
# though two app_role blocks exist below, because neither block sets a value.
app_role_ids = {}
# Client (application) id; the service principal below references the same
# value in its own application_id attribute.
application_id = "xdbdf394-da73-48c2-8ae0-r55027ecea7x"
device_only_auth_enabled = false
# Read-only attribute rendered as "<nil>" because it is unset on the app.
disabled_by_microsoft = "<nil>"
display_name = "Okta"
fallback_public_client_enabled = false
group_membership_claims = []
# id == object_id for this resource (both are the application object id).
id = "x1e47d16-9dfb-4392-9873-ea852d62927x"
# SAML entity id of the Okta SP; the same URI appears as a
# service_principal_names entry on the service principal below.
identifier_uris = [
"https://www.okta.com/saml2/service-provider/sprgruhawcsuxibxhufb",
]
# Derived lookup map, scope `value` -> scope `id`. The key "user_impersonation"
# and its id are not a separate setting: they are copied from the
# api.oauth2_permission_scope block below (value = "user_impersonation",
# id = "yo673dfd-..."). The block is the source; this map is computed from it.
oauth2_permission_scope_ids = {
"user_impersonation" = "yo673dfd-0104-4945-b487-5adbceda821g"
}
oauth2_post_response_required = false
object_id = "x1e47d16-9dfb-4392-9873-ea852d62927x"
# No owners are recorded on the app object; worth assigning at least one so
# the registration has an accountable owner in the tenant.
owners = []
prevent_duplicate_names = false
publisher_domain = "todddsmhotmail.onmicrosoft.com"
# Single-tenant sign-in: only accounts from this directory can authenticate.
sign_in_audience = "AzureADMyOrg"
tags = []
template_id = "8adf8e6e-67b2-6cf2-b333-e3dc5476c720"
api {
known_client_applications = []
mapped_claims_enabled = false
requested_access_token_version = 1
# The delegated permission (scope) the question asks about. The `id` is the
# scope's own unique identifier and is not derived from any other value in
# this config; NOTE(review): the provider expects the caller to supply it as a
# UUID when authoring this block (e.g. one generated out of band or by a
# random_uuid resource) — confirm against the azuread provider docs. The value
# shown here contains non-hex characters (y, o, g), so it looks redacted;
# a real id must be a well-formed UUID.
oauth2_permission_scope {
admin_consent_description = "Allow the application to access Okta on behalf of the signed-in user."
admin_consent_display_name = "Access Okta"
enabled = true
id = "yo673dfd-0104-4945-b487-5adbceda821g"
# "User" means an end user can consent to this scope themselves.
type = "User"
user_consent_description = "Allow the application to access Okta on your behalf."
user_consent_display_name = "Access Okta"
# This string is what becomes the key in oauth2_permission_scope_ids above.
value = "user_impersonation"
}
}
# Two app roles; both are mirrored read-only in the service principal's
# app_roles list. Neither defines a `value`, hence the empty app_role_ids map.
app_role {
allowed_member_types = [
"User",
]
description = "User"
display_name = "User"
enabled = true
# Role id; also looks redacted here (non-hex characters) — real value is a UUID.
id = "foo14569-c3bd-439b-9a66-3a2aee01dbar"
}
app_role {
allowed_member_types = [
"User",
]
description = "msiam_access"
display_name = "msiam_access"
enabled = true
id = "blah2174-c057-4xce-951b-be3adc52blah"
}
# All false on the application object; the matching flags on the service
# principal are what carry the custom-SSO / enterprise markers.
feature_tags {
custom_single_sign_on = false
enterprise = false
gallery = false
hide = false
}
public_client {
redirect_uris = []
}
single_page_application {
redirect_uris = []
}
timeouts {}
web {
homepage_url = "https://account.activedirectory.windowsazure.com:444/applications/default.aspx?metadata=customappsso|ISV9.1|primary|z"
# Okta ACS endpoint for this SAML integration; the service principal lists
# the identical URI in its redirect_uris.
redirect_uris = [
"https://trial-7287862.okta.com/sso/saml2/01a4n4ir01u3bWrEL601",
]
# Implicit-grant ID token issuance is enabled while access-token issuance is
# not. NOTE(review): this app is used for SAML SSO (see the service
# principal's preferred_single_sign_on_mode), so confirm the OIDC implicit
# flow is actually needed before carrying it into authored config.
implicit_grant {
access_token_issuance_enabled = false
id_token_issuance_enabled = true
}
}
}
# azuread_service_principal.works:
# Service principal (the "Enterprise Application" side) for the application
# above, as rendered after import. Most of the lists and maps below are
# read-only mirrors of what the application object declares; the authored
# inputs are essentially application_id plus the behavioural flags.
resource "azuread_service_principal" "test" {
account_enabled = true
alternative_names = []
# Users and groups must be explicitly assigned to this enterprise app before
# they can sign in through it; keeping this true limits who can reach Okta
# via this federation.
app_role_assignment_required = true
# Derived map (role value -> id); empty because no role defines a value.
app_role_ids = {}
# Read-only copy of the application's app_role blocks. Note `value = ""` on
# each entry, matching the absence of a value attribute on the application.
app_roles = [
{
allowed_member_types = [
"User",
]
description = "User"
display_name = "User"
enabled = true
id = "foo14569-c3bd-439b-9a66-3a2aee01dbar"
value = ""
},
{
allowed_member_types = [
"User",
]
description = "msiam_access"
display_name = "msiam_access"
enabled = true
id = "blah2174-c057-4xce-951b-be3adc52blah"
value = ""
},
]
# Links this principal to the application object above (same client id).
application_id = "xdbdf394-da73-48c2-8ae0-r55027ecea7x"
application_tenant_id = "86e87001-aede-4084-09s8-12534c4e3691"
display_name = "Okta"
homepage_url = "https://account.activedirectory.windowsazure.com:444/applications/default.aspx?metadata=customappsso|ISV9.1|primary|z"
# id == object_id: the service principal object id (distinct from the
# application object id and from the client id).
id = "64a67f2f-5bca-4d10-9163-b590fb3e123j"
# Personal address of the SSO contact; unlike the ids above it has not been
# redacted in this dump, so treat the dump itself as non-public.
notification_email_addresses = [
"todd_dsm@hotmail.com",
]
# Same derived map as on the application: scope `value` -> scope `id`,
# computed from the scope definition, not a separately configured value.
oauth2_permission_scope_ids = {
"user_impersonation" = "yo673dfd-0104-4945-b487-5adbceda821g"
}
# Read-only mirror of the application's api.oauth2_permission_scope block;
# the id here is the same UUID and is inherited, not generated, at this level.
oauth2_permission_scopes = [
{
admin_consent_description = "Allow the application to access Okta on behalf of the signed-in user."
admin_consent_display_name = "Access Okta"
enabled = true
id = "yo673dfd-0104-4945-b487-5adbceda821g"
type = "User"
user_consent_description = "Allow the application to access Okta on your behalf."
user_consent_display_name = "Access Okta"
value = "user_impersonation"
},
]
object_id = "64a67f2f-5bca-4d10-9163-b590fb3e123j"
# No owners recorded on the service principal either.
owners = []
# SSO is SAML; the OIDC implicit grant on the application is not what this
# integration relies on.
preferred_single_sign_on_mode = "saml"
# Mirrors the application's web.redirect_uris (Okta ACS URL).
redirect_uris = [
"https://trial-7287862.okta.com/sso/saml2/01a4n4ir01u3bWrEL601",
]
# Mirrors the application's identifier_uris (SAML entity id).
service_principal_names = [
"https://www.okta.com/saml2/service-provider/sprgruhawcsuxibxhufb",
]
sign_in_audience = "AzureADMyOrg"
# Tags set on the enterprise app; they appear to correspond to the
# custom_single_sign_on / enterprise flags in feature_tags below.
tags = [
"WindowsAzureActiveDirectoryCustomSingleSignOnApplication",
"WindowsAzureActiveDirectoryIntegratedApp",
]
type = "Application"
feature_tags {
custom_single_sign_on = true
enterprise = true
gallery = false
hide = false
}
# SAML settings block is present but carries no explicit overrides in this dump.
saml_single_sign_on {}
timeouts {}
}