pingone_sign_on_policy_action when using Social IdP gets an Invalid Value Error #978

Open
cmachler opened this issue Feb 6, 2025 · 1 comment
Labels: status/triaged (The issue/PR has completed initial triage and needs assignment), type/bug (Something isn't working)

cmachler commented Feb 6, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

PingOne Terraform provider Version

v1.4.0

Terraform Version

v1.10.5

Affected Resource(s)

  • pingone_sign_on_policy_action

Terraform Configuration Files

resource "pingone_identity_provider" "azure_ad" {
  environment_id = lookup(local.environment_map[var.environment], "environment_id", null)

  name    = "Microsoft Azure AD"
  enabled = true

  registration_population_id = pingone_population.employees.id

  microsoft = {
    client_id     = module.azure_ad_idp.azuread_application_client_id
    client_secret = module.azure_ad_idp.azuread_application_password
  }
}

resource "pingone_sign_on_policy_action" "employee_direct_sso" {
  environment_id = lookup(local.environment_map[var.environment], "environment_id", null)

  sign_on_policy_id = pingone_sign_on_policy.employee_direct_sso.id
  priority          = 1

  conditions {
    last_sign_on_older_than_seconds = 14400
  }

  identity_provider {
    identity_provider_id = pingone_identity_provider.azure_ad.id
  }
}

Debug Output

│ Error: Error when calling `UpdateSignOnPolicyAction`: The request could not be completed. One or more validation errors were in the request.
│ 
│   with pingone_sign_on_policy_action.employee_direct_sso,
│   on policies.tf line 9, in resource "pingone_sign_on_policy_action" "employee_direct_sso":
│    9: resource "pingone_sign_on_policy_action" "employee_direct_sso" {  
│ 
│ PingOne Error Details:
│ ID:           676769f4-f2d2-43a7-8bc9-81f0a1cbec3c
│ Code:         INVALID_DATA
│ Message:      The request could not be completed. One or more validation errors were in the request.
│ Details:
│   - Code:     INVALID_VALUE
│     Message:  Only SAML or OIDC type IDP can be configured with 'passUserContext' property.
│     Target:   passUserContext

Panic Output

N/A

Expected Behavior

Do not include passUserContext property when the IdP is a Social provider IdP, instead of generic OIDC or SAML.

Actual Behavior

Above error. If I set up a generic SAML IdP instead of Social, that applies successfully.

Steps to Reproduce

  1. terraform apply

@cmachler added the status/needs-triage (The issue/PR needs initial triage) and type/bug (Something isn't working) labels Feb 6, 2025
@patrickcping added the status/triaged (The issue/PR has completed initial triage and needs assignment) label and removed the status/needs-triage (The issue/PR needs initial triage) label Feb 7, 2025
@patrickcping self-assigned this Feb 7, 2025

@patrickcping (Collaborator)

Hi @cmachler! Thanks for raising. You're correct, the passUserContext shouldn't be passed in the request payload in this case. The API has changed since the resource was implemented; looking at the console experience, it looks like we also need to add the ability to set entraIdEnabled in this policy action as well.

I've raised the request to have the API documentation updated and will plan the updates in.
