
Terraform Error When Creating an External IDP Authenticator in Okta

Okta Identity Engine
SDKs & Libraries

Overview

When attempting to create an okta_authenticator resource with key = "external_idp" using the Okta Terraform Provider, the apply fails with an API validation error stating that the provider.configuration.idpId field cannot be left blank, even though the Identity Provider (IdP) ID is correctly referenced in the configuration:

provider.configuration.idpId: The field cannot be left blank.

This occurs because an IdP created through Terraform defaults to the SSO Only usage setting, which disqualifies it from being used as an authenticator factor, so the ID reference fails to resolve at apply time.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Terraform Provider (6.6.x and later)
  • Identity Provider (IdP)

Cause

When the external IdP is created using Terraform, its usage setting in the Okta Admin Console defaults to SSO Only. Using the IdP as an authenticator requires its usage to be set to Factor Only.

Because Terraform does not manage this usage attribute, the IdP does not qualify for use as an authenticator, the idpId reference fails to resolve during the apply phase, and the API returns the error provider.configuration.idpId: The field cannot be left blank.

Solution

Create the external IdP resource without the authenticator, manually update the usage setting in the Okta Admin Console, and reapply the configuration.

  1. Apply the Terraform configuration to create the external IdP resource (e.g. okta_idp_saml) without the okta_authenticator resource.
  2. Ensure Okta successfully creates the IdP before proceeding.
  3. Sign in to the Okta Admin Console and navigate to Security > Identity Providers.
  4. Locate the Terraform-generated IdP and select Edit.
  5. Change the IdP Usage from SSO Only to Factor Only.
  6. Save the change.
  7. Add the okta_authenticator resource back to the Terraform configuration and run terraform apply again.

If the error persists after completing the above steps, check the Okta Terraform provider version. If the version is older than 6.6.0, upgrade to the latest provider version and re-run terraform apply.

The bug fix in provider version 6.6.0 is relevant only when the manual Admin Console change alone does not resolve the error.
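As an added example (not code from this article or from the Okta provider), the check below runs over `terraform show -json` plan output and flags the two shapes this article describes: an external_idp authenticator whose idpId depends on an IdP created in the same run (so its usage is still SSO Only at apply time), or an idpId that is blank. It assumes the authenticator carries its provider settings in the provider's provider_json attribute as a JSON string with a configuration.idpId field, and the IdP resource type names are assumed; the sample plan is constructed inline.

```python
import json

IDP_TYPES = ("okta_idp_saml", "okta_idp_oidc")  # assumed names of the IdP resource types

def _provider_json_refs(plan, address):
    # Resources referenced by the provider_json expression (plan 'configuration' block)
    for res in plan.get("configuration", {}).get("root_module", {}).get("resources", []):
        if res.get("address") == address:
            return res.get("expressions", {}).get("provider_json", {}).get("references", [])
    return []

def check_external_idp_plan(plan):
    """Return findings for every okta_authenticator with key = "external_idp"; [] means clean."""
    findings = []
    changes = plan.get("resource_changes", [])
    idps_created = {rc["address"] for rc in changes
                    if rc["type"] in IDP_TYPES and "create" in rc["change"]["actions"]}
    for rc in changes:
        after = rc["change"].get("after") or {}
        if rc["type"] != "okta_authenticator" or after.get("key") != "external_idp":
            continue
        addr = rc["address"]
        if (rc["change"].get("after_unknown") or {}).get("provider_json"):
            # idpId is unknown until the IdP exists; if that IdP is created in this same run,
            # its usage is still SSO Only when the authenticator is applied (the failing case).
            same_run = [r for r in _provider_json_refs(plan, addr)
                        if r in idps_created or r.rsplit(".", 1)[0] in idps_created]
            if same_run:
                findings.append(f"{addr}: idpId references {same_run[0]}, created in this same plan; "
                                "apply the IdP first, set its usage to Factor Only, then add the authenticator")
            continue
        cfg = json.loads(after.get("provider_json") or "{}").get("configuration", {})
        if not cfg.get("idpId"):
            findings.append(f"{addr}: provider.configuration.idpId is blank")
    return findings

# Constructed sample plan: IdP and authenticator created in one run (the article's scenario).
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "okta_idp_saml.corp", "type": "okta_idp_saml",
         "change": {"actions": ["create"], "after": {"name": "Corp SAML"}}},
        {"address": "okta_authenticator.corp_idp", "type": "okta_authenticator",
         "change": {"actions": ["create"], "after": {"key": "external_idp"},
                    "after_unknown": {"id": True, "provider_json": True}}}],
    "configuration": {"root_module": {"resources": [
        {"address": "okta_authenticator.corp_idp", "type": "okta_authenticator",
         "expressions": {"provider_json": {"references": ["okta_idp_saml.corp.id", "okta_idp_saml.corp"]}}}]}},
}
```

Run it against a saved plan with `terraform show -json tfplan` before the apply so the two-phase procedure above can be applied deliberately rather than discovered from the API error.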
