@pulumi/okta 4.6.2 → 4.6.3

package/idp/getSaml.d.ts

@@ -1,6 +1,6 @@
 import * as pulumi from "@pulumi/pulumi";
 /**
- * Get a SAML IdP from Okta.
+ * Use this data source to retrieve a SAML IdP from Okta.
  *
  * ## Example Usage
  *
@@ -19,11 +19,11 @@ export declare function getSaml(args?: GetSamlArgs, opts?: pulumi.InvokeOptions)
  */
 export interface GetSamlArgs {
     /**
-     * Id of idp.
+     * The id of the idp to retrieve, conflicts with `name`.
      */
     id?: string;
     /**
-     * Name of the idp.
+     * The name of the idp to retrieve, conflicts with `id`.
      */
     name?: string;
 }
@@ -31,9 +31,6 @@ export interface GetSamlArgs {
  * A collection of values returned by getSaml.
  */
 export interface GetSamlResult {
-    /**
-     * ACS binding
-     */
     readonly acsBinding: string;
     /**
      * Determines whether to publish an instance-specific (trust) or organization (shared) ACS endpoint in the SAML metadata.
@@ -44,7 +41,7 @@ export interface GetSamlResult {
      */
     readonly audience: string;
     /**
-     * Id of idp.
+     * id of idp.
      */
     readonly id?: string;
     /**
@@ -52,7 +49,7 @@ export interface GetSamlResult {
      */
     readonly issuer: string;
     /**
-     * Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL in the request to the IdP.
+     * indicates whether Okta uses the original Okta org domain URL, or a custom domain URL in the request to the IdP.
      */
     readonly issuerMode: string;
     /**
@@ -60,11 +57,11 @@ export interface GetSamlResult {
      */
     readonly kid: string;
     /**
-     * Name of the idp.
+     * name of the idp.
      */
     readonly name?: string;
     /**
-     * Single sign-on binding.
+     * single sign-on binding.
      */
     readonly ssoBinding: string;
     /**
@@ -72,11 +69,11 @@ export interface GetSamlResult {
      */
     readonly ssoDestination: string;
     /**
-     * Single sign-on url.
+     * single sign-on url.
      */
     readonly ssoUrl: string;
     /**
-     * Regular expression pattern used to filter untrusted IdP usernames.
+     * regular expression pattern used to filter untrusted IdP usernames.
      */
     readonly subjectFilter: string;
     /**
@@ -84,12 +81,12 @@ export interface GetSamlResult {
      */
     readonly subjectFormats: string[];
     /**
-     * Type of idp.
+     * type of idp.
      */
     readonly type: string;
 }
 /**
- * Get a SAML IdP from Okta.
+ * Use this data source to retrieve a SAML IdP from Okta.
  *
  * ## Example Usage
  *
@@ -108,11 +105,11 @@ export declare function getSamlOutput(args?: GetSamlOutputArgs, opts?: pulumi.In
  */
 export interface GetSamlOutputArgs {
     /**
-     * Id of idp.
+     * The id of the idp to retrieve, conflicts with `name`.
      */
     id?: pulumi.Input<string>;
     /**
-     * Name of the idp.
+     * The name of the idp to retrieve, conflicts with `id`.
      */
     name?: pulumi.Input<string>;
 }

package/idp/getSaml.js

@@ -6,7 +6,7 @@ exports.getSamlOutput = exports.getSaml = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("../utilities");
 /**
- * Get a SAML IdP from Okta.
+ * Use this data source to retrieve a SAML IdP from Okta.
  *
  * ## Example Usage
  *
@@ -29,7 +29,7 @@ function getSaml(args, opts) {
 }
 exports.getSaml = getSaml;
 /**
- * Get a SAML IdP from Okta.
+ * Use this data source to retrieve a SAML IdP from Okta.
  *
  * ## Example Usage
  *

package/idp/getSaml.js.map

@@ -1 +1 @@
-{"version":3,"file":"getSaml.js","sourceRoot":"","sources":["../../idp/getSaml.ts"],"names":[],"mappings":";AAAA,wFAAwF;AACxF,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;;;;;;GAaG;AACH,SAAgB,OAAO,CAAC,IAAkB,EAAE,IAA2B;IACnE,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAElB,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,0BAA0B,EAAE;QACrD,IAAI,EAAE,IAAI,CAAC,EAAE;QACb,MAAM,EAAE,IAAI,CAAC,IAAI;KACpB,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AARD,0BAQC;AA6ED;;;;;;;;;;;;;GAaG;AACH,SAAgB,aAAa,CAAC,IAAwB,EAAE,IAA2B;IAC/E,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAA;AAClE,CAAC;AAFD,sCAEC"}
+{"version":3,"file":"getSaml.js","sourceRoot":"","sources":["../../idp/getSaml.ts"],"names":[],"mappings":";AAAA,wFAAwF;AACxF,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;;;;;;GAaG;AACH,SAAgB,OAAO,CAAC,IAAkB,EAAE,IAA2B;IACnE,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAElB,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,0BAA0B,EAAE;QACrD,IAAI,EAAE,IAAI,CAAC,EAAE;QACb,MAAM,EAAE,IAAI,CAAC,IAAI;KACpB,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AARD,0BAQC;AA0ED;;;;;;;;;;;;;GAaG;AACH,SAAgB,aAAa,CAAC,IAAwB,EAAE,IAA2B;IAC/E,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAA;AAClE,CAAC;AAFD,sCAEC"}

package/idp/getSocial.d.ts

@@ -1,6 +1,6 @@
 import * as pulumi from "@pulumi/pulumi";
 /**
- * Get a social IdP from Okta.
+ * Use this data source to retrieve a social IdP from Okta, namely `APPLE`, `FACEBOOK`, `LINKEDIN`, `MICROSOFT`, or  `GOOGLE`.
  *
  * ## Example Usage
  *
@@ -75,9 +75,6 @@ export interface GetSocialResult {
      * Whitelist of Okta Group identifiers.
      */
     readonly groupsFilters: string[];
-    /**
-     * The id of the social idp to retrieve, conflicts with `name`.
-     */
     readonly id?: string;
     /**
      * Indicates whether Okta uses the original Okta org domain URL, or a custom domain URL.
@@ -87,9 +84,6 @@ export interface GetSocialResult {
      * Maximum allowable clock-skew when processing messages from the IdP.
      */
     readonly maxClockSkew: number;
-    /**
-     * The name of the social idp to retrieve, conflicts with `id`.
-     */
     readonly name?: string;
     /**
      * Determines if the IdP should act as a source of truth for user profile attributes.
@@ -141,7 +135,7 @@ export interface GetSocialResult {
     readonly usernameTemplate: string;
 }
 /**
- * Get a social IdP from Okta.
+ * Use this data source to retrieve a social IdP from Okta, namely `APPLE`, `FACEBOOK`, `LINKEDIN`, `MICROSOFT`, or  `GOOGLE`.
  *
  * ## Example Usage
  *

package/idp/getSocial.js

@@ -6,7 +6,7 @@ exports.getSocialOutput = exports.getSocial = void 0;
 const pulumi = require("@pulumi/pulumi");
 const utilities = require("../utilities");
 /**
- * Get a social IdP from Okta.
+ * Use this data source to retrieve a social IdP from Okta, namely `APPLE`, `FACEBOOK`, `LINKEDIN`, `MICROSOFT`, or  `GOOGLE`.
  *
  * ## Example Usage
  *
@@ -29,7 +29,7 @@ function getSocial(args, opts) {
 }
 exports.getSocial = getSocial;
 /**
- * Get a social IdP from Okta.
+ * Use this data source to retrieve a social IdP from Okta, namely `APPLE`, `FACEBOOK`, `LINKEDIN`, `MICROSOFT`, or  `GOOGLE`.
  *
  * ## Example Usage
  *

package/idp/getSocial.js.map

@@ -1 +1 @@
-{"version":3,"file":"getSocial.js","sourceRoot":"","sources":["../../idp/getSocial.ts"],"names":[],"mappings":";AAAA,wFAAwF;AACxF,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;;;;;;GAaG;AACH,SAAgB,SAAS,CAAC,IAAoB,EAAE,IAA2B;IACvE,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAElB,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,8BAA8B,EAAE;QACzD,IAAI,EAAE,IAAI,CAAC,EAAE;QACb,MAAM,EAAE,IAAI,CAAC,IAAI;KACpB,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AARD,8BAQC;AAiID;;;;;;;;;;;;;GAaG;AACH,SAAgB,eAAe,CAAC,IAA0B,EAAE,IAA2B;IACnF,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAA;AACpE,CAAC;AAFD,0CAEC"}
+{"version":3,"file":"getSocial.js","sourceRoot":"","sources":["../../idp/getSocial.ts"],"names":[],"mappings":";AAAA,wFAAwF;AACxF,iFAAiF;;;AAEjF,yCAAyC;AACzC,0CAA0C;AAE1C;;;;;;;;;;;;;GAaG;AACH,SAAgB,SAAS,CAAC,IAAoB,EAAE,IAA2B;IACvE,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAElB,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,8BAA8B,EAAE;QACzD,IAAI,EAAE,IAAI,CAAC,EAAE;QACb,MAAM,EAAE,IAAI,CAAC,IAAI;KACpB,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AARD,8BAQC;AA2HD;;;;;;;;;;;;;GAaG;AACH,SAAgB,eAAe,CAAC,IAA0B,EAAE,IAA2B;IACnF,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAA;AACpE,CAAC;AAFD,0CAEC"}

package/idp/oidc.d.ts

@@ -1,4 +1,40 @@
 import * as pulumi from "@pulumi/pulumi";
+/**
+ * Creates an OIDC Identity Provider.
+ *
+ * This resource allows you to create and configure an OIDC Identity Provider.
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as okta from "@pulumi/okta";
+ *
+ * const example = new okta.idp.Oidc("example", {
+ *     authorizationBinding: "HTTP-REDIRECT",
+ *     authorizationUrl: "https://idp.example.com/authorize",
+ *     clientId: "efg456",
+ *     clientSecret: "efg456",
+ *     issuerUrl: "https://id.example.com",
+ *     jwksBinding: "HTTP-REDIRECT",
+ *     jwksUrl: "https://idp.example.com/keys",
+ *     scopes: ["openid"],
+ *     tokenBinding: "HTTP-POST",
+ *     tokenUrl: "https://idp.example.com/token",
+ *     userInfoBinding: "HTTP-REDIRECT",
+ *     userInfoUrl: "https://idp.example.com/userinfo",
+ *     usernameTemplate: "idpuser.email",
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * An OIDC IdP can be imported via the Okta ID.
+ *
+ * ```sh
+ *  $ pulumi import okta:idp/oidc:Oidc example <idp id>
+ * ```
+ */
 export declare class Oidc extends pulumi.CustomResource {
     /**
      * Get an existing Oidc resource's state with the given name, ID, and optional extra
@@ -15,54 +51,138 @@ export declare class Oidc extends pulumi.CustomResource {
      * when multiple copies of the Pulumi SDK have been loaded into the same process.
      */
     static isInstance(obj: any): obj is Oidc;
+    /**
+     * Specifies the account linking action for an IdP user.
+     */
     readonly accountLinkAction: pulumi.Output<string | undefined>;
+    /**
+     * Group memberships to determine link candidates.
+     */
     readonly accountLinkGroupIncludes: pulumi.Output<string[] | undefined>;
+    /**
+     * The method of making an authorization request. It can be set to `"HTTP-POST"` or `"HTTP-REDIRECT"`.
+     */
     readonly authorizationBinding: pulumi.Output<string>;
+    /**
+     * IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
+     */
     readonly authorizationUrl: pulumi.Output<string>;
+    /**
+     * Unique identifier issued by AS for the Okta IdP instance.
+     */
     readonly clientId: pulumi.Output<string>;
+    /**
+     * Client secret issued by AS for the Okta IdP instance.
+     */
     readonly clientSecret: pulumi.Output<string>;
+    /**
+     * Action for a previously deprovisioned IdP user during authentication. Can be `"NONE"` or `"REACTIVATE"`.
+     */
     readonly deprovisionedAction: pulumi.Output<string | undefined>;
+    /**
+     * Provisioning action for IdP user's group memberships. It can be `"NONE"`, `"SYNC"`, `"APPEND"`, or `"ASSIGN"`.
+     */
     readonly groupsAction: pulumi.Output<string | undefined>;
+    /**
+     * List of Okta Group IDs to add an IdP user as a member with the `"ASSIGN"` `groupsAction`.
+     */
     readonly groupsAssignments: pulumi.Output<string[] | undefined>;
+    /**
+     * IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
+     */
     readonly groupsAttribute: pulumi.Output<string | undefined>;
+    /**
+     * Whitelist of Okta Group identifiers that are allowed for the `"APPEND"` or `"SYNC"` `groupsAction`.
+     */
     readonly groupsFilters: pulumi.Output<string[] | undefined>;
     /**
-     * Indicates whether Okta uses the original Okta org domain URL, custom domain URL, or dynamic. See Identity Provider attributes - issuerMode - https://developer.okta.com/docs/reference/api/idps/#identity-provider-attributes
+     * Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be `"ORG_URL"`, `"CUSTOM_URL"`, or `"DYNAMIC"`.
      */
     readonly issuerMode: pulumi.Output<string | undefined>;
+    /**
+     * URI that identifies the issuer.
+     */
     readonly issuerUrl: pulumi.Output<string>;
+    /**
+     * The method of making a request for the OIDC JWKS. It can be set to `"HTTP-POST"` or `"HTTP-REDIRECT"`.
+     */
     readonly jwksBinding: pulumi.Output<string>;
+    /**
+     * Endpoint where the keys signer publishes its keys in a JWK Set.
+     */
     readonly jwksUrl: pulumi.Output<string>;
+    /**
+     * Maximum allowable clock-skew when processing messages from the IdP.
+     */
     readonly maxClockSkew: pulumi.Output<number | undefined>;
     /**
-     * Name of the IdP
+     * The Application's display name.
      */
     readonly name: pulumi.Output<string>;
+    /**
+     * Determines if the IdP should act as a source of truth for user profile attributes.
+     */
     readonly profileMaster: pulumi.Output<boolean | undefined>;
+    /**
+     * The type of protocol to use. It can be `"OIDC"` or `"OAUTH2"`.
+     */
     readonly protocolType: pulumi.Output<string | undefined>;
+    /**
+     * Provisioning action for an IdP user during authentication.
+     */
     readonly provisioningAction: pulumi.Output<string | undefined>;
     /**
-     * The HMAC Signature Algorithm used when signing an authorization request
+     * The HMAC Signature Algorithm used when signing an authorization request. Defaults to `"HS256"`. It can be `"HS256"`, `"HS384"`, `"HS512"`, `"SHA-256"`. `"RS256"`, `"RS384"`, or `"RS512"`. NOTE: `"SHA-256"` an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
      */
     readonly requestSignatureAlgorithm: pulumi.Output<string | undefined>;
     /**
-     * Specifies whether to digitally sign an authorization request to the IdP
+     * Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to `"REQUEST"`. It can be `"REQUEST"` or `"NONE"`.
      */
     readonly requestSignatureScope: pulumi.Output<string | undefined>;
+    /**
+     * The scopes of the IdP.
+     */
     readonly scopes: pulumi.Output<string[]>;
+    /**
+     * Status of the IdP.
+     */
     readonly status: pulumi.Output<string | undefined>;
+    /**
+     * Okta user profile attribute for matching transformed IdP username. Only for matchType `"CUSTOM_ATTRIBUTE"`.
+     */
     readonly subjectMatchAttribute: pulumi.Output<string | undefined>;
+    /**
+     * Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to `"USERNAME"`. It can be set to `"USERNAME"`, `"EMAIL"`, `"USERNAME_OR_EMAIL"` or `"CUSTOM_ATTRIBUTE"`.
+     */
     readonly subjectMatchType: pulumi.Output<string | undefined>;
+    /**
+     * Action for a previously suspended IdP user during authentication. Can be set to `"NONE"` or `"UNSUSPEND"`
+     */
     readonly suspendedAction: pulumi.Output<string | undefined>;
+    /**
+     * The method of making a token request. It can be set to `"HTTP-POST"` or `"HTTP-REDIRECT"`.
+     */
     readonly tokenBinding: pulumi.Output<string>;
+    /**
+     * IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
+     */
     readonly tokenUrl: pulumi.Output<string>;
     /**
      * Type of OIDC IdP.
      */
     readonly type: pulumi.Output<string>;
     readonly userInfoBinding: pulumi.Output<string | undefined>;
+    /**
+     * Protected resource endpoint that returns claims about the authenticated user.
+     */
     readonly userInfoUrl: pulumi.Output<string | undefined>;
+    /**
+     * User type ID. Can be used as `targetId` in the `okta.profile.Mapping` resource.
+     */
     readonly userTypeId: pulumi.Output<string>;
+    /**
+     * Okta EL Expression to generate or transform a unique username for the IdP user.
+     */
     readonly usernameTemplate: pulumi.Output<string | undefined>;
     /**
      * Create a Oidc resource with the given unique name, arguments, and options.
@@ -77,102 +197,267 @@ export declare class Oidc extends pulumi.CustomResource {
  * Input properties used for looking up and filtering Oidc resources.
  */
 export interface OidcState {
+    /**
+     * Specifies the account linking action for an IdP user.
+     */
     accountLinkAction?: pulumi.Input<string>;
+    /**
+     * Group memberships to determine link candidates.
+     */
     accountLinkGroupIncludes?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The method of making an authorization request. It can be set to `"HTTP-POST"` or `"HTTP-REDIRECT"`.
+     */
     authorizationBinding?: pulumi.Input<string>;
+    /**
+     * IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
+     */
     authorizationUrl?: pulumi.Input<string>;
+    /**
+     * Unique identifier issued by AS for the Okta IdP instance.
+     */
     clientId?: pulumi.Input<string>;
+    /**
+     * Client secret issued by AS for the Okta IdP instance.
+     */
     clientSecret?: pulumi.Input<string>;
+    /**
+     * Action for a previously deprovisioned IdP user during authentication. Can be `"NONE"` or `"REACTIVATE"`.
+     */
     deprovisionedAction?: pulumi.Input<string>;
+    /**
+     * Provisioning action for IdP user's group memberships. It can be `"NONE"`, `"SYNC"`, `"APPEND"`, or `"ASSIGN"`.
+     */
     groupsAction?: pulumi.Input<string>;
+    /**
+     * List of Okta Group IDs to add an IdP user as a member with the `"ASSIGN"` `groupsAction`.
+     */
     groupsAssignments?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
+     */
     groupsAttribute?: pulumi.Input<string>;
+    /**
+     * Whitelist of Okta Group identifiers that are allowed for the `"APPEND"` or `"SYNC"` `groupsAction`.
+     */
     groupsFilters?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * Indicates whether Okta uses the original Okta org domain URL, custom domain URL, or dynamic. See Identity Provider attributes - issuerMode - https://developer.okta.com/docs/reference/api/idps/#identity-provider-attributes
+     * Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be `"ORG_URL"`, `"CUSTOM_URL"`, or `"DYNAMIC"`.
      */
     issuerMode?: pulumi.Input<string>;
+    /**
+     * URI that identifies the issuer.
+     */
     issuerUrl?: pulumi.Input<string>;
+    /**
+     * The method of making a request for the OIDC JWKS. It can be set to `"HTTP-POST"` or `"HTTP-REDIRECT"`.
+     */
     jwksBinding?: pulumi.Input<string>;
+    /**
+     * Endpoint where the keys signer publishes its keys in a JWK Set.
+     */
     jwksUrl?: pulumi.Input<string>;
+    /**
+     * Maximum allowable clock-skew when processing messages from the IdP.
+     */
     maxClockSkew?: pulumi.Input<number>;
     /**
-     * Name of the IdP
+     * The Application's display name.
      */
     name?: pulumi.Input<string>;
+    /**
+     * Determines if the IdP should act as a source of truth for user profile attributes.
+     */
     profileMaster?: pulumi.Input<boolean>;
+    /**
+     * The type of protocol to use. It can be `"OIDC"` or `"OAUTH2"`.
+     */
     protocolType?: pulumi.Input<string>;
+    /**
+     * Provisioning action for an IdP user during authentication.
+     */
     provisioningAction?: pulumi.Input<string>;
     /**
-     * The HMAC Signature Algorithm used when signing an authorization request
+     * The HMAC Signature Algorithm used when signing an authorization request. Defaults to `"HS256"`. It can be `"HS256"`, `"HS384"`, `"HS512"`, `"SHA-256"`. `"RS256"`, `"RS384"`, or `"RS512"`. NOTE: `"SHA-256"` an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
      */
     requestSignatureAlgorithm?: pulumi.Input<string>;
     /**
-     * Specifies whether to digitally sign an authorization request to the IdP
+     * Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to `"REQUEST"`. It can be `"REQUEST"` or `"NONE"`.
      */
     requestSignatureScope?: pulumi.Input<string>;
+    /**
+     * The scopes of the IdP.
+     */
     scopes?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Status of the IdP.
+     */
     status?: pulumi.Input<string>;
+    /**
+     * Okta user profile attribute for matching transformed IdP username. Only for matchType `"CUSTOM_ATTRIBUTE"`.
+     */
     subjectMatchAttribute?: pulumi.Input<string>;
+    /**
+     * Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to `"USERNAME"`. It can be set to `"USERNAME"`, `"EMAIL"`, `"USERNAME_OR_EMAIL"` or `"CUSTOM_ATTRIBUTE"`.
+     */
     subjectMatchType?: pulumi.Input<string>;
+    /**
+     * Action for a previously suspended IdP user during authentication. Can be set to `"NONE"` or `"UNSUSPEND"`
+     */
     suspendedAction?: pulumi.Input<string>;
+    /**
+     * The method of making a token request. It can be set to `"HTTP-POST"` or `"HTTP-REDIRECT"`.
+     */
     tokenBinding?: pulumi.Input<string>;
+    /**
+     * IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
+     */
     tokenUrl?: pulumi.Input<string>;
     /**
      * Type of OIDC IdP.
      */
     type?: pulumi.Input<string>;
     userInfoBinding?: pulumi.Input<string>;
+    /**
+     * Protected resource endpoint that returns claims about the authenticated user.
+     */
     userInfoUrl?: pulumi.Input<string>;
+    /**
+     * User type ID. Can be used as `targetId` in the `okta.profile.Mapping` resource.
+     */
     userTypeId?: pulumi.Input<string>;
+    /**
+     * Okta EL Expression to generate or transform a unique username for the IdP user.
+     */
     usernameTemplate?: pulumi.Input<string>;
 }
 /**
  * The set of arguments for constructing a Oidc resource.
  */
 export interface OidcArgs {
+    /**
+     * Specifies the account linking action for an IdP user.
+     */
     accountLinkAction?: pulumi.Input<string>;
+    /**
+     * Group memberships to determine link candidates.
+     */
     accountLinkGroupIncludes?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The method of making an authorization request. It can be set to `"HTTP-POST"` or `"HTTP-REDIRECT"`.
+     */
     authorizationBinding: pulumi.Input<string>;
+    /**
+     * IdP Authorization Server (AS) endpoint to request consent from the user and obtain an authorization code grant.
+     */
     authorizationUrl: pulumi.Input<string>;
+    /**
+     * Unique identifier issued by AS for the Okta IdP instance.
+     */
     clientId: pulumi.Input<string>;
+    /**
+     * Client secret issued by AS for the Okta IdP instance.
+     */
     clientSecret: pulumi.Input<string>;
+    /**
+     * Action for a previously deprovisioned IdP user during authentication. Can be `"NONE"` or `"REACTIVATE"`.
+     */
     deprovisionedAction?: pulumi.Input<string>;
+    /**
+     * Provisioning action for IdP user's group memberships. It can be `"NONE"`, `"SYNC"`, `"APPEND"`, or `"ASSIGN"`.
+     */
     groupsAction?: pulumi.Input<string>;
+    /**
+     * List of Okta Group IDs to add an IdP user as a member with the `"ASSIGN"` `groupsAction`.
+     */
     groupsAssignments?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * IdP user profile attribute name (case-insensitive) for an array value that contains group memberships.
+     */
     groupsAttribute?: pulumi.Input<string>;
+    /**
+     * Whitelist of Okta Group identifiers that are allowed for the `"APPEND"` or `"SYNC"` `groupsAction`.
+     */
     groupsFilters?: pulumi.Input<pulumi.Input<string>[]>;
     /**
-     * Indicates whether Okta uses the original Okta org domain URL, custom domain URL, or dynamic. See Identity Provider attributes - issuerMode - https://developer.okta.com/docs/reference/api/idps/#identity-provider-attributes
+     * Indicates whether Okta uses the original Okta org domain URL, a custom domain URL, or dynamic. It can be `"ORG_URL"`, `"CUSTOM_URL"`, or `"DYNAMIC"`.
      */
     issuerMode?: pulumi.Input<string>;
+    /**
+     * URI that identifies the issuer.
+     */
     issuerUrl: pulumi.Input<string>;
+    /**
+     * The method of making a request for the OIDC JWKS. It can be set to `"HTTP-POST"` or `"HTTP-REDIRECT"`.
+     */
     jwksBinding: pulumi.Input<string>;
+    /**
+     * Endpoint where the keys signer publishes its keys in a JWK Set.
+     */
     jwksUrl: pulumi.Input<string>;
+    /**
+     * Maximum allowable clock-skew when processing messages from the IdP.
+     */
     maxClockSkew?: pulumi.Input<number>;
     /**
-     * Name of the IdP
+     * The Application's display name.
      */
     name?: pulumi.Input<string>;
+    /**
+     * Determines if the IdP should act as a source of truth for user profile attributes.
+     */
     profileMaster?: pulumi.Input<boolean>;
+    /**
+     * The type of protocol to use. It can be `"OIDC"` or `"OAUTH2"`.
+     */
     protocolType?: pulumi.Input<string>;
+    /**
+     * Provisioning action for an IdP user during authentication.
+     */
     provisioningAction?: pulumi.Input<string>;
     /**
-     * The HMAC Signature Algorithm used when signing an authorization request
+     * The HMAC Signature Algorithm used when signing an authorization request. Defaults to `"HS256"`. It can be `"HS256"`, `"HS384"`, `"HS512"`, `"SHA-256"`. `"RS256"`, `"RS384"`, or `"RS512"`. NOTE: `"SHA-256"` an undocumented legacy value and not continue to be valid. See API docs https://developer.okta.com/docs/reference/api/idps/#oidc-request-signature-algorithm-object
      */
     requestSignatureAlgorithm?: pulumi.Input<string>;
     /**
-     * Specifies whether to digitally sign an authorization request to the IdP
+     * Specifies whether to digitally sign an AuthnRequest messages to the IdP. Defaults to `"REQUEST"`. It can be `"REQUEST"` or `"NONE"`.
      */
     requestSignatureScope?: pulumi.Input<string>;
+    /**
+     * The scopes of the IdP.
+     */
     scopes: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * Status of the IdP.
+     */
     status?: pulumi.Input<string>;
+    /**
+     * Okta user profile attribute for matching transformed IdP username. Only for matchType `"CUSTOM_ATTRIBUTE"`.
+     */
     subjectMatchAttribute?: pulumi.Input<string>;
+    /**
+     * Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username. By default, it is set to `"USERNAME"`. It can be set to `"USERNAME"`, `"EMAIL"`, `"USERNAME_OR_EMAIL"` or `"CUSTOM_ATTRIBUTE"`.
+     */
     subjectMatchType?: pulumi.Input<string>;
+    /**
+     * Action for a previously suspended IdP user during authentication. Can be set to `"NONE"` or `"UNSUSPEND"`
+     */
     suspendedAction?: pulumi.Input<string>;
+    /**
+     * The method of making a token request. It can be set to `"HTTP-POST"` or `"HTTP-REDIRECT"`.
+     */
     tokenBinding: pulumi.Input<string>;
+    /**
+     * IdP Authorization Server (AS) endpoint to exchange the authorization code grant for an access token.
+     */
     tokenUrl: pulumi.Input<string>;
     userInfoBinding?: pulumi.Input<string>;
+    /**
+     * Protected resource endpoint that returns claims about the authenticated user.
+     */
     userInfoUrl?: pulumi.Input<string>;
+    /**
+     * Okta EL Expression to generate or transform a unique username for the IdP user.
+     */
     usernameTemplate?: pulumi.Input<string>;
 }