Feature Request: Policy - keepMeSignedIn support #2171

Open
delize opened this issue Jan 13, 2025 · 1 comment
Labels
enhancement Asking for new behavior or feature triaged Triaged into internal Jira

Comments


delize commented Jan 13, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Support the keepMeSignedIn (API Policy Documentation) for use with authentication policies. This feature appears to be in EA / Preview.

"keepMeSignedIn": {
  "postAuth": "NOT_ALLOWED"
}

The full API Feature is below:

| Field | Type | Description | Values |
| --- | --- | --- | --- |
| keepMeSignedIn | object (KeepMeSignedIn) | Controls how often the post-authentication prompt is presented to users | |
| postAuth | string | Whether the post-authentication Keep Me Signed In (KMSI) flow is allowed | "ALLOWED", "NOT_ALLOWED" |
| postAuthPromptFrequency | string (TimeDuration) | A time duration specified as an ISO-8601 duration. Pattern: ^P(?:$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?:\d)... | |

Subsequently, also support any potential branding option as outlined in the customize Post-Sign In Experience Prompts.

New or Affected Resource(s)

Potential Terraform Configuration

This should be compatible with any future changes present in #2080

Post-authentication KMSI Possibility:

resource "okta_app_signon_policy_rule" "example" {
  name      = "testAcc_replace_with_uuid"
  policy_id = data.okta_app_signon_policy.test.id
  access    = "ALLOW"

  custom_expression    = "user.status == \"ACTIVE\""
  device_is_managed    = false
  device_is_registered = true
  factor_mode          = "2FA"

  groups_excluded = [
    okta_group.this[2].id,
    okta_group.this[3].id,
    okta_group.this[4].id
  ]

  groups_included = [
    okta_group.this[0].id,
    okta_group.this[1].id
  ]

  device_assurances_included = [
    okta_policy_device_assurance_android.test.id
  ]

  network_connection = "ZONE"
  network_includes = [
    okta_network_zone.test.id
  ]

  platform_include {
    os_type = "ANDROID"
    type    = "MOBILE"
  }
  platform_include {
    os_type = "IOS"
    type    = "MOBILE"
  }
  platform_include {
    os_type = "MACOS"
    type    = "DESKTOP"
  }
  platform_include {
    os_type = "WINDOWS"
    type    = "DESKTOP"
  }
  platform_include {
    os_type = "OTHER"
    type    = "MOBILE"
  }

  priority                    = 98
  re_authentication_frequency = "PT43800H" # Once per session
  type                        = "ASSURANCE"

  user_types_excluded = [
    okta_user_type.test.id
  ]
  user_types_included = [
    data.okta_user_type.default.id
  ]

  users_excluded = [
    okta_user.test[2].id,
    okta_user.test[3].id,
    okta_user.test[4].id
  ]
  users_included = [
    okta_user.test[0].id,
    okta_user.test[1].id
  ]

  constraints = [
    jsonencode({
      "keepMeSignedIn" : {
        "postAuth"                : "ALLOWED",
        "postAuthPromptFrequency" : "PT168H" # 7 days
      }
    }),
    jsonencode({
      "knowledge" : {
        "reauthenticateIn" : "PT2H",
        "types"            : ["password"]
      },
      "possession" : {
        "deviceBound" : "REQUIRED"
      }
    })
  ]
}

More specifically:

  constraints = [
    jsonencode({
      "keepMeSignedIn" : {
        "postAuth"                : "ALLOWED",
        "postAuthPromptFrequency" : "PT168H" # 7 days
      }
    }),

References

References to official documentation have been outlined throughout this FR.

EDIT: Updated to the actual intended link policy_rule and not just policy.
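As an added example (not code from the issue or from the okta provider), the check below parses the `keepMeSignedIn` block of a constraint string like the ones proposed above, validates `postAuth` against the documented values, parses `postAuthPromptFrequency` as an ISO-8601 duration and flags a prompt window longer than a ceiling the reviewer chooses. The duration regex is an assumption reconstructed from the truncated pattern in the API table, and the `P7D` ceiling is a constructed policy value.

```python
import json
import re
from datetime import timedelta

# ISO-8601 duration in the P[nY][nM][nW][nD][T[nH][nM][nS]] form the API field
# documents. The pattern quoted in the issue is truncated, so this regex is an
# assumption reconstructed from its visible prefix.
DURATION_RE = re.compile(
    r"^P(?!$)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?!$)(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)
POST_AUTH_VALUES = {"ALLOWED", "NOT_ALLOWED"}


def parse_duration(text: str) -> timedelta:
    """Convert an ISO-8601 duration to a timedelta (years counted as 365 days, months as 30)."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError(f"not an ISO-8601 duration: {text!r}")
    y, mo, w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=365 * y + 30 * mo + 7 * w + d, hours=h, minutes=mi, seconds=s)


def check_kmsi(constraint_json: str, max_prompt_frequency: str = "P7D") -> list[str]:
    """Return review findings for the keepMeSignedIn block of one constraint string."""
    kmsi = json.loads(constraint_json).get("keepMeSignedIn")
    if kmsi is None:
        return []  # this constraint does not touch KMSI at all
    findings = []
    post_auth = kmsi.get("postAuth")
    if post_auth not in POST_AUTH_VALUES:
        findings.append(f"postAuth must be one of {sorted(POST_AUTH_VALUES)}, got {post_auth!r}")
    freq = kmsi.get("postAuthPromptFrequency")
    if freq is None:
        return findings
    try:
        prompt_every = parse_duration(freq)
    except ValueError as exc:
        return findings + [str(exc)]
    if post_auth == "NOT_ALLOWED":
        findings.append("postAuthPromptFrequency has no effect when postAuth is NOT_ALLOWED")
    elif prompt_every > parse_duration(max_prompt_frequency):
        findings.append(f"KMSI prompt frequency {freq} exceeds the ceiling {max_prompt_frequency}")
    return findings


if __name__ == "__main__":
    # Constructed inputs mirroring the constraint strings proposed in the issue.
    for c in ('{"keepMeSignedIn": {"postAuth": "ALLOWED", "postAuthPromptFrequency": "PT168H"}}',
              '{"keepMeSignedIn": {"postAuth": "ALLOWED", "postAuthPromptFrequency": "P30D"}}'):
        print(c, "->", check_kmsi(c) or "ok")
```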

@delize delize added the enhancement Asking for new behavior or feature label Jan 13, 2025
@duytiennguyen-okta duytiennguyen-okta added the triaged Triaged into internal Jira label Jan 14, 2025
@duytiennguyen-okta
Contributor

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-852341
