
fix: remove required constraints from SamlApplicationSettingsSignOn schema#542

Merged
BinoyOza-okta merged 1 commit into
masterfrom
OKTA-1172501
May 12, 2026

Conversation

@BinoyOza-okta
Contributor

Remove required constraints from SamlApplicationSettingsSignOn schema

Problem

The SamlApplicationSettingsSignOn schema in the Okta Admin Management API spec (/api/v1/apps) marks 16 fields as required. However, the GET /api/v1/apps endpoint returns SAML application objects where many of these fields are absent — specifically for partially configured SAML apps, which the API itself allows to be created.

SDKs that enforce strict schema validation fail to deserialize the entire paginated response when even one partially configured SAML app is present on the page. This is currently blocking customers on the Python SDK.

Customer reference: okta-sdk-python#536

Changes

Removed the following 10 fields from the required array in the SamlApplicationSettingsSignOn schema:

  • audience
  • authnContextClassRef
  • destination
  • digestAlgorithm
  • idpIssuer
  • recipient
  • signatureAlgorithm
  • ssoAcsUrl
  • subjectNameIdFormat
  • subjectNameIdTemplate

The following 5 boolean fields are retained as required since the API consistently returns them:

  • allowMultipleAcsEndpoints
  • assertionSigned
  • honorForceAuthn
  • requestCompressed
  • responseSigned

How to reproduce the original issue

  1. Create a SAML app via the Okta Admin console or API with minimal configuration (e.g., only provide ssoAcsUrl).
  2. Call GET /api/v1/apps?limit=200.
  3. Observe that the returned SAML app JSON is missing fields like audience, destination, recipient, idpIssuer, etc.
  4. Any strict-validating SDK fails to deserialize the response.

Testing

  • Verified that the schema change is valid YAML and does not break the existing spec structure.

Closes #536
Closes OKTA-1172501

…chema

Remove 10 fields from the `required` array in the SamlApplicationSettingsSignOn schema that are not guaranteed to be present in API responses for partially configured SAML applications.

Fields removed from required:
- audience
- authnContextClassRef
- destination
- digestAlgorithm
- idpIssuer
- recipient
- signatureAlgorithm
- ssoAcsUrl
- subjectNameIdFormat
- subjectNameIdTemplate

These fields are absent from the response payload when a SAML app is created with minimal configuration (e.g., only ssoAcsUrl provided). SDKs that enforce strict validation against the spec fail to deserialize the entire paginated List Applications response when any partially configured SAML app is included.
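As an added illustration of the failure described in the PR description and commit message above (example code written for this page, not code from the okta-management-openapi-spec repository or the Okta Python SDK): a toy strict validator is run over a constructed List Applications page holding one fully configured and one partially configured SAML app, first with the pre-PR `required` list and then with the post-PR list. The field names are those given in the PR; the signOn payload values are constructed placeholders, not real API output.

```python
# Field names come from the PR text: the five booleans it keeps as required
# and the ten fields it removes from `required`.
RETAINED = ["allowMultipleAcsEndpoints", "assertionSigned", "honorForceAuthn",
            "requestCompressed", "responseSigned"]
REMOVED = ["audience", "authnContextClassRef", "destination", "digestAlgorithm",
           "idpIssuer", "recipient", "signatureAlgorithm", "ssoAcsUrl",
           "subjectNameIdFormat", "subjectNameIdTemplate"]
REQUIRED_BEFORE = RETAINED + REMOVED   # `required` before this PR
REQUIRED_AFTER = RETAINED              # `required` after this PR

# Constructed signOn objects for illustration, not real API output.
# Minimal app: only ssoAcsUrl plus the booleans the API always returns.
MINIMAL_SIGN_ON = {
    "ssoAcsUrl": "https://sp.example.test/saml/acs",
    "allowMultipleAcsEndpoints": False, "assertionSigned": True,
    "honorForceAuthn": True, "requestCompressed": False, "responseSigned": True,
}
# Fully configured app: every field present, with placeholder values.
FULL_SIGN_ON = {**MINIMAL_SIGN_ON, **{k: f"<{k}>" for k in REMOVED if k not in MINIMAL_SIGN_ON}}
# One page of GET /api/v1/apps containing both apps.
PAGE = [
    {"label": "fully configured", "settings": {"signOn": FULL_SIGN_ON}},
    {"label": "partially configured", "settings": {"signOn": MINIMAL_SIGN_ON}},
]

def missing_required(sign_on: dict, required: list) -> list:
    """Required keys absent from one signOn object, in schema order."""
    return [k for k in required if k not in sign_on]

def deserialize_page(apps: list, required: list) -> list:
    """Model a strict SDK: the first non-conforming app fails the whole page."""
    for app in apps:
        missing = missing_required(app["settings"]["signOn"], required)
        if missing:
            raise ValueError(f"{app['label']}: missing signOn fields {missing}")
    return apps

def page_deserializes(apps: list, required: list) -> bool:
    """True if every app on the page satisfies the given `required` list."""
    try:
        deserialize_page(apps, required)
    except ValueError as exc:
        print("rejected ->", exc)
        return False
    return True

if __name__ == "__main__":
    print("before PR:", page_deserializes(PAGE, REQUIRED_BEFORE))  # False
    print("after PR: ", page_deserializes(PAGE, REQUIRED_AFTER))   # True
```

Note that the fully configured app on the same page is lost too under the old list: a strict deserializer rejects the whole paginated response, which is why a single minimal SAML app blocked list_applications.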
@BinoyOza-okta BinoyOza-okta merged commit 4c5e79d into master May 12, 2026
15 checks passed
@BinoyOza-okta BinoyOza-okta deleted the OKTA-1172501 branch May 12, 2026 09:30


Development

Successfully merging this pull request may close these issues.

list_applications fails to deserialize responses when any SAML app omits required signOn fields
