Note: Single sign-on is a paid feature, available as part of the Business upgrade package. Learn more about Terraform Cloud pricing here.

»Single Sign-on: Microsoft Azure AD

The Microsoft Azure AD SSO integration currently supports the following SAML features:

  • Service Provider (SP) initiated SSO
  • Identity Provider (IdP) initiated SSO
  • Just-in-Time Provisioning

For more information on the listed features, visit the Microsoft Azure AD SAML Protocol Documentation.

»Configuration (Microsoft Azure AD)

  1. Sign in to the Azure portal.
  2. On the left navigation pane, select the Azure Active Directory service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. To add a new application, select New application.
  5. In the Add from the gallery section, type Terraform Cloud in the search box.
  6. Select Terraform Cloud from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
  7. On the Terraform Cloud application integration page, find the Manage section and select single sign-on.
  8. On the Select a single sign-on method page, select SAML.
  9. In the SAML Signing Certificate section (you may need to refresh the page), copy the App Federation Metadata Url.

»Configuration (Terraform Cloud)

  1. Visit your organization settings page and click "SSO".

  2. Click "Setup SSO".

    (screenshot: sso-setup)

  3. Select "Azure" and click "Next".

    (screenshot: sso-wizard-choose-provider-azure)

  4. Provide your App Federation Metadata URL.

    (screenshot: sso-wizard-configure-settings-azure)

  5. Save, and you should see a completed Terraform Cloud SAML configuration.

  6. Copy Entity ID and Reply URL.

»Configuration (Microsoft Azure AD)

  1. In the Azure portal, on the Terraform Cloud application integration page, find the Manage section and select single sign-on.
  2. On the Select a single sign-on method page, select SAML.
  3. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.
    1. In the Identifier text box, paste the Entity ID.
    2. In the Reply URL text box, paste the Reply URL.
    3. In the Sign-on URL text box, type the URL: https://app.terraform.io/session
    4. Select Save.
  4. On the Single sign-on page, download the Certificate (Base64) file from under SAML Signing Certificate.
  5. In the app's overview page, find the Manage section and select Users and groups.
  6. Select Add user, then select Users and groups in the Add Assignment dialog.
  7. In the Users and groups dialog, select your user from the Users list, then click the Select button at the bottom of the screen.
  8. If you expect a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you will see the "Default Access" role selected.
  9. In the Add Assignment dialog, click the Assign button.

»Configuration (Terraform Cloud)

To edit your Azure SSO configuration settings:

  1. Go to Public Certificate.

  2. Paste the contents of the SAML Signing Certificate you downloaded from Microsoft Azure AD.

  3. Save Settings.

  4. Verify your settings and click "Enable".

  5. Your Azure SSO configuration is complete and ready to use.

    (screenshot: sso-settings)
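The steps above carry the IdP signing certificate by hand: it is downloaded as the Certificate (Base64) file in Azure and pasted into the Public Certificate field in Terraform Cloud. The same certificate is also published in the App Federation Metadata document you copied earlier, so the two can be cross-checked. The following is an added example (not Terraform Cloud's or Microsoft's code) that parses an IdP metadata document, lists its entityID and SSO endpoints, and confirms that the pasted certificate is one of the signing certificates the metadata advertises. The metadata, the tenant ID placeholder and the certificate body below are constructed stand-ins, not real tenant data.

```python
"""Inspect an Azure AD App Federation Metadata document and check that the
signing certificate it advertises matches the Certificate (Base64) file
pasted into Terraform Cloud's "Public Certificate" field.

Added example; not Terraform Cloud's or Microsoft's code. The metadata and
certificate bodies below are constructed placeholders, not real tenant data.
"""
import re
import urllib.request
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample in the shape Azure AD serves at the App Federation
# Metadata Url. TENANT-ID-PLACEHOLDER and the certificate body are placeholders.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}">
        <X509Data>
          <X509Certificate>MIIC0nstructedPlaceholderCertBodyAAAA</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed stand-in for the downloaded "Certificate (Base64)" file (PEM,
# wrapped onto several lines, as Azure delivers it).
SAMPLE_CERT_FILE = """-----BEGIN CERTIFICATE-----
MIIC0nstructedPlaceholderCertB
odyAAAA
-----END CERTIFICATE-----
"""


def normalize_cert(text):
    """Reduce a PEM or bare-Base64 certificate to its Base64 body with no
    headers, line breaks or whitespace, so both sources compare byte-for-byte."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return re.sub(r"\s+", "", body)


def parse_metadata(xml_text):
    """Return the entityID, the SSO endpoints by binding, and the advertised
    signing certificates from a SAML IdP metadata document."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = [
        normalize_cert(c.text or "")
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing"
        for c in kd.iter(f"{{{DS}}}X509Certificate")
    ]
    endpoints = {
        s.get("Binding"): s.get("Location")
        for s in idp.findall(f"{{{MD}}}SingleSignOnService")
    }
    return {"entity_id": root.get("entityID"), "sso": endpoints, "signing_certs": certs}


def cert_matches_metadata(cert_file_text, xml_text):
    """True when the pasted certificate is one of the signing certificates the
    IdP metadata currently advertises (Azure may list more than one during
    certificate rollover)."""
    return normalize_cert(cert_file_text) in parse_metadata(xml_text)["signing_certs"]


def fetch_metadata(url, timeout=10):
    """Download live metadata from the App Federation Metadata Url (needs network)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    info = parse_metadata(SAMPLE_METADATA)
    print("IdP entityID:", info["entity_id"])
    for binding, location in info["sso"].items():
        print("SSO endpoint:", binding.rsplit(":", 1)[-1], location)
    print("pasted cert matches metadata:",
          cert_matches_metadata(SAMPLE_CERT_FILE, SAMPLE_METADATA))
```

To check a real tenant, replace `SAMPLE_METADATA` with `fetch_metadata(url)` using the App Federation Metadata Url from step 9 and `SAMPLE_CERT_FILE` with the contents of the downloaded Certificate (Base64) file. A mismatch after Azure rotates its signing certificate is the usual reason logins start failing with a valid-looking configuration, so this comparison is worth repeating whenever the metadata changes.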

»Team and Username Attributes

To configure team management in your Microsoft Azure AD application:

  1. Navigate to the single sign-on page.
  2. Edit step 2, "User Attributes & Claims", and add a claim that carries the user's team membership. We recommend naming the claim "MemberOf", leaving the namespace blank, and potentially sourcing user.assignedroles as an easy starting point.

Note: When Azure AD is configured to use Group Claims, it provides Group UUIDs instead of human readable names in its SAML assertions. We recommend configuring SSO Team IDs for your Terraform Cloud teams to match these Azure Group UUIDs.

If you plan to make use of SAML to set usernames in your Microsoft Azure AD application:

  1. Navigate to the single sign-on page.
  2. Edit step 2, "User Attributes & Claims." We recommend naming the claim "Username", leaving the namespace blank, and sourcing something like user.displayname or user.mailnickname.

If you namespaced any of your claims, note that the attribute name passed by Microsoft Azure AD will take the form <claim_namespace/claim_name> rather than the bare claim name. Consider this when setting the Team and Username attribute names in Terraform Cloud.
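The two points above, that a namespaced claim arrives as namespace/claim_name and that group claims carry Azure group UUIDs rather than names, are easiest to see in the assertion itself. The following is an added example (not Terraform Cloud's or Microsoft's code) that reads the AttributeStatement of a SAML assertion, shows the attribute names exactly as the service provider receives them, and maps the MemberOf values onto Terraform Cloud teams by SSO Team ID. The assertion fragment, the claim namespace, the group UUIDs and the team table are all constructed for the example.

```python
"""Show which attribute names and values Terraform Cloud will actually see in
an Azure AD SAML assertion, and map "MemberOf" group values (Azure group
object IDs, i.e. UUIDs) onto Terraform Cloud teams by their SSO Team ID.

Added example; not Terraform Cloud's or Microsoft's code. The assertion,
claim namespace, UUIDs and team table are constructed. Parse only assertions
you have already verified (for instance one captured from your own test
login); signature verification is a separate step that comes first.
"""
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AttributeStatement as an Azure AD assertion would carry it once
# "User Attributes & Claims" has a "MemberOf" claim sourced from group claims
# and a "Username" claim sourced from user.mailnickname. The MemberOf claim
# was given a namespace, so its Name arrives as <namespace>/<claim_name>.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML}" ID="_constructed" Version="2.0">
  <AttributeStatement>
    <Attribute Name="http://claims.example.invalid/MemberOf">
      <AttributeValue>11111111-1111-4111-8111-111111111111</AttributeValue>
      <AttributeValue>22222222-2222-4222-8222-222222222222</AttributeValue>
      <AttributeValue>33333333-3333-4333-8333-333333333333</AttributeValue>
    </Attribute>
    <Attribute Name="Username">
      <AttributeValue>jdoe</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""

# Constructed Terraform Cloud team table: team name -> SSO Team ID. Following
# the note above, each SSO Team ID is the Azure group's object ID (UUID).
TFC_TEAMS = {
    "platform-admins": "11111111-1111-4111-8111-111111111111",
    "app-developers": "22222222-2222-4222-8222-222222222222",
}

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def attributes(assertion_xml):
    """Map every Attribute Name in the AttributeStatement to its list of
    values, exactly as the service provider receives them."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text.strip() for v in attr.findall(f"{{{SAML}}}AttributeValue") if v.text]
        out[attr.get("Name")] = values
    return out


def find_attribute(attrs, claim_name, namespace=None):
    """Look a claim up under the name Terraform Cloud must be configured with:
    the bare claim name, or namespace/claim_name when the claim was namespaced.
    Returns (name_to_configure, values_or_None)."""
    key = f"{namespace.rstrip('/')}/{claim_name}" if namespace else claim_name
    return key, attrs.get(key)


def resolve_teams(group_values, teams=TFC_TEAMS):
    """Translate MemberOf values into Terraform Cloud team names. Returns the
    matched team names and the group IDs no team's SSO Team ID claims, which is
    the usual symptom when teams were given display names instead of UUIDs."""
    by_sso_id = {sso_id.lower(): name for name, sso_id in teams.items()}
    matched, unmatched = [], []
    for value in group_values:
        name = by_sso_id.get(value.lower())
        if name:
            matched.append(name)
        else:
            unmatched.append(value)
    return matched, unmatched


def looks_like_group_uuid(value):
    """True for an Azure group object ID; a human-readable name here means the
    assertion is not carrying group claims in the form the note describes."""
    return bool(UUID_RE.match(value))


if __name__ == "__main__":
    attrs = attributes(SAMPLE_ASSERTION)
    for name, values in attrs.items():
        print(f"{name}: {values}")
    team_key, groups = find_attribute(attrs, "MemberOf", "http://claims.example.invalid")
    print("configure the Team attribute name in Terraform Cloud as:", team_key)
    matched, unmatched = resolve_teams(groups or [])
    print("teams:", matched, "unmapped groups:", unmatched)
    print("username:", find_attribute(attrs, "Username")[1])
```

Looking up "MemberOf" without the namespace returns nothing for this assertion, which is exactly the misconfiguration the paragraph above warns about. The unmapped group in the output is a group that exists in Azure but has no Terraform Cloud team whose SSO Team ID equals its UUID; listing those is a quick way to find teams still keyed on display names.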
