»Single Sign-on: Microsoft Azure AD

The Microsoft Azure AD SSO integration currently supports the following SAML features:

• Service Provider (SP) initiated SSO
• Identity Provider (IdP) initiated SSO
• Just-in-Time Provisioning

For more information on the listed features, visit the Microsoft Azure AD SAML Protocol Documentation.

»Configuration (Microsoft Azure AD)

1. Sign in to the Azure portal.
2. On the left navigation pane, select the Azure Active Directory service.
3. Navigate to Enterprise Applications and then select All Applications.
4. To add new application, select New application.
5. In the Add from the gallery section, type Terraform Cloud in the search box.
6. Select Terraform Cloud from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
7. On the Terraform Cloud application integration page, find the Manage section and select single sign-on.
8. On the Select a single sign-on method page, select SAML.
9. In the SAML Signing Certificate section (you may need to refresh the page) copy the App Federation Metadata Url.

»Configuration (Terraform Cloud)

1. Visit your organization settings page and click "SSO".

2. Click "Setup SSO".

   

3. Select "Azure" and click "Next".

   

4. Provide your App Federation Metadata URL.

   

5. Save, and you should see a completed Terraform Cloud SAML configuration.

6. Copy Entity ID and Reply URL.

»Configuration (Microsoft Azure AD)

1. In the Azure portal, on the Terraform Cloud application integration page, find the Manage section and select single sign-on.
2. On the Select a single sign-on method page, select SAML.
3. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.
   1. In the Identifier text box, paste the Entity ID.
   2. In the Reply URL text box, paste the Reply URL.
   3. For Service Provider initiated SSO, type https://app.terraform.io/session in the Sign-On URL text box. Otherwise, leave the box blank.
   4. Select Save.
4. On the Single sign-on page, download the Certificate (Base64) file from under SAML Signing Certificate.
5. In the app's overview page, find the Manage section and select Users and groups.
6. Select Add user, then select Users and groups in the Add Assignment dialog.
7. In the Users and groups dialog, select your user from the Users list, then click the Select button at the bottom of the screen.
8. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see "Default Access" role selected.
9. In the Add Assignment dialog, click the Assign button.

»Configuration (Terraform Cloud)

To edit your Azure SSO configuration settings:

1. Go to Public Certificate.

2. Paste the contents of the SAML Signing Certificate you downloaded from Microsoft Azure AD.

3. Save Settings.

4. Verify your settings and click "Enable".

5. Your Azure SSO configuration is complete and ready to use.

   

»Team and Username Attributes

To configure team management in your Microsoft Azure AD application:

1. Navigate to the single sign-on page.
2. Edit step 2, "User Attributes & Claims." We recommend naming it "MemberOf", leaving the namespace blank, and potentially sourcing user.groups as an easy starting point.

If you plan to make use of SAML to set usernames in your Microsoft Azure AD application:

1. Navigate to the single sign-on page.
2. Edit step 2, "User Attributes & Claims." We recommend naming the claim "Username", leaving the namespace blank, and sourcing something like user.displayname or user.mailnickname.

If you namespaced any of your claims, note that the attribute name passed by Microsoft Azure AD will follow the form <claim_namespace/claim_name>. Consider this when setting Team and Username attribute names.