Note: Single sign-on is a paid feature, available as part of the Business upgrade package. Learn more about Terraform Cloud pricing here.
»Single Sign-on: Okta
The Okta SSO integration currently supports the following SAML features:
- Service Provider (SP)-initiated SSO
- Identity Provider (IdP)-initiated SSO
- Just-in-Time Provisioning
For more information on the listed features, visit the Okta Glossary.
- From your Okta Admin Dashboard, click the "Add Applications" shortcut.
- Search for "Terraform Cloud" and select it.
- Click "Add" on the application's page.
- Choose a label for your application or keep the default, "Terraform Cloud".
- Click "Done".
- Visit the "Sign On" tab in the application.
- Copy the "Identity Provider Metadata" URL.
For information on configuring automated team mapping using Okta group membership, please see the Team Mapping Configuration (Okta) section below.
»Configuration (Terraform Cloud)
Be sure to copy the metadata URL (from the final step of configuring Okta) before proceeding with the following steps.
Visit your organization settings page and click "SSO".
Click "Setup SSO".
Select "Okta" and click "Next".
Provide your Okta metadata URL and click the "Save settings" button.
Verify your settings and click "Enable".
Your Okta SSO configuration is complete and ready to use.
»Team Mapping Configuration (Okta)
Terraform Cloud can automatically add users to teams based on their SAML assertion, so you can manage team membership in your directory service. To do this, you must specify the
MemberOf SAML attribute, and make sure the AttributeStatement in the SAML Response contains a list of AttributeValue items in the correct format (i.e., comma-separated list of team names). For additional details on this and other SSO concepts within the context of Terraform Cloud, please refer to this overview page.
If you haven't yet completed all steps outlined in the Configuration (Okta) section above, please do so before proceeding.
To enable this automated team mapping functionality, edit your Terraform Cloud Okta Application and complete the following steps:
Expand the "Attributes" section of the Application configuration (under the "Sign On" tab):
Set the "Group Attribute Statements" to the following:
- Name format:
- Filter value:
Once these configuration steps have been completed, all Okta groups to which a given user belongs will be passed in the SAML assertion upon login to Terraform Cloud, which means that user will get added automatically to any teams within Terraform Cloud for which there’s an exact name match. Importantly, please note that those users will also be removed from any teams that aren't included in their assertion. This overrides any manually set team memberships, so whenever a user logs in via SSO, their team membership is adjusted to match their SAML assertion.
Using the above SAML assertion as an example, the user in question would get added to the
test teams in Terraform Cloud if those teams exist in the target Organization, but those values will simply be ignored if no matching team name is found.