SAML requires the configuration of two parties:
- The Identity Provider (IdP).
- The Service Provider (SP), which is also sometimes referred to as Relying Party (RP).
Terraform Enterprise is configured as the Service Provider.
For instructions for specific IdPs, see Identity Provider Configuration.
» Terraform Enterprise (Service Provider)
Navigate to https://<TFE HOSTNAME>/admin/settings/saml and set the following:
- Single Sign On URL: specifies the HTTP(S) endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration.
- Single Log Out URL: specifies the HTTP(S) endpoint on your IdP for single logout requests. This value is provided by your IdP configuration. Single Logout is not yet supported.
- Identity Provider Certificate: specifies the PEM-encoded X.509 certificate as provided by the IdP configuration. Terraform Enterprise uses it to verify the signature on assertions, so it must be the IdP's signing certificate, not an arbitrary TLS certificate.
- Team Attribute Name: (default: MemberOf) specifies the name of the SAML attribute that determines team membership. The value of this attribute in the SAML assertion must be a string containing a comma-separated list of team names.
- Site Admin Role: (default: site-admins) specifies the role for site admin access, provided in the list of roles sent in the Team Attribute Name attribute. Site admins have full administrative access to the installation, so keep membership of this group in the IdP tightly controlled.
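The two settings above are easiest to understand by looking at the assertion the IdP actually sends. The following script is an added example, not Terraform Enterprise code: it pulls the team attribute out of a SAML Response, splits the comma-separated value into team names, and reports whether the configured site admin role is present. The sample response is constructed for the example (no real IdP capture), and merging several AttributeValue elements into one list is this example's own choice for inspecting IdP output. It does not verify the XML signature, which Terraform Enterprise does with the Identity Provider Certificate, so only feed it assertions you already trust (for example, a capture from your own IdP's test console), and use a hardened XML parser on untrusted input.

```python
import xml.etree.ElementTree as ET

SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response (not a real IdP capture). Signature, Subject and
# Conditions are omitted; only the AttributeStatement matters here.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="MemberOf">
        <saml:AttributeValue>devs, site-admins ,ops</saml:AttributeValue>
        <saml:AttributeValue>auditors</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Username">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def team_names(response_xml, team_attribute="MemberOf"):
    """Return the team names carried in the configured team attribute.

    Each AttributeValue is treated as a comma-separated list of team names;
    whitespace around names is dropped and duplicates are removed while
    keeping first-seen order. Merging multiple AttributeValue elements is an
    assumption made by this example, not documented TFE behaviour.
    """
    root = ET.fromstring(response_xml)
    teams = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != team_attribute:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            for name in (value.text or "").split(","):
                name = name.strip()
                if name and name not in teams:
                    teams.append(name)
    return teams


def is_site_admin(response_xml, team_attribute="MemberOf", site_admin_role="site-admins"):
    """True when the configured site admin role appears among the team names."""
    return site_admin_role in team_names(response_xml, team_attribute)


if __name__ == "__main__":
    teams = team_names(SAMPLE_RESPONSE)
    print("teams:", teams)
    print("site admin:", is_site_admin(SAMPLE_RESPONSE))
```

Run it against an assertion captured from your IdP after changing the Team Attribute Name or Site Admin Role setting; if `team_names` returns an empty list, the attribute name in the IdP mapping does not match what is configured in Terraform Enterprise.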
» Identity Provider
Configure the following values in the SAML Identity Provider (IdP):
- ACS (Consumer) URL:
The SAML Metadata document is available at: