SAML requires the configuration of two parties:
- The Identity Provider (IdP).
- The Service Provider (SP), which is also sometimes referred to as Relying Party (RP).
Terraform Enterprise is configured as the Service Provider.
» Terraform Enterprise (Service Provider)
Go to https://<YOUR_TERRAFORM_ENTERPRISE_DOMAIN>/admin/settings/saml and set the following:
- Single Sign On URL: specifies the HTTP(S) endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration.
- Single Log Out URL: specifies the HTTP(S) endpoint on your IdP for single logout requests. This value is provided by your IdP configuration. Single Logout is not yet supported.
- Identity Provider Certificate: Specifies the PEM encoded X.509 Certificate as provided by the IdP configuration.
- User email address: (default: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) Specifies the attribute to be used to identify the email address of the user. The username is generated from the email address by taking its local-part (the portion before the @). The username must consist of alphanumeric and `_` characters; all invalid characters will be converted to `_`.
- Team Attribute Name: (default: MemberOf) Specifies the name of the SAML attribute that determines team membership. The value of this attribute in the SAML assertion must be a string containing a comma-separated list of team names.
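The following Python snippet is an added illustration of the three settings above, not code from Terraform Enterprise: it derives a username from the email attribute using the local-part rule (the replacement character `_` for invalid characters is an assumption), splits the team attribute's comma-separated value into team names, and performs a cheap format check on a PEM-encoded X.509 certificate. The sample assertion and certificate body are constructed for the example, and attribute extraction is assumed to run only after the assertion's signature has been verified.

```python
import base64
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used for element lookups.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Defaults as listed in the settings above.
EMAIL_ATTR_DEFAULT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TEAM_ATTR_DEFAULT = "MemberOf"


def username_from_email(email: str) -> str:
    """Take the local-part (before the @), keep alphanumerics and '_',
    and replace every other character with '_' (replacement char assumed)."""
    local_part = email.split("@", 1)[0]
    return re.sub(r"[^A-Za-z0-9_]", "_", local_part)


def extract_attributes(assertion_xml: str,
                       email_attr: str = EMAIL_ATTR_DEFAULT,
                       team_attr: str = TEAM_ATTR_DEFAULT) -> dict:
    """Read email and team membership from an (already signature-verified)
    assertion and return the derived username plus the list of team names."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values[attr.get("Name")] = [
            (v.text or "") for v in attr.findall("saml:AttributeValue", NS)
        ]
    if not values.get(email_attr):
        raise ValueError(f"assertion lacks the email attribute {email_attr!r}")
    email = values[email_attr][0].strip()
    teams = []
    for raw in values.get(team_attr, []):
        # Team attribute value is a comma-separated list of team names.
        teams.extend(t.strip() for t in raw.split(",") if t.strip())
    return {"email": email, "username": username_from_email(email), "teams": teams}


def is_pem_x509_certificate(pem: str) -> bool:
    """Format check for the Identity Provider Certificate field: PEM armour
    present and the body base64-decodes to DER starting with a SEQUENCE (0x30)."""
    m = re.fullmatch(
        r"\s*-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----\s*",
        pem, re.S)
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30


# Constructed sample assertion (no signature; for illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="MemberOf">
      <saml:AttributeValue>devs, security-team ,owners</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed PEM body: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(extract_attributes(SAMPLE_ASSERTION))
    print(is_pem_x509_certificate(SAMPLE_PEM))
```

The email attribute is looked up by its `Name`, so a deployment that changed the "User email address" setting passes that attribute name as `email_attr`; the same applies to `team_attr` for a non-default team attribute name.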
» Identity Provider
Configure the following values in the SAML Identity Provider (IdP):
- ACS (Consumer) URL:
The SAML Metadata document is available at: