» Login with SAML

Once SAML is configured users can visit https://<TFE HOSTNAME>/session to login: Screenshot: SSO Login

They can follow the link to complete the SAML login process with the identity provider. If the user is logging in for the first time, an account will be created for them in Terraform Enterprise. Their username will be autogenerated from their email address using the text before the @. The username will only contain alphanumeric characters, -, or _. All invalid characters will be converted to _.

» API Token Expiration

When SAML is initially enabled, or when a user's SAML-authenticated web session expires, existing user API tokens are also temporarily disabled until they reauthenticate at https://<TFE HOSTNAME>/session. This is because Terraform Enterprise relies on your identity provider for team membership mapping, and a user might have been added to or removed from some teams since their session expired. This restriction only affects user tokens, not team or organization tokens.

The API token session timeout is a site-wide setting that is configurable in the admin settings at https://<TFE HOSTNAME>/app/admin/saml.