» Login with SAML

Once SAML is configured, users can visit https://<YOUR_TERRAFORM_ENTERPRISE_DOMAIN>/session to log in.

They can follow the link to complete the SAML login process with the identity provider. If the user is logging in for the first time, an account will be created for them in Terraform Enterprise. Their username will be autogenerated from their email address using the text before the @. The username will only contain alphanumeric characters, -, or _. All invalid characters will be converted to _.
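Because the username comes only from the text before the @, different addresses can map to the same username. The following is an added example, not HashiCorp's code, that applies the rule above to a list of addresses and reports the ones that would derive the same username, so they can be reviewed before users first log in. It assumes "alphanumeric" means ASCII letters and digits and that case is left unchanged; the function names and sample addresses are constructed, and the page does not say how Terraform Enterprise itself handles such a clash.

```python
import re
from collections import defaultdict

# Assumption: "alphanumeric" means ASCII letters and digits; case is kept as-is.
_INVALID = re.compile(r"[^A-Za-z0-9_-]")


def derive_username(email: str) -> str:
    """Apply the documented rule: take the text before the @ and replace
    every character other than alphanumerics, '-' and '_' with '_'."""
    local, sep, _domain = email.strip().rpartition("@")
    if not sep or not local:
        raise ValueError(f"not an email address: {email!r}")
    return _INVALID.sub("_", local)


def find_collisions(emails):
    """Group addresses by derived username and return only the groups in
    which two or more distinct addresses derive the same username."""
    groups = defaultdict(set)
    for email in emails:
        groups[derive_username(email)].add(email.strip())
    return {name: sorted(addrs) for name, addrs in groups.items() if len(addrs) > 1}


# Constructed sample input, standing in for an identity provider user export.
SAMPLE_EMAILS = [
    "jane.doe@example.com",
    "jane_doe@example.com",
    "jane+ops@example.com",
    "sam-lee@example.com",
    "sam-lee@contractor.example.net",
    "r.patel@example.com",
]

if __name__ == "__main__":
    for username, addresses in sorted(find_collisions(SAMPLE_EMAILS).items()):
        print(f"{username}: {', '.join(addresses)}")
```

Two kinds of clash show up in the sample: different local parts that normalize to the same string, and identical local parts at different domains.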

» API token expiration

When a user's SAML-authenticated web session expires, their API tokens are also temporarily disabled until they reauthenticate at https://<YOUR_TERRAFORM_ENTERPRISE_DOMAIN>/session. This is because Terraform Enterprise relies on your identity provider for team membership mapping, and a user might have been added to or removed from some teams since their session expired. This restriction only affects user tokens, not team or organization tokens.

The API token session timeout is a site-wide setting that is configurable in the admin settings.