Search Terraform documentation » The following SAML attributes correspond to properties of a Terraform Enterprise user account. When a new or existing user logs in, their account info will be updated with data from these attributes.
» If Username is specified, TFE will assign that username to the user instead of using an automatic name based on their email address . When the username is already taken or is invalid, login will still complete, and the existing or default value will be used instead.
< saml: AttributeStatement> < saml: AttributeName = " Username" NameFormat = " urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > < saml: AttributeValuexsi: type= " xs:string" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement> < saml: AttributeStatement> < saml: AttributeName = " Username" NameFormat = " urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > < saml: AttributeValuexsi: type= " xs:string" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement> » If the SiteAdmin attribute is present, the system will grant or revoke site admin access for the user. Site admin access can be also be granted or revoked in the MemberOf attribute ; however the SiteAdmin attribute is the recommended method of managing access and will override the other value.
< saml: AttributeStatement> < saml: AttributeName = " SiteAdmin" > < saml: AttributeValuexsi: type= " xs:boolean" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement> < saml: AttributeStatement> < saml: AttributeName = " SiteAdmin" > < saml: AttributeValuexsi: type= " xs:boolean" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement> » Team membership is specified in the MemberOf attribute. (If desired, you can configure a different name for the team membership attribute.)
Teams can be specified in separate AttributeValue items:
< saml: AttributeStatement> < saml: AttributeName = " MemberOf" NameFormat = " urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > < saml: AttributeValuexmlns: xsi= " http://www.w3.org/2001/XMLSchema-instance" xsi: type= " xs:string" > </ saml: AttributeValue> < saml: AttributeValuexmlns: xsi= " http://www.w3.org/2001/XMLSchema-instance" xsi: type= " xs:string" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement> < saml: AttributeStatement> < saml: AttributeName = " MemberOf" NameFormat = " urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > < saml: AttributeValuexmlns: xsi= " http://www.w3.org/2001/XMLSchema-instance" xsi: type= " xs:string" > </ saml: AttributeValue> < saml: AttributeValuexmlns: xsi= " http://www.w3.org/2001/XMLSchema-instance" xsi: type= " xs:string" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement> or in one AttributeValue as a comma-separated list:
< saml: AttributeStatement> < saml: AttributeName = " MemberOf" NameFormat = " urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > < saml: AttributeValuexmlns: xsi= " http://www.w3.org/2001/XMLSchema-instance" xsi: type= " xs:string" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement> < saml: AttributeStatement> < saml: AttributeName = " MemberOf" NameFormat = " urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > < saml: AttributeValuexmlns: xsi= " http://www.w3.org/2001/XMLSchema-instance" xsi: type= " xs:string" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement> There is a special-case role site-admins that will add a user as a site admin to your Terraform Enterprise instance.
< saml: AttributeStatement> < saml: AttributeName = " MemberOf" NameFormat = " urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > < saml: AttributeValuexmlns: xsi= " http://www.w3.org/2001/XMLSchema-instance" xsi: type= " xs:string" > </ saml: AttributeValue> < saml: AttributeValuexmlns: xsi= " http://www.w3.org/2001/XMLSchema-instance" xsi: type= " xs:string" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement> < saml: AttributeStatement> < saml: AttributeName = " MemberOf" NameFormat = " urn:oasis:names:tc:SAML:2.0:attrname-format:basic" > < saml: AttributeValuexmlns: xsi= " http://www.w3.org/2001/XMLSchema-instance" xsi: type= " xs:string" > </ saml: AttributeValue> < saml: AttributeValuexmlns: xsi= " http://www.w3.org/2001/XMLSchema-instance" xsi: type= " xs:string" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement> » If the IsServiceAccount (case-sensitive) attribute is present and true (case-insensitive), the system will mark the user as a service account.
This will ensure API tokens created for this user will not expire as normal user account tokens expire when reaching the API token session timeout.
< saml: AttributeStatement> < saml: AttributeName = " IsServiceAccount" > < saml: AttributeValuexsi: type= " xs:boolean" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement> < saml: AttributeStatement> < saml: AttributeName = " IsServiceAccount" > < saml: AttributeValuexsi: type= " xs:boolean" > </ saml: AttributeValue> </ saml: Attribute> </ saml: AttributeStatement>