»AAD Configuration

Follow these steps to configure Azure Active Directory (AAD) as the identity provider (IdP) for Terraform Enterprise.

Note: This guide assumes you have an appropriate licensing agreement for Azure Active Directory that supports non-gallery application single sign-on.

»Configure a New AAD Non-Gallery Application

  1. In the Azure portal, navigate to "Azure Active Directory" > "Enterprise Applications" and select "Add an Application".
     Screenshot: AAD's "Add Application" page
  2. Select "Non-gallery application". Provide a name for the application and click "Add".
     Screenshot: AAD's dialog for beginning a new application
  3. AAD will automatically redirect to your new application's settings. Navigate to "Single sign-on" and select "SAML".
     Screenshot: the first page of AAD's new app configuration workflow, called "General Settings"
  4. Select the pencil within "Basic SAML Configuration" and configure these settings:
    • Identifier (Entity ID): https://<TFE HOSTNAME>/users/saml/metadata (listed as "Metadata (audience) URL" in TFE's SAML settings).
    • Reply URL (Assertion Consumer Service URL): https://<TFE HOSTNAME>/users/saml/auth (listed as "ACS consumer (recipient) URL" in TFE's SAML settings).
    • Sign on URL: https://<TFE HOSTNAME>/
     Screenshot: The "Configure SAML" page of AAD's new app workflow, with the specified settings entered.
  5. In the "User Attributes & Claims" section, select the pencil and configure the following item:
    • Name Identifier value: user.mail
     Screenshot: Modifying the name identifier value.
  6. Still on the "User Attributes & Claims" page, under "Manage user claims", add a user claim that maps the teams a user belongs to:
    • Name: MemberOf. This is the default name for TFE's group attribute; the attribute name can be changed in TFE's SAML settings if necessary.
    • Source attribute (drop-down): user.assignedroles. Custom roles will be created in Azure Active Directory and used to map users and groups to TFE teams.
     Screenshot: Add MemberOf claim
  7. Under the "SAML Signing Certificate" header, download the signing certificate in Base64 format.
     Screenshot: Download the SAML signing certificate
  8. Under the "Set up <AAD App Name>" header, copy the following URLs; you will enter them in the TFE configuration to link TFE to AAD:
    • Login URL:
    • Logout URL:
     Screenshot: Azure Login/Logout URLs
  9. Navigate to https://<TFE_HOSTNAME>/app/admin/saml and configure the following:
    • Enable SAML single sign-on (check box): enabled.
    • Single Sign-On URL: Enter the Login URL from step 8.
    • Single Log-out URL: Enter the Logout URL from step 8.
    • IDP Certificate: Enter the contents of the PEM (Base64) encoded X.509 certificate downloaded in step 7. AAD signing certificates have an expiry date; when you rotate the certificate in AAD, paste the new certificate here before the old one expires, otherwise SAML logins will stop working.
     Screenshot: Terraform Enterprise SAML Settings
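When a login fails after the steps above, the quickest check is to look at what AAD actually put in the SAML response and compare it with the TFE endpoints entered in step 4. The following script is an added example, not part of the Terraform Enterprise documentation or of TFE itself. It parses a constructed SAML response (shaped like the one AAD issues for this configuration; the hostname, e-mail address and role names are invented) and returns the NameID that came from user.mail, the MemberOf claim values that map to TFE teams, and whether the Audience and Destination match the Entity ID and ACS URL for the given TFE hostname. It performs no signature verification, so use it only on responses you captured yourself from a trusted browser session while debugging attribute mapping, never as an authentication component.

```python
"""Inspect the SAML attributes TFE consumes from an AAD response.

Added example for the AAD/TFE SAML setup; not code from the Terraform
Enterprise docs. Parses an unsigned, constructed response and reports the
NameID and MemberOf values plus an audience/destination check against the
TFE endpoints configured in AAD's Basic SAML Configuration.
"""
import xml.etree.ElementTree as ET

SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response. Hostname, user and roles are illustrative and
# were not captured from a real tenant.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://tfe.example.com/users/saml/auth">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://tfe.example.com/users/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="MemberOf">
        <saml:AttributeValue>Dev</saml:AttributeValue>
        <saml:AttributeValue>site-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text, tfe_hostname, group_attribute="MemberOf"):
    """Return the NameID, the team claim values and two endpoint checks.

    group_attribute is the claim name configured in step 6 (TFE's default
    is MemberOf). No signature or validity-period checks are performed.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", SAML_NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=SAML_NS
    )

    # AAD emits one AttributeValue per assigned app role under the claim name.
    teams = []
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == group_attribute:
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                if value.text:
                    teams.append(value.text.strip())

    # These must equal the Identifier (Entity ID) and Reply URL from step 4.
    expected_audience = f"https://{tfe_hostname}/users/saml/metadata"
    expected_acs = f"https://{tfe_hostname}/users/saml/auth"
    return {
        "name_id": name_id,
        "teams": teams,
        "audience_ok": audience == expected_audience,
        "destination_ok": root.get("Destination") == expected_acs,
    }


if __name__ == "__main__":
    print(parse_assertion(SAMPLE_RESPONSE, "tfe.example.com"))
```

A mismatch in audience_ok or destination_ok points at a typo in the Entity ID or Reply URL; an empty teams list with a valid NameID usually means the MemberOf claim was not added, was given a different name than TFE expects, or the user has no app role assigned. For parsing responses from untrusted sources, replace xml.etree with a hardened parser such as defusedxml.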

»Configure Custom Roles for Team Membership Mapping

  1. Create teams in TFE as outlined in TFE Team Membership.

  2. Return to the Azure Portal, navigate to the "App registrations" page, and search for the application you created for TFE in the "Enterprise applications" page. Select your app and in the left sidebar select "Manifest". Screenshot: AAD App Registration

  3. In the manifest editor, locate the "appRoles" block. This is where you will add additional roles that map users and groups to teams in TFE. Screenshot: Manifest Editor

  4. The "appRoles" block may already contain roles generated by AAD. Leave those automatically generated roles and their GUIDs at their default values. Add new roles after the system roles; each new role must have its own unique GUID as its "id". You can use a tool such as GUID Generator to create the GUIDs for these new roles. Click "Save" to add the roles.

    Note: You can add as many roles as your organization needs, such as a site-admins role. Azure AD sends the "value" of each role assigned to the user as a MemberOf claim value in the SAML response, and that value is what TFE uses to place the user in a team, so it must correspond to the team created in step 1.

    Example role configuration that creates a new role named "Dev":

    {
    "allowedMemberTypes": [
        "User"
    ],
    "displayName": "Dev",
    "id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
    "isEnabled": true,
    "description": "Dev Team",
    "value": "Dev"
    }
    

    Screenshot: New role in Manifest Editor

  5. Go back to "Enterprise applications" and select the app you created for TFE. In the left sidebar, under the "Manage" heading, select "Users and Groups". This is where you enable access to TFE by adding users or groups to the application. While adding a user or group you will select a role to assign to it; select the role that matches that user's or group's TFE team.
     Screenshot: Role Assignment
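Editing the manifest by hand is where duplicated GUIDs and role values that do not match any TFE team creep in, and AAD will either refuse to save the manifest or silently map users to a team that does not exist. The script below is an added example, not part of the Terraform Enterprise documentation or of any Azure tooling. It builds one appRoles entry per TFE team in the same shape as the "Dev" role above, appends them after whatever system roles already exist without touching their GUIDs, and validates the result: every "id" is a well-formed, unique GUID, every "value" is unique, enabled, and corresponds to a TFE team name. The existing system role, the team list and all GUIDs are constructed placeholders.

```python
"""Generate and sanity-check appRoles entries that map AAD users and groups
to TFE teams.

Added example for the manifest step of the AAD/TFE SAML setup; not code
from the Terraform Enterprise docs or from Azure. Assumes each TFE team
name is used verbatim as the role "value" carried in the MemberOf claim.
"""
import json
import uuid

# Constructed stand-in for a role AAD generated when the app was created.
# Real tenant-generated roles have their own GUIDs and must be left as-is.
EXISTING_ROLES = [
    {
        "allowedMemberTypes": ["User"],
        "displayName": "msiam_access",
        "id": "00000000-0000-4000-8000-000000000001",  # placeholder GUID
        "isEnabled": True,
        "description": "Default role generated by AAD (placeholder)",
        "value": None,
    }
]


def make_role(team_name, description=None, role_id=None):
    """Build one appRoles entry in the shape shown in the manifest above."""
    return {
        "allowedMemberTypes": ["User"],
        "displayName": team_name,
        "id": role_id or str(uuid.uuid4()),  # fresh unique GUID per role
        "isEnabled": True,
        "description": description or f"{team_name} Team",
        "value": team_name,
    }


def build_app_roles(existing_roles, tfe_teams):
    """Append one role per TFE team after the system roles, never touching
    the roles (or GUIDs) AAD generated. Teams already present are skipped."""
    present = {role.get("value") for role in existing_roles}
    new_roles = [make_role(team) for team in tfe_teams if team not in present]
    return existing_roles + new_roles


def validate_roles(roles, tfe_teams):
    """Return a list of problems; an empty list means the block is safe to save."""
    problems = []
    seen_ids, seen_values = set(), set()
    for role in roles:
        name = role.get("displayName")
        try:
            rid = str(uuid.UUID(role["id"]))  # normalises case/formatting
        except (ValueError, KeyError, TypeError):
            problems.append(f"{name}: id is not a valid GUID")
            continue
        if rid in seen_ids:
            problems.append(f"{name}: duplicate id {rid}")
        seen_ids.add(rid)

        value = role.get("value")
        if value is None:
            continue  # system roles generated by AAD may carry a null value
        if value in seen_values:
            problems.append(f"{name}: duplicate value {value!r}")
        seen_values.add(value)
        if value not in tfe_teams:
            problems.append(f"{name}: value {value!r} matches no TFE team")
        if not role.get("isEnabled", False):
            problems.append(f"{name}: role is disabled and cannot be assigned")
    return problems


if __name__ == "__main__":
    teams = ["Dev", "site-admins"]  # constructed: the TFE teams from step 1
    roles = build_app_roles(EXISTING_ROLES, teams)
    print(json.dumps({"appRoles": roles}, indent=4))
    print("problems:", validate_roles(roles, teams))
```

Paste the printed appRoles array over the block in the manifest editor; if validate_roles reports anything, fix it before clicking "Save". Remember that a role's "value" is what TFE will see, so renaming a team in TFE without updating the manifest silently breaks the mapping.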

Once users have been added, the initial configuration is complete, and they can begin logging in to TFE with their AAD credentials.
