HashiCorp Cloud Platform
Single sign-on (SSO) overview
This topic provides an overview for single sign-on (SSO) with your preferred identity provider when users in your organization sign in to the HashiCorp Cloud Platform (HCP). To use HCP's SSO features, sign in to the HCP Portal.
Introduction
HashiCorp Cloud Platform (HCP) allows organizations to configure both SAML 2.0 SSO and OpenID Connect (OIDC) SSO as an alternative to traditional user management with GitHub and email-based options. These security measures can help mitigate account takeover (ATO) attacks, provide a single source of truth for federating identities from your identity provider (IdP), and help you better manage user access to your organization.
SAML and OIDC
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between parties.
OpenID Connect (OIDC) is an authentication protocol based on the OAuth 2.0 framework that enables sign-in flows through a RESTful API and JSON payloads.
HCP supports both SAML and OIDC for SSO.
Supported identity providers
HCP supports SSO integrations with the following identity providers.
SAML attributes
When you set up your identity provider, these are the SAML attributes you use:
| Instructions | SAML attribute | Map to your identity provider |
|---|---|---|
| Required | NameID | User's email |
| Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | User's first name |
| Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | User's last name |
| Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn | Internal identity for the user that never changes. Do not use the user's email address for this ID. |
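The most common mistake when wiring up the table above is mapping the stable identity claim (`name` or `upn`) to the user's email address, which silently breaks identity continuity the moment an address changes. The following is an added example, not HashiCorp's code and not part of HCP: it builds a constructed, unsigned SAML assertion, extracts the NameID and attribute statement with Python's standard library, and checks the values against the mapping rules in the table. It does not verify signatures or conditions, so it is a pre-flight check on your IdP's attribute configuration rather than a SAML consumer; the `example.test` issuer and user values are constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# SAML 2.0 assertion namespace used in the XPath lookups below
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names taken from the HCP SAML attribute table
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Deliberately loose: enough to tell "looks like an email" from an opaque ID
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_assertion(name_id, attributes):
    """Build a minimal, unsigned SAML assertion for a constructed test case.

    Only Subject/NameID and the AttributeStatement are emitted, because those
    are the parts the HCP attribute mapping depends on. Issuer and ID values
    are constructed placeholders.
    """
    lines = [
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">',
        "  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>",
        "  <saml:Subject>",
        '    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        + escape(name_id) + "</saml:NameID>",
        "  </saml:Subject>",
        "  <saml:AttributeStatement>",
    ]
    for name, value in attributes.items():
        lines.append(f'    <saml:Attribute Name="{escape(name)}">')
        lines.append(f"      <saml:AttributeValue>{escape(value)}</saml:AttributeValue>")
        lines.append("    </saml:Attribute>")
    lines += ["  </saml:AttributeStatement>", "</saml:Assertion>"]
    return "\n".join(lines)


def parse_assertion(xml_text):
    """Extract the NameID and an attribute map (claim name -> list of values)."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "attributes": attributes,
    }


def check_hcp_mapping(parsed):
    """Return a list of mapping problems; an empty list means the mapping matches the table."""
    problems = []
    email = parsed["name_id"]
    attrs = parsed["attributes"]

    # Required: NameID carries the user's email address
    if not EMAIL_RE.match(email):
        problems.append("NameID must carry the user's email address")

    # Optional: first and last name, but if sent they must be a single non-empty value
    for label, claim in (("givenname", GIVENNAME), ("surname", SURNAME)):
        values = attrs.get(claim)
        if values is not None and (len(values) != 1 or not values[0]):
            problems.append(f"{label} claim must be exactly one non-empty value")

    # Optional stable identity: name takes precedence over upn; it must never be the email
    stable = attrs[NAME] if NAME in attrs else attrs.get(UPN)
    if stable is not None:
        if len(stable) != 1 or not stable[0]:
            problems.append("stable identity claim must be exactly one non-empty value")
        elif EMAIL_RE.match(stable[0]) or stable[0].lower() == email.lower():
            problems.append("stable identity claim must not be the user's email address")
    return problems


def good_example():
    # Opaque, never-changing IdP identifier in upn; constructed values throughout
    xml = build_assertion("alice@example.test",
                          {GIVENNAME: "Alice", SURNAME: "Liddell", UPN: "idp-user-0a1b2c3d"})
    return check_hcp_mapping(parse_assertion(xml))


def bad_example():
    # The misconfiguration the table warns about: immutable ID mapped to the email
    xml = build_assertion("alice@example.test", {UPN: "alice@example.test"})
    return check_hcp_mapping(parse_assertion(xml))


if __name__ == "__main__":
    print("good mapping problems:", good_example())
    print("bad mapping problems:", bad_example())
```

Run this against an assertion captured from your own IdP test tenant (after decoding the SAMLResponse) to confirm the attribute names and value shapes before enabling SSO for the organization; a non-empty result from `check_hcp_mapping` is the list of things to fix in the IdP's attribute mapping.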
Workflow
The process to enable SSO for an HCP organization consists of the following steps.
- If necessary, verify your domain with HCP.
- Initiate SSO creation on HCP.
- Continue configuration with your preferred identity provider.
- Add information from your identity provider to HCP.
- Assign a default role to users.
After you enable SSO, you can manage, update, and delete your SSO from HCP. For more information, refer to manage SSO for your organization.
SSO integration with HCP Terraform
If you signed up for HCP Terraform with an existing HCP account, you may encounter an error when you attempt to use SSO to sign in to HCP Terraform.
HCP Terraform’s SSO requires a login with both an email and password in order to map to an SSO identity. As a result, users who sign up for HCP Terraform using an existing HCP account cannot set up a proper identity for SSO.
Guidance
The following HashiCorp resources are available to help you use HCP’s single sign-on features.