Terraform Enterprise (v202301-1) » SAML SSO
»Attributes

The following SAML attributes correspond to properties of a Terraform Enterprise user account. When a new or existing user logs in, their account info is updated with the data from these attributes. Because SiteAdmin, MemberOf and IsServiceAccount grant privileges, the contents of the assertion are trusted as-is: treat the identity provider's attribute and group mapping as privileged configuration and review changes to it accordingly.

Username

If the Username attribute is present, TFE assigns that value as the user's username instead of generating one from their email address. If the requested username is already taken or is invalid, login still completes and the existing username (or the generated default) is kept.

<saml:AttributeStatement>
  <saml:Attribute Name="Username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">new-username</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

SiteAdmin

If the SiteAdmin attribute is present, the system grants or revokes site admin access for the user according to its value; a value of false revokes access, so sending the attribute only for admins and omitting it for everyone else leaves the others unchanged rather than revoked. Site admin access can also be granted or revoked through the MemberOf attribute (the site-admins role below); however, SiteAdmin is the recommended method of managing access and overrides the MemberOf value when both are present.

<saml:AttributeStatement>
  <saml:Attribute Name="SiteAdmin">
    <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

MemberOf

Team membership is specified in the MemberOf attribute. (If desired, you can configure a different name for the team membership attribute.)

Teams can be specified in separate AttributeValue items:

<saml:AttributeStatement>
  <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

or in one AttributeValue as a comma-separated list:

<saml:AttributeStatement>
  <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">list,of,roles</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

The team name site-admins is a special case: listing it in MemberOf adds the user as a site admin of your Terraform Enterprise instance, unless a SiteAdmin attribute is also present, in which case SiteAdmin takes precedence.

<saml:AttributeStatement>
  <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">site-admins</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

IsServiceAccount

If the IsServiceAccount attribute (name case-sensitive) is present with the value true (case-insensitive), the system marks the user as a service account. API tokens created for a service account do not expire when the API token session timeout is reached, as tokens for normal user accounts do.

<saml:AttributeStatement>
  <saml:Attribute Name="IsServiceAccount">
    <saml:AttributeValue xsi:type="xs:boolean">true</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
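The attribute rules above (Username fallback, MemberOf in either form, the site-admins role, the SiteAdmin override and the case-insensitive IsServiceAccount value) are easiest to review as a single evaluator. The following is an added audit helper, not HashiCorp's code: it parses a constructed AttributeStatement and computes the account state a login with that assertion would produce, so an IdP group mapping can be checked before anyone signs in. The username validity pattern, the assumption that only the first Username value counts, and the assumption that teams not asserted are dropped are all stand-ins, not documented TFE behaviour.

```python
"""Preview the TFE account changes a SAML AttributeStatement implies.

Added audit helper, not HashiCorp's code: applies the attribute rules on this page
to a current account state so an IdP attribute mapping can be reviewed up front.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET  # for XML that really comes from an IdP, use defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SITE_ADMIN_ROLE = "site-admins"
# Assumption: the page says an invalid username is ignored but not what "invalid" means;
# this pattern is a stand-in for TFE's real rule.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")

# Constructed account state, as it would look before the login being previewed.
DEFAULT_ACCOUNT = {
    "username": "jane-doe-7f3a",  # the automatic name derived from the email address
    "teams": ["old-team"],
    "site_admin": True,
    "service_account": False,
}

# Constructed assertion fragment. Unlike the snippets above it declares its namespaces,
# so a real XML parser accepts it.
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="Username">
    <saml:AttributeValue xsi:type="xs:string">jane-doe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="MemberOf">
    <saml:AttributeValue xsi:type="xs:string">site-admins</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">devs, reviewers</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="SiteAdmin">
    <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="IsServiceAccount">
    <saml:AttributeValue xsi:type="xs:boolean">TRUE</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attribute_statement(xml_text: str) -> dict[str, list[str]]:
    """Return {Attribute Name: [values]} from a saml:AttributeStatement document."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")  # names are case-sensitive (IsServiceAccount != isserviceaccount)
        if name:
            values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
            attrs.setdefault(name, []).extend(values)
    return attrs


def expand_teams(values: list[str]) -> list[str]:
    """Accept one team per AttributeValue or a single comma-separated AttributeValue."""
    teams: list[str] = []
    for value in values:
        for team in value.split(","):
            team = team.strip()
            if team and team not in teams:
                teams.append(team)
    return teams


def is_true(value: str) -> bool:
    """Boolean attribute values are compared case-insensitively, as the page states."""
    return value.strip().lower() == "true"


def apply_assertion(attrs: dict[str, list[str]], current: dict, taken_usernames: set[str],
                    team_attr: str = "MemberOf") -> dict:
    """Apply the page's rules. An absent attribute leaves the matching field unchanged."""
    state = dict(current)
    state["teams"] = list(current["teams"])

    # Username: honoured only if valid and free; login succeeds either way.
    if attrs.get("Username"):
        candidate = attrs["Username"][0]  # assumption: only the first value is considered
        if USERNAME_RE.match(candidate) and candidate not in taken_usernames:
            state["username"] = candidate

    # Teams: membership becomes what the IdP asserts (assumption: old teams are dropped).
    # site-admins is a special-case role, so it is not kept as a team name.
    if team_attr in attrs:
        asserted = expand_teams(attrs[team_attr])
        state["teams"] = [t for t in asserted if t != SITE_ADMIN_ROLE]
        state["site_admin"] = SITE_ADMIN_ROLE in asserted

    # SiteAdmin is the recommended control and overrides what MemberOf implied.
    if "SiteAdmin" in attrs:
        state["site_admin"] = any(is_true(v) for v in attrs["SiteAdmin"])

    # IsServiceAccount: the page only defines the present-and-true case, so nothing
    # else touches the flag.
    if any(is_true(v) for v in attrs.get("IsServiceAccount", [])):
        state["service_account"] = True

    return state


def preview(xml_text: str, current: dict, taken_usernames: set[str]) -> dict:
    """Parse an AttributeStatement and return the account state it would produce."""
    return apply_assertion(parse_attribute_statement(xml_text), current, taken_usernames)
```

Running preview(SAMPLE_STATEMENT, DEFAULT_ACCOUNT, {"admin"}) shows the interaction the page describes: the assertion lists site-admins in MemberOf, but the explicit SiteAdmin=false wins and the previously privileged account ends up without site admin access, with teams devs and reviewers, the username jane-doe and the service-account flag set because TRUE matches case-insensitively.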