SAML User Attributes Reference
The following SAML attributes correspond to properties of a Terraform Enterprise user account. When a new or existing user logs in, Terraform Enterprise can update the account with data from these attributes. When SCIM is enabled, Terraform Enterprise ignores SAML attributes for SCIM-managed user identity, team membership, and site administrator provisioning.
Username
If Username is specified, Terraform Enterprise will assign that username to the user instead of using an automatic name based on their email address when SCIM is not enabled. When the username is already taken or is invalid, login will still complete, and the existing or default value will be used instead. Terraform Enterprise ignores this attribute for SCIM-managed users when SCIM is enabled.
<saml:AttributeStatement>
  <saml:Attribute Name="Username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">new-username</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
SiteAdmin
If the SiteAdmin attribute is present, the system will grant or revoke site admin access for the user when SCIM is not enabled. Site admin access can also be granted or revoked through the MemberOf attribute; however, the SiteAdmin attribute is the recommended method of managing access and will override the MemberOf value. Terraform Enterprise ignores this attribute when SCIM is enabled.
<saml:AttributeStatement>
  <saml:Attribute Name="SiteAdmin">
    <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
MemberOf
Team membership is specified in the MemberOf attribute when SCIM is not enabled. (If desired, you can configure a different name for the team membership attribute.) Terraform Enterprise ignores this attribute when SCIM is enabled.
Teams can be specified in separate AttributeValue items:
<saml:AttributeStatement>
  <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
or in one AttributeValue as a comma-separated list:
<saml:AttributeStatement>
  <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">list,of,roles</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
There is a special-case role site-admins that will add a user as a site admin to your Terraform Enterprise instance when SCIM is not enabled.
<saml:AttributeStatement>
  <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">site-admins</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
IsServiceAccount
If the IsServiceAccount attribute (name is case-sensitive) is present with the value true (value is case-insensitive), the system will mark the user as a service account.
API tokens created for a service account do not expire when the API token session timeout is reached, unlike tokens created for a normal user account.
<saml:AttributeStatement>
  <saml:Attribute Name="IsServiceAccount">
    <saml:AttributeValue xsi:type="xs:boolean">true</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
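The following is an added example, not Terraform Enterprise code, that applies the precedence rules described above (exact-case attribute names, MemberOf values split on commas, the site-admins special-case role, and an explicit SiteAdmin overriding it) to a constructed AttributeStatement, which is useful for checking what an IdP's assertion would provision before it reaches a production instance. The SCIM-disabled case is assumed, and the SiteAdmin value is parsed with the same case-insensitive true check the page states for IsServiceAccount.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not from the page): comma-separated MemberOf naming site-admins, an explicit SiteAdmin=false that must override it, and an upper-case IsServiceAccount value.
SAMPLE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="Username">
    <saml:AttributeValue xsi:type="xs:string">new-username</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="MemberOf">
    <saml:AttributeValue xsi:type="xs:string">site-admins,devs</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">reviewers</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="SiteAdmin">
    <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="IsServiceAccount">
    <saml:AttributeValue xsi:type="xs:boolean">TRUE</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def attribute_values(root, name):
    """Values of the attribute whose Name matches exactly (case-sensitive), or None if absent."""
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            return [(v.text or "").strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
    return None

def is_true(values):
    # Boolean attribute: present and first value is "true", compared case-insensitively.
    return bool(values) and values[0].lower() == "true"

def resolve_attributes(statement_xml, team_attribute="MemberOf"):
    """Apply the precedence rules above to one AttributeStatement (SCIM assumed disabled)."""
    root = ET.fromstring(statement_xml)
    username = attribute_values(root, "Username")
    teams = []  # each value is one team or a comma-separated list of teams
    for raw in attribute_values(root, team_attribute) or []:
        teams.extend(t.strip() for t in raw.split(",") if t.strip())
    explicit = attribute_values(root, "SiteAdmin")
    if explicit is not None:
        site_admin = is_true(explicit)          # SiteAdmin overrides the MemberOf role
    else:
        site_admin = "site-admins" in teams     # special-case role grants site admin
    return {"username": username[0] if username else None, "teams": teams,
            "site_admin": site_admin,
            "service_account": is_true(attribute_values(root, "IsServiceAccount"))}
```

Pass a different team_attribute name when the instance has been configured to read team membership from an attribute other than MemberOf.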