Save 10-15% Register for HashiConf and save big when you buy 2+ tickets Get your passes
Terraform
Terraform Home

SAML User Attributes Reference

The following SAML attributes correspond to properties of a Terraform Enterprise user account. When a new or existing user logs in, their account info will be updated with data from these attributes.

Username

If Username is specified, Terraform Enterprise will assign that username to the user instead of using an automatic name based on their email address. When the username is already taken or is invalid, login will still complete, and the existing or default value will be used instead.

<saml:AttributeStatement>
  <saml:Attribute Name="Username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">new-username</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

SiteAdmin

If the SiteAdmin attribute is present, the system will grant or revoke site admin access for the user. Site admin access can be also be granted or revoked in the MemberOf attribute; however the SiteAdmin attribute is the recommended method of managing access and will override the other value.

<saml:AttributeStatement>
  <saml:Attribute Name="SiteAdmin">
    <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

MemberOf

Team membership is specified in the MemberOf attribute. (If desired, you can configure a different name for the team membership attribute.)

Teams can be specified in separate AttributeValue items:

<saml:AttributeStatement>
  <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

or in one AttributeValue as a comma-separated list:

<saml:AttributeStatement>
  <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">list,of,roles</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

There is a special-case role site-admins that will add a user as a site admin to your Terraform Enterprise instance.

<saml:AttributeStatement>
  <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">site-admins</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

IsServiceAccount

If the IsServiceAccount (case-sensitive) attribute is present and true (case-insensitive), the system will mark the user as a service account. This will ensure API tokens created for this user will not expire as normal user account tokens expire when reaching the API token session timeout.

<saml:AttributeStatement>
  <saml:Attribute Name="IsServiceAccount">
    <saml:AttributeValue xsi:type="xs:boolean">true</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>