Log into Terraform Enterprise with SAML
Once you configure SAML, Terraform users can visit https://<TFE HOSTNAME>/session to log in.
Users can follow the link to complete the SAML login process with the identity provider. If SCIM is not enabled and a user logs in for the first time, Terraform Enterprise creates an account for them. Terraform Enterprise generates the username from the text before the @ in the user's email address. Usernames contain only alphanumeric characters, -, or _; all invalid characters are converted to _. When SCIM is enabled, users must already be provisioned through SCIM before they can authenticate with SAML.
API Token Expiration
When you initially enable SAML or when a user's SAML-authenticated web session expires, existing user API tokens are also temporarily disabled until the user reauthenticates at https://<TFE HOSTNAME>/session. This restriction only affects user tokens, not team or organization tokens. When SCIM is not enabled, this behavior ensures Terraform Enterprise can refresh SAML-managed team membership from the user's latest assertion.
The API token session timeout is a site-wide setting that is configurable in the admin settings at https://<TFE HOSTNAME>/app/admin/saml.