Login with SAML

Once you configure SAML, Terraform users can visit https://<TFE HOSTNAME>/session to log in.

Users can follow the link to complete the SAML login process with the identity provider. The first time a user logs in, Terraform Enterprise creates an account for them. The username is generated automatically from the text before the @ in their email address. Usernames contain only alphanumeric characters, -, or _; all invalid characters are converted to _.

API Token Expiration

When you initially enable SAML, or when a user's SAML-authenticated web session expires, existing user API tokens are also temporarily disabled until the user reauthenticates at https://<TFE HOSTNAME>/session. Terraform Enterprise does this because it relies on your identity provider for team membership mapping, and a user might have been added to or removed from some teams since their session expired. This restriction only affects user tokens, not team or organization tokens.

The API token session timeout is a site-wide setting that is configurable in the admin settings at https://<TFE HOSTNAME>/app/admin/saml.
