Login with SAML
Once you configure SAML, Terraform users can visit https://<TFE HOSTNAME>/session to log in.
Users can follow the link to complete the SAML login process with the identity provider. When they log in for the first time, Terraform Enterprise creates an account for them. Their username is generated automatically from their email address, using the text before the @. The username only contains alphanumeric characters, -, or _. All invalid characters are converted to _.
API Token Expiration
When you initially enable SAML, or when a user's SAML-authenticated web session expires, existing user API tokens are also temporarily disabled until the user reauthenticates at https://<TFE HOSTNAME>/session. This is because Terraform Enterprise relies on your identity provider for team membership mapping, and a user might have been added to or removed from some teams since their session expired. This restriction only affects user tokens, not team or organization tokens.
The API token session timeout is a site-wide setting that is configurable in the admin settings at https://<TFE HOSTNAME>/app/admin/saml.