HashiCorp Developer AI Private beta now available Sign up today
Terraform
Terraform Home

You are viewing documentation for version v202303-1. View latest version.

Login with SAML

Once you configure SAML, Terraform users can visit https://<TFE HOSTNAME>/session to login.

Users can follow the link to complete the SAML login process with the identity provider. If they log in for the first time, Terraform Enterprise creates an account for them. Their username auto-generates from their email address using the text before the @. The username only contains alphanumeric characters, -, or _. All invalid characters convert to _.

API Token Expiration

When you initially enable SAML or when a user's SAML-authenticated web session expires, existing user API tokens also temporarily disable until they reauthenticate at https://<TFE HOSTNAME>/session. This arrangement is because Terraform Enterprise relies on your identity provider for team membership mapping and a user might have been added to or removed from some teams since their session expired. This restriction only affects user tokens, not team or organization tokens.

The API token session timeout is a site-wide setting that is configurable in the admin settings at https://<TFE HOSTNAME>/app/admin/saml.