This topic describes how to configure Terraform Enterprise as the SAML service provider (SP). SAML is an XML-based standard for authentication and authorization. Terraform Enterprise can act as a service provider (SP), also called a relying party, with your internal SAML identity provider (IdP).
Complete the following steps to configure Terraform Enterprise to authenticate and authorize users with SAML.
Refer to the Admin Settings API documentation for instructions on how to configure SAML using the API.
Only Terraform Enterprise users with the site-admin permission can modify SAML settings. For more information about site admins, refer to Site Administration Permissions.
Prior to activating SAML, we recommend that you create a non-SSO admin account for recovery to ensure that you are able to log in as an admin in case of error.
Terraform Enterprise supports the SAML 2.0 standard.
Configure SAML at https://<TFE HOSTNAME>/app/admin/saml.

Configure the following values in the SAML Identity Provider (IdP):

- Audience (entity ID): https://<TFE HOSTNAME>/users/saml/metadata
- Recipient: https://<TFE HOSTNAME>/users/saml/auth
- ACS (Consumer) URL: https://<TFE HOSTNAME>/users/saml/auth

The SAML metadata document is available at https://<TFE HOSTNAME>/users/saml/metadata.xml.
You can configure the following settings to set up Terraform Enterprise as the SP when integrating with a SAML identity provider.

SAML Settings

Note: When reconfiguring the IdP certificate, Terraform Enterprise retains the old IdP certificate to allow for a rotation period. When you are sure that the new certificate is functioning correctly, you must explicitly remove the old IdP certificate. A button labeled "Revoke old IDP certificate" appears below the IdP Certificate field while you are in a rotation period. You can also remove the old certificate via an API endpoint.

Attributes

- Username Attribute Name (default: Username): The name of the SAML attribute that determines the Terraform Enterprise username for a user logging in via SSO.
- Site Admin Attribute Name (default: SiteAdmin): The name of the SAML attribute that determines whether a user has site-admin permissions. The value of this attribute in the SAML assertion must be a boolean. Site admins can manage settings and resources for the entire Terraform Enterprise instance; see Administering Terraform Enterprise for details.
- Team Attribute Name (default: MemberOf): The name of the SAML attribute that determines team membership. The value of this attribute in the SAML assertion must be either a string containing a comma-separated list of team names or separate AttributeValue items. Team membership mapping is case-sensitive.
- Site Admin Role (default: site-admins; make blank to disable): An alternate way of managing site-admin permissions; if a role with this name is present in the value of the Team Attribute Name attribute, the user is an admin. We recommend using the Site Admin Attribute Name setting instead. If you are using the site admin attribute, you can disable Site Admin Role by deleting its value.
- API Token Session Timeout (default: 1209600 seconds, or 14 days): The duration of time (in seconds) for which Terraform Enterprise will accept a user's API token before requiring the user to log in again. For more details about this behavior, see API Token Expiration.
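The attribute rules above (a single username value, a boolean site-admin value, team membership given either as one comma-separated string or as separate AttributeValue items, case-sensitive team names, and the optional Site Admin Role fallback) are easy to get wrong when mapping claims in an IdP. The following added example, which is not code from the Terraform Enterprise documentation or product, resolves a user from a constructed SAML assertion exactly as those rules describe so you can test your IdP's attribute output before enabling SSO. The attribute names are the documented defaults; treating an absent SiteAdmin attribute as "not an admin" and rejecting a non-boolean SiteAdmin value are this example's choices, not documented product behaviour.

```python
"""Resolve username, site-admin status and teams from a SAML assertion.

Added example, not Terraform Enterprise code. It applies the documented
attribute semantics to a constructed assertion so an operator can check what
an IdP's attribute statement would map to.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP).
# MemberOf is sent as separate AttributeValue items here; a single
# comma-separated string is handled the same way by team_names().
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Username">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="SiteAdmin">
      <saml:AttributeValue>false</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="MemberOf">
      <saml:AttributeValue>owners</saml:AttributeValue>
      <saml:AttributeValue>Platform</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """Return every AttributeValue text for the attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            for value in attr.iterfind("saml:AttributeValue", NS):
                values.append((value.text or "").strip())
    return values


def parse_bool(values):
    """The site-admin attribute must be a single boolean; anything else is
    rejected rather than guessed (this example's choice)."""
    if len(values) != 1 or values[0].lower() not in ("true", "false"):
        raise ValueError("site-admin attribute must be a single boolean value")
    return values[0].lower() == "true"


def team_names(values):
    """Accept either a comma-separated string or separate AttributeValue
    items. Case is preserved because team mapping is case-sensitive."""
    teams = []
    for value in values:
        teams.extend(t.strip() for t in value.split(","))
    return [t for t in teams if t]


def resolve_user(assertion_xml, username_attr="Username",
                 site_admin_attr="SiteAdmin", team_attr="MemberOf",
                 site_admin_role="site-admins"):
    """Map an assertion to the identity Terraform Enterprise would derive.

    Parameters mirror the settings on this page; an empty site_admin_role
    disables the role-based fallback, as the docs describe.
    """
    usernames = attribute_values(assertion_xml, username_attr)
    if len(usernames) != 1 or not usernames[0]:
        raise ValueError("assertion must carry exactly one username value")
    teams = team_names(attribute_values(assertion_xml, team_attr))
    admin_values = attribute_values(assertion_xml, site_admin_attr)
    # Assumption for this example: no SiteAdmin attribute means not an admin.
    is_admin = parse_bool(admin_values) if admin_values else False
    # Site Admin Role: admin if the role name appears among the team values.
    if site_admin_role and site_admin_role in teams:
        is_admin = True
    return {"username": usernames[0], "site_admin": is_admin, "teams": teams}


def team_matches(teams, tfe_team_name):
    """Case-sensitive membership check: "Platform" does not match "platform"."""
    return tfe_team_name in teams


if __name__ == "__main__":
    print(resolve_user(SAMPLE_ASSERTION))
```

Run it against an assertion exported from your IdP's test tool (with the namespace declaration intact) to confirm the username, boolean and team values are shaped as the settings above require before turning SAML on for real users.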