Problem
In an organization with SAML/SSO enabled, Terraform Cloud (“TFC”) or Terraform Enterprise users are automatically removed from their assigned teams.
Cause
This can occur when teams were created in Terraform Cloud before SAML was enabled, and the expectation is that Terraform Cloud will keep the same team membership mapping after SAML is enabled.
Once SAML/SSO is enabled in TFC, the default option is to have SAML manage team membership mapping. This means that TFC will now rely on the SAML assertion provided by the identity provider (“IdP”) during login as the source of truth for user creation and team membership mapping. In practice, this means that users logging in via SAML are automatically added to the teams included in their assertion, and conversely automatically removed from any teams that aren’t included in their assertion. This overrides any team memberships manually set in the UI; whenever the user logs in, their team membership is adjusted to match their SAML assertion.
Any team names that don’t match existing teams in TFC are ignored; Terraform Cloud will not automatically create new teams.
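The following is an added model of the sync behaviour described above, written for this article and not Terraform Cloud's own code. It assumes the three rules stated in the text (assertion is the source of truth, memberships not in the assertion are removed, unknown team names are ignored) and models the "Use SAML to manage team memberships" setting as a boolean flag; the team names are constructed sample data.

```python
def sync_team_membership(existing_teams, current_memberships, asserted_teams,
                         saml_manages_teams=True):
    """Model of what happens to one user's team membership on a SAML login.

    existing_teams:      names of teams that already exist in the organization
    current_memberships: teams the user is in right now (including manual UI adds)
    asserted_teams:      team names carried in the SAML assertion from the IdP
    saml_manages_teams:  the "Use SAML to manage team memberships" setting

    Returns (memberships_after, added, removed, ignored), each sorted.
    """
    current = set(current_memberships)
    if not saml_manages_teams:
        # Setting unchecked: TFC/TFE leaves whatever was set manually alone.
        return sorted(current), [], [], []

    asserted = set(asserted_teams)
    existing = set(existing_teams)
    ignored = asserted - existing          # unknown names: no team is auto-created
    target = asserted & existing           # assertion is the source of truth
    return (sorted(target),
            sorted(target - current),      # teams the user is added to
            sorted(current - target),      # teams the user is removed from (manual adds too)
            sorted(ignored))


if __name__ == "__main__":
    # Constructed example: "test" was added by hand in the UI, "security" does not exist.
    result = sync_team_membership(
        existing_teams={"developers", "ops", "test"},
        current_memberships={"developers", "test"},
        asserted_teams=["developers", "ops", "security"],
    )
    print("after:", result[0], "added:", result[1], "removed:", result[2], "ignored:", result[3])
```

Running the block shows the manual "test" membership being dropped on login and the nonexistent "security" team being ignored; passing `saml_manages_teams=False` returns the current memberships unchanged, which is the behaviour of the unchecked setting discussed in the Solution section.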
In Terraform Enterprise it is possible to confirm that SAML is removing users from teams by checking the ptfe_atlas audit logs for remove_member actions where the actor is SAML, for example:
[Audit Log] {"resource":"team","action":"remove_member","resource_id":"team-otyig8fsWXNUSCZP","organization":"TEST-TFE","actor":"SAML","timestamp":"2021-01-21T15:19:34Z","user":"admin","actor_ip":null}
To access the ptfe_atlas log, connect to the Terraform Enterprise instance via SSH and run sudo docker logs ptfe_atlas.
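The following is an added detection script, written for this article (it is not part of Terraform Enterprise), that filters a ptfe_atlas log for exactly the events described above. It assumes the `[Audit Log] {json}` line format shown in the sample entry; the embedded sample lines are constructed for the example, and in practice you would pipe the output of sudo docker logs ptfe_atlas into it.

```python
import json
import re
import sys
from collections import Counter

# Constructed sample lines in the "[Audit Log] {json}" format; not real log output.
SAMPLE_LOG = """\
unrelated container startup line
[Audit Log] {"resource":"team","action":"remove_member","resource_id":"team-otyig8fsWXNUSCZP","organization":"TEST-TFE","actor":"SAML","timestamp":"2021-01-21T15:19:34Z","user":"admin","actor_ip":null}
[Audit Log] {"resource":"team","action":"add_member","resource_id":"team-otyig8fsWXNUSCZP","organization":"TEST-TFE","actor":"SAML","timestamp":"2021-01-21T15:19:35Z","user":"admin","actor_ip":null}
[Audit Log] {"resource":"team","action":"remove_member","resource_id":"team-AAAA","organization":"TEST-TFE","actor":"owner1","timestamp":"2021-01-21T16:00:00Z","user":"bob","actor_ip":"10.0.0.5"}
[Audit Log] {"resource":"team","action":"remove_member","resource_id":"team-AAAA","organization":"TEST-TFE","actor":"SAML","timestamp":"2021-01-22T09:00:00Z","user":"bob","actor_ip":null}
[Audit Log] not json at all
"""

AUDIT_LINE = re.compile(r"\[Audit Log\]\s*(\{.*\})\s*$")


def parse_audit_events(text):
    """Yield a dict for every well-formed '[Audit Log] {...}' line; skip everything else."""
    for line in text.splitlines():
        m = AUDIT_LINE.search(line)
        if not m:
            continue
        try:
            yield json.loads(m.group(1))
        except json.JSONDecodeError:
            continue  # truncated or malformed entry: ignore rather than abort


def saml_team_removals(text):
    """Return team remove_member events performed by the SAML actor, i.e. login sync."""
    return [
        ev for ev in parse_audit_events(text)
        if ev.get("resource") == "team"
        and ev.get("action") == "remove_member"
        and ev.get("actor") == "SAML"
    ]


def removals_by_user(text):
    """Count SAML-driven removals per user, to spot who is losing memberships on login."""
    return Counter(ev["user"] for ev in saml_team_removals(text))


if __name__ == "__main__":
    # Read the real log from stdin when piped in; fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ev in saml_team_removals(data):
        print(f'{ev["timestamp"]} {ev["organization"]} user={ev["user"]} '
              f'removed from {ev["resource_id"]} by {ev["actor"]}')
    print(dict(removals_by_user(data)))
```

Usage on the instance: `sudo docker logs ptfe_atlas 2>&1 | python3 saml_removals.py`. The removal performed by actor owner1 in the sample is deliberately excluded: only events whose actor is SAML indicate the login-time sync described in this article.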
Another way to test this, which works in Terraform Cloud as well as Terraform Enterprise, is to manually add a user to a team that is known not to be included in that user's group or team assignments on the IdP side. When the user next logs in via SAML, they should be removed from this "test" team.
Solution
The solution depends on how the organization owner (Terraform Cloud) or site administrator (Terraform Enterprise) wants to manage team membership mapping.
Terraform Enterprise
If you want Terraform Enterprise to manage team membership while SSO/SAML is enabled then uncheck the Use SAML to manage team memberships checkbox in the SAML settings. Terraform Enterprise won’t automatically manage team membership on login, and you can manually add users to teams via the organization’s Teams page.
Terraform Cloud
If you’d prefer to manually manage team membership mapping in Terraform Cloud, navigate to the organization’s SSO settings. In order to modify the SSO configuration, the SSO integration must be temporarily disabled. After disabling SSO, click Edit settings and slide the Enable team management to customize your team attribute setting to the off position. Once complete, save the settings and re-enable the SSO integration.
If you want the identity provider to manage team membership while SSO/SAML is enabled, then user and team membership will need to be handled by the identity provider and sent through the SAML assertion, and the team names in the assertion must match existing teams in Terraform Cloud.