Problem
When creating a Terraform Cloud account through a Single Sign-On (SSO) linked workflow, some users encounter a 500 error after submitting their account details. This commonly happens when Microsoft Azure AD is the Identity Provider (IdP) and the value in the user's SAML assertion that Terraform Cloud maps to the username is not a valid Terraform Cloud username.
Prerequisites
- Users whose Terraform Cloud account creation workflow uses Microsoft Azure AD as the IdP.
Cause
The error occurs when the value of the user's Azure AD claim http://schemas.microsoft.com/identity/claims/displayname contains a space between the first and last names (for example, "FirstName LastName"). Terraform Cloud uses this value as the Username, and a username containing a space is rejected, which surfaces as the 500 error. You can confirm the value Terraform Cloud is receiving by Capturing a SAML Assertion; in the captured assertion, both the displayname claim and the Username attribute carry the value with the space:
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
  <AttributeValue>FirstName LastName</AttributeValue>
</Attribute>
<Attribute Name="Username">
  <AttributeValue>FirstName LastName</AttributeValue>
</Attribute>
Solution
To resolve this issue, have your IdP admin follow these steps:
- Access the User Attributes & Claims settings for the Terraform Cloud application in Azure AD.
- Find the claim http://schemas.microsoft.com/identity/claims/displayname in the claim list.
- Change its source attribute from user.displayname to user.mailnickname.
- Save the changes.
- Restart the account creation process using the IdP-provided app link for Terraform Cloud.
If a new SAML assertion is captured, the Username value should now appear without a space between the names:
<Attribute Name="Username">
  <AttributeValue>FirstNameLastName</AttributeValue>
</Attribute>
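The check described in the Cause section (confirm what the captured assertion carries for the displayname claim and the Username attribute) and again after the fix (confirm the Username value no longer contains a space) can be scripted so it is applied consistently to every capture. The following is an added example, not code from the original article or from HashiCorp; the assertion text it parses is a constructed sample shaped like the snippets above, with the Signature and Conditions elements omitted, and the whitespace rule is the only validity rule the article states, so it is the only one checked. The script inspects attribute values only; it does not verify the assertion's signature and must not be used as a substitute for that.

```python
"""Inspect a captured SAML 2.0 assertion and flag username-bearing
attributes whose value contains whitespace (added example; the sample
assertion below is constructed, not a real capture)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DISPLAYNAME_CLAIM = "http://schemas.microsoft.com/identity/claims/displayname"
# Attributes whose value ends up as (or is mapped to) the Terraform Cloud Username.
USERNAME_ATTRIBUTES = ("Username", DISPLAYNAME_CLAIM)

# Constructed sample mirroring the shape of the assertion captured before the fix.
BROKEN_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>FirstName LastName</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Username">
      <saml:AttributeValue>FirstName LastName</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same sample after the claim source is switched to user.mailnickname.
FIXED_ASSERTION = BROKEN_ASSERTION.replace("FirstName LastName", "FirstNameLastName")


def saml_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {attribute Name: [values]} from the AttributeStatement.

    Works whether the root element is the Assertion itself or a wrapping
    Response, because the search is over all descendants.
    """
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def username_problems(attrs: Dict[str, List[str]]) -> List[str]:
    """Report every username-bearing attribute value that contains whitespace.

    An empty list means the capture shows no value that would trigger the
    failure described in the article.
    """
    problems = []
    for name in USERNAME_ATTRIBUTES:
        for value in attrs.get(name, []):
            if re.search(r"\s", value):
                problems.append(f"{name}: {value!r} contains whitespace")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("before fix", BROKEN_ASSERTION), ("after fix", FIXED_ASSERTION)):
        found = username_problems(saml_attributes(xml_text))
        print(f"{label}: {found or 'no whitespace in username attributes'}")
```

To run this against a real capture, read the decoded assertion XML into a string and pass it to `saml_attributes`; any non-empty result from `username_problems` means the IdP is still sending a value Terraform Cloud will reject as a username.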
You can find detailed instructions in the Terraform Cloud documentation here.
Outcome
After making the necessary attribute changes, try creating a Terraform Cloud account again using the IdP provided app link for Terraform Cloud. The 500 error should no longer occur upon submission.