Fixing 500 Error in Terraform Cloud When Linking Azure AD for User Creation

Avatar
Johnny Gossette
  • Updated

Introduction

This article provides a solution for a 500 error that can occur during HCP Terraform account creation when using Single Sign-On (SSO) with Microsoft Azure Active Directory (Azure AD).

Problem

When creating an HCP Terraform account using an SSO-linked workflow, some users may encounter a 500 error after submitting account details. This issue commonly arises when Microsoft Azure AD is the Identity Provider (IdP), and the user's SAML assertion contains an invalid value for the HCP Terraform username.

Prerequisites

  • An HCP Terraform organization configured to use Microsoft Azure AD as the IdP for SSO.

Cause

The error occurs when the user's Azure AD attribute http://schemas.microsoft.com/identity/claims/displayname contains a space, between the first and last name. HCP Terraform uses this value for the username, and the space triggers the error.

You can validate the contents of the value that HCP Terraform is receiving by Capturing a SAML Assertion. The problematic assertion may look like this.

<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
  <AttributeValue>FirstName LastName</AttributeValue>
</Attribute>
<Attribute Name="Username">
  <AttributeValue>FirstName LastName</AttributeValue>
</Attribute>

Solution

To resolve this issue, your IdP administrator must update the attribute mapping in Azure AD.

  1. Access the Azure AD User Attributes & Claims settings for the HCP Terraform application.
  2. Find the claim associated with the attribute http://schemas.microsoft.com/identity/claims/displayname.
  3. Change the source attribute value from user.displayname to user.mailnickname. This attribute typically does not contain spaces.
  4. Save the changes in Azure AD.
  5. Restart the account creation process using the IdP-provided application link for HCP Terraform.

After this change, a new SAML assertion should show the Username value without a space.

<Attribute Name="Username">
  <AttributeValue>FirstNameLastName</AttributeValue>
</Attribute>

You can find detailed instructions in the Azure AD SSO configuration documentation.

Outcome

After your administrator updates the attribute mapping, you should be able to create an HCP Terraform account using the IdP-provided application link without encountering the 500 error.

Articles in this section

See more

Related articles