Problem
When using SAML/SSO for team membership management in HCP Terraform or Terraform Enterprise, site administrators may unexpectedly lose their admin permissions after logging in.
Cause
This issue occurs when the Site Admin Role is not correctly configured in the HCP Terraform or Terraform Enterprise admin settings, or when the role name does not exactly match the corresponding attribute value sent by the Identity Provider (IdP). This field is case-sensitive.
Solution
To resolve this issue, you must ensure that the Site Admin Role is correctly defined in the application's admin UI and that the value matches the role attribute configured in your IdP.
- Navigate to the SAML settings in your HCP Terraform or Terraform Enterprise instance.
- Locate the Site Admin Role field.
- Enter the exact, case-sensitive name of the role that your IdP will send to designate site administrators.
- Save the configuration.
After saving, affected users should log out and log back in through SSO to verify that their site admin permissions are restored.
Additional Information
If you need to verify the information being sent from your IdP, you can capture a SAML assertion for review.
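As an added example (not part of the original article or of HCP Terraform/Terraform Enterprise itself), the script below reads a captured SAML assertion and applies the same exact, case-sensitive comparison the Site Admin Role field uses, so you can tell whether a lost admin permission is a case or whitespace mismatch. The assertion is constructed, and the attribute name "MemberOf" and role "site-admins" are assumptions; substitute the attribute your IdP actually sends.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP). The attribute
# name "MemberOf" and the role "site-admins" are assumptions for illustration.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="MemberOf">
      <saml:AttributeValue>devops</saml:AttributeValue>
      <saml:AttributeValue>site-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def role_values(assertion_xml, attribute_name):
    """Return every value the IdP sent for the named attribute, in order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            for val in attr.iterfind("saml:AttributeValue", NS):
                values.append((val.text or "").strip())
    return values


def check_site_admin(assertion_xml, attribute_name, configured_role):
    """Apply the exact, case-sensitive match the Site Admin Role field uses.

    Returns (granted, near_misses): granted is True only on an exact match;
    near_misses lists sent values that differ from the configured role only
    by letter case, which is the mismatch the article describes.
    """
    values = role_values(assertion_xml, attribute_name)
    granted = configured_role in values
    near_misses = [v for v in values
                   if v != configured_role and v.lower() == configured_role.lower()]
    return granted, near_misses


if __name__ == "__main__":
    for configured in ("site-admins", "Site-Admins"):
        granted, near = check_site_admin(SAMPLE_ASSERTION, "MemberOf", configured)
        print(f"configured={configured!r} granted={granted} case_mismatch={near}")
```

Run it against the assertion you captured from your IdP, with the attribute name and the value entered in the Site Admin Role field, to confirm whether the two agree exactly.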