SSO JIT (just-in-time) team provisioning allows SSO users to be placed automatically on different HCP Terraform teams based on the MemberOf claim, which carries the SSO user's groups. Within the SAML assertion passed at login, each SSO group name needs to match the corresponding HCP Terraform team name exactly, in human-readable form.
However, some SSO providers like MS Entra ID do not provide human-readable group names in the assertion and instead send the group ID or object ID. In that case an extra step is required: take each group's object ID and enter it in the SSO Team ID field in the settings of the corresponding Terraform team. This can be quite cumbersome if you have many teams/groups you are working with.
However, Microsoft Entra ID (formerly called Active Directory) has a few settings that can be configured to pass human-readable group names in the SAML assertion, avoiding the need to enter the ID for each corresponding team.
Prerequisites:
Procedure:
When configuring the 'MemberOf' claim as per our documentation, you need to do a few things differently:
- Navigate to Microsoft Entra ID > Manage > Enterprise Applications > Select existing SSO application configured for HCP Terraform
- Navigate to Manage > Single-Sign-On > Attributes & Claims > Edit
- Select 'Add New Group Claim' or edit the existing one for: MemberOf
- Select 'Groups assigned to this application' and select 'Cloud-only group display names'
- Mark 'Customize the name of the group claim' and enter into Name: 'MemberOf'
- Click 'Save' button
The claim shows the name 'MemberOf' with a value of 'user.groups'. The configuration can now be tested.
Troubleshooting:
The settings can be confirmed by reviewing the values passed in the MemberOf claim of a SAML assertion from a login attempt. Please review our guide on how you can gather and decode the assertion here:
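As an added example (not part of this article or HashiCorp's tooling), the following Python script decodes a base64-encoded SAML assertion, pulls out the values of the MemberOf claim, and reports which values are already human-readable team names, which are still Entra object IDs (and would therefore need the SSO Team ID workaround), and which names do not match any HCP Terraform team. The assertion embedded here is a constructed sample, the team list is hypothetical, and exact name matching is assumed.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entra object IDs are GUIDs; a value of this shape means the claim is not human-readable.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample assertion (not captured from a real tenant): two readable
# group names plus one object ID, to show the mixed case a troubleshooter may see.
SAMPLE_ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="MemberOf">
      <saml:AttributeValue>tf-admins</saml:AttributeValue>
      <saml:AttributeValue>tf-developers</saml:AttributeValue>
      <saml:AttributeValue>3b1f8a2e-1c4d-4e5f-9a6b-7c8d9e0f1a2b</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_ASSERTION_XML.encode()).decode()


def member_of_values(encoded_assertion, claim_name="MemberOf"):
    """Decode a base64 SAML assertion and return the values of the named claim, in order."""
    root = ET.fromstring(base64.b64decode(encoded_assertion))
    values = []
    # Search the whole tree so this also works when the assertion is wrapped in a Response.
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == claim_name:
            values.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text)
    return values


def classify(values, team_names):
    """Split claim values into matched team names, raw object IDs, and unmatched names."""
    teams = set(team_names)
    report = {"matched": [], "object_ids": [], "unmatched": []}
    for value in values:
        if GUID_RE.match(value):
            report["object_ids"].append(value)   # needs SSO Team ID, or the claim fix above
        elif value in teams:
            report["matched"].append(value)      # JIT provisioning will place the user here
        else:
            report["unmatched"].append(value)    # readable, but no team of that exact name
    return report


if __name__ == "__main__":
    hypothetical_teams = ["tf-admins", "tf-ops"]
    print(classify(member_of_values(SAMPLE_ASSERTION_B64), hypothetical_teams))
```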