Introduction
HCP Terraform requires an existing, working e-mail address at sign-up. This sometimes poses a problem: a customer might have an entire employee directory configured with a domain that was abandoned or expired, or that has no actual mail server behind it.
When SSO is set up, CyberArk passes the UserPrincipalName (UPN) by default, even if the invite was sent to a valid address. When the user creates an account and logs in, they will discover that the UPN value was used instead of the address the invite was sent to.
Expected Outcome
Usually only a few members of the DevOps team need access to HCP Terraform, and therefore need a working e-mail address. Changing the UPN for a small subset of employees might break other applications already configured to work with the IdP, which is why administrators might be reluctant to do so.
Customers expect suggestions for achieving a working configuration without making breaking changes.
Solution
The CyberArk IdP configuration allows sending the value of a field other than UPN. If no field with a valid e-mail address exists yet, the customer can add one for only those employees who actually need it.
This field can then be used in the configuration of the Terraform Cloud application, so a valid address is sent while the UPN stays unchanged for all employees. This avoids a full migration and allows account creation to work properly with HCP Terraform.
Support can remove accounts that don't have a valid address and were created with the default settings in CyberArk.
Here is the actual configuration page where the field name can be provided:
And the help page from CyberArk describing the available options:
https://docs.cyberark.com/wpm/latest/en/content/applications/appsovw/mapuseracts.htm
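To confirm which value the IdP actually sends before and after changing the mapping, the following added example (not from HashiCorp or CyberArk) parses a constructed SAML assertion and compares the identifier against the address the invite went to. It assumes the identifier arrives in the NameID element and that the custom field is exposed as an attribute named "TerraformEmail"; both names are assumptions for illustration.

```python
"""Diagnose which address an IdP sends in a SAML assertion versus the invited one."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture). The IdP sends the UPN as
# NameID and also exposes a separate custom attribute, assumed here to be
# called "TerraformEmail", holding the working address.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@old-domain.example</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserPrincipalName"><saml:AttributeValue>jdoe@old-domain.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="TerraformEmail"><saml:AttributeValue>jane.doe@corp.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_values(xml_text):
    """Return (NameID, {attribute name: first value}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("Name")] = value.strip()
    return name_id, attrs


def diagnose(xml_text, invited_address, email_attr="TerraformEmail"):
    """Classify what the service provider would see versus the invited address."""
    name_id, attrs = assertion_values(xml_text)
    invited = invited_address.lower()
    if name_id.lower() == invited:
        return "ok: NameID matches the invited address"
    upn = attrs.get("UserPrincipalName", "").lower()
    if name_id.lower() == upn and attrs.get(email_attr, "").lower() == invited:
        # The default mapping sent the UPN; the custom field holds the right value.
        return (f"mismatch: NameID carries the UPN {name_id}; map attribute "
                f"'{email_attr}' instead to send {invited_address}")
    return f"mismatch: NameID is {name_id} and no attribute holds the invited address"


if __name__ == "__main__":
    print(diagnose(SAMPLE_ASSERTION, "jane.doe@corp.example"))
```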