Problem
After upgrading to Terraform Enterprise v202410-1, SAML/SSO login fails. The atlas container logs in the support bundle show the following error:
OpenSSL::PKey::RSAError (Neither PUB key nor PRIV key)
Prerequisites
- Terraform Enterprise v202410-1.
- SAML/SSO is enabled.
Cause
The error OpenSSL::PKey::RSAError (Neither PUB key nor PRIV key) indicates a certificate misconfiguration. In this case, a private key was previously configured in the Private Key field on the SAML Settings UI page. Although the field may appear empty in the UI, the key is still present in the configuration database.
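The exception named in the log is the one Ruby's OpenSSL binding raises when OpenSSL::PKey::RSA.new is given input it cannot parse as an RSA key. The following added example (not Terraform Enterprise code; the helper name check_rsa_key_material, the dummy passphrase and the sample inputs are constructed here) reproduces that failure class and shows a pre-check for key material before it is saved in a settings field.

```ruby
require "openssl"

# Hypothetical helper (not part of Terraform Enterprise): classify text that is
# about to be used as an RSA key. Returns a hash with :status and :detail.
def check_rsa_key_material(text)
  return { status: :blank, detail: "no key material supplied" } if text.nil? || text.strip.empty?

  # A dummy passphrase stops OpenSSL from prompting on a terminal when the PEM
  # is encrypted; it is ignored for unencrypted input.
  key = OpenSSL::PKey::RSA.new(text, "unused-passphrase")
  if key.private?
    { status: :private_key, detail: "RSA private key, #{key.n.num_bits} bits" }
  else
    { status: :public_key, detail: "RSA public key, #{key.n.num_bits} bits" }
  end
rescue OpenSSL::PKey::RSAError => e
  # Same exception class as in the atlas log line quoted above.
  { status: :unparseable, detail: "#{e.class} (#{e.message})" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; the key is generated on the spot, not a real one.
  sample = OpenSSL::PKey::RSA.new(2048)
  truncated = sample.to_pem.lines.reject.with_index { |_, i| i == 3 }.join
  {
    "full private key" => sample.to_pem,
    "public key only" => sample.public_key.to_pem,
    "PEM with a line missing" => truncated,
    "arbitrary text" => "not a key",
    "single space" => " "
  }.each do |label, text|
    result = check_rsa_key_material(text)
    puts format("%-24s %-12s %s", label, result[:status], result[:detail])
  end
end
```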
Solution
To resolve this issue, you must identify and remove the hidden private key from the SAML/SSO settings using the Terraform Enterprise Rails console.
Clear the Hidden Private Key via Rails Console
- Log in to the container running Terraform Enterprise.
  Note: Adjust the following command based on your specific installation environment.
  $ kubectl exec -n terraform-enterprise -it <pod_name> -- bash
- Execute the command to access the Rails console.
  $ tfectl support console
- Run a query to view all SAML settings and check for an encrypted private key.
  AdminSettings::Saml.all
- Review the output. If a key is present, the private_key_encrypted attribute will have a value similar to the following.
  private_key_encrypted: "vault:v1:CFrA4RVauQeD6W0jd19l445pe5AprDifQ1nkYe6Pkr9B07CSvL...o/uDl652da3",
- Navigate to the SAML Settings page in the Terraform Enterprise UI at https://<TFE_HOSTNAME>/app/admin/saml.
- In the Private key field, enter a single space and save the configuration. This action clears the hidden key from the database.
- Return to the Rails console and run the query again to confirm the private key has been removed.
  AdminSettings::Saml.all
- Verify that the private_key_encrypted attribute is now empty.
  private_key_encrypted: "",
- Restart Terraform Enterprise for the new configuration to take effect.
Outcome
After restarting Terraform Enterprise, the SAML/SSO login will function correctly, provided the rest of the SAML configuration is valid.
Additional Information
- For more details, refer to the official documentation to configure SAML for Terraform Enterprise.