This article provides a procedure to restore site administrator access to Terraform Enterprise when all administrative accounts are locked out due to a SAML configuration issue.
Problem
When SAML is enabled in Terraform Enterprise, a misconfiguration of site administrator privileges can lock all users out of the site admin portal. This prevents users from being able to perform administrative functions and makes it difficult to troubleshoot SAML configuration or deactivate SAML to resolve the issue.
Cause
The initial user account for a Terraform Enterprise installation is the first site administrator. Site administrators can grant admin permissions to other users. For details, refer to the documentation on Promoting a User to Administrator.
When SAML is active, any SAML user who requires site administrator permissions must have one of two attributes in their SAML assertion:
- The SiteAdmin attribute (recommended)
- The Site Admin team membership role
If the Identity Provider (IdP) is not configured to provide one of these attributes and no non-SSO admin account has been created, no user will be able to log in to Terraform Enterprise as an administrator.
Solution
If you are locked out and cannot correct the configuration within your IdP, you can restore site administrator access through the application’s Rails console. For background information and security considerations, refer to the guide on How To Access the Terraform Enterprise Rails Console.
Procedure
- Before connecting to the console, have the target user log in to Terraform Enterprise to establish an active session.
- Connect to the Rails console.
- Run the following commands, replacing `user@example.com` with the email address of the target user. These commands find the user by email and update their account to grant administrative privileges.

```ruby
user = User.find_by(email: "user@example.com")
user.update(is_admin: true)
```
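The same recovery step wrapped in a guarded helper, as an added example that is not part of the HashiCorp article: it refuses to proceed when `User.find_by` returns nil for a mistyped address (where the bare console commands would raise NoMethodError), leaves an existing administrator untouched, and re-reads the record to confirm the flag was persisted. The in-memory `User` class is a constructed stand-in for Terraform Enterprise's ActiveRecord model so the logic can be exercised outside a TFE install; in the real Rails console you would drop that class and keep only `promote_to_site_admin`.

```ruby
# Constructed stand-in for the TFE User model (NOT the real ActiveRecord class).
# It exposes only the two calls the article relies on:
# User.find_by(email:) and user.update(is_admin:).
class User
  STORE = {}
  attr_reader :email, :is_admin

  def initialize(email, is_admin: false)
    @email = email
    @is_admin = is_admin
    STORE[email] = self
  end

  def self.find_by(email:)
    STORE[email]          # nil when no account has that email, like ActiveRecord
  end

  def update(is_admin:)
    @is_admin = is_admin
    true
  end
end

# Promote the account matching +email+ to site administrator.
# Returns a symbol describing the outcome instead of raising, so a typo in the
# address is reported rather than silently promoting nobody.
def promote_to_site_admin(email)
  user = User.find_by(email: email)
  return :not_found if user.nil?
  return :already_admin if user.is_admin

  raise "update failed for #{email}" unless user.update(is_admin: true)
  # Re-read the record before relying on the change.
  User.find_by(email: email).is_admin ? :promoted : :not_persisted
end

# Constructed sample accounts standing in for the TFE user table.
User.new("recovery@example.com")
User.new("existing-admin@example.com", is_admin: true)

if __FILE__ == $PROGRAM_NAME
  puts promote_to_site_admin("recovery@example.com")   # => promoted
  puts promote_to_site_admin("nobody@example.com")     # => not_found
end
```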
Outcome
After running the commands, refresh the user's browser session to verify that the user is now a site administrator. The user can now open the site admin area without logging out and make the necessary SAML configuration changes, such as disabling SAML or updating the SAML settings.
Additional Information
To prevent this issue, always create a non-SSO admin account for recovery before you enable SAML. You must create this account while SAML is inactive, as user creation outside of SAML is not permitted when SAML is active.