Introduction
This article provides a step-by-step guide to resolving an issue where Terraform Enterprise (TFE) still reaches the old SSO URL after a Single Sign-On (SSO) configuration update.
Expected Outcome
Once completed, TFE will use the new SSO URL for authentication, and the system will function correctly with the updated identity provider (IdP) configuration.
Prerequisites
- Access to TFE with admin privileges.
- A non-SSO admin account for recovery purposes.
- The updated SSO URL and IdP certificate details from your identity provider.
Use Case
This procedure applies when you have recently updated your SSO configuration in TFE but notice it still attempts to use the old SSO URL, leading to authentication issues.
Procedure
Step 1: Disable SAML Single Sign-On
1. Navigate to the SAML settings page:
https://<TFE HOSTNAME>/app/admin/saml
2. Uncheck the **Enable SAML Single Sign-On** checkbox.
3. Confirm that disabling SSO will log you out from TFE.
4. Log back into TFE using a non-SSO admin account.
Step 2: Verify Non-SSO Admin Account
1. If a non-SSO admin account does not exist, create one:
- Go to:
https://<TFE HOSTNAME>/signup/account
- Provide an email address not associated with your identity provider (e.g., SAML).
- Assign admin access to this account.
2. Test logging in with this account to ensure recovery access is available.
Step 3: Reconfigure SSO Settings
1. Navigate to the SAML settings page again:
https://<TFE HOSTNAME>/app/admin/saml
2. Update the Single Sign-On URL with the new value provided by your IdP.
3. Update the IdP Certificate:
- Upload the new PEM-encoded X.509 Certificate provided by your IdP.
- Ensure the "Revoke old IDP certificate" option appears below the IdP Certificate field if a rotation period is active.
4. Save the settings.
Step 4: Test SSO Configuration
1. Log out of TFE and attempt to log in using the SSO option.
2. Verify that the login redirects to the new SSO URL.
3. If successful, confirm that all users can access TFE using the updated SSO configuration.
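The check in Step 4 can be run against a redirect URL captured during login (for example, the Location header shown in the browser's developer tools). The script below is an added example, not part of the original article or HashiCorp's code; it assumes the login uses the SAML HTTP-Redirect binding with a `SAMLRequest` query parameter, and the IdP hostnames and helper names are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

def endpoint(url):
    """Normalize a URL to (scheme, host, port, path); query and fragment are ignored."""
    u = urlsplit(url)
    port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port, u.path.rstrip("/"))

def authn_request_destination(redirect_url):
    """Return the Destination attribute of the SAMLRequest in the URL, or None."""
    values = parse_qs(urlsplit(redirect_url).query).get("SAMLRequest")
    if not values:
        return None
    # Assumption: HTTP-Redirect binding, i.e. base64 of a raw DEFLATE stream.
    xml = zlib.decompress(base64.b64decode(values[0]), -15)
    return ET.fromstring(xml).get("Destination")

def check_redirect(redirect_url, new_sso_url, old_sso_url):
    """Classify a captured login redirect as 'new', 'old' or 'unexpected'."""
    targets = [redirect_url]
    dest = authn_request_destination(redirect_url)
    if dest:
        targets.append(dest)
    seen = {endpoint(t) for t in targets}
    if seen == {endpoint(new_sso_url)}:
        return "new"          # redirect and embedded Destination both use the new URL
    if endpoint(old_sso_url) in seen:
        return "old"          # stale value still in use somewhere in the request
    return "unexpected"

def build_sample_redirect(target, destination=None):
    """Build a constructed redirect URL for testing; not captured from a real TFE."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_constructed" Version="2.0" Destination="%s"/>' % (destination or target))
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return target + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

if __name__ == "__main__":
    NEW = "https://idp-new.example.com/sso/saml"   # placeholder for the new SSO URL
    OLD = "https://idp-old.example.com/sso/saml"   # placeholder for the old SSO URL
    print(check_redirect(build_sample_redirect(NEW), NEW, OLD))
    print(check_redirect(build_sample_redirect(NEW, destination=OLD), NEW, OLD))
```

A result of `old` means the old URL is still in use, either as the redirect target or as the `Destination` inside the request.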
---
Additional Information
- https://developer.hashicorp.com/terraform/enterprise/saml/configuration