Problem
In Terraform Enterprise or HCP Terraform, users authenticating via Single Sign-On (SSO) may be unable to see workspaces they should have access to. This occurs even when their Active Directory (AD) group memberships are correctly mapped to the appropriate SSO teams.
For example, a user, user1, is a member of the Active Directory group AD_Group1. This group corresponds to the SSO team ID for team1, which has access to workspace1. However, when user1 logs in, workspace1 is not visible.
Prerequisites
- SAML is enabled in your Terraform Enterprise or HCP Terraform organization.
- You are using an Identity Provider (IdP) like Active Directory Federation Services (ADFS) or Microsoft Entra ID.
Cause
This issue is often caused by a limitation in Microsoft Entra ID (formerly Azure AD), which restricts the number of group claims in a SAML token to 150. If a user is a member of more than 150 AD groups, the SAML token sent to Terraform will not contain any group information. As a result, Terraform cannot synchronize the user's team memberships, and access to workspaces is denied.
Solution
To resolve this issue, you must configure a group filter in your IdP to limit the number of groups included in the SAML assertion. This filter should ensure that only the groups relevant to Terraform access are sent in the token, keeping the total count below the 150-group limit.
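Before and after adding the IdP group filter, it helps to inspect the SAML assertion that actually reaches Terraform and confirm two things: that a group attribute is present at all, and that the group mapped to the SSO team (AD_Group1 in the example above) is among its values and the total stays under the 150-group limit. The following Python script is an added example for this article, not HashiCorp or Microsoft code. It assumes Entra ID's default SAML group claim name (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups); if your IdP is configured to emit a different attribute name, pass it as attr_name so it matches the team attribute name configured in your Terraform SAML settings. The sample assertions it builds are constructed for offline testing and carry no signature or real tenant identifier.

```python
"""Diagnostic: count group claims in a SAML assertion and check that the
group mapped to a Terraform SSO team is present.

Added example for the article above; not HashiCorp or Microsoft code.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}

# Entra ID's default SAML group claim name (assumed here). Override it if your
# IdP emits a custom attribute such as "MemberOf" to match Terraform's
# configured team attribute name.
DEFAULT_GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Group-claim limit described in the article.
ENTRA_GROUP_CLAIM_LIMIT = 150


def extract_group_claims(saml_xml, attr_name=DEFAULT_GROUP_ATTR):
    """Return the group values carried by the named attribute, or None when
    the assertion carries no such attribute at all."""
    root = ET.fromstring(saml_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == attr_name:
            return [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return None


def diagnose(saml_xml, expected_group, attr_name=DEFAULT_GROUP_ATTR,
             limit=ENTRA_GROUP_CLAIM_LIMIT):
    """Classify why a user might not see their workspaces, based only on the
    group attribute in the assertion."""
    groups = extract_group_claims(saml_xml, attr_name)
    if groups is None:
        verdict = ("no group attribute in assertion: the IdP is not emitting groups, "
                   f"or the user exceeds the {limit}-group limit and the claim was dropped")
    elif len(groups) > limit:
        verdict = f"{len(groups)} groups exceeds the {limit}-group limit; add a group filter in the IdP"
    elif expected_group not in groups:
        verdict = f"group {expected_group!r} not in assertion; check the IdP group filter and mapping"
    else:
        verdict = "ok: expected group present and group count within limit"
    return {
        "group_count": 0 if groups is None else len(groups),
        "group_attr_present": groups is not None,
        "expected_group_present": bool(groups) and expected_group in groups,
        "verdict": verdict,
    }


def build_sample_assertion(groups, attr_name=DEFAULT_GROUP_ATTR):
    """Constructed sample SAML response for offline testing: unsigned, with a
    placeholder tenant in the issuer. Pass groups=None to omit the group
    attribute entirely, which is what the article describes for users over
    the limit."""
    attr_stmt = ""
    if groups is not None:
        values = "".join(f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>" for g in groups)
        attr_stmt = (f'<saml:AttributeStatement><saml:Attribute Name="{attr_name}">'
                     f"{values}</saml:Attribute></saml:AttributeStatement>")
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">'
            "<saml:Assertion>"
            "<saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>"
            "<saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>"
            f"{attr_stmt}</saml:Assertion></samlp:Response>")


if __name__ == "__main__":
    # Constructed inputs: a healthy assertion and one with the claim dropped.
    healthy = build_sample_assertion(["AD_Group1", "AD_Group2"])
    dropped = build_sample_assertion(None)
    print(diagnose(healthy, "AD_Group1")["verdict"])
    print(diagnose(dropped, "AD_Group1")["verdict"])
```

To run this against a real login, capture the base64-decoded SAMLResponse from a browser SAML tracer (or the assertion shown by Terraform's SAML troubleshooting guide) and pass the XML string to diagnose() with the group value your team mapping expects. Note that Entra ID sends group object IDs rather than display names by default, so the expected value is usually a GUID, not "AD_Group1".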
For detailed instructions, refer to the Microsoft documentation on how to Configure group claims for applications by using Microsoft Entra ID.
Additional Information
- For further diagnostic steps, please see the guide on Troubleshooting the SAML Assertion.