Problem
Users with a high number of group memberships may be unable to log in to Terraform Enterprise or HCP Terraform, receiving a 500 error after a failed SAML authentication attempt. This issue is often caused by an oversized SAML assertion that exceeds the default size limit.
When a user attempts to log in via Single Sign-On (SSO), you may find relevant error details in the nginx.log and atlas.log files on the Terraform Enterprise instance.
An nginx.log entry may show the 500 error response.
## nginx.log
00.000.00.000 - - "POST /users/saml/auth HTTP/1.1" 500 0 "https://id.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) *****/20000000 Firefox/123.0"
An atlas.log entry may show the specific validation error.
## atlas.log
[ERROR] [***************] [dd.service=atlas dd.trace_id=************* dd.span_id=0 ddsource=ruby] exception=OneLogin::RubySaml::ValidationError message=Encoded SAML Message exceeds 250000 bytes
Prerequisites
This guide applies to Terraform Enterprise and HCP Terraform organizations that have SSO and SSO team management enabled. The 250,000-byte limit is fixed in Terraform Enterprise releases earlier than v202406-1 and is configurable starting from v202406-1; installations on earlier releases can only resolve the issue on the IdP side, as described below.
Cause
This issue occurs when a user belongs to many groups, causing the SAML assertion sent by the Identity Provider (IdP) to exceed Terraform Enterprise's default 250,000-byte limit. The limit is applied to the base64-encoded SAMLResponse that the browser posts to /users/saml/auth, which is why atlas.log reports the size of the "Encoded SAML Message" rather than of the decoded XML. You can confirm this by capturing the assertion during a login attempt with a browser extension such as SAML-tracer and checking the size of the SAMLResponse parameter.
The MemberOf attribute in the assertion contains a long list of groups, one AttributeValue element per group, and each element repeats the same markup and xmlns:xsi declaration, so the assertion grows by well over 100 bytes per group.
<saml:AttributeStatement>
  <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs1</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers1</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs2</saml:AttributeValue>
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers2</saml:AttributeValue>
    <!-- ... and so on -->
  </saml:Attribute>
</saml:AttributeStatement>
Solutions
Resolving this issue requires collaboration with an Identity Provider (IdP) administrator, as the SAML assertion is configured on the IdP side. You can provide your administrator with a captured SAML assertion to explain what needs to be adjusted. The following workarounds can help resolve the issue.
Solution 1: Consolidate IdP Groups
Work with your IdP administrator to consolidate the user's group memberships by removing them from inactive or unused groups. Reducing the number of groups in the MemberOf attribute will decrease the size of the SAML assertion.
Solution 2: Use a Comma-Separated Group List
Modify the SAML attribute in your IdP (e.g., Okta) to send the group list as a single comma-separated value instead of one AttributeValue element per group. This removes the per-group element markup and repeated xmlns:xsi declaration, which is most of the assertion's size; the remaining size still grows with the number and length of the group names, so very large group lists may also need Solution 1.
The MemberOf attribute should be updated to look like the following example.
<saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs,reviewers,devs1,reviewers1,devs2,reviewers2,devs3,reviewers3,devs4,reviewers4,devs5,reviewers5</saml:AttributeValue>
</saml:Attribute>
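To check a captured assertion against the limit, and to see how much the comma-separated form saves, the following Python script is an added example; it is not part of this article and not Terraform Enterprise or IdP code. It measures the message the way the atlas.log error does (the byte size of the base64-encoded SAMLResponse parameter, before decoding), parses MemberOf from either shape shown in the Cause and Solution 2 sections, and builds constructed sample assertions in both shapes for comparison. The 250,000-byte constant is the default named in the error above; the sample assertions are minimal and carry only the AttributeStatement, not the signature, Subject or Conditions a real IdP would include.

```python
import base64
import xml.etree.ElementTree as ET

# Default ceiling Terraform Enterprise applies to the base64-encoded SAMLResponse
# POST parameter (the "Encoded SAML Message" in atlas.log), in bytes.
MESSAGE_MAX_BYTES = 250_000

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# One AttributeValue element as emitted in the captured assertion; the xmlns:xsi
# declaration is repeated on every element, which is where the size goes.
ATTRIBUTE_VALUE = (
    '<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:type="xs:string">{value}</saml:AttributeValue>'
)


def build_assertion(groups, comma_separated=False):
    """Constructed sample: a minimal assertion carrying only a MemberOf attribute.

    comma_separated=False reproduces the one-element-per-group shape from the
    Cause section; comma_separated=True reproduces the Solution 2 shape.
    """
    if comma_separated:
        values = ATTRIBUTE_VALUE.format(value=",".join(groups))
    else:
        values = "".join(ATTRIBUTE_VALUE.format(value=g) for g in groups)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="MemberOf" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
        f"{values}"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    ).encode()


def member_of(xml_bytes):
    """Return the MemberOf group list, accepting either assertion shape.

    Multi-valued attributes yield one group per AttributeValue; a single
    comma-separated value is split on commas (group names containing commas
    cannot be told apart in that form).
    """
    root = ET.fromstring(xml_bytes)
    groups = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != "MemberOf":
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            groups.extend(g.strip() for g in (value.text or "").split(",") if g.strip())
    return groups


def inspect_saml_response(saml_response, limit=MESSAGE_MAX_BYTES):
    """Inspect a SAMLResponse POST parameter, e.g. copied out of SAML-tracer.

    The limit is compared against the encoded parameter as posted, which is
    what the "Encoded SAML Message exceeds ..." error measures; the decoded
    XML is only used to count groups.
    """
    encoded = "".join(saml_response.split()).encode()  # tolerate wrapped copies
    xml_bytes = base64.b64decode(encoded)
    return {
        "encoded_bytes": len(encoded),
        "raw_bytes": len(xml_bytes),
        "groups": len(member_of(xml_bytes)),
        "over_limit": len(encoded) > limit,
    }


if __name__ == "__main__":
    # Constructed group list in the page's naming style: 1,500 devs/reviewers pairs.
    groups = [name for i in range(1, 1501) for name in (f"devs{i}", f"reviewers{i}")]
    for label, csv in (("one AttributeValue per group", False), ("comma-separated list", True)):
        encoded = base64.b64encode(build_assertion(groups, comma_separated=csv)).decode()
        print(f"{label}: {inspect_saml_response(encoded)}")
```

Because base64 inflates its input by a factor of 4/3, the 250,000-byte limit corresponds to about 187,500 bytes of assertion XML; with roughly 120 bytes of markup per AttributeValue, a few thousand groups are enough to trip it, whereas the same groups as one comma-separated value cost only their names plus separators. Paste the SAMLResponse value captured by SAML-tracer into inspect_saml_response to get the exact numbers for a real login attempt.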
Additional Information
- For more details on the MemberOf attribute, see the SAML Attribute reference in Terraform.
- For an example of how to configure this in Okta, refer to this Okta Reference guide.