Introduction
Users with a high number of group memberships may be unable to log in to Terraform Enterprise (TFE) because the SAML assertion sent by the identity provider (IdP) is too large. When a user's SAML login fails and TFE returns a 500 error response, the cause is often the large number of group membership attribute values included in the SAML assertion.
Below are some suggested workarounds to help address this issue.
Prerequisites
This KB applies to Terraform Enterprise/Terraform Cloud (TFC) organizations that have Single Sign-On (SSO) and SSO team management enabled. The issue affects TFE versions earlier than v202406-1; starting with v202406-1 the size limit is configurable.
Scenario
When a user attempts to log in to TFE/TFC via SSO (e.g., Okta, OneLogin, ADFS, AzureAD) and receives a 500 error response, the relevant details are logged in the nginx.log and atlas.log files. These logs can be accessed by logging in to the TFE instance.
Below are some example log entries for reference.
nginx.log
00.000.00.000 - - [13/Mar/2024:06:52:16 +0000] "POST /users/saml/auth HTTP/1.1" 500 0 "https://id.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) *****/20000000 Firefox/123.0"
atlas.log
2024-03-13 06:52:16 [ERROR] [***************] [dd.service=atlas dd.trace_id=************* dd.span_id=0 ddsource=ruby] exception=OneLogin::RubySaml::ValidationError message=Encoded SAML Message exceeds 250000 bytes
Cause
This issue occurs when a user belongs to a large number of groups, causing the base64-encoded SAML message that carries the assertion to exceed the default 250,000-byte limit enforced by TFE's SAML library (the OneLogin::RubySaml error shown above). You can confirm this by capturing the SAML response during the login attempt with a browser extension such as SAML-Tracer and checking its size and the number of MemberOf values. Note that the captured response contains the user's identity attributes, so handle it as sensitive data.
For example, if a user is associated with a large number of group memberships, it may appear as shown below:
<saml:AttributeStatement>
<saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs1</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers1</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs2</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers2</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs3</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers3</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs4</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers4</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs5</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers5</saml:AttributeValue>
...
</saml:Attribute>
</saml:AttributeStatement>
Solutions
To resolve SAML assertion size errors, work with an IdP administrator, since the content and format of the SAML assertion are configured on the IdP side of this integration. This document, our sample SAML assertion and response, and the captured SAML assertion can be provided to the administrator to explain what needs to be adjusted.
Outlined below are several workarounds that can be implemented to help address and resolve this issue.
Option 1: Consolidate groups
Reduce the number of groups sent for the user by removing them from inactive or unused groups, so that fewer MemberOf values are included in the assertion.
Option 2: Use comma-separated list of groups
Modify the SAML attribute mapping in Okta (or the equivalent attribute configuration in another IdP) so that all group names are sent as a single comma-separated value instead of one AttributeValue element per group. The specific attribute that needs to be updated is MemberOf. This removes the per-value XML overhead (each AttributeValue element carries its own namespace declaration and type attribute) while TFE still reads the same team names, because it splits the value on commas. For the same reason, a team name that itself contains a comma cannot be carried in this format.
<saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs,reviewers,devs1,reviewers1,devs2,reviewers2,devs3,reviewers3,devs4,reviewers4,devs5,reviewers5</saml:AttributeValue>
</saml:Attribute>
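The following Python script is an added triage example for the Scenario, Cause and Option 2 sections above; it is not TFE code or part of this KB's original content. It recognizes the atlas.log error line, measures a captured SAMLResponse POST value the way TFE's SAML library does (the base64-encoded size against the default 250,000-byte limit), and counts the MemberOf team names in both layouts. The constructed statements it builds mirror the page's MemberOf layout; the 2,500 constructed group names, the log-line regex and the helper names are assumptions for illustration, not values from the page.

```python
"""Triage helpers for the TFE oversized-SAML-assertion failure.

Added example, not TFE's own code. The atlas.log regex and the constructed
MemberOf statements are assumptions that mirror the formats shown in the KB.
"""
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Default ceiling TFE's SAML library applies to the base64-encoded SAMLResponse
MAX_ENCODED_BYTES = 250_000

# Matches the atlas.log error shown in the KB and captures the reported limit
ATLAS_ERROR_RE = re.compile(
    r"exception=OneLogin::RubySaml::ValidationError "
    r"message=Encoded SAML Message exceeds (?P<limit>\d+) bytes"
)


def oversized_saml_events(atlas_lines):
    """Return the byte limit reported by each atlas.log line carrying the size error."""
    limits = []
    for line in atlas_lines:
        match = ATLAS_ERROR_RE.search(line)
        if match:
            limits.append(int(match.group("limit")))
    return limits


# One AttributeValue per group, in the layout Okta emits by default (see the KB's sample)
VALUE_TEMPLATE = (
    '<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:type="xs:string">{}</saml:AttributeValue>'
)


def build_statement(groups, comma_separated=False):
    """Constructed AttributeStatement: one AttributeValue per group (default layout)
    or a single comma-separated AttributeValue (the Option 2 layout)."""
    values = [",".join(groups)] if comma_separated else list(groups)
    body = "".join(VALUE_TEMPLATE.format(v) for v in values)
    return (
        f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">'
        '<saml:Attribute Name="MemberOf" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
        f"{body}</saml:Attribute></saml:AttributeStatement>"
    )


def member_of_teams(xml_text):
    """Team names as TFE reads them: every AttributeValue of MemberOf, with each
    value split on commas so both layouts yield the same list."""
    root = ET.fromstring(xml_text)
    teams = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != "MemberOf":
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            teams.extend(t.strip() for t in (value.text or "").split(",") if t.strip())
    return teams


def encode(xml_text):
    """Base64-encode XML the way the HTTP-POST binding carries a SAMLResponse."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def analyze_response(saml_response_b64):
    """Inspect a captured (unencrypted) SAMLResponse value, e.g. from SAML-tracer:
    the encoded size that is compared against the limit, and the MemberOf count."""
    encoded_bytes = len(saml_response_b64.encode("ascii"))
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    return {
        "encoded_bytes": encoded_bytes,
        "exceeds_default_limit": encoded_bytes > MAX_ENCODED_BYTES,
        "team_count": len(member_of_teams(xml_text)),
    }


if __name__ == "__main__":
    groups = [f"team-{i}" for i in range(2500)]  # constructed group names
    print(analyze_response(encode(build_statement(groups))))
    print(analyze_response(encode(build_statement(groups, comma_separated=True))))
```

Run against a real capture, paste the SAMLResponse form value into analyze_response; the size it reports is a lower bound on what the server sees only if the capture was truncated, otherwise it is the same number the library checks. A response whose assertion is encrypted cannot be counted this way, but its size can still be compared against the limit.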