Problem
When a user attempts to log into a Terraform Enterprise (TFE) instance using SAML authentication, they are redirected to an error page with the following message.
An error occurred. Please contact your TFE Administrator for further information. ERROR: Validation failed: Username has already been taken
Prerequisites
- A Terraform Enterprise instance configured with SAML single sign-on (SSO).
- Administrative access to the TFE application server to use the Rails console.
Cause
This error typically occurs when a user's email domain changes in the identity provider (IdP) but is not updated in their TFE user profile. For example, if a user's email is user@example.com in TFE, but the IdP now sends SAML assertions for user@example.net, TFE attempts to create a new user, which fails because the username is already taken by the original account.
Solutions
To resolve this issue, you must manually update the user's email address in the TFE database via the Rails console. You may also need to remove a duplicate user record if one was partially created during a failed login attempt.
Solution 1: Update the User's Email Address
This procedure updates the email address for the existing user account to match the new email address provided by the IdP.
- Access the Rails console on your TFE instance by following the guide on Connecting To The Rails Console.
- Find the user by their username, update their email address, and save the changes. Replace <user_name> and <new_email> with the correct values.
  user = User.find_by(username: "<user_name>")
  user.email = '<new_email>'
  user.save!
- Verify the change was successful by finding the user again and checking their email attribute.
  user = User.find_by(username: "<user_name>")
  user.email
If the user.save! command in step 2 fails with a message that the email has already been taken, proceed to Solution 2.
Solution 2: Remove Duplicate User Record
If the primary solution fails, it indicates that a failed login attempt created a duplicate, partial user record with the new email address but no username. You must remove this duplicate record before you can update the original account.
- Within the Rails console, find the duplicate user record by searching for the new email address.
  user = User.find_by(email: "<new_email>")
- Confirm that this is the duplicate record. It should have the new email address but a nil or empty username.
- Destroy the duplicate record.
  user.destroy!
- After destroying the duplicate, return to Solution 1 and repeat the steps to update the original user's email address.
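The steps in Solution 1 and Solution 2 can be combined into one guarded procedure that checks for a partial duplicate before touching the original account, so the `user.save!` failure in step 2 never happens and a real account is never destroyed by mistake. The following Ruby is an added example, not code from this article or from Terraform Enterprise: the `User` class below is a constructed in-memory stand-in that mimics only the `find_by`, `save!` and `destroy!` behaviour the article relies on, so the logic can be run outside a Rails console; `fix_saml_email` is a hypothetical helper name. In the real Rails console you would drop the stand-in class and keep only `fix_saml_email`.

```ruby
# Constructed stand-in for the TFE `User` model (assumption: the real
# ActiveRecord model enforces unique username and email on save!).
class User
  attr_accessor :username, :email
  @records = []

  class << self
    attr_reader :records

    # Replace the whole table with rows built from hashes (test fixture only).
    def reset!(rows)
      @records = rows.map { |r| new(r[:username], r[:email]) }
    end

    # Minimal find_by: all given attributes must match exactly.
    def find_by(attrs)
      @records.find { |u| attrs.all? { |k, v| u.public_send(k) == v } }
    end
  end

  def initialize(username, email)
    @username = username
    @email = email
  end

  # Mimic the uniqueness validations that produce "has already been taken".
  def save!
    clash = User.records.find do |u|
      !u.equal?(self) &&
        (u.email == email || (!username.nil? && u.username == username))
    end
    raise ArgumentError, "Validation failed: Username or Email has already been taken" if clash

    User.records << self unless User.records.include?(self)
    self
  end

  def destroy!
    User.records.delete(self)
  end
end

# Solution 2 followed by Solution 1, with the safety check from the article:
# only a record with a nil/empty username is treated as a partial duplicate.
def fix_saml_email(username, new_email)
  original = User.find_by(username: username)
  raise "no user with username #{username.inspect}" unless original
  return :already_correct if original.email == new_email

  duplicate = User.find_by(email: new_email)
  if duplicate && !duplicate.equal?(original)
    unless duplicate.username.nil? || duplicate.username.empty?
      # A populated username means this is a different, real account.
      raise "#{new_email} belongs to account #{duplicate.username.inspect}; refusing to destroy"
    end
    duplicate.destroy!
  end

  original.email = new_email
  original.save!
  :updated
end
```

Running `fix_saml_email("<user_name>", "<new_email>")` returns `:updated` when the email was changed, `:already_correct` when nothing needed doing, and raises instead of deleting anything that is not a partial record. Confirm the result with `User.find_by(username: "<user_name>").email` as in step 3 of Solution 1.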
Outcome
After successfully updating the user's email address in TFE to match the IdP, the user should be able to log in via SAML without encountering the "Username has already been taken" error.