Introduction
You have configured your Terraform Enterprise (TFE) for SAML SSO logins.
When a user tries to log in they see the following error:
An error occurred. Please contact your TFE Administrator for further information. ERROR: Validation failed: Username has already been taken
In your IdP everything seems correct, and the user has a unique email address.
Scenario
You have a user logging in with SAML SSO to your TFE with the email address john.doe@email.com.
The user gets an error at login: Username has already been taken.
There already is another user with the same name but a different email address: john.doe@example.com.
By default, Terraform Enterprise parses the email address of a user login and creates a username from it: the domain is cut off, and the dot (.) is replaced by an underscore (_).
For both users this results in the username john_doe. However, a username in Terraform Enterprise must be unique.
Recommendation
Configure the Username attribute in your IdP to map to a field that is unique for every user.
Caveats
1. The constraints for a username in TFE:
- It must be unique
- It can only contain alphanumeric characters, dashes (-), or underscores (_)
- It can't contain spaces
2. If the Username attribute does contain spaces, Terraform Enterprise will not error, but the username will be set to everything before the first space. For example, if Username maps to the value John Doe, the username in Terraform Enterprise will be John.
3. If Terraform Enterprise fails to parse the Username attribute, it falls back to parsing the email address.
4. Before changing usernames, please keep the following in mind:
Changing your username can cause important operations to fail. This is because it is used in URL paths to various resources. If external systems make requests to these resources, you'll need to update them prior to making a change.
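The following is an added example, not code from this article or from Terraform Enterprise. It models the username derivation described in the Scenario and Caveats sections (email local part with the dot replaced by an underscore; a Username attribute truncated at its first space; fallback to the email address when the attribute cannot be parsed) so that an administrator can run a directory export through it and find colliding usernames before pointing the IdP mapping at a new field. The user list, the attribute values, and the exact validation rule applied to the attribute are constructed assumptions; TFE's real parser may differ in details the article does not state.

```python
import re

# Allowed characters per the article's caveats: alphanumeric, dash, underscore.
# Treating anything else as "fails to parse" is an assumption of this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def username_from_email(email):
    """Default TFE behaviour as described: drop the domain, replace '.' with '_'."""
    local_part = email.split("@", 1)[0]
    return local_part.replace(".", "_")


def username_from_attribute(value):
    """Model the Username attribute: keep everything before the first space.

    Returns None when the attribute is missing or the remaining value does not
    satisfy the username constraints, which the article says triggers the
    fallback to the email address.
    """
    if not value:
        return None
    candidate = value.strip().split(" ", 1)[0]
    if USERNAME_RE.fullmatch(candidate):
        return candidate
    return None


def derive_username(username_attr, email):
    """Resolve the username TFE would assign for one SAML assertion."""
    from_attr = username_from_attribute(username_attr)
    if from_attr is not None:
        return from_attr
    return username_from_email(email)


def find_collisions(users):
    """users: iterable of (username_attr or None, email).

    Returns {username: [emails]} for every username claimed by more than one
    distinct email address, i.e. the logins that would fail with
    "Username has already been taken".
    """
    claimed = {}
    for username_attr, email in users:
        name = derive_username(username_attr, email)
        claimed.setdefault(name, []).append(email)
    return {name: emails for name, emails in claimed.items() if len(emails) > 1}


# Constructed sample directory: no Username attribute mapped for the first two
# users (so TFE falls back to the email), a space-containing attribute for the
# third, and a unique employee-id style attribute for the fourth.
SAMPLE_USERS = [
    (None, "john.doe@email.com"),
    (None, "john.doe@example.com"),
    ("John Doe", "jdoe@example.com"),
    ("e10042", "jane.roe@example.com"),
]

if __name__ == "__main__":
    for attr, mail in SAMPLE_USERS:
        print(f"{mail:28s} -> {derive_username(attr, mail)}")
    print("collisions:", find_collisions(SAMPLE_USERS))
```

Running it on the sample shows the two john.doe addresses both resolving to john_doe, which is exactly the collision the article describes; after remapping the Username attribute to a unique field such as an employee id, the same script should report no collisions.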