Introduction
SAML is used to map team membership within Terraform Enterprise: the SAML assertion received from the IdP (identity provider) on a login attempt is the source of truth for a user's teams until that user's SAML-authenticated web session expires.
This team membership mapping is not updated dynamically, because there is no continuous communication between the IdP and Terraform Enterprise between logins.
For a user to be added to or removed from teams in Terraform Enterprise, a new login must be made through the identity provider so that Terraform Enterprise receives an updated team membership mapping in the new assertion.
Once that new login has been made, users logging in via SAML are automatically added to the teams included in the new assertion and automatically removed from any teams that are not included in it.
Recommendation
Updating membership mapping:
- Log out of Terraform Enterprise.
- Log out of the identity provider, e.g. Okta.
- Log in to the identity provider, which should now hold the updated membership mapping.
- Log in to Terraform Enterprise.
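The following Python example is added here to illustrate the mechanism described above; it is not code from Terraform Enterprise or from the original article. It parses a constructed SAML 2.0 assertion, reads the team names from a team attribute (the attribute name is configurable in Terraform Enterprise; this example assumes `MemberOf`), and computes which teams a user must be added to or removed from, which is exactly the reconciliation that only happens at login time. The `login()` helper simulates the recommended log-out/log-in cycle: until a fresh assertion arrives, the membership recorded at the previous login stays in force. The `teams_from_assertion` and `reconcile_membership` function names, the sample user, and the team names are all constructed for the example. Signature validation of the assertion is out of scope here and is assumed to have already been performed by the service provider before any attribute is trusted.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TEAM_ATTRIBUTE = "MemberOf"  # assumption: the configured team attribute name

# Constructed sample assertion (no real IdP, user, or team data).
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="MemberOf">
      <saml:AttributeValue>devs</saml:AttributeValue>
      <saml:AttributeValue>ops</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def teams_from_assertion(assertion_xml, attribute_name=TEAM_ATTRIBUTE):
    """Return the set of team names carried in the assertion's team attribute.

    An assertion with no such attribute yields an empty set, which on
    reconciliation removes the user from every team: the assertion is the
    source of truth, so a missing attribute means 'no teams'.
    """
    root = ET.fromstring(assertion_xml)
    teams = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                teams.add(value.text.strip())
    return teams


def reconcile_membership(current_teams, asserted_teams):
    """Diff the stored membership against the freshly asserted membership."""
    current = set(current_teams)
    asserted = set(asserted_teams)
    return {
        "add": sorted(asserted - current),      # in the assertion, not yet a member
        "remove": sorted(current - asserted),   # member today, absent from the assertion
        "keep": sorted(current & asserted),
    }


class MembershipStore:
    """Minimal stand-in for the service provider's per-user team record."""

    def __init__(self):
        self.teams = {}  # user -> set of team names fixed at last login

    def login(self, user, assertion_xml):
        """Apply an assertion as a new login; membership only changes here."""
        asserted = teams_from_assertion(assertion_xml)
        change = reconcile_membership(self.teams.get(user, set()), asserted)
        self.teams[user] = asserted
        return change


def demo():
    """First login establishes membership; an IdP-side change has no effect
    until the user logs in again with a new assertion."""
    store = MembershipStore()
    first = store.login("alice@example.test", SAMPLE_ASSERTION)
    # IdP removes 'ops' and adds 'security'; nothing changes until re-login.
    updated = SAMPLE_ASSERTION.replace(
        "<saml:AttributeValue>ops</saml:AttributeValue>",
        "<saml:AttributeValue>security</saml:AttributeValue>",
    )
    before_relogin = sorted(store.teams["alice@example.test"])
    second = store.login("alice@example.test", updated)
    return first, before_relogin, second


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Running the block shows the first login adding `devs` and `ops`, the stored membership remaining `['devs', 'ops']` after the IdP-side change, and the second login adding `security` while removing `ops`, which matches the behaviour the Introduction describes and why the Recommendation asks for a full log-out and log-in cycle.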