Issue
After adding a SAML-authenticated user to a team in Terraform Enterprise (TFE) or HCP Terraform, the user does not immediately receive the expected permissions. The user may still be unable to access workspaces or perform actions associated with the team.
Symptoms
User added to a team, but access does not change
Workspace permissions remain unchanged
User receives authorization or access denied errors
UI reflects team membership, but permissions are not applied
Issue resolves after the user logs out and logs back in
Environment
Terraform Enterprise or HCP Terraform
SAML Single Sign-On (SSO) enabled
User authenticated via SAML (IdP-managed identity)
Cause
When SAML is enabled, team membership and permissions are evaluated at login time.
If a user is already logged in when they are added to a team, their existing session does not automatically refresh to reflect the updated team membership.
Terraform Enterprise / HCP Terraform does not request a new SAML assertion for an active session, so the session keeps the team membership it was given at login.
Resolution
The user must refresh their SAML session for the new team membership to take effect.
Option 1: User Logs Out and Logs Back In (Recommended)
Have the affected user log out of Terraform Enterprise / HCP Terraform.
Have the user log back in using SAML authentication.
Confirm the user now has the expected access.
Option 2: User Waits for Session Expiration
If logout is not immediately possible, access will update automatically once the SAML session expires and the user re-authenticates.
Session duration is controlled by the Identity Provider (IdP).
Verification
After re-authentication:
User permissions align with the team’s access level
Workspace access and actions behave as expected
No authorization errors persist
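A practical way to confirm the verification points above is to compare what the organization data says (which teams the user belongs to, and what access those teams hold on a workspace) against what the user actually experiences after re-login: if the API shows the team grants access but the user still receives authorization errors, the session is stale. The script below is an added example written for this article, not HashiCorp code. It assumes the public API v2 endpoints GET /api/v2/organizations/<org>/teams and GET /api/v2/team-workspaces?filter[workspace][id]=<ws>, bearer-token authentication, and the JSON:API response shape shown in the constructed sample documents; confirm these against the API documentation for your TFE version.

```python
"""Check a user's team membership and the workspace access those teams grant,
using Terraform Enterprise / HCP Terraform API v2 responses.

Added example for this article; not HashiCorp code. Endpoint paths and the
response shape are assumptions based on the public API v2 docs.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample responses (not real data), shaped like
#   GET /api/v2/organizations/<org>/teams
#   GET /api/v2/team-workspaces?filter[workspace][id]=<ws>
SAMPLE_TEAMS = json.loads("""
{"data": [
  {"id": "team-AAA111", "type": "teams",
   "attributes": {"name": "platform-admins"},
   "relationships": {"users": {"data": [{"id": "user-OPS1", "type": "users"}]}}},
  {"id": "team-BBB222", "type": "teams",
   "attributes": {"name": "app-developers"},
   "relationships": {"users": {"data": [
      {"id": "user-OPS1", "type": "users"},
      {"id": "user-DEV7", "type": "users"}]}}}
]}
""")

SAMPLE_TEAM_WORKSPACES = json.loads("""
{"data": [
  {"id": "tws-1", "type": "team-workspaces",
   "attributes": {"access": "admin"},
   "relationships": {"team": {"data": {"id": "team-AAA111", "type": "teams"}},
                     "workspace": {"data": {"id": "ws-PROD", "type": "workspaces"}}}},
  {"id": "tws-2", "type": "team-workspaces",
   "attributes": {"access": "plan"},
   "relationships": {"team": {"data": {"id": "team-BBB222", "type": "teams"}},
                     "workspace": {"data": {"id": "ws-PROD", "type": "workspaces"}}}}
]}
""")

# Built-in workspace access levels, lowest to highest.
ACCESS_RANK = {"read": 1, "plan": 2, "write": 3, "admin": 4}


def teams_for_user(teams_doc, user_id):
    """Return {team_id: team_name} for every team whose membership lists user_id."""
    result = {}
    for team in teams_doc.get("data", []):
        members = team.get("relationships", {}).get("users", {}).get("data", [])
        if any(m.get("id") == user_id for m in members):
            result[team["id"]] = team["attributes"]["name"]
    return result


def expected_access(team_workspaces_doc, team_ids):
    """Highest built-in access level granted on the workspace by any of team_ids.

    Returns "custom" when only custom-permission grants exist (custom sets are
    not rank-comparable), and None when none of the teams has access.
    """
    built_in, custom = [], False
    for tws in team_workspaces_doc.get("data", []):
        if tws["relationships"]["team"]["data"]["id"] not in team_ids:
            continue
        level = tws["attributes"]["access"]
        if level == "custom":
            custom = True
        elif level in ACCESS_RANK:
            built_in.append(level)
    if built_in:
        return max(built_in, key=ACCESS_RANK.get)
    return "custom" if custom else None


def fetch(path, token, host="app.terraform.io"):
    """GET one API v2 path with a user or team token (assumed: Bearer auth)."""
    req = urllib.request.Request(
        f"https://{host}{path}",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/vnd.api+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check(user_id, org, workspace_id, token=None, host="app.terraform.io"):
    """Resolve the user's teams and the access they grant on workspace_id.

    Without a token the constructed sample documents are used, so the check
    runs offline; with a token the live API is queried.
    """
    if token:
        teams = fetch(f"/api/v2/organizations/{org}/teams", token, host)
        query = urllib.parse.urlencode({"filter[workspace][id]": workspace_id})
        tws = fetch(f"/api/v2/team-workspaces?{query}", token, host)
    else:
        teams, tws = SAMPLE_TEAMS, SAMPLE_TEAM_WORKSPACES
    my_teams = teams_for_user(teams, user_id)
    return {"teams": my_teams, "access": expected_access(tws, set(my_teams))}


if __name__ == "__main__":
    print(check("user-DEV7", "example-org", "ws-PROD"))
    # prints {'teams': {'team-BBB222': 'app-developers'}, 'access': 'plan'}
```

Run it with a token that can read the organization's teams (an organization or owners-team token, for example) to get the membership view the platform holds; then have the user try the action in the UI. A non-empty access level here together with an "access denied" in the user's browser is the stale-session signature this article describes, and should clear after the user logs out and back in. The teams endpoint is paginated, so on large organizations follow the page[number] links rather than relying on the first page alone.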
Additional Notes
This behavior is expected and not a bug.
Changes to teams, roles, or permissions for SAML users always require a session refresh before they take effect.
This does not affect users authenticated via local accounts or non-SSO methods.
Best Practices
Inform users in advance that they must log out and log back in after permission changes
Apply team changes during low-impact windows when possible
Align IdP session timeout values with organizational access policies