Introduction
Terraform Enterprise and Terraform Cloud teams can be managed either directly in Terraform or through single sign-on (SSO). When teams are managed through SSO, Terraform adds users to and removes them from teams based on the team names carried in the SAML MemberOf attribute of each login assertion, for example:
<saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers</saml:AttributeValue>
</saml:Attribute>
Problem
If the SAML assertion only contains a single Terraform team and the user is then removed from that team in the Identity Provider (IdP), the user may remain a member of the team in Terraform, and so keeps whatever organization and workspace permissions that team grants.
Cause
To manage teams through SAML, Terraform expects every assertion to contain the MemberOf attribute, even when it has no values. An assertion that omits the attribute entirely carries no team information, so Terraform leaves the user's existing memberships unchanged. When a user belongs to only one team and is removed from it, the IdP may be configured to stop sending MemberOf altogether once the attribute has no values, rather than sending it empty, so Terraform never receives the updated (empty) membership list.
Solution
The solution is to configure the IdP to send an empty MemberOf attribute rather than omitting the attribute altogether. This must be configured on the IdP side. After the change, the assertion for a user with no team memberships should contain the attribute with no AttributeValue children:
<saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
</saml:Attribute>
Additional Information
To confirm whether the attribute is being sent, capture the SAML assertion for an affected user and check it for the MemberOf attribute. After the user has been removed from their last team, the attribute should still be present, with no AttributeValue children. The following article describes how to capture an assertion:
https://support.hashicorp.com/hc/en-us/articles/1500005371682-Capturing-a-SAML-Assertion
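Once an assertion has been captured, the three states that matter here are easy to confuse in raw XML: the attribute present with team names, present but empty (the fix described above), and absent entirely (the state that leaves memberships stale). The script below, added here as an example and not HashiCorp code, classifies a captured assertion into one of those states. It assumes the attribute is named MemberOf, as in the article's examples; the three sample assertions are constructed for illustration and omit the Issuer, Signature, Subject and Conditions elements a real assertion carries.

```python
"""Classify the Terraform team attribute in a captured SAML assertion.

Added example, not HashiCorp's code. States returned:
  "populated" - attribute present with one or more team names
  "empty"     - attribute present with no values (what the IdP should send)
  "missing"   - attribute absent (Terraform gets no team information and
                leaves existing memberships unchanged)
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_TAG = f"{{{SAML_NS}}}Attribute"
VALUE_TAG = f"{{{SAML_NS}}}AttributeValue"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def decode_saml_response(saml_response_b64: str) -> str:
    """Decode the base64 SAMLResponse form field of an HTTP-POST binding.

    Encrypted assertions (EncryptedAssertion) are not handled; they have to be
    decrypted with the service provider's key before they can be inspected.
    """
    return base64.b64decode(saml_response_b64).decode("utf-8")


def team_attribute_state(assertion_xml: str, attr_name: str = "MemberOf"):
    """Return (state, teams) for the named attribute anywhere in the document.

    attr_name must match the Team Attribute Name configured in Terraform;
    "MemberOf" is the name used in the article's examples (assumption).
    """
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(ATTR_TAG):
        if attr.get("Name") != attr_name:
            continue
        # Whitespace-only or self-closed AttributeValue elements are ignored
        # by this script and treated as "no team" (this script's choice).
        teams = [
            v.text.strip()
            for v in attr.findall(VALUE_TAG)
            if v.text and v.text.strip()
        ]
        return ("populated" if teams else "empty", teams)
    return ("missing", [])


def removal_is_visible_to_terraform(assertion_xml: str) -> bool:
    """True unless the attribute is missing, the case the article describes."""
    state, _ = team_attribute_state(assertion_xml)
    return state != "missing"


def _assertion(attribute_xml: str) -> str:
    """Constructed minimal assertion wrapper for the samples below."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">'
        "<saml:AttributeStatement>"
        f"{attribute_xml}"
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed samples, one per state.
POPULATED = _assertion(
    f'<saml:Attribute Name="MemberOf" NameFormat="{BASIC_FORMAT}">'
    '<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xsi:type="xs:string">devs</saml:AttributeValue>'
    '<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xsi:type="xs:string">reviewers</saml:AttributeValue>'
    "</saml:Attribute>"
)
EMPTY = _assertion(
    f'<saml:Attribute Name="MemberOf" NameFormat="{BASIC_FORMAT}"></saml:Attribute>'
)
MISSING = _assertion("")  # no MemberOf at all

# A constructed base64 SAMLResponse-style payload, as a browser would POST it.
ENCODED_EMPTY = base64.b64encode(EMPTY.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for label, xml in (("populated", POPULATED), ("empty", EMPTY), ("missing", MISSING)):
        state, teams = team_attribute_state(xml)
        note = "" if state != "missing" else "  <- IdP omitted the attribute; fix IdP config"
        print(f"{label:>9}: state={state} teams={teams}{note}")
```

Run it against the decoded assertion captured from the affected user's login: a result of "missing" confirms the IdP is dropping the attribute and the IdP configuration needs to be changed; "empty" means the fix is in place and Terraform will remove the user from the team on the next login.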