Problem
When managing teams in Terraform Enterprise or HCP Terraform through a single sign-on (SSO) provider, users who are removed from a team in the Identity Provider (IdP) may not be automatically removed from the corresponding team in Terraform.
Terraform relies on the team membership attribute in the SAML assertion (MemberOf by default; the name is configurable in the SAML settings) to add or remove users from SSO-managed teams on each login. An example assertion for a user in two teams appears below.
<saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">devs</saml:AttributeValue>
  <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">reviewers</saml:AttributeValue>
</saml:Attribute>
This issue typically occurs when a user belongs to only one SSO-managed team and is removed from it in the IdP. The user then keeps that team's permissions in Terraform even though the IdP no longer grants them.
Cause
To manage team memberships correctly, Terraform expects the SAML assertion to always contain the MemberOf attribute, even when it has no values. When a user is removed from their last remaining team, some IdPs are configured to stop sending the MemberOf attribute entirely rather than sending an empty one. An absent attribute is not the same as an empty attribute: without it, Terraform receives no signal to update the user's team memberships, leaves the existing memberships unchanged, and the user remains in the team.
Solution
To resolve this issue, configure your IdP to always send the MemberOf attribute in the SAML assertion. When a user is not a member of any teams, the IdP should send an empty MemberOf attribute with no AttributeValue elements, as shown in the following example.
<saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
</saml:Attribute>
This configuration ensures that Terraform receives the necessary information to remove the user from all SSO-managed teams.
Additional Information
To confirm whether the MemberOf attribute is being sent correctly, capture and examine the SAML assertion from your IdP. Test with an account that has been removed from every SSO-managed team, since that is the case in which the attribute goes missing. For instructions, refer to the guide on Capturing a SAML Assertion.
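The following script is an added example for this article, not HashiCorp code. It inspects a captured assertion and reports which of the three cases described above applies: attribute present with team names, attribute present but empty (the correct form for a user with no teams), or attribute absent (the form that leaves stale memberships in place). The sample assertions are constructed and unsigned; the attribute name defaults to MemberOf and is passed as a parameter because the name is configurable in Terraform's SAML settings. Matching the attribute name exactly is an assumption of this check, not a statement about how Terraform compares it.

```python
"""Check a captured SAML assertion for the team membership attribute
(MemberOf by default) that Terraform Enterprise / HCP Terraform reads.

Added example for this article; not HashiCorp code. It only inspects
the assertion XML and does not validate the signature. Run it against
assertions you captured yourself, not arbitrary input, since the
standard-library parser offers no protection against entity-expansion
attacks.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"'

# Constructed, minimal, unsigned assertions for the three cases.
ASSERTION_TWO_TEAMS = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue {XSI}>devs</saml:AttributeValue>
      <saml:AttributeValue {XSI}>reviewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Correct form for a user who is in no teams: attribute present, no values.
ASSERTION_EMPTY = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Problematic form: the IdP dropped MemberOf entirely; other attributes remain.
ASSERTION_MISSING = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue {XSI}>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def team_membership(assertion_xml, attribute_name="MemberOf"):
    """Return None when the attribute is absent, otherwise the list of
    team names it carries (an empty list for an empty attribute).

    Works on a bare <saml:Assertion> or a <samlp:Response> wrapping one,
    because the search is over all descendants. Several Attribute
    elements with the same Name are merged. The Name comparison is an
    exact match (assumption of this check).
    """
    root = ET.fromstring(assertion_xml)
    found = False
    teams = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        found = True
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                teams.append(value.text.strip())
    return teams if found else None


def diagnose(assertion_xml, attribute_name="MemberOf"):
    """Classify the assertion into the three cases the article describes."""
    teams = team_membership(assertion_xml, attribute_name)
    if teams is None:
        return "absent: Terraform leaves existing team memberships unchanged"
    if not teams:
        return "empty: Terraform removes the user from all SSO-managed teams"
    return "teams: " + ", ".join(teams)


if __name__ == "__main__":
    for label, xml in (("two teams", ASSERTION_TWO_TEAMS),
                       ("no teams", ASSERTION_EMPTY),
                       ("attribute dropped", ASSERTION_MISSING)):
        print(f"{label:18} -> {diagnose(xml)}")
```

To check a real capture, read the decoded assertion into a string and call diagnose() on it, passing the attribute name configured in your Terraform SAML settings if it is not MemberOf. An "absent" result for a user who has been removed from every team is the misconfiguration this article describes.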