Problem
In an organization with SAML/SSO enabled, Terraform Enterprise users are automatically removed from the owners team.
Cause
Once SAML/SSO is enabled in Terraform Enterprise, the application will rely on the SAML assertion provided by the identity provider (“IdP”) during login as the source of truth for user creation and team membership mapping. This means that users logging in via SAML are automatically added to the teams included in their assertion, and conversely automatically removed from any teams that aren’t included in their assertion. This overrides any team memberships manually set in the UI; whenever the user logs in, their team membership is adjusted to match their SAML assertion.
However, unlike other teams, when SAML is enabled Terraform Enterprise defaults to NOT managing the owners team's membership via SAML unless this is specifically enabled by setting a SAML Role ID on the owners team.
If a SAML Role ID has been set on the owners team, Terraform Enterprise manages access to the owners team through the SAML assertion. Users who were added to the owners team manually in Terraform Enterprise, but whose IdP assertion does not include that role, will therefore be removed from the owners team when they log in.
Solution
If the goal is to have the Terraform Enterprise organization administrator manage the owners team manually, the SAML Role ID needs to be removed from the owners team. To do this:
- Navigate to the organization settings page.
- Click "Teams", then click the owners team.
- Clear the SAML Role ID field and save the settings.
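The following is an added illustration, not Terraform Enterprise code, of the login-time reconciliation described in the Cause section and of why clearing the SAML Role ID (the Solution) stops the removal. It models teams, their SAML Role IDs and the role IDs carried in a user's assertion as plain Python values; the team names, role IDs and user names are constructed for the example, and the rule that only the owners team is exempt from SAML management when it has no Role ID is taken from the text above.

```python
"""Model of SAML-driven team membership reconciliation at login.

Added example, not Terraform Enterprise's own code. Assumptions:
  - every team may carry a SAML Role ID (None = no Role ID configured);
  - the IdP assertion carries the set of role IDs for the logging-in user;
  - the owners team is only synced from SAML when it has a Role ID set,
    every other team is synced against the assertion on each login.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

OWNERS = "owners"


@dataclass
class Team:
    name: str
    saml_role_id: Optional[str]
    members: Set[str] = field(default_factory=set)


def is_saml_managed(team: Team) -> bool:
    """Owners is managed by SAML only when a Role ID is present; other teams always are."""
    if team.name == OWNERS:
        return team.saml_role_id is not None
    return True


def reconcile_on_login(teams: Dict[str, Team], user: str, asserted_roles: Set[str]) -> Dict[str, str]:
    """Adjust `user`'s memberships to match the assertion.

    Returns a map of team name -> "added" / "removed" for every change made.
    Manual membership on a team that SAML does not manage is left untouched.
    """
    changes: Dict[str, str] = {}
    for team in teams.values():
        if not is_saml_managed(team):
            continue  # the owners team with no Role ID: manual membership wins
        should_be_member = team.saml_role_id is not None and team.saml_role_id in asserted_roles
        if should_be_member and user not in team.members:
            team.members.add(user)
            changes[team.name] = "added"
        elif not should_be_member and user in team.members:
            team.members.discard(user)
            changes[team.name] = "removed"
    return changes


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed scenario: an admin manually added alice to owners, but her
    assertion only carries the developers role."""

    def fresh_org() -> Dict[str, Team]:
        return {
            OWNERS: Team(OWNERS, "tfe-owners", {"alice"}),
            "developers": Team("developers", "tfe-devs", set()),
        }

    # Cause: owners has a Role ID, so alice is dropped from owners at login.
    managed = fresh_org()
    changes_with_role_id = reconcile_on_login(managed, "alice", {"tfe-devs"})

    # Solution: clear the owners Role ID; manual owners membership now persists.
    manual = fresh_org()
    manual[OWNERS].saml_role_id = None
    changes_without_role_id = reconcile_on_login(manual, "alice", {"tfe-devs"})

    return changes_with_role_id, changes_without_role_id


if __name__ == "__main__":
    with_id, without_id = demo()
    print("owners Role ID set:    ", with_id)     # {'owners': 'removed', 'developers': 'added'}
    print("owners Role ID cleared:", without_id)  # {'developers': 'added'}
```

The useful check for an administrator is the first branch in `reconcile_on_login`: a manual owner survives login only if the owners team has no SAML Role ID, so any owners team that does carry a Role ID must have that same role ID present in the assertion of every intended owner.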