Terraform Enterprise Users Are Automatically Removed From Owners Team

Avatar
Susie Solis
  • Updated

Problem

In an organization with SAML/SSO enabled, Terraform Enterprise users are automatically removed from the owners team.

Cause

When SAML/SSO is enabled in Terraform Enterprise, the application relies on the SAML assertion from the identity provider (IdP) as the source of truth for team membership. Users who log in via SAML are automatically added to teams included in their assertion and removed from any teams not included in the assertion. This process overrides manual team memberships set in the UI.

By default, Terraform Enterprise does not manage the owners team membership via SAML unless you explicitly enable it by setting a SAML Role ID on the team. If a SAML Role ID is set on the owners team, Terraform Enterprise will manage its membership through the SAML assertion. Consequently, any users added manually in the UI will be removed upon their next login if they are not part of the corresponding group in the IdP's assertion.

Solutions

The appropriate solution depends on whether you want to manage the owners team manually within Terraform Enterprise or automatically through your IdP.

Solution 1: Manage the Owners Team Manually in Terraform Enterprise

If you intend to manage the owners team membership manually within the Terraform Enterprise UI, you must remove the SAML Role ID from the team.

To remove the SAML Role ID:

  1. Navigate to your organization's settings page.
  2. Select Teams and then select the owners team.
  3. Clear the contents from the SAML Role ID field.
  4. Save the settings.

This change prevents SAML assertions from overriding manual membership changes for the owners team.

Solution 2: Manage the Owners Team via the Identity Provider (IdP)

If you intend to manage the owners team membership through your IdP, you must configure the membership on the IdP side and ensure it is passed correctly in the SAML assertion. Any manual changes made in the Terraform Enterprise UI will be overridden at the next user login.

Additional Information

Articles in this section

See more

Related articles