Problem
When a user attempts to log into Terraform Enterprise (TFE) or an HCP Terraform organization using SAML authentication, they are redirected to an error page with the following message.
An error occurred. Please contact your TFE Administrator for further information. ERROR: Validation failed: Email is not a valid email address
Prerequisites
- This issue occurs in Terraform Enterprise instances or HCP Terraform organizations with SAML Single Sign-On (SSO) enabled.
Cause
The root cause of this error is that the SAML response from the Identity Provider (IdP) does not meet Terraform's requirements. Specifically, the <saml:NameID> element in the response does not have its Format attribute set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, or the email address it contains is not a valid email address.
You can obtain a copy of the SAML response from your browser to verify its contents by following the instructions in the Capturing a SAML Assertion guide.
Solution
To resolve this issue, configure your SAML Identity Provider to send the <saml:NameID> element with its Format attribute set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and ensure its value is the user's valid email address.
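The following script is an added example, not part of this article or of HashiCorp's tooling, that performs the check described above on a SAML response captured from the browser: it decodes the base64 SAMLResponse form value if needed, locates the <saml:NameID> element in the assertion, and reports whether its Format attribute and its value meet the requirement. The sample responses it builds are constructed for illustration; the email check is a simple shape test, not the exact validation Terraform applies.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
REQUIRED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Simple email shape check (assumption: Terraform's own validation may be stricter).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_saml_response(captured):
    """Accept either raw XML or the base64 SAMLResponse value from a browser capture."""
    text = captured.strip()
    if text.startswith("<"):
        return text
    return base64.b64decode(text).decode("utf-8")


def check_name_id(captured):
    """Return a dict describing whether the NameID satisfies the TFE requirement."""
    root = ET.fromstring(decode_saml_response(captured))
    name_id = root.find(f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None:
        # Also true for encrypted assertions, which must be decrypted first.
        return {"ok": False, "format": None, "value": None,
                "reason": "no <saml:NameID> element found in the assertion"}

    fmt = name_id.get("Format")
    value = (name_id.text or "").strip()
    result = {"ok": False, "format": fmt, "value": value, "reason": ""}

    if fmt != REQUIRED_FORMAT:
        result["reason"] = f"NameID Format is {fmt!r}; TFE requires {REQUIRED_FORMAT!r}"
        return result
    if not EMAIL_RE.match(value):
        result["reason"] = f"NameID value {value!r} is not a valid email address"
        return result

    result["ok"] = True
    result["reason"] = "NameID format and value are acceptable"
    return result


def make_response(name_id_format, name_id_value):
    """Build a minimal constructed SAML response for demonstration (not a real IdP message)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">{name_id_value}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    samples = {
        "correct": make_response(REQUIRED_FORMAT, "jane.doe@example.com"),
        "wrong format": make_response(
            "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "_abc123"),
        "bad email": make_response(REQUIRED_FORMAT, "jane.doe"),
        "base64 capture": base64.b64encode(
            make_response(REQUIRED_FORMAT, "ops@example.com").encode()).decode(),
    }
    for label, captured in samples.items():
        print(f"{label:15s} -> {check_name_id(captured)['reason']}")
```

Paste the decoded assertion (or the base64 SAMLResponse form field) in place of the constructed samples to see which of the two conditions in the Cause section applies before changing the IdP configuration.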
Additional Information
- An example of a correctly formatted SAML response can be found in the Terraform Enterprise SAML documentation.
- For more details on this requirement, please refer to the NameIDFormat Documentation.