When users try to log in to TFE using SAML authentication, they are redirected to an error page stating:
An error occurred. Please contact your TFE Administrator for further information.
ERROR: Validation failed: Email is not a valid email address
This error only occurs in SSO-enabled Terraform instances, including Terraform Cloud for Business organizations.
The root cause of the issue is that the SAML response's <saml:NameID> is not in the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format, or that the email is invalid. A copy of the SAML response can be obtained by following the instructions in the guide Capturing a SAML Assertion.
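Once a SAML response has been captured, both conditions can be checked offline. The script below is an added example, not HashiCorp code. It assumes the captured value is the base64 SAMLResponse from an HTTP-POST binding with an unencrypted assertion. The function names, the email pattern and the sample responses are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Assumption: a loose syntactic check. The exact email validation that TFE
# applies is not stated on this page.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def check_name_id(saml_response_b64):
    """Return a list of problems with the NameID in a base64 SAMLResponse."""
    # Diagnostic use only: parse a response you captured from your own login.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        return ["no <saml:NameID> found (the assertion may be encrypted)"]
    problems = []
    fmt = name_id.get("Format")
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format is {fmt!r}, expected {EMAIL_FORMAT!r}")
    value = name_id.text or ""
    if not EMAIL_RE.fullmatch(value):
        problems.append(f"NameID value {value!r} is not a valid email address")
    return problems


def build_sample(fmt, value):
    """Build a constructed, unsigned SAMLResponse for demonstration only."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Subject>"
        f'<saml:NameID Format="{fmt}">{value}</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    unspecified = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    for fmt, value in [(EMAIL_FORMAT, "user@example.com"), (unspecified, "jdoe")]:
        print(value, "->", check_name_id(build_sample(fmt, value)) or "OK")
```

An empty list means the NameID has the expected format and a syntactically valid email address. Any other result names what the Identity Provider configuration needs to change.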
This issue is resolved by configuring the SAML Identity Provider to send the <saml:NameID> in the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format, with the appropriate email address for the user.
An example of a SAML response can be found here: https://www.terraform.io/enterprise/saml/idp-configuration#example-samlresponse
Documentation on the NameID format: https://www.terraform.io/cloud-docs/users-teams-organizations/single-sign-on#nameid-format
If the steps above do not resolve this issue, please open a support ticket with HashiCorp Support.