Problem
When users try to log into Terraform Enterprise (TFE) using SAML authentication, they are redirected to an error page stating:
An error occurred. Please contact your TFE Administrator for further information.
ERROR: Validation failed: Email is not a valid email address
Prerequisites
This error only occurs on an SSO-enabled Terraform instance; this includes HCP Terraform organizations.
Cause
The root cause of the issue is that the SAML response's <saml:NameID> is not in the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format, or that the email is invalid. A copy of the SAML response can be obtained by following the instructions in the guide Capturing a SAML Assertion.
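Added example, not part of the HashiCorp article: a small Python check you can run over a captured SAML response to see whether the NameID uses the emailAddress format and carries a plausible email. The sample response, its IDs and the value "jdoe" are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a SAML response, trimmed to the elements that matter.
# Not a real capture: IDs and the NameID value are placeholders. The NameID
# here reproduces the failing case: wrong Format and a non-email value.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder" Version="2.0">
  <saml:Assertion ID="_placeholder-assertion" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Deliberately conservative: one '@', no whitespace, a dotted domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_nameid(response_xml):
    """Return a list of problems with the NameID of a SAML response (empty list means it looks fine)."""
    # xml.etree is adequate for a response you captured from your own IdP;
    # use defusedxml when parsing XML from an untrusted party.
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no <saml:NameID> element found in the assertion's Subject"]
    problems = []
    # Per the SAML spec an absent Format attribute means 'unspecified', which TFE also rejects.
    fmt = name_id.get("Format", "")
    value = (name_id.text or "").strip()
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format is {fmt!r}, expected {EMAIL_FORMAT!r}")
    if not EMAIL_RE.match(value):
        problems.append(f"NameID value {value!r} does not look like a valid email address")
    return problems


if __name__ == "__main__":
    for line in check_nameid(SAMPLE_RESPONSE) or ["NameID looks fine"]:
        print(line)
```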
Solution
This issue is resolved by configuring the SAML Identity Provider to send the NameID as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and with the appropriate email address for the user.
Additional Information
An example of a SAML response can be found here: https://www.terraform.io/enterprise/saml/idp-configuration#example-samlresponse
Documentation on the NameID format: https://www.terraform.io/cloud-docs/users-teams-organizations/single-sign-on#nameid-format
If the steps above do not resolve this issue, please open a support ticket with HashiCorp Support.