Single Sign-on: Microsoft Azure AD
The Microsoft Azure AD SSO integration currently supports the following SAML features:
- Service Provider (SP) initiated SSO
- Identity Provider (IdP) initiated SSO
- Just-in-Time Provisioning
For more information on the listed features, visit the Microsoft Azure AD SAML Protocol Documentation.
Configuration (Microsoft Azure AD)
- Sign in to the Azure portal.
- On the left navigation pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications and then select All Applications.
- To add a new application, select New application.
- In the Add from the gallery section, type Terraform Cloud in the search box.
- Select Terraform Cloud from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
- On the Terraform Cloud application integration page, find the Manage section and select single sign-on.
- On the Select a single sign-on method page, select SAML.
- In the SAML Signing Certificate section (you may need to refresh the page), copy the App Federation Metadata URL.
Configuration (HCP Terraform)
- Visit your organization settings page and click "SSO".
- Click "Setup SSO".
- Select "Azure" and click "Next".
- Provide your App Federation Metadata URL.
- Save, and you should see a completed Terraform Cloud SAML configuration.
- Copy the Entity ID and Reply URL.
Configuration (Microsoft Azure AD)
- In the Azure portal, on the Terraform Cloud application integration page, find the Manage section and select single sign-on.
- On the Select a single sign-on method page, select SAML.
- On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.
- In the Identifier text box, paste the Entity ID.
- In the Reply URL text box, paste the Reply URL.
- For Service Provider initiated SSO, type https://app.terraform.io/session in the Sign-On URL text box. Otherwise, leave the box blank.
- Select Save.
- On the Single sign-on page, download the Certificate (Base64) file from under SAML Signing Certificate.
- In the app's overview page, find the Manage section and select Users and groups.
- Select Add user, then select Users and groups in the Add Assignment dialog.
- In the Users and groups dialog, select your user from the Users list, then click the Select button at the bottom of the screen.
- If you expect a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you will see the "Default Access" role selected.
- In the Add Assignment dialog, click the Assign button.
Configuration (HCP Terraform)
To edit your Azure SSO configuration settings:
- Go to Public Certificate.
- Paste the contents of the SAML Signing Certificate you downloaded from Microsoft Azure AD.
- Save Settings.
- Verify your settings and click "Enable".
Your Azure SSO configuration is complete and ready to use.
Team and Username Attributes
To configure team management in your Microsoft Azure AD application:
- Navigate to the single sign-on page.
- Edit step 2, "User Attributes & Claims."
We recommend naming the claim "MemberOf", leaving the namespace blank, and sourcing user.groups as an easy starting point.
Note: When Azure AD is configured to use Group Claims, it provides Group UUIDs instead of human readable names in its SAML assertions. We recommend configuring SSO Team IDs for your HCP Terraform teams to match these Azure Group UUIDs.
If you plan to make use of SAML to set usernames in your Microsoft Azure AD application:
- Navigate to the single sign-on page.
- Edit step 2, "User Attributes & Claims."
We recommend naming the claim "username", leaving the namespace blank, and sourcing user.displayname or user.mailnickname as a starting point. Note that HCP Terraform usernames only allow lowercase letters, numbers, and dashes.
If you namespaced any of your claims, note that the attribute name passed by Microsoft Azure AD will follow the form <claim_namespace/claim_name>. Consider this when setting Team and Username attribute names.