HashiConf The full conference agenda's now LIVE. Buy your pass and plan your schedule. Register
Terraform
Terraform Home

Configure IBM Verify

Follow these steps to configure IBM Verify as the identity provider (IdP) for Terraform Enterprise.

Configure a New IBM Verify Application

  1. In IBM Verify's web interface, go to the Applications tab and click add application.
    image

  2. Select Terraform Cloud as the sign on method, and then click Next.
    image

  3. In the General page, enter Terraform Enterprise and optionally add an Application Owner.
    image

  4. Go to the Sign-on tab.

  5. In the Sign-on section, configure the following settings with the specified values:

    IBM Verify FieldTerraform Enterprise SAML FieldValue
    Provider IDMetadata (Audience) URLhttps://<TFE HOSTNAME>/users/saml/metadata
    Assertion consumer service URL (HTTP-POST)ACS Consumer (Recipient) URLhttps://<TFE HOSTNAME>/users/saml/auth
    Name identifierEmail

    image

  1. In the Attribute mappings section, configure the MemberOf to map groupIds to Terraform Enterprise teams.
    image

  2. Optionally configure a site admin permissions attribute statement. This statement determines which users can administer the entire Terraform Enterprise instance. Refer to Administering Terraform Enterprise for more information about site admin permissions. Under the Directory - Attributes (Optional), configure an attribute as follows:

    Attribute nameValueDescription
    NameSiteAdminThis is the default name for Terraform Enterprise's site admin attribute. You can change the name of this attribute in Terraform Enterprise's SAML settings if necessary.
    AvailabilitySingle sign-on SSOUse with Single sign-on SSO
    Attribute identifiersiteadminIdentifier for the site admin attribute
    Data typeBooleanSiteAdmin true or false

image

  1. Optionally add the Username attribute. Refer to Username details for more information.

    Attribute nameAttribute name formatAttribute source
    MemberOfurn:oasis:names:tc:SAML:2.0:attrname-format:unspecifiedgroupIds
    SiteAdmin (optional)urn:oasis:names:tc:SAML:2.0:attrname-format:basicSiteAdmin
    Username (optional)urn:oasis:names:tc:SAML:2.0:attrname-format:basicUsername

  2. You can find the values needed for Terraform Enterprise SAML settings on the right side of the screen. Save these settings in Terraform Enterprise SAML settings.

    Terraform Enterprise SAML FieldIBM VerifyValue example
    Single Sign-On URLSingle Sign-On URLhttps://<id>.verify.ibm.com/saml/sps/saml20ip/saml20/login
    Single Log-Out URLSingle Sign-Out URLhttps://<id>.verify.ibm.com/idaas/mtfim/sps/idaas/logout
    IDP Certificateurn:oasis:names:tc:SAML:2.0:attrname-format:basicX.509 Certificate

  1. On the Entitlements tab, add the users that are allowed access.
    image

  2. Save all the settings.

Example SAMLResponse

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="Assertion-uuid55fd4636-0198-1a77-bd0e-85102bc84797" IssueInstant="2025-07-29T11:41:58Z" Version="2.0"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://example.verify.ibm.com/saml/sps/saml20ip/saml20</saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">example@ibm.com</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="_18b23dcd-a903-4438-b079-32eecd31925a" NotOnOrAfter="2025-07-29T11:46:58Z" Recipient="https://tfe.aws.example.com/users/saml/auth"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-07-29T11:36:58Z" NotOnOrAfter="2025-07-29T11:46:58Z">
        <saml:AudienceRestriction>
            <saml:Audience>https://tfe.aws.example.com/users/saml/metadata</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2025-07-29T11:41:58Z" SessionIndex="06bd7f3a-3b87-4aec-83d2-8d8f120add4a_uuide789ed32-2480-456e-857a-26e00bd57865" SessionNotOnOrAfter="2025-07-29T12:41:58Z">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        <saml:Attribute Name="MemberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml:AttributeValue xsi:type="xs:string">dev</saml:AttributeValue>
            <saml:AttributeValue xsi:type="xs:string">SiteAdmin</saml:AttributeValue>
            <saml:AttributeValue xsi:type="xs:string">site-admins</saml:AttributeValue>
            <saml:AttributeValue xsi:type="xs:string">allUsers</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="SiteAdmin" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">true</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="Username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">user1</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>