IBM Support

How to Configure SSO Team Provisioning on MS Entra ID without needing an SSO Team ID

How To


Steps

Introduction

SSO Just-In-Time (JIT) or team provisioning allows SSO users to be automatically assigned to HCP Terraform teams based on the MemberOf claim, which corresponds with the user's SSO groups. For this to work seamlessly, the SSO group names must match the HCP Terraform team names in a human-readable format within the SAML assertion.

However, some SSO providers like Microsoft Entra ID may send a group's object ID instead of its human-readable name. This typically requires manually mapping each object ID to the corresponding team in HCP Terraform's settings, which can be inefficient when managing many teams.

This guide details how to configure Microsoft Entra ID to pass human-readable group names in the SAML assertion, eliminating the need for manual ID mapping.

Prerequisites

Procedure

When configuring the MemberOf claim in Microsoft Entra ID, adjust the following settings.

  1. Navigate to Microsoft Entra ID > Manage > Enterprise Applications and select the existing SSO application configured for HCP Terraform.
  2. Navigate to Manage > Single-Sign-On > Attributes & Claims and select Edit.
  3. Select Add a group claim or edit the existing one for MemberOf.
  4. For the source attribute, select Groups assigned to the application.
  5. For the name, select Cloud-only group display names from the dropdown menu.
  6. Under Advanced options, mark the checkbox for Customize the name of the group claim.
  7. In the Name field, enter MemberOf.
  8. Select Save.

The claim should now show the name MemberOf with a value of user.groups. The configuration is ready to be tested.

Troubleshooting

You can confirm the settings by reviewing the values passed in the MemberOf claim of a SAML assertion from a login attempt. For guidance on how to gather and decode the assertion, refer to the Capturing a SAML Assertion guide.
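As an added example (not IBM's or HashiCorp's code), the following Python sketch performs that check on a captured assertion: it decodes a base64 `SAMLResponse`, extracts the MemberOf values, and flags any that are still object IDs or that do not match a team name. The sample assertion, group names, team names, and the exact-match comparison are constructed assumptions; the script does not validate the assertion signature and is for diagnostics only.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entra ID object IDs are GUIDs; a GUID in MemberOf means names are not being sent.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample: a minimal, unsigned response with one MemberOf attribute.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Assertion><saml:AttributeStatement>
<saml:Attribute Name="MemberOf">
<saml:AttributeValue>platform-admins</saml:AttributeValue>
<saml:AttributeValue>app-readers</saml:AttributeValue>
<saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def member_of_values(saml_response_b64, claim_name="MemberOf"):
    """Return the claim's values from a base64 SAMLResponse (HTTP-POST binding)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == claim_name:
            values += [(v.text or "").strip()
                       for v in attr.iterfind("saml:AttributeValue", NS)]
    return values


def check(saml_response_b64, team_names):
    """Split values into object IDs and names; list names with no matching team."""
    values = member_of_values(saml_response_b64)
    names = [v for v in values if v and not GUID_RE.match(v)]
    return {
        "object_ids": [v for v in values if GUID_RE.match(v)],
        "names": names,
        # Assumption: team names are compared as exact strings.
        "unmatched": [n for n in names if n not in team_names],
    }


if __name__ == "__main__":
    # Hypothetical team list; replace with your organization's team names.
    print(check(SAMPLE_B64, {"platform-admins"}))
```

An empty `object_ids` list and an empty `unmatched` list indicate the claim is carrying display names that line up with existing teams.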

Document Location

Worldwide

Historical Number

31722904866451

Document Information

Modified date:
16 March 2026

UID

ibm17265314