IBM Verify

IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

Single Sign-on with Terraform using IBM Verify

By Nilesh Atal posted Wed August 06, 2025 01:54 AM

  

IBM Verify provides single sign-on capability with Terraform Cloud and Enterprise applications.

Follow these steps to configure IBM Verify as the identity provider (IdP) for Terraform Enterprise.

Create custom attribute to manage Terraform admin access

Terraform provides admin capability to user based on special attribute called "SiteAdmin". This attribute determines which users can administer the entire Terraform Enterprise instance. Refer to Administering Terraform Enterprise for more information about site admin permissions. In order to provide this information to Terraform, need to create a custom attribute in Verify which will holds this value.

  • Login to Verify as admin
  • Navigate to Directory > Attributes 
  • Click Add attribute and create a boolean type attribute enable for SSO with details as below:
    Attribute name Value Description
    Name

    SiteAdmin

    		 This is the default name for Terraform Enterprise's site admin attribute. You can change the name of this attribute in Terraform Enterprise's SAML settings if necessary.
    Availability Single sign-on SSO Use with Single sign-on SSO
    Attribute identifier siteadmin Identifier for the site admin attribute
    Data type Boolean SiteAdmin true or false

Configure a Terraform Application in IBM Verify

  • Login to Verify as admin
  • Navigate to Applications tab and click add application
  • Search for Terraform Cloud and then click Add application
  • In the General page, update Application name and optionally add an Application Owner
  • Navigate to Sign-on tab and configure the following settings with the specified values:
    IBM Verify Field Terraform Enterprise SAML Field Value
    Provider ID Metadata (Audience) URL https://<TFE HOSTNAME>/users/saml/metadata
    Assertion consumer service URL (HTTP-POST) ACS Consumer (Recipient) URL https://<TFE HOSTNAME>/users/saml/auth
    Name identifier Email

  • Optionally add the Username attribute. Refer to Username details for more information.
    Attribute name Attribute name format Attribute source
    MemberOf urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified groupIds
    SiteAdmin (optional) urn:oasis:names:tc:SAML:2.0:attrname-format:basic SiteAdmin
    Username (optional) urn:oasis:names:tc:SAML:2.0:attrname-format:basic Username
  • Grab the values for various attributes needed to configure Terraform application from the right pane. Save these settings in Terraform Enterprise SAML settings.
    Terraform Enterprise SAML Field IBM Verify Value example
    Single Sign-On URL Single Sign-On URL https://<verify_tenant>/saml/sps/saml20ip/saml20/login
    Single Log-Out URL Single Sign-Out URL https://<verify_tenant>/idaas/mtfim/sps/idaas/logout
    IDP Certificate urn:oasis:names:tc:SAML:2.0:attrname-format:basic X.509 Certificate

  • On the Entitlements tab, add the users that are allowed access
  • Save the application

Validate the SSO for Terraform Application

  • Access the Terraform application URL
  • Validate that it gets redirected to IBM Verify and user need to provide the Verify credentials
  • On successful authentication, user should get redirected to Terraform console
0 comments
11 views

Permalink

https://community.ibm.com/community/user/blogs/nilesh-atal1/2025/08/05/single-sign-on-with-terraform-using-ibm-verify