andrea-janna opened a new issue, #13273: URL: https://github.com/apache/cloudstack/issues/13273
### problem

When a user tries to log in via single sign-on, the following error is displayed in the browser.

```
<loginresponse>
  <errorcode>531</errorcode>
  <errortext>Your authenticated user is not authorized for SAML Single Sign-On, please contact your administrator</errortext>
</loginresponse>
```

The user is SAML enabled and its email address is "[email protected]".

```
(localcloud) 🐱 > list users listall=true username=dpss.2
{
  "count": 1,
  "user": [
    {
      "account": "DPSS",
      "accountid": "a2f99970-cb7d-482b-abb8-ef7874cc188f",
      "accounttype": 2,
      "apikeyaccess": "INHERIT",
      "created": "2026-05-28T09:59:14+0200",
      "domain": "DPSS",
      "domainid": "3a5204fc-7280-4318-b13a-8923357462b3",
      "email": "[email protected]",
      "firstname": "a",
      "id": "c98062d8-b89d-4eb4-8aa3-a7a64c25aad1",
      "is2faenabled": false,
      "is2famandated": false,
      "iscallerchilddomain": true,
      "isdefault": false,
      "lastname": "b",
      "roleid": "2edc712b-dd39-11f0-80ce-405b7f9c291c",
      "rolename": "Domain Admin",
      "roletype": "DomainAdmin",
      "state": "enabled",
      "timezone": "Europe/Rome",
      "username": "dpss.2",
      "usersource": "saml2"
    }
  ]
}
```

The CloudStack configuration option saml2.user.attribute is set to "email". In the cloudstack-management debug log I can see that CloudStack actually gets from the identity provider the same email address "[email protected]" that is associated with the CloudStack user.

```
2026-05-28 10:10:19,260 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (qtp2115628016-394:[ctx-2c45ff41]) (logid:dc99daf6) Received SAMLResponse in response to id=hmo5som7u6io8t9fopojem1iplsu9c67
2026-05-28 10:10:19,265 DEBUG [o.a.c.s.SAMLUtils] (qtp2115628016-394:[ctx-2c45ff41]) (logid:dc99daf6) SAML attribute name: urn:oid:1.2.840.113549.1.9.1 friendly-name:email value:[email protected]
2026-05-28 10:10:19,267 DEBUG [c.c.a.ApiServlet] (qtp2115628016-394:[ctx-2c45ff41]) (logid:dc99daf6) Authentication failure: <?xml version="1.0" encoding="UTF-8"?><loginresponse><errorcode>531</errorcode><errortext>Your authenticated user is not authorized for SAML Single Sign-On, please contact your administrator</errortext></loginresponse>
```

### versions

CloudStack 4.22.1.0 on Rocky Linux 10.

### The steps to reproduce the bug

1. select "single sign-on" in the login page and press the login button
2.
3. ...

### What to do about it?

_No response_
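A small triage helper, added here as an example and not part of the issue or of CloudStack's code: it parses `SAMLUtils` debug lines in the format quoted above and reports whether a configured `saml2.user.attribute` value equals an attribute's name or only its friendly-name. The function names and the sample log lines (with a placeholder address) are constructed, and the helper makes no claim about which field CloudStack itself compares.

```python
import re

# Shape of the SAMLUtils DEBUG line quoted in the issue:
#   "SAML attribute name: <name> friendly-name:<friendly> value:<value>"
ATTR_RE = re.compile(
    r"SAML attribute name: (?P<name>\S+) "
    r"friendly-name:(?P<friendly>\S*) value:(?P<value>.*)$"
)

# Constructed sample lines; the address is a placeholder, not the reporter's.
SAMPLE_LOG = """\
2026-05-28 10:10:19,260 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (t-1) Received SAMLResponse in response to id=constructed
2026-05-28 10:10:19,265 DEBUG [o.a.c.s.SAMLUtils] (t-1) SAML attribute name: urn:oid:1.2.840.113549.1.9.1 friendly-name:email value:user@example.invalid
2026-05-28 10:10:19,266 DEBUG [o.a.c.s.SAMLUtils] (t-1) SAML attribute name: uid friendly-name:uid value:dpss.2
"""


def parse_saml_attributes(log_text):
    """Return one dict per SAML attribute line found in the log text."""
    attrs = []
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs.append({k: v.strip() for k, v in m.groupdict().items()})
    return attrs


def match_configured_key(configured_key, attrs):
    """List (field, value) pairs where the configured key equals a field.

    field is "name" when the key equals the attribute Name, and
    "friendly-name" when it equals only the FriendlyName.
    """
    key = configured_key.strip().lower()
    hits = []
    for a in attrs:
        if a["name"].lower() == key:
            hits.append(("name", a["value"]))
        elif a["friendly"].lower() == key:
            hits.append(("friendly-name", a["value"]))
    return hits


if __name__ == "__main__":
    found = parse_saml_attributes(SAMPLE_LOG)
    for key in ("email", "urn:oid:1.2.840.113549.1.9.1", "mail"):
        print(key, "->", match_configured_key(key, found) or "no attribute matches")
```

An empty result, or a hit on only one of the two fields, tells the administrator which identifier the identity provider actually sends before comparing it with the CloudStack setting.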
