SSO Troubleshooting: User Cannot Be Saved
Learn how to troubleshoot this error.
Error
During SSO, a user sees an error message saying "User Cannot Be Saved".
The organization has Just-In-Time User Provisioning enabled.
Explanation
This error message can happen for a number of reasons. At the root of all these errors is that in the course of SSO, Foundry is either attempting to add a new user, or update an existing user, and that attempt failed. Hence the message that the user cannot be saved.
User Cannot be Saved when attempting to Add a New User
This error can happen if the user attempting to SSO does not already exist in Foundry. If the IDP config in Foundry has “allow registration via SAML” checked, then Foundry will add a new user with the values provided in the defaults set in the IDP config plus any mapped attributes. If the combination of values is invalid or incomplete, then the attempt to insert a new user will fail and this error message will be displayed. Common problems might be:
- A required field like first name, last name or email address is not in a mapped Attribute
- The email address, which must be unique, duplicates the email address of another user
- A mapped attribute for user type, role or location is invalid
User Cannot be Saved during Update of User
Foundry might attempt to update an existing user if the user signing in already exists in Foundry, and can be identified via the SAML Response’s NameID or mapped email attribute. Foundry may attempt to update the user if there are mapped attributes. Errors for this scenario are unusual but may happen when:
- There is a mapped attribute for email address, and the value provided in the Attribute is an email address that already belongs to another user. Since email addresses cannot be duplicated, the attempt to save the user will fail and you will get this error.
- There is a mapped attribute for a location or role where the Attribute value is invalid
Resolution
Review the user data and resolve the data issues.