SSO Troubleshooting: user is not assigned to a role for the application
Learn how to resolve an application access error returned by your identity provider
What This Error Means
During single sign‑on, a user successfully authenticates with their identity provider but is shown an error on the identity provider’s page (not in Foundry).
The error message may vary by identity provider and can include messages such as:
- user is not assigned to a role for the application (Microsoft Azure)
- account isn’t linked to <organization>
- 403 app_not_enabled_for_user “Service is not enabled for this user.” (Google)
These messages all indicate the same underlying issue: the user is not authorized to access the Foundry application in the identity provider.
Why This Happens
Most identity providers require users or user groups to be explicitly assigned to each service provider application.
This error occurs when:
- The user is not assigned directly to the Foundry application, or
- The user is not a member of a group that is assigned to the Foundry application
Although authentication succeeds, the identity provider blocks access because the user does not have the required permissions.
How to Resolve the Issue
- Open your identity provider’s application configuration for Foundry
- Review which users or security groups are assigned to the application
- Confirm the affected user:
  - Is assigned directly to the application, or
  - Belongs to a group that is assigned to the application
Once the user is properly assigned, retry the SSO login.
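The check in the steps above can be run against an export of the application's assignments and group memberships. The following is an added example, not part of the original article or of any identity provider's tooling; the principal names, the data layout and the `nested_groups_honored` switch are assumptions made for illustration. It goes one step beyond the text by flagging users who reach the application only through a nested group, which counts only if your identity provider evaluates nested membership.

```python
from collections import deque

# Constructed sample data (not from a real tenant): principals assigned to the
# Foundry application, and the direct members of each group.
APP_ASSIGNMENTS = {"user:alice", "group:foundry-users"}
GROUP_MEMBERS = {
    "group:foundry-users": {"user:bob", "group:data-team"},
    "group:data-team": {"user:carol"},
    "group:hr": {"user:dave"},
}


def assignment_path(user, assignments, group_members):
    """Shortest chain [assigned principal, ..., user], or None if none exists."""
    queue = deque([a] for a in sorted(assignments))
    seen = set(assignments)
    while queue:
        path = queue.popleft()
        if path[-1] == user:
            return path
        for member in sorted(group_members.get(path[-1], ())):
            if member not in seen:  # guards against cyclic group nesting
                seen.add(member)
                queue.append(path + [member])
    return None


def diagnose(user, assignments, group_members, nested_groups_honored=False):
    """Classify how (or whether) the user reaches the application."""
    path = assignment_path(user, assignments, group_members)
    if path is None:
        return "unassigned"          # expect the error described on this page
    if len(path) == 1:
        return "direct"              # user is assigned to the application
    if len(path) == 2:
        return "via-group"           # direct member of an assigned group
    # Reached only through a subgroup of an assigned group.
    return "via-nested-group" if nested_groups_honored else "nested-only"


if __name__ == "__main__":
    for u in ("user:alice", "user:bob", "user:carol", "user:dave"):
        print(u, diagnose(u, APP_ASSIGNMENTS, GROUP_MEMBERS))
```

A `nested-only` or `unassigned` result means the user needs a direct assignment or direct membership in an assigned group before retrying the login.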