Administrator group permissions removed after the SAML email attribute mapping is changed in Symantec App Center

Article ID: 158062

Products

Symantec Products

Issue/Introduction

When SAML authentication is configured in Symantec App Center as the IDP and the "Email Attribute" mapping is changed to a value other than "EMailAddress", any account that is a member of the Administrators group will have its Administrator permissions removed/revoked.

The end result will be that a user in the Administrators group will now have access to the End-User Portal only (i.e., the user will be unable to access the Symantec App Center Admin Console).

No error message(s) will appear. Users that are members of the Administrators group will now have access to the End-User Portal only and will be unable to access the Symantec App Center Admin Console.

Cause

The user's email address is used to identify users with the SAML IDP. If the email attribute is changed, then at the next log-in, the user is seen as a new user, and any previous roles/permissions granted are lost.
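A pre-change check for the behavior described above, as an added example that is not Symantec code: it reads sample SAML assertions and lists the administrators whose identifier under a proposed "Email Attribute" mapping would no longer match their existing account. The attribute name `userPrincipalName`, the sample assertion and the admin list are constructed, and exact string matching of the identifier is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IDP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="EMailAddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="userPrincipalName">
      <saml:AttributeValue>alice@corp.example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_value(assertion_xml, attr_name):
    """Return the first value of the named SAML attribute, or None if absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def admins_at_risk(assertions, admin_emails, new_attr, old_attr="EMailAddress"):
    """Return (current_id, new_id) pairs for admins the new mapping would orphan."""
    known = set(admin_emails)  # identifiers of existing administrator accounts
    at_risk = []
    for xml in assertions:
        old = attribute_value(xml, old_attr)
        if old not in known:
            continue  # this assertion does not belong to an existing administrator
        new = attribute_value(xml, new_attr)
        # Assumption: identifiers are compared as exact strings. A missing or
        # different value means the next log-in is treated as a new user.
        if new != old:
            at_risk.append((old, new))
    return at_risk


if __name__ == "__main__":
    for old, new in admins_at_risk([SAMPLE_ASSERTION], ["alice@example.com"], "userPrincipalName"):
        print(f"{old} would log in as {new!r} and lose Administrator permissions")
```

An empty result means every sampled administrator keeps the same identifier under the proposed mapping.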

Resolution

For more information, see SAML external identity provider (IDP) - Enterprise support solutions


Always ensure that you have a local admin login so you can update the IDP settings.