Administrator group permissions removed after the SAML email attribute mapping is changed in Symantec App Center


Article ID: 158062


Updated On:


Symantec Products


When SAML authentication is configured in Symantec App Center as the IDP and the "Email Attribute" mapping is changed to a value other than "EMailAddress", any account who is a member of the Administrators group will have their Administrator permissions removed\revoked.


The end result will be that a user in the Administrators group will now have access to the End-User Portal only (i.e., the user will be unable to access the Symantec App Center Admin Console).




No error message(s) will appear.  Users that are members of the Administrators Group will have now access to the End User portal only and will be unable to access the Symantec App Center Admin Console.




The user's email address is used to identify users with the SAML IDP.  If the email attribute is changed, then at the next log-in, the user is seen as a new user, and any previous roles/permissions granted are lost.   



For more information, see SAML external identity provider (IDP) - Enterprise support solutions

Always ensure that you have a local admin login so you can update the IDP settings.