Azure AD SSO is returning a "Your user has not been assigned a Role" message when attempting to sign in
Article ID: 283832

Products

CloudHealth

Issue/Introduction

This error is returned when signing in to a tenant that uses Classic Organizations, or when the user is mapped to a Classic Organization in a tenant that uses both Classic Organizations and FlexOrgs.

Resolution

You can verify whether the user belongs to a Classic Organization by checking whether the user appears under Setup -> Admin -> Organizations -> Select Org -> Users:



The cause differs slightly depending on whether you are using the Setup -> Admin -> Azure AD option or have instead configured a SAML app in Azure AD (Entra ID) as described in https://knowledge.broadcom.com/external/article/283891/cloudhealth-sso-azure-ad-saml-registrati.html


Setup -> Admin -> Azure AD option


If you are using the Setup -> Admin -> Azure AD option, verify the following:



The error indicates that the user's sign-in is not currently passing a "roles" attribute whose value matches the IDP Name of a role listed under https://apps.cloudhealthtech.com/roles.

For example, if the user needs to be mapped to the CloudHealth Administrator role, the group in Azure AD (renamed Entra ID in 2023) must be named "cloudhealth-administrator", exactly as shown, because this is the IDP Name of the CloudHealth Administrator role:


The comparison is an exact, case-sensitive, whole-string match: if the group name carries a prefix or suffix, or differs in capitalization, so that it does not match "cloudhealth-administrator" 1:1, the error "Your user has not been assigned a Role" is returned.

If prefixes or suffixes are required for group names in your organization, consider using the Azure AD SAML app path instead (https://knowledge.broadcom.com/external/article/283891/cloudhealth-sso-azure-ad-saml-registrati.html), as it maps a group to a value in the "roles" claim.

For example, the Scoped Groups section lets you select your "example group" and map it so that the "roles" claim, and therefore the attribute in the assertion, carries "cloudhealth-administrator" instead of "example group". This value matches the IDP Name and so maps successfully to the CloudHealth Administrator role.

Setup -> Admin -> Single Sign On -> SAML option

You can confirm that the tenant is using the Setup -> Admin -> Single Sign On -> SAML option by checking that the Sign In Endpoint displayed shows "https://login.microsoftonline.com":


In this case the error message "Your user has not been assigned a Role" indicates that the user does not belong to any of the groups configured under the "roles" claim, as described in Classic Organizations Step 3.3 of https://knowledge.broadcom.com/external/article/283891/cloudhealth-sso-azure-ad-saml-registrati.html

To verify this, first determine which groups are part of each entry under the "roles" claim by selecting the "Scoped Groups" option:

 

On the far right of the group selection list, the groups currently selected for that claim condition are displayed. Collect a list of these for each entry.

Then open the Azure Portal -> Users -> locate the user and drill in -> Groups, and verify that one of the groups collected above is listed. In the example above, the user is not a member of the cloudhealth-power group, which is associated with the role I want to assign them within the platform:



To resolve the sign-in issue, add the user to the cloudhealth-power group, as that group is associated with the role value in the claim condition the user should be mapped to:




After this, the SSO assertion passed for this user will include the attribute "roles" with the value "cloudhealth-power", which maps the user to the Power User role in CloudHealth.
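The following script is an added example, not CloudHealth or Broadcom code, that ties together the two checks described in this article: it simulates which "roles" values the Entra ID claim conditions (Scoped Groups -> value) would emit for a user's group list, and it parses a captured assertion and compares each "roles" value against the IDP Names with the same exact, case-sensitive match the error depends on, reporting why a near miss (wrong case, prefix, suffix) fails. The assertion XML and the group names (CH-Admins, CH-PowerUsers, Finance) are constructed for the example; the attribute Name "roles" and the two IDP Names come from this article, and the actual claim Name your Entra ID app emits depends on its claim configuration.

```python
"""Diagnose "Your user has not been assigned a Role" for a CloudHealth SAML sign-in.

Added example, not CloudHealth/Broadcom code. Group names and the assertion are
constructed; the attribute Name "roles" and the IDP Names are from the article.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# IDP Name -> CloudHealth role, for the two roles the article names.
# Assumption: extend this from https://apps.cloudhealthtech.com/roles for your tenant.
KNOWN_IDP_NAMES = {
    "cloudhealth-administrator": "CloudHealth Administrator",
    "cloudhealth-power": "Power User",
}

# Claim conditions of the Entra ID SAML app as (scoped group, emitted roles value).
# The group names are hypothetical.
CLAIM_CONDITIONS = [
    ("CH-Admins", "cloudhealth-administrator"),
    ("CH-PowerUsers", "cloudhealth-power"),
]


def expected_roles_values(user_groups, claim_conditions=CLAIM_CONDITIONS):
    """Values the "roles" claim would carry for a user who is in these groups.

    An empty result means the assertion carries no usable role and the
    sign-in will be rejected.
    """
    groups = set(user_groups)
    return [value for group, value in claim_conditions if group in groups]


def roles_from_assertion(assertion_xml, attribute_name="roles"):
    """Extract every AttributeValue of the named attribute from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == attribute_name:
            values += [(v.text or "").strip()
                       for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return values


def diagnose(values):
    """Exact, case-sensitive match of each value against the IDP Names.

    Returns (roles that would be granted, [(value, reason) for every value that
    does not match]); the reason names the closest IDP Name for near misses.
    """
    matched, problems = [], []
    for v in values:
        if v in KNOWN_IDP_NAMES:
            matched.append(KNOWN_IDP_NAMES[v])
            continue
        reason = "no IDP Name with this value"
        for idp in KNOWN_IDP_NAMES:
            if v.lower() == idp:
                reason = f"case mismatch, expected {idp!r}"
            elif idp in v.lower():
                reason = f"prefix or suffix around {idp!r}"
        problems.append((v, reason))
    return matched, problems


def sign_in_allowed(assertion_xml):
    """True only if at least one "roles" value maps 1:1 to an IDP Name."""
    matched, _ = diagnose(roles_from_assertion(assertion_xml))
    return bool(matched)


def build_assertion(values):
    """Constructed, unsigned, minimal assertion carrying the given roles values."""
    avs = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (f'<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_example">'
            f'<saml:AttributeStatement><saml:Attribute Name="roles">{avs}'
            "</saml:Attribute></saml:AttributeStatement></saml:Assertion>")


if __name__ == "__main__":
    # A user in a non-scoped group gets an empty claim: "not been assigned a Role".
    print(expected_roles_values(["Finance"]))                   # []
    print(expected_roles_values(["Finance", "CH-PowerUsers"]))  # ['cloudhealth-power']

    bad = build_assertion(["CloudHealth-Administrator", "corp-cloudhealth-power"])
    good = build_assertion(["cloudhealth-power"])
    print(diagnose(roles_from_assertion(bad)))
    print(sign_in_allowed(bad), sign_in_allowed(good))  # False True
```

To use it against a real sign-in, capture the assertion with a SAML tracer browser extension, decode it, and pass the XML to roles_from_assertion; anything that shows up under problems is a group rename or a claim-condition change away from working.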