Why is Azure AD SSO returning a "Your user has not been assigned a Role" message when attempting to sign in?

Article ID: 283832

Updated On: 09-17-2024

Products

CloudHealth

Issue/Introduction

This error will be seen when attempting to sign into a tenant that makes use of Classic Organizations or if the user is mapped to a Classic Organization in a tenant that makes use of Classic Organization + FlexOrgs.

Resolution

You can verify whether the user is part of a Classic Organization by checking whether the user appears under Setup -> Admin -> Organizations -> Select Org -> Users, e.g. - 



The cause will differ slightly depending on whether you're using the Setup -> Admin -> Azure AD option or have instead configured a SAML app in Azure AD (Entra ID) via https://support.cloudhealthtech.com/hc/en-us/articles/360053181471-Is-there-a-step-by-step-process-for-SSO-Azure-AD-SAML-Registration.


Setup -> Admin -> Azure AD option


In the case of the Setup -> Admin -> Azure AD option (shown below), please verify the following - 



This indicates that the assertion for the user currently does not pass a "roles" attribute whose value aligns with the IDP Name of a role listed under https://apps.cloudhealthtech.com/roles.

For example, if the user needs to be mapped to the CloudHealth Administrator role, the group in Azure AD (renamed to Entra ID in 2023) would need to be named "cloudhealth-administrator" exactly, as this maps to the IDP Name of the CloudHealth Administrator role, see - 


If the group name is prefixed, suffixed, or capitalized differently, so that it doesn't match 1:1 with "cloudhealth-administrator", the error "Your user has not been assigned a Role" will be returned.

If suffixes or prefixes are a requirement for group names within your organization, please consider using the Azure AD SAML app path instead - https://support.cloudhealthtech.com/hc/en-us/articles/360053181471-Is-there-a-step-by-step-process-for-SSO-Azure-AD-SAML-Registration - as this maps a group to a value in the "roles" claim - 

e.g. the Scoped Groups section allows you to select your "example group" and map it so that the "roles" claim, and the corresponding attribute in the assertion, passes "cloudhealth-administrator" instead of "example group". This maps successfully to the CloudHealth Administrator role because the value matches the IDP Name.

Setup -> Admin -> Single Sign On -> SAML option - 

The Setup -> Admin -> SAML option can be confirmed by checking that the Sign In Endpoint displayed shows "https://login.microsoftonline.com" (shown below). Please verify the following - 


The error message - "Your user has not been assigned a Role" being returned would indicate that the user doesn't belong to one of the groups configured under the "roles" claim mentioned in Classic Organizations Step 3.3 of - https://support.cloudhealthtech.com/hc/en-us/articles/360053181471-Is-there-a-step-by-step-process-for-SSO-Azure-AD-SAML-Registration 

This can be verified by first determining which groups are part of each entry by selecting the "scoped groups" option, e.g. 

 

On the far right of the group selection list, the currently selected groups for the claim condition are displayed. Collect a list of these for each of the entries listed. 

Then open Azure Portal -> Users -> locate the user and open it -> Groups, and verify that one of the groups collected above is displayed. For the above example I can see that the user isn't part of the cloudhealth-power group, which is associated with the role I want to assign them to within the platform -



To resolve the sign in issue I would need to add them to the cloudhealth-power group as that is associated with the role value in the claim condition I want to map the user to -




Following this, the SSO assertion passed for this user will include the attribute "roles" with the value "cloudhealth-power", which maps my user to the Power User role in CloudHealth.
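Both paths above come down to the same check: a value in the assertion's "roles" attribute must equal a role's IDP Name character for character. The following added example (not CloudHealth's code) parses a decoded SAML assertion, reports exact matches, near misses caused by prefixes, suffixes or casing, and values that map to nothing, so a support engineer can tell from a captured assertion why the "has not been assigned a Role" message appears. The IDP Name list is assumed to contain only the two names this article mentions, and the assertions are constructed samples.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# IDP Names the "roles" value must equal exactly (assumed subset: only the two names
# the article mentions; take the full list from https://apps.cloudhealthtech.com/roles).
IDP_NAMES = {"cloudhealth-administrator", "cloudhealth-power"}

def roles_from_assertion(assertion_xml):
    """Return every value carried by the Attribute named "roles" in a decoded assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "roles":
            for av in attr.iterfind("saml:AttributeValue", SAML_NS):
                values.append(av.text or "")  # no strip: whitespace also breaks the 1:1 match
    return values

def check_role_mapping(assertion_xml, idp_names=IDP_NAMES):
    """Classify each roles value as an exact IDP Name match, a near miss
    (prefix, suffix, casing or whitespace around a known IDP Name) or unknown."""
    result = {"matched": [], "near_miss": [], "unknown": []}
    for value in roles_from_assertion(assertion_xml):
        if value in idp_names:
            result["matched"].append(value)
            continue
        near = [n for n in idp_names if n in value.lower()]
        if near:
            result["near_miss"].append((value, near[0]))
        else:
            result["unknown"].append(value)
    result["signs_in"] = bool(result["matched"])  # empty -> "has not been assigned a Role"
    return result

# Constructed sample assertions (not captured from a real tenant). The first
# carries only a mis-cased value, a prefixed group and an unmapped group.
FAILING_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>CloudHealth-Administrator</saml:AttributeValue>
      <saml:AttributeValue>sg-cloudhealth-power</saml:AttributeValue>
      <saml:AttributeValue>example group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The second is what the SAML-app path produces once the group is mapped to the IDP Name.
WORKING_ASSERTION = FAILING_ASSERTION.replace("sg-cloudhealth-power", "cloudhealth-power")
```

Run `check_role_mapping(FAILING_ASSERTION)` to see why sign-in is refused; the near-miss entries point at the group name that needs renaming or mapping.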