Title: Unable to login to SAML account when 2fa is enabled · Issue #12583 · apache/cloudstack · GitHub
Open Graph Title: Unable to login to SAML account when 2fa is enabled · Issue #12583 · apache/cloudstack
X Title: Unable to login to SAML account when 2fa is enabled · Issue #12583 · apache/cloudstack
Description: problem Unable to login to SAML account when 2fa is enabled versions ACS 4.20.x and 4.22 The steps to reproduce the bug As a admin create a SAML account Enable 2fa on the SAML account https://docs.cloudstack.apache.org/en/4.22.0.0/adming...
Open Graph Description: problem Unable to login to SAML account when 2fa is enabled versions ACS 4.20.x and 4.22 The steps to reproduce the bug As a admin create a SAML account Enable 2fa on the SAML account https://docs....
X Description: problem Unable to login to SAML account when 2fa is enabled versions ACS 4.20.x and 4.22 The steps to reproduce the bug As a admin create a SAML account Enable 2fa on the SAML account https://docs....
Opengraph URL: https://github.com/apache/cloudstack/issues/12583
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Unable to login to SAML account when 2fa is enabled","articleBody":"### problem\n\nUnable to login to SAML account when 2fa is enabled \n\n### versions\n\nACS 4.20.x and 4.22\n\n### The steps to reproduce the bug\n\n1. As a admin create a SAML account\n\n2. Enable 2fa on the SAML account \n\nhttps://docs.cloudstack.apache.org/en/4.22.0.0/adminguide/accounts.html#using-two-factor-authentication-for-users\n\n3. Login as SAML user \n\n4. Unable to login \n\nlogs \n\n```\n\n\n2026-02-04 05:17:32,994 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) ===START=== 10.0.3.251 -- POST command=samlSso\ncommand=samlSso\nSAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfN2U2OGNmYzVjODZmMWNjNGQ5NTVlMGU3MTVmNDA3YmNmYmQ4ZWMwMjkxIiBWZXJzaW9bWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj4xPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImVkdVBlcnNvbkFmZmlsaWF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5ncm91cDE8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZW1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVzZXIxQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+\n\n2026-02-04 05:17:32,995 DEBUG [c.c.a.ApiSessionListener] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Session destroyed by Id : node0vpgb28zblh3yfqbwbg2fxs1f27 , session: Session@17aabbed{id=node0vpgb28zblh3yfqbwbg2fxs1f27,x=node0vpgb28zblh3yfqbwbg2fxs1f27.node0,req=1,res=true} , source: Session@17aabbed{id=node0vpgb28zblh3yfqbwbg2fxs1f27,x=node0vpgb28zblh3yfqbwbg2fxs1f27.node0,req=1,res=true} , event: javax.servlet.http.HttpSessionEvent[source=Session@17aabbed{id=node0vpgb28zblh3yfqbwbg2fxs1f27,x=node0vpgb28zblh3yfqbwbg2fxs1f27.node0,req=1,res=true}]\n2026-02-04 05:17:32,995 DEBUG [c.c.a.ApiSessionListener] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Session created by Id : node0k64urmb81dab1bu9i7ftdchal28 , session: Session@6c27b82d{id=node0k64urmb81dab1bu9i7ftdchal28,x=node0k64urmb81dab1bu9i7ftdchal28.node0,req=1,res=true} , source: Session@6c27b82d{id=node0k64urmb81dab1bu9i7ftdchal28,x=node0k64urmb81dab1bu9i7ftdchal28.node0,req=1,res=true} , event: javax.servlet.http.HttpSessionEvent[source=Session@6c27b82d{id=node0k64urmb81dab1bu9i7ftdchal28,x=node0k64urmb81dab1bu9i7ftdchal28.node0,req=1,res=true}]\n2026-02-04 05:17:33,042 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Received SAMLResponse in response to id=vgr7m6hlig0bvkd52fir0lrpp84q82p7\n2026-02-04 05:17:33,048 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) SAML attribute name: uid friendly-name:null value:1\n2026-02-04 05:17:33,048 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) SAML attribute name: eduPersonAffiliation friendly-name:null value:group1\n2026-02-04 05:17:33,048 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) SAML attribute name: email friendly-name:null value:user1@example.com\n2026-02-04 05:17:33,052 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Attempting to log in user: user1@example.com in domain 2\n2026-02-04 05:17:33,053 DEBUG [o.a.c.s.SAML2UserAuthenticator] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Trying SAML2 auth for user: user1@example.com\n2026-02-04 05:17:33,060 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) CIDRs from which account 'Account [{\"accountName\":\"user1@example.com\",\"id\":11,\"uuid\":\"547e824c-ecba-47b2-80c0-8aed18ec5939\"}]' is allowed to perform API calls: 0.0.0.0/0,::/0\n2026-02-04 05:17:33,068 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) User: user1@example.com in domain 2 has successfully logged in, auth time duration - 16 ms\n2026-02-04 05:17:33,068 INFO [c.c.a.ApiServer] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Current user logged in under UTC timezone\n2026-02-04 05:17:33,069 INFO [c.c.a.ApiServer] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Timezone offset from UTC is: 0.0\n2026-02-04 05:17:33,074 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Adding sessionkey cookie to response: sessionkey=O4vrRCga2nZfxIHxVAYuJNRPGGY;Domain=10.0.33.194;Path=/client;SameSite=Lax\n2026-02-04 05:17:33,075 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) ===END=== 10.0.3.251 -- POST command=samlSso\ncommand=samlSso\nSAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfN2U2OGNmYzVjODZmMWNjNGQ5NTVlMGU3MTVmNDA3YmNmYmQ4ZWMwMjkxIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAyNi0wMi0wNFQwNToxNzozMloiIERlc3RpbmF0aW9uPSJodHRwOi8vMTAuMC4zMy4xOTQ6ODA4MC9jbGllbnQvYXBpP2\n\n```\n\n\n### What to do about it?\n\nCloudstack should support 2fa on saml account \n\n2fa is working fine on LDAP accounts","author":{"url":"https://github.com/kiranchavala","@type":"Person","name":"kiranchavala"},"datePublished":"2026-02-04T10:30:21.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":3},"url":"https://github.com/12583/cloudstack/issues/12583"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:89afa5ac-4c25-976d-79d5-79ffc0bdb68a |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 990E:B160A:DC3909:128A04D:6A4D4EBC |
| html-safe-nonce | 74058d20566813f263de5bd8528cac841a0b505f77ee6fa79e912d5db76e169b |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5OTBFOkIxNjBBOkRDMzkwOToxMjhBMDREOjZBNEQ0RUJDIiwidmlzaXRvcl9pZCI6IjgyMTc4MDMwMTkzNDY4NTc2NjAiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 459d440be0f1599be81c647a634e46293cecfea923565d66f997ffbba06a384a |
| hovercard-subject-tag | issue:3895815122 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/12583/issue_layout |
| twitter:image | https://opengraph.githubassets.com/d67185c563a7bb31b06dcb654f7d7479dfab8fcd216f4ca00ffe1924be1a7b24/apache/cloudstack/issues/12583 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/d67185c563a7bb31b06dcb654f7d7479dfab8fcd216f4ca00ffe1924be1a7b24/apache/cloudstack/issues/12583 |
| og:image:alt | problem Unable to login to SAML account when 2fa is enabled versions ACS 4.20.x and 4.22 The steps to reproduce the bug As a admin create a SAML account Enable 2fa on the SAML account https://docs.... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | kiranchavala |
| hostname | github.com |
| expected-hostname | github.com |
| None | 92571a8944142227b7e19cd10918b1ddd06e5066c1ad5bc7e4769cf6140a87e6 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 56fc8347865a14e2ec811533d68f929cf4e0ec19 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width