kiranchavala opened a new issue, #12583: URL: https://github.com/apache/cloudstack/issues/12583
### problem

Unable to login to SAML account when 2fa is enabled

### versions

ACS 4.20.x and 4.22

### The steps to reproduce the bug

1. As an admin create a SAML account
2. Enable 2fa on the SAML account https://docs.cloudstack.apache.org/en/4.22.0.0/adminguide/accounts.html#using-two-factor-authentication-for-users
3. Login as SAML user
4. Unable to login

logs

```
2026-02-04 05:17:32,994 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) ===START=== 10.0.3.251 -- POST command=samlSso command=samlSso SAMLResponse=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
2026-02-04 05:17:32,995 DEBUG [c.c.a.ApiSessionListener] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Session destroyed by Id : node0vpgb28zblh3yfqbwbg2fxs1f27 , session: Session@17aabbed{id=node0vpgb28zblh3yfqbwbg2fxs1f27,x=node0vpgb28zblh3yfqbwbg2fxs1f27.node0,req=1,res=true} , source: Session@17aabbed{id=node0vpgb28zblh3yfqbwbg2fxs1f27,x=node0vpgb28zblh3yfqbwbg2fxs1f27.node0,req=1,res=true} , event: javax.servlet.http.HttpSessionEvent[source=Session@17aabbed{id=node0vpgb28zblh3yfqbwbg2fxs1f27,x=node0vpgb28zblh3yfqbwbg2fxs1f27.node0,req=1,res=true}]
2026-02-04 05:17:32,995 DEBUG [c.c.a.ApiSessionListener] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Session created by Id : node0k64urmb81dab1bu9i7ftdchal28 , session: Session@6c27b82d{id=node0k64urmb81dab1bu9i7ftdchal28,x=node0k64urmb81dab1bu9i7ftdchal28.node0,req=1,res=true} , source: Session@6c27b82d{id=node0k64urmb81dab1bu9i7ftdchal28,x=node0k64urmb81dab1bu9i7ftdchal28.node0,req=1,res=true} , event: javax.servlet.http.HttpSessionEvent[source=Session@6c27b82d{id=node0k64urmb81dab1bu9i7ftdchal28,x=node0k64urmb81dab1bu9i7ftdchal28.node0,req=1,res=true}]
2026-02-04 05:17:33,042 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Received SAMLResponse in response to id=vgr7m6hlig0bvkd52fir0lrpp84q82p7
2026-02-04 05:17:33,048 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) SAML attribute name: uid friendly-name:null value:1
2026-02-04 05:17:33,048 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) SAML attribute name: eduPersonAffiliation friendly-name:null value:group1
2026-02-04 05:17:33,048 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) SAML attribute name: email friendly-name:null value:[email protected]
2026-02-04 05:17:33,052 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Attempting to log in user: [email protected] in domain 2
2026-02-04 05:17:33,053 DEBUG [o.a.c.s.SAML2UserAuthenticator] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Trying SAML2 auth for user: [email protected]
2026-02-04 05:17:33,060 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) CIDRs from which account 'Account [{"accountName":"[email protected]","id":11,"uuid":"547e824c-ecba-47b2-80c0-8aed18ec5939"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2026-02-04 05:17:33,068 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) User: [email protected] in domain 2 has successfully logged in, auth time duration - 16 ms
2026-02-04 05:17:33,068 INFO [c.c.a.ApiServer] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Current user logged in under UTC timezone
2026-02-04 05:17:33,069 INFO [c.c.a.ApiServer] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Timezone offset from UTC is: 0.0
2026-02-04 05:17:33,074 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Adding sessionkey cookie to response: sessionkey=O4vrRCga2nZfxIHxVAYuJNRPGGY;Domain=10.0.33.194;Path=/client;SameSite=Lax
2026-02-04 05:17:33,075 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) ===END=== 10.0.3.251 -- POST command=samlSso command=samlSso SAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfN2U2OGNmYzVjODZmMWNjNGQ5NTVlMGU3MTVmNDA3YmNmYmQ4ZWMwMjkxIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAyNi0wMi0wNFQwNToxNzozMloiIERlc3RpbmF0aW9uPSJodHRwOi8vMTAuMC4zMy4xOTQ6ODA4MC9jbGllbnQvYXBpP2
```

### What to do about it?

Cloudstack should support 2fa on saml account.

2fa is working fine on LDAP accounts.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
