Cortex XDR | Azure AD Single Sign On Unauthorized. Unauthorized - 4010507

G.Escobar — Fri, 30 Jan 2026 13:49:20 GMT

Hello all,

I am trying to setup SSO on my XDR tenant but I am getting the following message when login in
Unauthorized. Unauthorized - 4010507

In the console "Management Audit Logs" i see the below logs:

Custom Idp Saml User Invalid Error | invalid user: email address missing or misconfigured, please verify SAML attributes mapping

I followed this video https://www.youtube.com/watch?v=nwF3hY3wgc0

I verified the completed setup, all seems to be ok, but i can´t log in the tenant with SSO.

Please help me on this, thanks in advance.

Re: Cortex XDR | Azure AD Single Sign On Unauthorized. Unauthorized - 4010507

susekar — Thu, 26 Feb 2026 13:23:54 GMT

Hello @G.Escobar ,

Greetings for the day.

The error code Unauthorized - 4010507 indicates that the Cortex XDR platform received invalid or incomplete user data within the SAML assertion provided by your Identity Provider (IdP).

Specifically, the message “invalid user: email address missing or misconfigured” means that the required email attribute expected by Cortex XDR was either not present in the SAML assertion or did not exactly match the attribute name mapping defined in the XDR console.

To resolve this issue, follow these troubleshooting steps:

1. Identify the Exact Attribute Name Using a SAML Tracer:

Because SAML attributes are case-sensitive and must match exactly, you must verify the raw data being sent by your IdP.

Install a browser extension such as SAML Tracer.
Open the tracer and reproduce the failed login attempt in an incognito window.
In the tracer, locate the AttributeStatement section within the SAML response.
Find the attribute that contains the user's email address and note the exact Name value (for example, a URL or a simple string like emailaddress).

2. Update Attribute Mapping in Cortex XDR:

Once you have the exact attribute name from the SAML tracer, ensure it is configured correctly in the tenant:

Navigate to Settings → Configurations → Access Management → Single Sign-On.
Locate the IdP Attributes Mapping section.
Ensure the Email field contains the exact string identified in Step 1.

Common Azure AD Mapping:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Internal Note:
In some instances, engineering has identified the correct mapping as:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress/email

3. Verify the User Profile in Your IdP

The error can also occur if the user attempting to log in does not have an email address populated in their IdP profile.

Check the user's account in Azure AD (or your specific IdP) to ensure the email field is not empty.
Verify that the attribute you are mapping is actually the one containing the data (for example, mapping user.mail vs user.userprincipalname).

Summary of Common Azure AD Attribute Mappings

If you are using Azure AD, ensure these standard mappings are used (all case-sensitive):

Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Group Membership: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New year!!