01-30-2026 05:49 AM
Hello all,
I am trying to set up SSO on my XDR tenant, but I am getting the following message when logging in:
Unauthorized. Unauthorized - 4010507
In the console "Management Audit Logs" I see the below logs:
Custom Idp Saml User Invalid Error | invalid user: email address missing or misconfigured, please verify SAML attributes mapping
I followed this video https://www.youtube.com/watch?v=nwF3hY3wgc0
I verified the completed setup and all seems to be OK, but I can't log in to the tenant with SSO.
Please help me on this, thanks in advance.
01-30-2026 06:02 AM
Hello @G.Escobar ,
Greetings for the day.
The error code Unauthorized - 4010507 indicates that the Cortex XDR platform received invalid or incomplete user data within the SAML assertion provided by your Identity Provider (IdP).
Specifically, the message “invalid user: email address missing or misconfigured” means that the required email attribute expected by Cortex XDR was either not present in the SAML assertion or did not exactly match the attribute name mapping defined in the XDR console.
To resolve this issue, follow these troubleshooting steps:
Because SAML attributes are case-sensitive and must match exactly, you must verify the raw data being sent by your IdP.
- Install a browser extension such as SAML Tracer.
- Open the tracer and reproduce the failed login attempt in an incognito window.
- In the tracer, locate the AttributeStatement section within the SAML response.
- Find the attribute that contains the user's email address and note the exact Name value (for example, a URL or a simple string like emailaddress).
Once you have the exact attribute name from the SAML tracer, ensure it is configured correctly in the tenant:
- Navigate to Settings → Configurations → Access Management → Single Sign-On.
- Locate the IdP Attributes Mapping section.
- Ensure the Email field contains the exact string identified in Step 1.
Common Azure AD Mapping:
Internal Note:
In some instances, engineering has identified the correct mapping as:
The error can also occur if the user attempting to log in does not have an email address populated in their IdP profile.
- Check the user's account in Azure AD (or your specific IdP) to ensure the email field is not empty.
- Verify that the attribute you are mapping is actually the one containing the data (for example, mapping user.mail vs user.userprincipalname).
If you are using Azure AD, ensure these standard mappings are used (all case-sensitive):
- Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Group Membership: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New year!!
Thanks & Regards,
S. Subashkar Sekar
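
An added example, not part of the reply above and not Palo Alto Networks code: a small Python check that does the SAML Tracer comparison offline, listing the attribute names in a captured base64 SAMLResponse and comparing them, case-sensitively, with the names entered under IdP Attributes Mapping. The sample response, user and mapping are constructed, and the script only reads attributes (it does not validate signatures, so use it on responses captured from your own login attempts).

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample: email present, givenname empty, surname not sent at all.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="{CLAIMS}emailaddress">
   <saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue/></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()  # form of the POST binding


def assertion_attributes(saml_response_b64):
    """Return {attribute Name: [values]} from a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_mapping(attrs, mapping):
    """Compare the configured mapping (field -> attribute name) with the assertion."""
    lowered = {name.lower(): name for name in attrs}
    report = {}
    for field, wanted in mapping.items():
        if wanted in attrs:  # exact, case-sensitive match
            report[field] = "ok" if any(attrs[wanted]) else "empty value"
        elif wanted.lower() in lowered:
            report[field] = "case mismatch: IdP sends " + lowered[wanted.lower()]
        else:
            report[field] = "missing"
    return report


if __name__ == "__main__":
    # Constructed mapping as it might be typed into the console, with a casing slip.
    configured = {"Email": CLAIMS + "EmailAddress", "First Name": CLAIMS + "givenname",
                  "Last Name": CLAIMS + "surname"}
    for field, status in check_mapping(assertion_attributes(SAMPLE_B64), configured).items():
        print(f"{field}: {status}")
```
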

