I have seen recently an increase of these kind of cases coming into our support teams. Thought I would address a good way to trouble shoot them:
If you have a user getting "Access Denied" Here is some possible ways to address this:
Possible causes for this error:
- The first name, last name, or email address being sent in the SAML assertion does not match the information entered in the Admin Console.
- The user isn't associated to the right product, or the product is not associated with the correct entitlement.
- The SAML user name is coming across as something other than an email address. All users must be in the domain you claimed as part of the setup process.
- Run a SAML trace and validate that the information being sent matches the dashboard, and then correct any inconsistencies. How to perform a SAML Trace
Hope this helps!