Troubleshoot SSO Issues on Confluent Cloud

Review the following issues frequently encountered when configuring SSO. If you are unable to resolve the issue using the information below, contact Confluent Support.

Error message on signin: “Cannot find any organization associated with this user”

Typically, this error message appears when SSO is enabled but the local user account has not been switched from local to SSO. To resolve this issue, see Switch between organizations.

Another possibility is that you have a misconfigured email mapping in Confluent. To resolve this issues, set the appropriate email mapping in your SSO configuration. For details on how to set the email mapping, see Enable SSO using Confluent Cloud Console.

Error: “Must specify user in request”

This error message can appear when the email address being sent to Confluent Cloud in the SAML assertion attribute does not correspond with the mapping set in Confluent Cloud.

For example, if the SAML assertion attribute is:

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@your-domain.com</saml:NameID>

The NameID claim corresponds to this mapping:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

To work properly, the Email mapping in the Confluent Cloud SSO settings should be set to:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

instead of the following:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Error “code”: 400, “message”: “Empty email and UPN fields in identity token.”

Check the email mapping in the SSO configuration. This error message indicates that your identity provider is not configured correctly and it is not sending a SAML assertion attribute that contains the user with the claim mapping. It is also possible that the SAML field mapping section in the Confluent Cloud SSO settings is correct.

If your SSO settings in Confluent Cloud has the claims set to the following:

email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Try changing the claims to the following and verify that there are no missing values in the identity provider:

email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

See if the SSO connection works.

Error Invalid thumbprint {configured: xxxxxxxxxxxxxx. calculated: xxxxxxxxxxxxx}

Applies only to Azure organizations that use Microsoft Entra ID SAML SSO.

This error message displays because Azure retains the previous signing certificates in the SAML metadata file.

To resolve this issue, use the direct upload option to upload the signing certificate that contains the thumbprint matching the calculated thumbprint that appears in the error message.

You can discover the thumbprint of a certificate by running the following openssl command:

openssl x509 -in mycertificate.cer -fingerprint -noout

Error: 405 Not allowed

This error message might appear if you are using Okta as your identity provider. Check the Okta configuration Single Sign On URL, the Recipient URL, and the Destination URL. These three values must match the Assertion consumer service URL from the Confluent Cloud Console’s value for the SSO configuration URIL and look like the following:

https://login.confluent.io/login/callback?connection=<sso-identifier>