Suppose you receive the error "Access denied" after logging in to Safewhere Admin.
This issue can happen when Safewhere Admin cannot determine who the logged-in user is. To identify a logged-in user, Safewhere Admin relies on the urn:internal:userid claim in the tokens returned by Identify Runtime.
You can use the claimapp service provider to inspect the claim pipeline it receives. (Note: make sure the transformation setup for Safewhere Admin and for the claimapp service provider is the same, and that no claim filter transformation is applied, so that the claims you see match the ones Safewhere Admin receives.)
There are three known scenarios:
- If there is no urn:internal:userid claim, verify that the logged-in user has been created as an Identify local user in the Identify user list. If not, create the user there.
- If the urn:internal:userid claim has exactly one value, as in the screenshot above, verify that the user id (c369f214-c543-4167-ad95-a729f2213c2f in the screenshot) exists in the Identify user list. If not, create the user there.
- If the urn:internal:userid claim has multiple values, create a claim filter transformation for the urn:internal:userid claim and apply it to the upstream Identity Provider.
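As an added example (not code from the Safewhere documentation or product), the following Python function applies the three checks above to a claim set as shown by the claimapp service provider and returns the scenario and the matching fix. The local user list, the sample claim sets and the extra GUID-format check (which the page does not mention) are assumptions of this example.

```python
import uuid

# The claim Safewhere Admin uses to resolve the logged-in user (from the article).
USERID_CLAIM = "urn:internal:userid"

# Constructed sample data: the Identify user list as a set of user ids.
# The GUID is the one shown in the article's screenshot, used here as sample input.
LOCAL_USER_IDS = {"c369f214-c543-4167-ad95-a729f2213c2f"}

# Constructed claim pipelines for the three known scenarios plus two extra cases.
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
SAMPLE_PIPELINES = {
    "no_claim": [(NAME_CLAIM, "alice")],
    "one_value": [(NAME_CLAIM, "alice"),
                  (USERID_CLAIM, "c369f214-c543-4167-ad95-a729f2213c2f")],
    "multi_value": [(USERID_CLAIM, "c369f214-c543-4167-ad95-a729f2213c2f"),
                    (USERID_CLAIM, "b2c0e0d5-6a1f-4f5c-9a0e-2f1d3c4b5a69")],
    "unknown_user": [(USERID_CLAIM, "b2c0e0d5-6a1f-4f5c-9a0e-2f1d3c4b5a69")],
    "bad_format": [(USERID_CLAIM, "not-a-guid")],
}


def diagnose_userid_claim(claims, local_user_ids):
    """Classify a received claim set into the article's scenarios.

    claims: list of (claim_type, value) pairs as displayed by the claimapp SP.
    local_user_ids: user ids present in the Identify user list (assumed lookup).
    Returns (scenario, recommended_action).
    """
    values = [v for claim_type, v in claims if claim_type == USERID_CLAIM]
    if not values:
        return ("no-claim", "No urn:internal:userid claim: verify the user exists "
                            "as an Identify local user and create it if missing.")
    if len(values) > 1:
        return ("multiple-values", "Several urn:internal:userid values: add a claim "
                                   "filter transformation on the upstream Identity Provider.")
    value = values[0]
    try:
        uuid.UUID(value)  # extra check not in the article: the id should be a GUID
    except ValueError:
        return ("malformed-id", f"{value!r} is not a GUID; check the transformation "
                                "that emits urn:internal:userid.")
    known = {u.lower() for u in local_user_ids}
    if value.lower() not in known:
        return ("unknown-user", f"User id {value} is not in the Identify user list; "
                                "create the user.")
    return ("ok", "urn:internal:userid resolves to a local user.")


if __name__ == "__main__":
    for name, pipeline in SAMPLE_PIPELINES.items():
        print(name, "->", diagnose_userid_claim(pipeline, LOCAL_USER_IDS))
```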