Given that you receive the error:  Access denied after logging in to the Safewhere Admin.

This issue may happen when Safewhere Admin cannot figure out who the logged in is. In order to identifying a logged in user, Safewhere Admin needs to use the urn:internal:userid claim from the tokens returned from Identify Runtime.

You can use the claimapp service provider to verify its received claim pipeline. (Note: you need to ensure the transformation setup at SafewhereAdmin and the claimapp service provider are same and no claim filter transformation is applied)

we have these known scenario:

1. If there's no claim: urn:internal:userid, please verify if the logged user has been created  as the Identify local user at the Identify user list. If not, create his user at the Identify user list.
2. If we have one value for the claim: urn:internal:userid like the screenshot above, please verify if his user id: c369f214-c543-4167-ad95-a729f2213c2f exists at the Identify user list. If not, create his user at the Identify user list.
3. If we have multi values for the the claim: urn:internal:userid, please make the claim filter transformation for the claim: urn:internal:userid and apply it to the upstream Identity provider.