
Unable to login to SAML account when 2fa is enabled #12583

@kiranchavala

Description


problem

Unable to login to SAML account when 2fa is enabled

versions

ACS 4.20.x and 4.22

The steps to reproduce the bug

  1. As an admin, create a SAML account
  2. Enable 2fa on the SAML account (https://docs.cloudstack.apache.org/en/4.22.0.0/adminguide/accounts.html#using-two-factor-authentication-for-users)
  3. Log in as the SAML user
  4. Unable to login

logs

```text
2026-02-04 05:17:32,994 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) ===START===  10.0.3.251 -- POST  command=samlSso
command=samlSso
SAMLResponse=...

2026-02-04 05:17:32,995 DEBUG [c.c.a.ApiSessionListener] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Session destroyed by Id : node0vpgb28zblh3yfqbwbg2fxs1f27 , session: Session@17aabbed{id=node0vpgb28zblh3yfqbwbg2fxs1f27,x=node0vpgb28zblh3yfqbwbg2fxs1f27.node0,req=1,res=true} , source: Session@17aabbed{id=node0vpgb28zblh3yfqbwbg2fxs1f27,x=node0vpgb28zblh3yfqbwbg2fxs1f27.node0,req=1,res=true} , event: javax.servlet.http.HttpSessionEvent[source=Session@17aabbed{id=node0vpgb28zblh3yfqbwbg2fxs1f27,x=node0vpgb28zblh3yfqbwbg2fxs1f27.node0,req=1,res=true}]
2026-02-04 05:17:32,995 DEBUG [c.c.a.ApiSessionListener] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Session created by Id : node0k64urmb81dab1bu9i7ftdchal28 , session: Session@6c27b82d{id=node0k64urmb81dab1bu9i7ftdchal28,x=node0k64urmb81dab1bu9i7ftdchal28.node0,req=1,res=true} , source: Session@6c27b82d{id=node0k64urmb81dab1bu9i7ftdchal28,x=node0k64urmb81dab1bu9i7ftdchal28.node0,req=1,res=true} , event: javax.servlet.http.HttpSessionEvent[source=Session@6c27b82d{id=node0k64urmb81dab1bu9i7ftdchal28,x=node0k64urmb81dab1bu9i7ftdchal28.node0,req=1,res=true}]
2026-02-04 05:17:33,042 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Received SAMLResponse in response to id=vgr7m6hlig0bvkd52fir0lrpp84q82p7
2026-02-04 05:17:33,048 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) SAML attribute name: uid friendly-name:null value:1
2026-02-04 05:17:33,048 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) SAML attribute name: eduPersonAffiliation friendly-name:null value:group1
2026-02-04 05:17:33,048 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) SAML attribute name: email friendly-name:null value:user1@example.com
2026-02-04 05:17:33,052 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Attempting to log in user: user1@example.com in domain 2
2026-02-04 05:17:33,053 DEBUG [o.a.c.s.SAML2UserAuthenticator] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Trying SAML2 auth for user: user1@example.com
2026-02-04 05:17:33,060 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) CIDRs from which account 'Account [{"accountName":"user1@example.com","id":11,"uuid":"547e824c-ecba-47b2-80c0-8aed18ec5939"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2026-02-04 05:17:33,068 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) User: user1@example.com in domain 2 has successfully logged in, auth time duration - 16 ms
2026-02-04 05:17:33,068 INFO  [c.c.a.ApiServer] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Current user logged in under UTC timezone
2026-02-04 05:17:33,069 INFO  [c.c.a.ApiServer] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Timezone offset from UTC is: 0.0
2026-02-04 05:17:33,074 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Adding sessionkey cookie to response: sessionkey=O4vrRCga2nZfxIHxVAYuJNRPGGY;Domain=10.0.33.194;Path=/client;SameSite=Lax
2026-02-04 05:17:33,075 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) ===END===  10.0.3.251 -- POST  command=samlSso
command=samlSso
SAMLResponse=PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfN2U2OGNmYzVjODZmMWNjNGQ5NTVlMGU3MTVmNDA3YmNmYmQ4ZWMwMjkxIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAyNi0wMi0wNFQwNToxNzozMloiIERlc3RpbmF0aW9uPSJodHRwOi8vMTAuMC4zMy4xOTQ6ODA4MC9jbGllbnQvYXBpP2
```
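As an added example (not CloudStack code and not from the reporter), the following Python script parses management-server log lines in the format shown above and reports successful logins that were not followed by a 2FA code validation request from the same client IP within a time window. It lets an operator confirm from the logs, rather than from the UI, whether a given login path actually reaches the second factor. Assumptions made here: the API command `validateUserTwoFactorAuthenticationCode` is treated as the marker of the 2FA step, and the `login` request from a second client in the sample is constructed for contrast; the `samlSso` lines are a subset of those in the issue.

```python
"""Correlate CloudStack management-server log lines to find logins that no
2FA code validation followed.  Added example, not CloudStack code: the log
format is copied from the issue, while the 2FA marker command and the
client-IP/time-window correlation are assumptions made for this script."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: samlSso lines taken from the issue report, followed by a
# constructed local 'login' from another client that does reach the 2FA step.
SAMPLE_LOG = """\
2026-02-04 05:17:32,994 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) ===START===  10.0.3.251 -- POST  command=samlSso
command=samlSso
SAMLResponse=...
2026-02-04 05:17:33,048 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) SAML attribute name: email friendly-name:null value:user1@example.com
2026-02-04 05:17:33,068 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) User: user1@example.com in domain 2 has successfully logged in, auth time duration - 16 ms
2026-02-04 05:17:33,074 DEBUG [o.a.c.s.SAMLUtils] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) Adding sessionkey cookie to response: sessionkey=O4vrRCga2nZfxIHxVAYuJNRPGGY;Domain=10.0.33.194;Path=/client;SameSite=Lax
2026-02-04 05:17:33,075 DEBUG [c.c.a.ApiServlet] (qtp1390913202-25:[ctx-0168cb72]) (logid:a018986f) ===END===  10.0.3.251 -- POST  command=samlSso
2026-02-04 05:20:01,100 DEBUG [c.c.a.ApiServlet] (qtp1390913202-31:[ctx-11111111]) (logid:b1b1b1b1) ===START===  10.0.3.77 -- POST  command=login
2026-02-04 05:20:01,130 DEBUG [c.c.u.AccountManagerImpl] (qtp1390913202-31:[ctx-11111111]) (logid:b1b1b1b1) User: user2 in domain 1 has successfully logged in, auth time duration - 12 ms
2026-02-04 05:20:01,140 DEBUG [c.c.a.ApiServlet] (qtp1390913202-31:[ctx-11111111]) (logid:b1b1b1b1) ===END===  10.0.3.77 -- POST  command=login
2026-02-04 05:20:09,500 DEBUG [c.c.a.ApiServlet] (qtp1390913202-33:[ctx-22222222]) (logid:c2c2c2c2) ===START===  10.0.3.77 -- GET  command=validateUserTwoFactorAuthenticationCode
2026-02-04 05:20:09,520 DEBUG [c.c.a.ApiServlet] (qtp1390913202-33:[ctx-22222222]) (logid:c2c2c2c2) ===END===  10.0.3.77 -- GET  command=validateUserTwoFactorAuthenticationCode
"""

# One management-server log line: timestamp, level, class, thread, logid, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(?P<level>[A-Z]+) +"
    r"\[(?P<cls>[^\]]+)\] \((?P<thread>[^)]*)\) \(logid:(?P<logid>[0-9a-f]+)\) (?P<msg>.*)$"
)
START_RE = re.compile(r"===START===\s+(?P<ip>\S+) -- (?P<method>[A-Z]+)\s+command=(?P<cmd>\w+)")
LOGIN_RE = re.compile(r"User: (?P<user>\S+) in domain (?P<domain>\d+) has successfully logged in")
COOKIE_RE = re.compile(r"Adding sessionkey cookie to response: sessionkey=(?P<key>[^;]+)")

LOGIN_COMMANDS = {"samlSso", "login"}
TWO_FA_COMMAND = "validateUserTwoFactorAuthenticationCode"  # assumed marker of the 2FA step


@dataclass
class Request:
    logid: str
    started: datetime
    ip: str
    command: str
    user: Optional[str] = None
    domain: Optional[str] = None
    sessionkey: Optional[str] = None


def parse_requests(log_text: str) -> list[Request]:
    """Group lines by logid into one Request per API call.  Continuation lines
    (the POST body echoed under START/END) match no pattern and are skipped."""
    by_logid: dict[str, Request] = {}
    order: list[Request] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, logid = m["msg"], m["logid"]
        start = START_RE.search(msg)
        if start:
            req = Request(logid, datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
                          start["ip"], start["cmd"])
            by_logid[logid] = req
            order.append(req)
            continue
        req = by_logid.get(logid)
        if req is None:
            continue
        if login := LOGIN_RE.search(msg):
            req.user, req.domain = login["user"], login["domain"]
        elif cookie := COOKIE_RE.search(msg):
            req.sessionkey = cookie["key"]
    return order


def find_unverified_logins(requests: list[Request],
                           window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Report successful logins with no 2FA validation request from the same
    client IP inside `window`.  IP plus time is the only link the START lines
    carry; a production pipeline should correlate on the session instead."""
    findings = []
    for i, req in enumerate(requests):
        if req.command not in LOGIN_COMMANDS or req.user is None:
            continue
        verified = any(
            later.command == TWO_FA_COMMAND and later.ip == req.ip
            and req.started <= later.started <= req.started + window
            for later in requests[i + 1:]
        )
        if not verified:
            findings.append({"user": req.user, "domain": req.domain, "ip": req.ip,
                             "command": req.command,
                             "sessionkey_issued": req.sessionkey is not None})
    return findings


if __name__ == "__main__":
    for f in find_unverified_logins(parse_requests(SAMPLE_LOG)):
        print(f"{f['command']}: {f['user']} (domain {f['domain']}) from {f['ip']} "
              f"got a session key: {f['sessionkey_issued']}, no 2FA validation seen")
```

On the sample the SAML login of user1@example.com is reported (a session key cookie was issued and no validation request followed), while the constructed local login of user2 is not, because its client sent a validation request eight seconds later. Point the script at a real management-server log and shorten the window to taste.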

What to do about it?

CloudStack should support 2fa on SAML accounts

2fa is working fine on LDAP accounts
