If users can successfully authenticate through SAML but receive a "no permissions set in Matomo" message or an HTTP 401 error, review your SAML access synchronisation settings.

Recent updates to the LoginSAML feature changed how Matomo handles users when no permissions are returned by SAML during login.

SAML synchronisation

SAML authentication and user access synchronisation are separate processes. Authentication confirms the user’s identity, while access synchronisation determines which permissions the user should have in Matomo.

When the setting Enable User Access Synchronization from SAML (enable_synchronize_access_from_saml) is enabled, Matomo synchronises user permissions from the SAML Identity Provider during login.

What changed?

If no permissions are returned during synchronisation, Matomo now interprets this as the user no longer having access and removes any existing Matomo permissions. This can cause an HTTP 401 error or a no-permissions error:

You are logged in as 'username' but it seems you don't have any permission set in Matomo.

Users successfully authenticate through SAML but immediately lose access to Matomo because no permissions remain assigned to their account.

How to resolve access to Matomo

Option 1: Return permissions from the SAML Identity Provider

  1. Configure your SAML Identity Provider to return the required Matomo roles or permissions.
  2. After updating the SAML configuration, grant the required access again in Matomo if necessary.
  3. Log in again and verify that permissions are synchronised correctly.
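A pre-flight check for step 3, as an added example (not Matomo's own code): it parses a decoded SAML assertion and reports whether any access attribute comes back non-empty, which is the condition that decides whether synchronisation removes the user's permissions. The attribute names, the sample assertions and the treatment of an empty value as "no access" are assumptions; substitute the attribute names mapped in your Access Synchronization Settings.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical attribute names: use the ones mapped in your own settings.
ACCESS_ATTRIBUTES = ("matomoView", "matomoAdmin", "matomoSuperuser")

# Constructed sample assertions (not captured from a real Identity Provider).
_HEAD = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>'
_TAIL = "</saml:AttributeStatement></saml:Assertion>"
ASSERTION_WITH_ACCESS = (
    _HEAD
    + '<saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>'
    + '<saml:Attribute Name="matomoView"><saml:AttributeValue>1</saml:AttributeValue>'
    + "<saml:AttributeValue>3</saml:AttributeValue></saml:Attribute>"
    + _TAIL
)
ASSERTION_WITHOUT_ACCESS = (
    _HEAD
    + '<saml:Attribute Name="email"><saml:AttributeValue>bob@example.org</saml:AttributeValue></saml:Attribute>'
    + '<saml:Attribute Name="matomoAdmin"><saml:AttributeValue> </saml:AttributeValue></saml:Attribute>'
    + _TAIL
)


def returned_access(assertion_xml, access_attributes=ACCESS_ATTRIBUTES):
    """Map each access attribute in the assertion to its non-empty values.

    Inspection only: this does not verify the assertion's signature.
    """
    if "<!DOCTYPE" in assertion_xml:
        raise ValueError("SAML messages must not contain a DTD")
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name not in access_attributes:
            continue
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        values = [v for v in values if v]
        if values:  # assumption: an attribute that is present but empty grants nothing
            found.setdefault(name, []).extend(values)
    return found


def would_lose_access(assertion_xml, access_attributes=ACCESS_ATTRIBUTES):
    """True when no access attribute comes back, so sync would strip permissions."""
    return not returned_access(assertion_xml, access_attributes)
```

Run it against an assertion captured from a test login before enabling synchronisation for accounts that hold Superuser access.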

Option 2: Disable SAML access synchronisation

If you manage permissions manually, disable the access synchronisation in Matomo.

  1. Go to Administration (gear icon) > General > SAML > Access Synchronization Settings.
  2. Uncheck the option Enable User Access Synchronization from SAML to disable the setting.
  3. Reassign the required user permissions in Matomo and log in again.

What if all Superusers are locked out?

If all Superusers have lost access because SAML synchronisation removed their permissions, you can disable synchronisation in the config file:

Matomo On-Premise

Update your config.ini.php file and restore superuser access for the affected accounts:

enable_synchronize_access_from_saml = 0

Matomo Cloud

Contact Matomo Support and ask them to disable the enable_synchronize_access_from_saml setting. Support can then help restore superuser access.

Read more about recovering Matomo account access and managing user permissions.