This is a common issue with Trellix ePO SaaS when using an IDP. The error “Your account does not belong to any Tenant” usually indicates a tenant mapping or SAML/OIDC configuration problem between the IDP and ePO SaaS. Let’s break it down and troubleshoot step by step.
Understand the Issue
- ePO SaaS uses a multi-tenant architecture, meaning each ePO SaaS instance is tied to a specific tenant.
- When a user logs in via the IDP, ePO matches the SAML/OIDC assertion (for example the email, NameID, or UPN) to a tenant.
- If the assertion does not match any user or tenant in ePO, the user receives the error "Your account does not belong to any Tenant".
Common Causes
- User not assigned to the ePO SaaS app in the IDP. In SAML/OIDC, the user must be explicitly assigned to the ePO SaaS application.
- Incorrect NameID / Username mapping. ePO expects a specific attribute (like email or userPrincipalName) from the IDP assertion. If the value doesn’t match any ePO SaaS tenant, login fails.
- User exists in IDP but not recognized by ePO SaaS. The user may exist in your directory but was never logged in to ePO SaaS, so ePO never created a federated profile.
Troubleshooting Steps
1. Verify IDP Assignment
- Check the user is assigned to the ePO SaaS application in your IDP portal. For SAML, ensure the user is enabled and part of the group assigned to ePO SaaS.
2. Verify Attribute Mapping
- Check which attribute ePO SaaS expects. Commonly, NameID is mapped to email. Compare the expected value with what the IDP actually sends, using a SAML trace tool or by inspecting the SAMLResponse.
3. Confirm User Exists in ePO Tenant
- Log into ePO SaaS as an admin.
- Navigate to Menu → User Management → Users.
- Ensure the user exists or has a federated profile.
- Note: Users are created in ePO automatically after their first successful login via IDP. If mapping is wrong, creation fails.
4. Check Tenant and URL
- Make sure the login URL used matches the correct tenant in ePO SaaS.
- If you have multiple tenants, verify the IDP SSO URL points to the correct tenant.
5. Test with Another User
- Test with a user that is known to work.
- Compare IDP attributes and tenant assignment to the failing user.
6. Contact CSP Global Support (if needed)
- If all mappings look correct but the user still fails, please contact us so that we can check from the backend on the tenant mapping and SAML assertion logs.
Quick Tips
- Always start with IDP assignment and attribute mapping: this causes 90% of “does not belong to any Tenant” errors.
- Make sure the user’s email/UPN exactly matches the ePO tenant mapping. Case sensitivity can sometimes matter.
- If you recently changed tenant settings, clear the browser cache and retry the login.
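As an added example (not code from the original article or from Trellix), the Python script below decodes a SAMLResponse captured during step 2, pulls out the NameID, its Format and the asserted attributes, and compares the NameID with the email ePO SaaS holds for the tenant user, reporting a case-only mismatch separately because that is the subtle failure the tips warn about. The sample response and the addresses in it are constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace prefixes used by a SAML 2.0 Response/Assertion
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: minimal IDP response whose NameID differs from the directory email only in case
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@Example.com</saml:NameID>
  </saml:Subject><saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()  # what the SAMLResponse form field carries

def decode_saml_response(b64_response):
    """Base64-decode the SAMLResponse form value and parse it as XML."""
    return ET.fromstring(base64.b64decode(b64_response))

def extract_identity(root):
    """Return the NameID, its Format, and every attribute/value pair in the assertion."""
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }

def check_mapping(identity, expected_email):
    """Compare the asserted NameID with the tenant user's email; an empty list means it lines up."""
    findings = []
    nid, fmt = identity["name_id"], identity["name_id_format"]
    if nid is None:
        return ["assertion carries no NameID"]
    if nid != expected_email:
        if nid.lower() == expected_email.lower():
            findings.append(f"NameID differs only in case: {nid!r} vs {expected_email!r}")
        else:
            findings.append(f"NameID {nid!r} does not match tenant user {expected_email!r}")
    if fmt and "emailAddress" not in fmt:
        findings.append(f"NameID Format is {fmt}, not the emailAddress format")
    return findings
```

Paste the real SAMLResponse value from your browser trace in place of SAMPLE_B64 and the email from Menu → User Management → Users as expected_email.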