Runner scale set listener can't create session after enabling SAML #4355

@torrayne

Controller Version

0.13.1

Deployment Method

ArgoCD

Checks

  • This isn't a question or user support case (For Q&A and community support, go to Discussions).
  • I've read the Changelog before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes

To Reproduce

Enable SAML single sign-on on our GitHub organization.

Describe the bug

After enabling SAML on our GitHub org, our listeners can no longer create sessions. There's no network policy on either namespace and I could ping the broker endpoint from another pod, so egress looks OK. We regenerated the PAT and authorized it with our identity provider.

actions/runner#3904 (comment) mentioned an issue with AWS AMIs before 20250403.1, but we're using a later version.

It's still an issue even after a full re-install.

Describe the expected behavior

The runner set listener can communicate with the broker.

Additional Context

Listener logs:

2026-01-17T00:33:56Z    INFO    listener-app    app initialized
2026-01-17T00:33:56Z    INFO    listener-app    Starting listener
2026-01-17T00:33:56Z    INFO    listener-app    refreshing token    {"githubConfigUrl": "https://github.com/[ORG]"}
2026-01-17T00:33:56Z    INFO    listener-app    getting runner registration token    {"registrationTokenURL": "https://api.github.com/orgs/[ORG]/actions/runners/registration-token"}
2026-01-17T00:33:56Z    INFO    listener-app    getting Actions tenant URL and JWT    {"registrationURL": "https://api.github.com/actions/runner-registration"}
2026/01/17 00:34:12 Application returned an error: createSession failed: failed to create session: failed to do the session request: failed to issue the request: client request failed: Post "https://broker.actions.githubusercontent.com/rest/_apis/runtime/runnerscalesets/48/sessions?api-version=6.0-preview": POST https://broker.actions.githubusercontent.com/rest/_apis/runtime/runnerscalesets/48/sessions?api-version=6.0-preview giving up after 5 attempt(s)


Helm


# gha-runner-scale-set-controller
namespace: github-actions-operator
values:  # Default

# gha-runner-scale-set
namespace: github-actions-runners
values:
    containerMode:
        type: kubernetes # no difference when using dind
        kubernetesModeWorkVolumeClaim:
            accessModes: ["ReadWriteOnce"]
            storageClassName: "gp2"
            resources:
                requests:
                    storage: 1Gi
    controllerServiceAccount: # This points to the correct service account
        name: arc-gha-rs-controller
        namespace: github-actions-operator
    githubConfigSecret: github-pat # PAT with admin:repo, org. Authorized with SSO and org owner
    githubConfigUrl: https://github.com/[ORG]


AWS AMI

{
        "Name": "amazon-eks-arm64-node-1.32-v20251209",
        "Description": "EKS Kubernetes Worker AMI with AmazonLinux2 image, (k8s: 1.32.9, containerd: 1.7.29-1.eks.amzn2.0.1)",
        "CreationDate": "2025-12-10T02:21:33.000Z"
}

Controller Logs

https://gist.github.com/torrayne/7daba91a0d16b40a0b5bcfbcc7690a79

Runner Pod Logs

None
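
A triage helper for listener output like the log above, added here as an example (it is not part of the original issue or of the controller's code): it lists the steps logged before the fatal line and extracts the operation, host, path and retry count of the request that failed, plus whether that host was named by any earlier step. The sample log is constructed and abridged from the format shown in the issue; `triage` and its result keys are hypothetical names.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed, abridged sample in the listener's log layout ([ORG] is a placeholder).
SAMPLE_LOG = "\n".join([
    "2026-01-17T00:33:56Z\tINFO\tlistener-app\tgetting runner registration token\t"
    '{"registrationTokenURL": "https://api.github.com/orgs/[ORG]/actions/runners/registration-token"}',
    "2026-01-17T00:33:56Z\tINFO\tlistener-app\tgetting Actions tenant URL and JWT\t"
    '{"registrationURL": "https://api.github.com/actions/runner-registration"}',
    "2026/01/17 00:34:12 Application returned an error: createSession failed: "
    'client request failed: Post "https://broker.actions.githubusercontent.com'
    '/rest/_apis/runtime/runnerscalesets/48/sessions?api-version=6.0-preview": '
    "giving up after 5 attempt(s)",
])

LINE = re.compile(r"^(\S+)\s+(DEBUG|INFO|WARN|ERROR)\s+(\S+)\s+(.*)$")
FATAL = re.compile(r"Application returned an error: (.*)$")

def triage(log_text):
    """Hypothetical helper: steps logged before the fatal line, plus the failed request."""
    steps, failure = [], None
    for line in log_text.splitlines():
        fatal = FATAL.search(line)
        if fatal:
            chain = fatal.group(1)
            url = re.search(r'https?://[^\s"]+', chain)
            tries = re.search(r"giving up after (\d+) attempt", chain)
            parts = urlsplit(url.group(0)) if url else None
            failure = {
                "operation": chain.split(": ", 1)[0],
                "host": parts.netloc if parts else None,
                "path": parts.path if parts else None,
                "attempts": int(tries.group(1)) if tries else None,
                "host_seen_earlier": bool(parts) and any(parts.netloc in h for _, h in steps),
            }
            continue
        m = LINE.match(line)
        if not m:
            continue
        msg, brace, rest = m.group(4).partition("{")
        try:
            fields = json.loads(brace + rest) if brace else {}
        except json.JSONDecodeError:
            fields = {}
        hosts = [urlsplit(v).netloc for v in fields.values()
                 if isinstance(v, str) and v.startswith("http")]
        steps.append((msg.strip(), hosts))
    return steps, failure
```

Calling `triage(SAMPLE_LOG)` returns the two `api.github.com` steps and a failure record for the broker session POST with `attempts` set to 5.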

Labels: bug (Something isn't working), gha-runner-scale-set (Related to the gha-runner-scale-set mode), needs triage (Requires review from the maintainers)
