SAP Knowledge Base Article - Preview

3245013 - SSO into XSA application fails with error "SAML+user+does+not+exist."

Symptom

Set up SAML SSO between XSA and external Identity Provider (such as: AzureAD, or Identity Authentication Service ...etc) following KBA 2569903 - How to configure SAML authentication on HANA XSA

Due to business needs, need to stop external Identity Provider user get created automatically in XSA thus manually unticked option "Create shadow users during login". Then manually created user in XSA, such as via: XSA Cockpit -> User Management -> New User/Migrate SAP HANA User, and assign relevant role collection.

When log into XSA application such as HANA Cockpit using external Identity Provider user/password, then notice SSO fails with following message shown in browser address bar, even though you are sure the authenticated Subject in SAMLResponse is exactly the same ID as the user you manually created in XSA.
-------------------------
https://<FQDN>:<port>/login/callback?error=access_denied&error_description=SAML+user+does+not+exist.+You+can+correct+this+by+creating+a+shadow+user+for+the+SAML+user.
-------------------------
saml_error.png


Read more...

Environment

  • SAP HANA Extended Application Services, Advanced model - XSA

Product

SAP HANA, platform edition 2.0

Keywords

bad request, /uaa-security/saml/SSO/alias/XSA-saml, , KBA , BC-XS-SEC , UAA and Security for HANA XSA engine , BC-XS-RT , OP Runtime / XS Controller , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.