Symptom
SAML SSO has been set up between XSA and an external Identity Provider (such as Azure AD or Identity Authentication Service) following KBA 2569903 - How to configure SAML authentication on HANA XSA.
Due to business needs, external Identity Provider users must not be created automatically in XSA, so the option "Create shadow users during login" was manually unticked. The user was then created manually in XSA, for example via XSA Cockpit -> User Management -> New User/Migrate SAP HANA User, and assigned the relevant role collection.
When you log in to an XSA application such as HANA Cockpit with the external Identity Provider user and password, SSO fails with the following message shown in the browser address bar, even though you are sure the authenticated Subject in the SAMLResponse is exactly the same ID as the user you manually created in XSA.
-------------------------
https://<FQDN>:<port>/login/callback?error=access_denied&error_description=SAML+user+does+not+exist.+You+can+correct+this+by+creating+a+shadow+user+for+the+SAML+user.
-------------------------
Environment
- SAP HANA Extended Application Services, Advanced model - XSA
Product
Keywords
bad request, /uaa-security/saml/SSO/alias/XSA-saml, KBA, BC-XS-SEC, UAA and Security for HANA XSA engine, BC-XS-RT, XS Advanced Runtime / XS Controller, Problem
About this page
This is a preview of a SAP Knowledge Base Article. The full version is available on SAP for Me (login required).