SAP Knowledge Base Article - Public

3330480 - Error 403 Unauthorized when enabling SAML SSO in SAP Datasphere


To enable SAML SSO (Single Sign-On) in SAP Datasphere, the configuration steps were followed as per the Help Portal documentation: Enabling a Custom SAML Identity Provider.

Error 403 Unauthorized still occurs in the step "Verify Account" after logging on to the custom IdP (Identity Provider).


SAP Datasphere


Missing mandatory attribute Groups with value "sac"


  1. Configure attribute Groups with value set to sac (it's case sensitive!)
    When using the SAP Cloud Identity Authentication Service as IdP, create the attribute Groups as Default Attributes.
    The remaining attributes should be mapped as Assertion Attributes.

    Do NOT use the attribute as ""; instead, use just "Groups", removing the namespace.

  2. When using User Attribute as Email, attribute must be email (not "mail", nor "emailaddress")

  3. When using User Attribute as NameID, NameID is case sensitive. The UserID, Email, or Custom SAML User Mapping must match the values in your SAML IdP exactly.
    For example, if the NameId returned by your SAML IdP is and the email you used in SAP Datasphere is the mapping will fail.    
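
The three checks above can be run against a SAML assertion captured from your own IdP before retrying "Verify Account". The following is an added example, not SAP code; the function names, the `example.test` claim namespace and all sample values are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def check_assertion(xml_text, user_attribute, expected_user):
    """Return the problems that would break the mapping described in this KBA.
    user_attribute is "email" or "nameid"; expected_user is the value stored
    for the user in SAP Datasphere. Parse only assertions you captured yourself."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): [v.text or "" for v in a.iter(SAML + "AttributeValue")]
             for a in root.iter(SAML + "Attribute")}
    problems = []
    # Step 1: the attribute must be named exactly "Groups" and carry the value "sac".
    if "Groups" not in attrs:
        near = [n for n in attrs if n and n.lower().endswith("groups")]
        problems.append(f"Groups attribute missing (found instead: {near})")
    elif "sac" not in attrs["Groups"]:
        problems.append(f"Groups has no value 'sac' (case sensitive): {attrs['Groups']}")
    # Steps 2 and 3: the user identifier must match exactly, including case.
    if user_attribute == "email":
        if "email" not in attrs:
            problems.append("attribute 'email' missing ('mail'/'emailaddress' not accepted)")
        elif expected_user not in attrs["email"]:
            problems.append(f"email {attrs['email']} != {expected_user!r}")
    elif user_attribute == "nameid":
        name_id = root.findtext(f".//{SAML}NameID", default="")
        if name_id != expected_user:
            problems.append(f"NameID {name_id!r} != {expected_user!r} (case sensitive)")
    return problems

def sample(groups_name, groups_value, mail_name, name_id):
    # Constructed, unsigned assertion fragment with placeholder values only.
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{groups_name}"><saml:AttributeValue>{groups_value}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{mail_name}"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

GOOD = sample("Groups", "sac", "email", "jane.doe@example.com")
BAD = sample("http://example.test/claims/Groups", "SAC", "mail", "Jane.Doe@example.com")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        for mode in ("email", "nameid"):
            print(label, mode, check_assertion(doc, mode, "jane.doe@example.com"))
```

An empty list means the assertion satisfies the attribute requirements listed in this article; it does not validate the signature or any other part of the SAML response.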


dwc, data warehouse cloud, sso, saml, customidp, custom, idp, sac, verify your account , KBA , DS-AUT , Authorizations (Locks, etc.) , Problem


SAP Datasphere all versions