3330480 - Error 403 Unauthorized when enabling SAML SSO in SAP Datasphere

For SAML SSO (Single Sign-On) enablement in SAP Datasphere, configurations steps are followed as per Help Portal Documentation: Enabling a Custom SAML Identity Provider.

Still error 403 Unauthorized happens in step "Verify Account" after custom IdP (Identify Provider) logon.

SAP Datasphere

Missing mandatory attribute Groups with value "sac"

1. Configure attribute Groups with value set to sac (it's case sensitive!)
       
   Note!
   When using the SAP Cloud Identity Authentication Service as IdP, create the attribute Groups as Default Attributes.
   The remaining attributes should be mapped as Assertion Attributes.
   
   Note!
   Do NOT use attribute as "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Groups", whereas use just "Groups", removing the namespace. 
   
   
2. When using User Attribute as Email, attribute must be email (not "mail", nor "emailaddress")
   
   
3. When using User Attribute as NameID, NameID is case sensitive. The UserID, Email, or Custom SAML User Mapping must match the values in your SAML IdP exactly.
   For example, if the NameId returned by your SAML IdP is user@company.com and the email you used in SAP Datasphere is User@company.com the mapping will fail.   
4. When IAS is acting as a proxy and if identify federation option is turned on for the corporate IDP in IAS.
   • If user does not exist in IAS the corporate IDP should send the email and Groups mandatory attributes.
   • If the user exists in IAS then the Datasphere application in IAS should be configured to return the mandatory attributes.  
     

•  2922448 - SAML Attribute Mapping in SAP Analytics Cloud (SAC) & SAP Digital Boardroom Master KBA 
• Enable a Custom SAML identity Provider

dwc, data warehouse cloud, sso, saml, customidp, custom, idp, sac, verify your account, identity federation, SAML , KBA , DS-AUT , Authorizations (Locks, etc.) , Problem