SAP Knowledge Base Article - Public

3330480 - Error 401 Unauthorized when enabling SAML SSO in SAP Datasphere

Symptom

For SAML SSO (Single Sign-On) enablement in SAP Datasphere, the configuration steps are followed as per the Help Portal documentation: Enabling a Custom SAML Identity Provider.

Still, error 401 Unauthorized occurs in the step "Verify Account" after the custom IdP (Identity Provider) logon.

Environment

SAP Datasphere

Cause

The mandatory attribute Groups with the value "sac" is missing from the SAML assertion.

Resolution

  1. Configure attribute Groups with value set to sac (it's case sensitive!)
        
    Note!
    When using the SAP Cloud Identity Authentication Service as IdP, create the attribute Groups as Default Attributes.
    The remaining attributes should be mapped as Assertion Attributes.

    Note!
    Do NOT name the attribute "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Groups"; use just "Groups", without the namespace.

  2. When using Email as the User Attribute, the attribute must be named email (not "mail" or "emailaddress").

  3. When using NameID as the User Attribute: NameID is case sensitive. The UserID, Email, or Custom SAML User Mapping must match the values in your SAML IdP exactly.
    For example, if the NameID returned by your SAML IdP is user@company.com and the email you used in SAP Datasphere is User@company.com, the mapping will fail.

  4. When IAS is acting as a proxy and the identity federation option is turned on for the corporate IdP in IAS:
    • If the user does not exist in IAS, the corporate IdP must send the mandatory attributes email and Groups.
    • If the user exists in IAS, the Datasphere application in IAS must be configured to return the mandatory attributes.
     

Note!
While this document mostly discusses IAS, the case sensitivity checks and mandatory attributes apply to other IdPs as well.
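The following Python script is an added example, not part of this KBA and not SAP tooling. It parses a SAML 2.0 assertion and reports the three misconfigurations the resolution steps describe: a missing, namespaced, or wrongly cased Groups attribute; an email attribute sent under the wrong name; and a NameID that differs from the Datasphere user value only in case. The two assertions embedded below are constructed samples (issuer, user and values are made up), and the function and finding texts are this example's own.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
WS_CLAIMS_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample: namespaced Groups, wrong case value, attribute named "mail".
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject><saml:NameID>user@company.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Groups">
      <saml:AttributeValue>SAC</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>user@company.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample that satisfies every check in the resolution steps.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed2" Version="2.0">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject><saml:NameID>user@company.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups"><saml:AttributeValue>sac</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>user@company.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(assertion_xml):
    """Return (name_id, attributes); attributes maps attribute Name -> list of values."""
    root = ET.fromstring(assertion_xml)
    name_id_el = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() if v.text else "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attributes


def check_assertion(assertion_xml, user_attribute="NameID", expected_user=None):
    """Return a list of findings; an empty list means the assertion passes all checks."""
    name_id, attributes = parse_assertion(assertion_xml)
    findings = []

    # Step 1: Groups must be present, without namespace, with the exact value "sac".
    if "Groups" not in attributes:
        namespaced = [n for n in attributes if n.endswith("/Groups")]
        if namespaced:
            findings.append(f"Groups attribute is namespaced ({namespaced[0]}); rename it to plain 'Groups'")
        else:
            findings.append("mandatory attribute Groups is missing")
    elif "sac" not in attributes["Groups"]:
        wrong_case = [v for v in attributes["Groups"] if v.lower() == "sac"]
        if wrong_case:
            findings.append(f"Groups value {wrong_case[0]!r} is not 'sac' (value is case sensitive)")
        else:
            findings.append(f"Groups does not contain the value 'sac' (found {attributes['Groups']})")

    # Step 2: with Email as User Attribute, the attribute must be named exactly "email".
    if user_attribute == "Email" and "email" not in attributes:
        lookalikes = [n for n in attributes if n.lower() in ("mail", "emailaddress", "email")]
        if lookalikes:
            findings.append(f"email attribute is sent as {lookalikes[0]!r}; it must be named 'email'")
        else:
            findings.append("email attribute is missing")

    # Step 3: with NameID as User Attribute, NameID must match the Datasphere value exactly.
    if user_attribute == "NameID" and expected_user is not None:
        if name_id is None:
            findings.append("assertion carries no NameID")
        elif name_id != expected_user:
            if name_id.lower() == expected_user.lower():
                findings.append(f"NameID {name_id!r} differs from Datasphere value {expected_user!r} only in case; mapping fails")
            else:
                findings.append(f"NameID {name_id!r} does not match Datasphere value {expected_user!r}")
    return findings


if __name__ == "__main__":
    for label, xml, attr, user in (("bad/NameID", BAD_ASSERTION, "NameID", "User@company.com"),
                                   ("bad/Email", BAD_ASSERTION, "Email", None),
                                   ("good/NameID", GOOD_ASSERTION, "NameID", "user@company.com")):
        print(label, check_assertion(xml, attr, user) or "OK")
```

Paste the decoded assertion from a browser SAML trace into the script in place of the constructed sample to see which of the resolution steps the IdP configuration still violates before retrying "Verify Account".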

Keywords

dwc, data warehouse cloud, sso, saml, customidp, custom, idp, sac, verify your account, identity federation, SAML, 403 forbidden, KBA, DS-SEC-AUTN, Authentication: SSO/SAML, OAuth Client, Known Error

Product

SAP Datasphere all versions