3536251 - Error "Unauthorized" when creating SAC as Remote System in Catalog of SAP Datasphere

• For monitoring SAP Analytics Cloud in SAP Datasphere, configurations steps are followed as per Help Portal Documentation:
  Connecting to an SAP Analytics Cloud Tenant.
  SAC needs to be created as a Remote System for Metadata Extraction.
  
  
  • In step 7 "Authenticate Now" of "Connecting to an SAP Analytics Cloud Tenant",
    the error Unauthorized happens when authenticating the source system user after logging on to the source tenant
    and it fails with "Authenticated system user could not be found" as below:
    
    

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental." 

SAP Datasphere

1. In the side navigation area, click (Catalog) -> (Monitoring).
2. In the System table, select + (Create System).
3. In the System Type field, select SAP Analytics Cloud.
4. In the Name field, type a name to identify the tenant.
5. In the UUID field, enter the tenant identifier.
6. (Optional) To automatically publish objects from the source system to the catalog every time the catalog synchronizes with the source system, select the Enable Auto Publishing to the Catalog checkbox.
7. Select Authenticate Now.
   A dialog with instructions on how to authenticate the user for the source system appears. Follow the instructions for authenticating the source system user.
   1. In the Authenticate System User dialog, click (Copy) to copy the link for authenticating the system user.
   2. Open a private browsing window and paste the link in the address bar.
   3. Log on to the tenant.
   4. After the source system user is authenticated and you see the confirmation message, close the private browsing window.
   5. When you are back on the Authenticate System User dialog, select Confirm Authentication.
8. Back on the Create System dialog, select Create.

Missing mandatory attribute Groups with value "sac".

Be aware that:

1. Groups=sac is not mandatory for SAC login.
   This attribute is only mandatory in SAC in case SAML user attributes need to be propagated from the SAML assertion to SAC. 
   If you never used this, the issue would not have been caught so far.
   
   
2. Groups=sac is mandatory by Datasphere's microservices, including the metadata extraction.
   So login to DSP tenants always require Groups=sac.

In this workflow, login is to SAC but then routed to a DSP microservice, thereby adding the Groups=sac as a mandatory requirement.

• Configure attribute Groups with value set to sac (it's case sensitive!)
• In the SAC IdP config for your SAC tenant, it is required to set the "Groups" attribute with the value "sac"

• Enabling a Custom SAML Identity Provider | SAP Help Portal 
• Connecting to an SAP Analytics Cloud Tenant | SAP Help Portal
• 3330480 Error 403 Unauthorized when enabling SAML SSO in SAP Datasphere
• 3512292 SSO in Datasphere with IAS IdP fails with Unauthorized 401 error

dwc, data warehouse cloud, sso, saml, customidp, custom, idp, ias, SAP analytics cloud, sac, Authenticated system user could not be found, catalog , KBA , DS-CAT , Unified Cataloguing solution , Problem