3586986 - Configuration issues and unauthorization errors occured when clicking the verification button during the SAML SSO configuration in SAP Datasphere

When the System Owner of Datasphere tenant clicks the verification button when configuring SAML SSO, the following error messages and pop-up window are displayed:

• We've encountered an unexpected issue
• Please try again later or contact your system administrator if the problem persists
• It seems your profile is not configured for this system
• Unauthorized

SAP Datasphere

To ensure seamless authentication and metadata synchronization between a Custom IDP and SAP Datasphere, follow these key configuration requirements:

Metadata Requirements

• Ensure the correct metadata is uploaded from the Custom IDP to Datasphere.

• Verify that the certificate within the metadata is not expired.

Attribute Configuration

• Configure the Groups attribute with the value set to "sac" (case-sensitive) on IDP side.

• If using SAP Cloud Identity Authentication Service (IAS) as the IdP, create the Groups attribute under Default Attributes and set the Expression (as a source) to "sac".

NameID Configuration

• Ensure the correct NameID is passed from the Custom IDP to Datasphere.

• If using Email as the NameID, the case must match between the Custom IDP and Datasphere.

• If using User ID as the NameID, ensure it is in all capital letters.

SAML Verification

• When configuring SAML within Datasphere, always run the verification URL in an Incognito browser window to prevent session conflicts and caching.

For more detailed overview, refer to the guide for configuration SAML SSO with IAS as a corporate IDP: How To Enable SAML SSO with IAS as Custom IdP

Help guide: Enable a Custom SAML Identity Provider 

sap datasphere, dwc, ds, dsp, saml, sso, configuration, idp, unauthorized , KBA , DS-SEC , Security (Users, Roles) , DS-AUT , Authorizations (Locks, etc.) , Problem