3719831 - SAML users are unable to login with a new email due to error 403041 (Account Disabled) after the SAML identity in the existing SAML account with an old email is deleted and the old account is set as inactive

Symptom

Users experience error 403041 (Account Disabled) when attempting to sign in via SAML (SSO) with a new email address after their old SAML account has been disabled and the SAML identity removed.
The system attempts to link the SAML authentication to the old user account associated with the previous email address, despite the SAML identity being removed from the old account.
Audit logs indicate that the SAML assertion contains the new email address but still links to the old user account's UID.

Environment

SAP Customer Data Cloud
SAML

Product

SAP Customer Data Cloud all versions

Keywords

SAML login, error 403041, account disabled, SAP customer data cloud, SSO issue, new email address, old user account, SAML identity, Provider UID, NameID mapping, attribute mapping, SAP CDC, user authentication, login failure, gigya , KBA , CEC-PRO-CON , Admin Console (Settings, Administration, Queries / Reports) , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.