SAP Knowledge Base Article - Public

3732468 - [KNOWN ISSUE] Long time for changes to SAML role mapping to be in effect

Symptom

Any resource that was recently added via scoped role mapping, such as a newly created space or sometimes even access to Datasphere itself, takes a long time to become available to users.

Environment

SAP Datasphere

Reproducing the Issue

  1. Add new privileges to users via a recently changed SAML role mapping.
  2. Notice that the changes take upwards of one hour to take effect.

Cause

This is a known issue with SAML role mappings based on custom attributes not working on a given DSP tenant.

The user's SAML role mappings are updated correctly one hour after the CIS group changes are made. The delay occurs because Datasphere uses the privileges from the UMS user session, which is cached for one hour. When UMS returns session privileges from the cache, the SAML role mappings are not updated. Therefore, if a user logs into Datasphere without adequate privileges to access the UI, they will continue to be blocked from accessing the UI until the UMS session cache is cleared, even if their SAML assertion has been updated to contain the required role mapping. This problem does not occur in SAC because SAC allows users to log into the UI without any roles and calls the session logon endpoint, which updates the SAML role mappings.
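
The caching behaviour described above, as a simplified Python model added here for illustration (it is not SAP code). The class and function names, the `DW_UI_ACCESS` privilege and the user are hypothetical, and the model assumes the one-hour window starts when the session is first cached.

```python
# Simplified model of the behaviour described in the Cause section.
# Not SAP code: all names and the "DW_UI_ACCESS" privilege are hypothetical.
CACHE_TTL = 3600  # seconds; the article states the UMS session is cached for one hour


class UmsSessionModel:
    """Toy stand-in for UMS: caches each user's session privileges for CACHE_TTL."""

    def __init__(self):
        self._cache = {}  # user -> (privileges, cached_at)

    def session_privileges(self, user, assertion_roles, now):
        """Return cached privileges while the entry is fresh; the assertion is ignored."""
        entry = self._cache.get(user)
        if entry and now - entry[1] < CACHE_TTL:
            return entry[0]
        return self.session_logon(user, assertion_roles, now)

    def session_logon(self, user, assertion_roles, now):
        """Re-apply the SAML role mapping from the assertion and refresh the cache."""
        privileges = frozenset(assertion_roles)
        self._cache[user] = (privileges, now)
        return privileges


def datasphere_login(ums, user, assertion_roles, now):
    """Datasphere path: UI access is decided from the (possibly cached) session."""
    return "DW_UI_ACCESS" in ums.session_privileges(user, assertion_roles, now)


def sac_login(ums, user, assertion_roles, now):
    """SAC path: login is allowed without roles, then session logon updates the mapping."""
    return ums.session_logon(user, assertion_roles, now)


def timeline():
    """Constructed scenario: the role mapping changes shortly after a failed login at t=0."""
    ums, old, new = UmsSessionModel(), [], ["DW_UI_ACCESS"]
    return [
        datasphere_login(ums, "alice", old, now=0),     # no role yet: blocked, cached
        datasphere_login(ums, "alice", new, now=600),   # assertion updated, cache stale
        datasphere_login(ums, "alice", new, now=3599),  # still inside the cached hour
        datasphere_login(ums, "alice", new, now=3600),  # cache expired: mapping applied
    ]


if __name__ == "__main__":
    print(timeline())
```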

Resolution

For now, you need to allow for the time it takes for changes to take effect.

Our development team is currently investigating possible solutions to this issue.

Further updates will be shared here once further information is available.

See Also

scoped roles, SAML mapping, space unavailable, user not authenticated, CIS group, custom attributes

Keywords

KBA, DS-SEC-AUTN, Authentication: SSO/SAML, OAuth Client, Problem

Product

SAP Datasphere 1.0