2824009 - Some users get the error "It seems you profile is not configured for this system" when logging into SAP Analytics Cloud configured with Custom SAML Authentication

Symptom

Some users get the error "It seems you profile is not configured for this system" when logging in SAP Analytics Cloud (SAC) configured with custom SAML Authentication identity provider (IdP).
"Your user account has been updated. You'll need to log on with the following identification from now on"

Environment

SAP Analytics Cloud
Custom SAML IdP
non-SAP data center (Cloud Foundry)

Reproducing the Issue

Successfully switch SAC to a Custom SAML Identity Provider.
All users are able to log in except some users who get the error "It seems you profile is not configured for this system".
As per KBA 2656152, you are able to verify the <NameID> attribute value in the SAML Assertion returned from the IDP.
It matches with the corresponding User Attribute (either User ID, e-mail, or Custom SAML User Mapping) selected for Custom SAML configuration in the Security > Users page.
Try to convert back to the default SAP Analytics Cloud IdP and then you switch back to the Custom IDP, but it does not help.

Cause

There was once a case change of <NameID> attribute value of invalid users in the Custom Identity Provider, for example from uppercase to lowercase.
SAP Cloud Platform was caching their <nameID> in uppercase, although both the SAC Users page and <NameID> value in the SAML Assertion were lowercase.
You can verify whether there is a cached <NameID> value by following the steps below:

Retrieve the SAP Cloud Platform User Account and Authentication (UAA) information of problematic user who fails to logon to SAC:

The UAA User Information page can be accessed via this URL pattern: https://<tenant>.authentication.<landscape>.hana.ondemand.com/config?action=who
For example, if your SAC URL is https://test-eu.eu10.sapanalytics.cloud, then the information page can be found at https://test-eu.authentication.eu10.hana.ondemand.com/config?action=who.
Navigating to this URL will cause a redirection to your custom SAML IdP for authentication, and proceed to log in.
UAA User Information displays as below. Pay attention to userName field:

userName value (SAP Cloud Platform UAA Information) is case-insensitive but the SAC Users page (HANA user's external identity) is case-sensitive.
These two values must be exactly matched for the login to succeed.
In the sample above:

userName value : Firstname.Lastname@company.com
user's e-mail in SAC > Users page : firstname.lastname@company.com
<NameID> value in SAML Assertion : <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">firstname.lastname@company.com</NameID>

Resolution

Manually change the SAC > Users page to make it match with the UAA userName value for failing users. After that, the user should be able to successfully login, and it should flush the cache.
If it still does not work, please contact SAP Product Support team with component LOD-ANA-AUT, and include the three values of each failed user. SAP will clear the cache for those users.

A permanent fix is planned for Q3 for newly created tenants, however, this is on a best endeavor basis and not a guarantee of delivery in this release. The targeted release may change without prior notification.

Keywords

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, EPM-ODS, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics, UAA, XSUAA, ad fs, okta, adfs, azure, email, shadow user, cache, user cache , KBA , analytics cloud "it seems your profile i , "it seems your profile is not configured , for this system" , upper , lower , cache , sac saml sso configuration , LOD-ANA-AUT , SAC Authentication / Login , LOD-ANA-ADM , SAC Administration , Problem

Product

SAP Analytics Cloud 1.0