How To Fix WSS030 - No unique mapping for SAML authentication found (Issuer &3)

SAP Error Message:

WSS030 No unique mapping for SAML authentication found (Issuer &3)

Cause
This error occurs during SAML (Security Assertion Markup Language) authentication in SAP when the system tries to identify a user based on the SAML assertion but finds multiple or no unique mappings for the given SAML issuer. Specifically:

The SAML issuer (the Identity Provider, IdP) sent an assertion.
SAP tries to map the SAML assertion to a user in its system.
The mapping configuration in SAP is ambiguous or missing, resulting in no unique user mapping.
This can happen if:

Multiple users are mapped to the same SAML issuer and attribute.
The mapping configuration is incomplete or incorrect.
The SAML assertion does not contain the expected attributes or identifiers.
The SAML issuer name in the assertion does not match the configured issuer in SAP.




Explanation
In SAP SAML authentication, the system uses a mapping configuration to link the SAML assertion attributes (like NameID, email, or other attributes) to SAP user IDs. This mapping is defined in the SAP system (e.g., in transaction SAML2 or via configuration in the SAML 2.0 Identity Provider setup).
If the system cannot find a unique user mapping for the given issuer and attribute, it cannot authenticate the user, hence the error.

Solution


Check SAML 2.0 Configuration in SAP:

Go to transaction SAML2.
Check the Identity Provider (IdP) configuration.
Verify the Issuer name matches exactly the issuer in the SAML assertion.
Check the User Mapping settings:

Ensure that the attribute used for mapping (e.g., NameID, email, or a custom attribute) is correctly configured.
Make sure the mapping is unique and points to exactly one SAP user.





Verify User Mapping:

Check if multiple SAP users are mapped to the same SAML attribute value.
If yes, adjust the mapping so that each SAML attribute value corresponds to a unique SAP user.



Check the SAML Assertion:

Use SAML tracing tools (e.g., browser SAML tracer plugins) to inspect the SAML assertion.
Confirm the issuer and attributes sent by the IdP.
Ensure the attributes used for mapping are present and correctly formatted.



Adjust or Create User Mapping:

If no mapping exists, create a new mapping rule in SAP.
If multiple mappings exist, refine the mapping criteria to ensure uniqueness.



Synchronize User Data:

If user attributes have changed in the IdP, update SAP user master data accordingly.



Check SAP Notes and Documentation:

Review SAP Notes related to SAML authentication and this error message for any patches or updates.




Related Information

Transaction: SAML2 — Used to configure SAML 2.0 settings in SAP.
SAP Help: SAML 2.0 Authentication in SAP NetWeaver.
Common Attributes for Mapping: NameID, email, UserPrincipalName, or custom attributes.
SAP Notes: Search for notes related to WSS030 or SAML authentication issues.
Tools: Use SAML tracer browser extensions to debug SAML assertions.


Summary



Aspect
Details




Cause
No unique user mapping found for the SAML issuer and attribute during authentication.


Effect
User cannot be authenticated via SAML; error WSS030 is raised.


Solution
Verify and correct SAML IdP issuer name, user mapping configuration, and SAML assertion.


Tools
SAP transaction SAML2, SAML tracer tools, SAP Notes.




If you need further assistance, please provide:

The SAML assertion details (issuer, attributes).
Current SAP SAML mapping configuration.
SAP system version and patch level.