SSO Troubleshooting: A different user with the email <> already exists
Learn how to troubleshoot this error.
Error
A user is attempting to single sign-on, authenticates successfully in the identity provider, and receives an error message in Foundry saying their email address already exists.
The organization has Just-in-time user provisioning enabled.
Explanation and Resolution
This is caused by either of the following two cases:
Case 1: Matching NameID
- The user logging in has a SAML Response NameID from the identity provider that matches an existing Foundry user. This means that Foundry was able to match the user.
- The Foundry IDP config has an Attribute Mapping for email address.
- The SAML Response contains an Attribute for the email address.
- The SAML Attribute Value for the email address is different from the email address of the matched Foundry user. In this event, Foundry attempts to update the Foundry user's email to the value provided in the SAML Attribute.
- There is a different user in Foundry with the same email address as the mapped email address in the SAML Response provided by the identity provider. This can happen if the person has a duplicate user account in Foundry (whether the duplicate user is active or inactive), or if an organization recycles email addresses and the previous person who held that email address also had a Foundry user.
- When Foundry attempts to update the email address of the user who just SSO'd, an error occurs because of the duplicate email address.
- As a result, Foundry does not save the user, rolls back the single sign-on attempt, and shows this error message to the learner who attempted to single sign-on.
Reason this error was triggered: When there is a mapped attribute for email and the SAML Response has a value for that Attribute, Foundry attempts to update the user's email address to that value. Foundry was not able to do this because of the duplicate email address held by a different user.
Resolution: In the duplicate user who has the same email address as the SAML Attribute, change that user's email address. Since email is a required field, you can make it a fake email address. Ultimately, you need to reconcile the problem that you have two Foundry users for the same person. Decide which user is going to be the "real" user for that person moving forward, and make sure the "real" user has the correct SSO ID and email address and that the "duplicate" user does not. This can get complicated if both users have training history that you want to preserve.
Example
The SAML Assertion contains the following two properties, and Foundry contains the following two users:
NameID: jdoe
Mapped Attribute for Email Address: jdoe@company.com
| Property | Foundry User A | Foundry User B |
|---|---|---|
| SSO ID | jdoe | null |
During SSO, User A was matched by NameID and SSO ID. Foundry then attempted to update User A's email to jdoe@company.com because of the included email Attribute. But that update to User A's email was forbidden because User B already has that email address. To resolve this issue, you must reconcile the conflict between User A and User B, who are duplicate users for the same person.
Case 2: No Matching NameID, Attempt to Create New User with Duplicate Email Address
- The user attempting to log in has a NameID that does not match the SSO ID of any existing Foundry user.
- In the identity provider configuration in Foundry, the "Allow automatic registration during SSO" checkbox is checked, so Foundry will create a new user.
- When Foundry attempts to create the new user, the email address provided in a mapped Attribute is already held by a user in Foundry, so Foundry errors when attempting to add the new user.
Resolution: Check the Foundry user who already has the email address. If that user has an SSO ID, ensure that the user attempting to log in has a matching NameID. It could be that there is a case difference between the NameID in the SAML Response and the Foundry user's SSO ID.
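To make both cases concrete, here is an added Python model of just-in-time provisioning. This is example code written for this article, not Foundry's own implementation; the `User`, `IdpConfig` and `SamlAssertion` types, the exact-match rule for NameID against SSO ID, and the case-insensitive email uniqueness rule are assumptions. `jit_provision` reproduces the Case 1 failure (matched user, email update blocked by a duplicate) and the Case 2 failure (no match, new-user creation blocked by a duplicate), and `diagnose` reports which case applies, who holds the email, and whether an existing SSO ID differs from the NameID only by case, which is the check the Case 2 resolution calls for.

```python
"""Model of just-in-time SSO provisioning, showing why the duplicate-email
error is raised and how to tell which case applies.

Added example; not Foundry's code. The types and matching rules below are
assumptions that follow the text of this article.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    user_id: str
    email: str                    # required field
    sso_id: Optional[str] = None
    active: bool = True           # duplicates count whether active or inactive


@dataclass
class IdpConfig:
    email_attribute: Optional[str] = "email"   # Attribute Mapping for email (None = not mapped)
    allow_auto_registration: bool = True        # "Allow automatic registration during SSO"


@dataclass
class SamlAssertion:
    name_id: str
    attributes: dict = field(default_factory=dict)


class DuplicateEmailError(Exception):
    """Raised before anything is saved, so the login attempt is rolled back."""


def find_by_sso_id(users, name_id):
    # Assumption: NameID is matched to SSO ID exactly (case-sensitive).
    return next((u for u in users if u.sso_id == name_id), None)


def find_by_email(users, email):
    # Assumption: email uniqueness is enforced case-insensitively.
    return next((u for u in users if u.email.lower() == email.lower()), None)


def mapped_email(assertion, config):
    if config.email_attribute is None:
        return None
    return assertion.attributes.get(config.email_attribute)


def jit_provision(assertion, users, config):
    """Return 'matched:<id>' or 'created:<id>'; raise DuplicateEmailError on conflict."""
    email = mapped_email(assertion, config)
    matched = find_by_sso_id(users, assertion.name_id)
    if matched is not None:
        # Case 1: NameID matched; a mapped email that differs triggers an update.
        if email and email.lower() != matched.email.lower():
            other = find_by_email(users, email)
            if other is not None and other.user_id != matched.user_id:
                raise DuplicateEmailError(
                    f"A different user with the email {email} already exists "
                    f"(user {other.user_id}); rolling back SSO for {matched.user_id}")
            matched.email = email   # reached only when no other user holds the email
        return f"matched:{matched.user_id}"
    # Case 2: no NameID match; a user is created only if auto-registration is on.
    if not config.allow_auto_registration:
        raise PermissionError("no matching user and automatic registration is disabled")
    if not email:
        raise ValueError("email is required and the assertion carries no mapped email")
    if find_by_email(users, email) is not None:
        raise DuplicateEmailError(
            f"A different user with the email {email} already exists; cannot create user")
    new_user = User(user_id=f"new-{len(users) + 1}", email=email, sso_id=assertion.name_id)
    users.append(new_user)
    return f"created:{new_user.user_id}"


def diagnose(assertion, users, config):
    """Report which case a duplicate-email error falls under and who holds the email."""
    email = mapped_email(assertion, config)
    matched = find_by_sso_id(users, assertion.name_id)
    holder = find_by_email(users, email) if email else None
    # Case 2 hint from the article: an SSO ID that differs from the NameID only by case.
    near = [u.user_id for u in users
            if u.sso_id and u.sso_id != assertion.name_id
            and u.sso_id.lower() == assertion.name_id.lower()]
    return {
        "case": "matching_nameid" if matched else "no_matching_nameid",
        "matched_user": matched.user_id if matched else None,
        "email_holder": holder.user_id if holder else None,
        "case_insensitive_sso_matches": near,
    }
```

Running `jit_provision` with the article's example (User A with SSO ID `jdoe`, User B holding `jdoe@company.com`) raises `DuplicateEmailError` and leaves User A's email untouched, which is the rollback the article describes; `diagnose` on the same input reports `matching_nameid` with User B as the email holder. Giving User B the SSO ID `JDOE` and no User A reproduces Case 2, and `diagnose` lists User B under `case_insensitive_sso_matches`.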