Duplicate user errors when setting up a SAML Authentication to replace an existing Token-Based SSO


  • When setting up SAML authentication to replace an existing Token-Based SSO, errors appear stating that the user and/or email address is already in use. 
    • A user with company 1xxxx and email address test@liferay.com is already in use
  • Updating the email address and creating the user initially via SAML fixed the issue, but when logging back in, the SAML user isn't recognized and the system tries to create a new account. 


  • DXP 7.2


  • A workaround is available: configure SAML to use emailAddress instead of screenName as the NameId. The steps below reproduce the error and then apply the configuration change that produces a successful login. 
    1. Set up Liferay instances as SP and IDP, using screenName as the NameId
    2. Create a user on the SP with the following credentials
      screenname: user2
      email address: user1@liferay.com
      first name: u1
      last name: u1
      password: test
    3. Create a user on the IDP with the following credentials
      screenname: user1
      email address: user1@liferay.com
      first name: u1
      last name: u1
      password: test
    4. Open a new browser session (different browser/incognito) and access the SP
    5. Click “Sign In” => You are redirected to the IDP
    6. Sign in with user1@liferay.com 
      Result: Login fails. The log shows the following:
      2023-09-20 16:41:59.039 ERROR [http-nio-8080-exec-7][BaseSamlStrutsAction:59] A user with company 20101 and email address user1@liferay.com is already in use
    7. Change the SAML config on both SP and IDP to use emailAddress as the NameId
    8. Access the SP and sign in with user1@liferay.com 
      Result: Successful login
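
A pre-migration check based on the reproduction above, as an added example (not Liferay code): it lists the IDP accounts that would hit the "already in use" error for a given NameId attribute. It assumes SP and IDP users exported as dictionaries with `screenName` and `emailAddress` keys, and models the SP as resolving an existing account by the NameId value only; the function name and the sample records are constructed.

```python
# Added example. The lookup model (SP matches an existing account by the NameId
# value only, then fails on a duplicate email) is an assumption inferred from
# the reproduction steps; case-insensitive comparison is also an assumption.

# Constructed sample data mirroring steps 2 and 3, plus one consistent account.
SP_USERS = [
    {"screenName": "user2", "emailAddress": "user1@liferay.com"},
    {"screenName": "user3", "emailAddress": "user3@liferay.com"},
]
IDP_USERS = [
    {"screenName": "user1", "emailAddress": "user1@liferay.com"},
    {"screenName": "user3", "emailAddress": "user3@liferay.com"},
]


def nameid_conflicts(sp_users, idp_users, nameid_attr):
    """Return IDP users whose NameId matches no SP user while their email
    address is already taken by a different SP account."""
    sp_by_nameid = {u[nameid_attr].lower() for u in sp_users}
    sp_by_email = {u["emailAddress"].lower(): u for u in sp_users}
    conflicts = []
    for idp_user in idp_users:
        if idp_user[nameid_attr].lower() in sp_by_nameid:
            continue  # the SP finds the existing account, login proceeds
        clash = sp_by_email.get(idp_user["emailAddress"].lower())
        if clash is not None:
            # No account for this NameId, but the email is taken: creating
            # the user on the SP would fail as in step 6.
            conflicts.append({
                "nameId": idp_user[nameid_attr],
                "emailAddress": idp_user["emailAddress"],
                "spScreenName": clash["screenName"],
            })
    return conflicts


if __name__ == "__main__":
    for attr in ("screenName", "emailAddress"):
        found = nameid_conflicts(SP_USERS, IDP_USERS, attr)
        print(f"NameId = {attr}: {len(found)} conflict(s)")
        for c in found:
            print(f"  {c['nameId']} -> email {c['emailAddress']} is held by "
                  f"SP user {c['spScreenName']}")
```

Running it against real exports before switching from Token-Based SSO shows whether the accounts line up on the chosen NameId attribute.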

