Issue
- When trying to set up SAML authentication to replace an existing token-based SSO, login fails with an error stating that the user and/or email address is already in use:
  A user with company 1xxxx and email address test@liferay.com is already in use
- Updating the email address and creating the user initially via SAML fixed the issue, but when logging back in with the SAML user it is not recognized and Liferay tries to create a new account.
Environment
- DXP 7.2
Resolution
- The error occurs when the SAML Name Identifier (NameID) is matched on screenName: if the NameID sent by the IdP does not match an existing user on the SP, Liferay tries to create a new user with the email address carried in the assertion, and that address already belongs to an existing SP user. Configuring both the SP and the IdP to use emailAddress as the NameID makes the SP match the existing account instead. The following steps reproduce the error and the fix:
1. Set up two Liferay instances, one as SP and one as IdP, and configure both to use screenName as the NameID.
2. Create a user on the SP with the following credentials:
   screen name: user2
   email address: user1@liferay.com
   first name: u1
   last name: u1
   password: test
3. Create a user on the IdP with the following credentials:
   screen name: user1
   email address: user1@liferay.com
   first name: u1
   last name: u1
   password: test
4. Open a new browser session (different browser or incognito window) and access the SP.
5. Click "Sign In". You are redirected to the IdP.
6. Sign in with user1@liferay.com.
   Result: Login fails. The log shows the following:
   2023-09-20 16:41:59.039 ERROR [http-nio-8080-exec-7][BaseSamlStrutsAction:59] A user with company 20101 and email address user1@liferay.com is already in use
7. Change the SAML configuration on both SP and IdP to use emailAddress as the NameID.
8. Access the SP and sign in with user1@liferay.com.
   Result: Successful login.
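The following Python script is an added example, not code from the article or from Liferay, that models the SP-side user resolution the reproduction above exercises. It builds a constructed, unsigned SAML assertion for the IdP user (`user1` / `user1@liferay.com`), then resolves it against an in-memory stand-in for the SP user table that already holds `user2` with the same email address. The lookup key follows the NameID format: a screenName NameID finds no SP user, so the model auto-provisions one and hits the duplicate email; an emailAddress NameID matches the existing `user2` account. `UserStore`, `resolve_user`, the company ID `20101` and the attribute names are assumptions for illustration and do not reflect Liferay's internal classes.

```python
"""Model of SAML SP user resolution that reproduces the
'email address is already in use' failure and the emailAddress NameID fix.
Constructed example; not Liferay's implementation."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


class DuplicateEmailError(Exception):
    """Raised when SP-side auto-provisioning hits an email that already exists."""


@dataclass
class User:
    screen_name: str
    email_address: str
    first_name: str
    last_name: str


@dataclass
class UserStore:
    """Hypothetical in-memory stand-in for the SP's user table."""
    company_id: int
    users: list = field(default_factory=list)

    def by_screen_name(self, screen_name: str) -> Optional[User]:
        return next((u for u in self.users if u.screen_name == screen_name), None)

    def by_email(self, email_address: str) -> Optional[User]:
        return next((u for u in self.users
                     if u.email_address.lower() == email_address.lower()), None)

    def add(self, user: User) -> User:
        # Email addresses are unique per company; creation fails on a collision.
        if self.by_email(user.email_address) is not None:
            raise DuplicateEmailError(
                f"A user with company {self.company_id} and email address "
                f"{user.email_address} is already in use")
        self.users.append(user)
        return user


def build_assertion(name_id: str, name_id_format: str, attrs: dict) -> str:
    """Constructed, unsigned assertion carrying a NameID plus user attributes."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(root, f"{{{SAML_NS}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML_NS}}}NameID", Format=name_id_format)
    nid.text = name_id
    stmt = ET.SubElement(root, f"{{{SAML_NS}}}AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def parse_assertion(xml_text: str):
    """Extract (NameID value, NameID format, attribute dict) from the assertion."""
    root = ET.fromstring(xml_text)
    nid = root.find("saml:Subject/saml:NameID", NS)
    if nid is None or not nid.text:
        raise ValueError("assertion has no NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    return nid.text, nid.get("Format", NAMEID_UNSPECIFIED), attrs


def resolve_user(store: UserStore, xml_text: str):
    """Match an SP user by the NameID; auto-provision from attributes if unknown."""
    name_id, fmt, attrs = parse_assertion(xml_text)
    # The join key depends on the NameID format agreed between IdP and SP.
    if fmt == NAMEID_EMAIL:
        user = store.by_email(name_id)
    else:
        user = store.by_screen_name(name_id)
    if user is not None:
        return user, "matched"
    # Unknown NameID: create the user from the assertion's attributes.
    user = User(attrs.get("screenName") or name_id, attrs["emailAddress"],
                attrs.get("firstName", ""), attrs.get("lastName", ""))
    return store.add(user), "created"


# Constructed data mirroring steps 2 and 3 of the reproduction.
IDP_ATTRS = {"screenName": "user1", "emailAddress": "user1@liferay.com",
             "firstName": "u1", "lastName": "u1"}


def sp_store() -> UserStore:
    return UserStore(20101, [User("user2", "user1@liferay.com", "u1", "u1")])


def reproduce() -> dict:
    """Run both NameID configurations against a fresh SP store."""
    outcomes = {}
    try:  # step 6: screenName as NameID
        user, how = resolve_user(
            sp_store(), build_assertion("user1", NAMEID_UNSPECIFIED, IDP_ATTRS))
        outcomes["screenName"] = f"{how} {user.screen_name}"
    except DuplicateEmailError as exc:
        outcomes["screenName"] = f"error: {exc}"
    # step 8: emailAddress as NameID
    user, how = resolve_user(
        sp_store(), build_assertion("user1@liferay.com", NAMEID_EMAIL, IDP_ATTRS))
    outcomes["emailAddress"] = f"{how} {user.screen_name}"
    return outcomes


if __name__ == "__main__":
    for config, outcome in reproduce().items():
        print(f"{config} NameID -> {outcome}")
```

Note that in the emailAddress case the session belongs to the SP account `user2`, because the email address is the join key and the IdP's screen name `user1` is never consulted. When migrating from token-based SSO, check that every SP user's email address matches the IdP's before switching the NameID, since a mismatch will again fall through to auto-provisioning.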