Legacy Knowledge Base
Published Jun. 30, 2025

Duplicate user errors when setting up a SAML Authentication to replace an existing Token-Based SSO

Written By

Adrienne Lao

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

Issue

  • When trying to set up SAML authentication to replace an existing Token-Based SSO, errors appear stating that the user and/or email address is already in use, for example:
    • A user with company 1xxxx and email address test@liferay.com is already in use
  • Updating the email address and initial user creation via SAML fixed the issue, but when logging back in with the SAML user, the user isn't recognized and Liferay tries to create a new account.

Environment

  • DXP 7.2

Resolution

  • A workaround is available that should fix this behavior in your instance: changing the SAML NameID configuration as described below produces a successful login. Steps 1-6 reproduce the error; steps 7-8 apply the workaround.
    1. Set up Liferay instances as SP and IDP, using screenName as the NameID.
    2. Create a user on the SP with the credentials below:
      screenname: user2
      email address: user1@liferay.com
      first name: u1
      last name: u1
      password: test
    3. Create a user on the IDP with the credentials below:
      screenname: user1
      email address: user1@liferay.com
      first name: u1
      last name: u1
      password: test
    4. Open a new browser session (different browser or incognito window) and access the SP.
    5. Click "Sign In". You are redirected to the IDP.
    6. Sign in with user1@liferay.com.
      Result: Login fails. The log shows the following:
      2023-09-20 16:41:59.039 ERROR [http-nio-8080-exec-7][BaseSamlStrutsAction:59] A user with company 20101 and email address user1@liferay.com is already in use
    7. Change the SAML configuration on both SP and IDP to use emailAddress as the NameID.
    8. Access the SP and sign in with user1@liferay.com.
      Result: Successful login.
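To illustrate why step 7 works, here is an added Python model (not Liferay's code) of how an SP maps a SAML NameID to a local user and falls back to provisioning when nothing matches. User, resolve_saml_user and login are hypothetical names, and the sample users are constructed from steps 2 and 3.

```python
from dataclasses import dataclass

COMPANY_ID = 20101  # company id taken from the article's log line

@dataclass
class User:
    screen_name: str
    email: str

class DuplicateUserError(Exception):
    """Provisioning would reuse an email address the SP already holds."""

def resolve_saml_user(sp_users, name_id_attr, name_id_value, idp_user):
    """Map a SAML NameID to an SP user (hypothetical simplification).
    name_id_attr is "screenName" or "emailAddress"; idp_user carries the
    attributes released by the IDP, used to provision a missing user."""
    for u in sp_users:
        if name_id_attr == "screenName" and u.screen_name == name_id_value:
            return u
        if name_id_attr == "emailAddress" and u.email == name_id_value:
            return u
    # No NameID match: fall back to just-in-time provisioning. Email addresses
    # are unique per company, which is where the step 6 error originates.
    if any(u.email == idp_user.email for u in sp_users):
        raise DuplicateUserError(
            f"A user with company {COMPANY_ID} and email address "
            f"{idp_user.email} is already in use")
    new_user = User(idp_user.screen_name, idp_user.email)
    sp_users.append(new_user)
    return new_user

# Constructed sample data mirroring steps 2 and 3 of the article.
SP_USERS = [User("user2", "user1@liferay.com")]
IDP_USER = User("user1", "user1@liferay.com")

def login(name_id_attr):
    """Simulate one sign-in; returns ("ok", screen_name) or ("error", msg)."""
    name_id = IDP_USER.screen_name if name_id_attr == "screenName" else IDP_USER.email
    try:
        user = resolve_saml_user(list(SP_USERS), name_id_attr, name_id, IDP_USER)
        return ("ok", user.screen_name)
    except DuplicateUserError as err:
        return ("error", str(err))

if __name__ == "__main__":
    print(login("screenName"))    # step 6: ("error", "... already in use")
    print(login("emailAddress"))  # step 8: ("ok", "user2")
```

With screenName as the NameID the lookup misses (the SP user is user2), so provisioning collides on the shared email; with emailAddress as the NameID the existing SP user is matched directly.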