(SOLVED) SAML (ADFS) Issue: An account with that username already exists

We are running a trial version of Mattermost Enterprise to vet it for possible production use. We are encountering an issue with users who have previously signed up with email/password. New users can use SSO just fine as long as their account did not already exist.

Summary

Existing users cannot use SAML SSO. They receive the error: “An account with that username already exists. Please contact your Administrator”

Steps to reproduce

Version: 3.5.1

  1. Follow step-by-step these instructions: https://docs.mattermost.com/deployment/sso-saml-adfs.html
  2. Have existing user switch to SSO sign-in under Account Settings.
  3. User clicks on SSO button and receives error.

Expected behavior

Based on following the step-by-step guide, existing users who have a matching email and username to the correct LDAP attributes should be able to automatically login.

Observed behavior

Existing users who click on the SSO button receive the error: “An account with that username already exists. Please contact your Administrator”. This is after confirming the username and email match, and switching from email sign-in to SSO.


Logs:

[EROR] Couldn't save the user err=SqlUserStore.Save: store.sql_user.save.username_exists.app_error, user_id=xxxxxxxxxxxxxxxxxxxxxx, Error 1062: Duplicate entry 'xxxxxxx' for key 'Username'

[EROR] /login/sso/saml:SamlInterfaceImpl.DoLogin code=302 rid=xxxxxxxxxxxxxxxxxxxx uid= ip=xx.xx.xx.xxx An account with that username already exists. Please contact your Administrator. [details: SqlUserStore.Save: store.sql_user.save.username_exists.app_error, user_id=xxxxxxxxxxxxxxxxxx, Error 1062: Duplicate entry 'xxxxxx' for key 'Username']

Troubleshooting steps indicate:

  1. Received error message: An account with that username already exists. Please contact your Administrator.

This usually means an existing account has another authentication method enabled. If so, the user should sign in using that method (such as email and password), then change their sign-in method to SAML via Account Settings > Security > Sign-in method.

This error message can also be received if the Username Attribute of their SAML credentials doesn’t match the username of their Mattermost account. If so, the user can update the attribute at their identity provider (for instance, back to the old value if it had been previously updated).

We confirmed the user has a matching username to the LDAP Username attribute and previously had the user switch their sign-in method to SSO.
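The two log lines quoted in the report show the same failed user save twice: once from the store layer and once from the SAML login handler. The following is an added example (not part of the original post or of Mattermost) that parses log lines in that 3.5.1-era text format and counts SAML logins rejected by the Username unique index, so an administrator can spot collisions before users report them. The regex, the constructed sample lines (placeholder ids, an extra email_exists line) and the field names are assumptions based only on the two quoted lines.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the redacted ones quoted in the report.
# User ids, request ids, usernames and addresses are placeholders.
SAMPLE_LOGS = [
    "[EROR] Couldn't save the user err=SqlUserStore.Save: store.sql_user.save."
    "username_exists.app_error, user_id=aaaaaaaaaaaaaaaaaaaaaaaaaa, "
    "Error 1062: Duplicate entry 'jdoe' for key 'Username'",
    "[EROR] /login/sso/saml:SamlInterfaceImpl.DoLogin code=302 rid=bbbbbbbbbbbbbbbbbbbbbbbbbb "
    "uid= ip=10.0.0.5 An account with that username already exists. Please contact your "
    "Administrator. [details: SqlUserStore.Save: store.sql_user.save.username_exists.app_error, "
    "user_id=aaaaaaaaaaaaaaaaaaaaaaaaaa, Error 1062: Duplicate entry 'jdoe' for key 'Username']",
    "[INFO] /login/sso/saml:SamlInterfaceImpl.DoLogin code=302 rid=cccccccccccccccccccccccccc "
    "uid=dddddddddddddddddddddddddd ip=10.0.0.6 ok",
    # Constructed variant: a collision on the Email index rather than Username.
    "[EROR] Couldn't save the user err=SqlUserStore.Save: store.sql_user.save."
    "email_exists.app_error, user_id=eeeeeeeeeeeeeeeeeeeeeeeeee, "
    "Error 1062: Duplicate entry 'asmith@example.com' for key 'Email'",
]

# Assumed format: "[LEVEL] ... store.sql_user.save.<reason>.app_error ... Error <n>: Duplicate entry '<v>' for key '<k>'"
DUP_RE = re.compile(
    r"\[(?P<level>[A-Z]{4})\] .*?"
    r"store\.sql_user\.save\.(?P<reason>\w+)\.app_error.*?"
    r"Error (?P<mysql_code>\d+): Duplicate entry '(?P<value>[^']*)' for key '(?P<key>[^']+)'"
)


def parse_duplicate_errors(lines):
    """Return one dict per log line that reports a user-save uniqueness collision."""
    hits = []
    for line in lines:
        m = DUP_RE.search(line)
        if not m:
            continue
        hits.append({
            "reason": m["reason"],          # e.g. username_exists, email_exists
            "key": m["key"],                # unique index that rejected the insert
            "value": m["value"],            # the colliding username or email
            "sso": "/login/sso/" in line,   # logged by the SSO login handler itself
        })
    return hits


def sso_username_collisions(lines):
    """Count, per username, SAML logins rejected because that username already exists.
    Only handler-level lines are counted, since the store logs the same failure again."""
    counts = Counter()
    for hit in parse_duplicate_errors(lines):
        if hit["sso"] and hit["reason"] == "username_exists" and hit["key"] == "Username":
            counts[hit["value"]] += 1
    return dict(counts)
```

Run against a real log, a username appearing here is the one to check under System Console > Teams > Users for its current Sign-in Method, as described in the troubleshooting steps above.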

Thanks @Schuby for the report,

  1. When the existing user switched to the SSO sign-in under Account Settings:
    a) were they redirected to the sign-in page (sounds like they were)
    b) did they receive an email titled “You updated your sign-in method on [server name]”

  2. Can you go to System Console > Teams and

  • click on the “+” icon next to “TEAMS” on left-hand sidebar
  • in the “Select Team” modal, choose the team users who are having login issues belong to
  • go to the “Users” section of the team you just chose on the left-hand sidebar
  • search for the user(s) and check what their “Sign-in Method” is on the page

  1) and 2) are to confirm their sign-in method was changed successfully.

Hopefully we can get this resolved for you quickly.

We had since deleted the affected user (they didn’t have any data anyway) and had them sign-up using SAML.

I went ahead and had another user try the switch and it worked just fine for them. This sounds like a one-off scenario at this point, so I will mark this as solved. I appreciate your reply!

One thing I do wish was possible though is to convert a user back to e-mail authentication if they are locked out. I saw the Platform CLI commands, but it seems to_auth does not support e-mail. Just something I wanted to note.

Thanks!

Hey @Schuby, thanks and glad to hear it’s resolved.

The migrate_auth CLI command is actually intended to migrate all users to a given authentication service, so it wouldn’t be applicable to convert one specific user back to e-mail authentication.

However, you can actually do this from the System Console. If you ever need to in the future, here’s how:

  1. Go to System Console > Teams, then click the “+” button next to “TEAMS”
  2. Choose a team the user belongs to, then on the left-hand sidebar choose “Users”
  3. Search for the user on the list, then choose “Switch to Email/Password” from the drop-down list

Thanks Jason, much appreciated.