We are running a trial version of MatterMost enterprise to vet it for possible production use. We are encountering an issue with users who have previously signed up with email/password. New users can use SSO just fine as long as their account did not already exist.
Summary
Existing users cannot use SAML SSO. Receive error: "An account with that username already exists. Please contact your Administrator"
Steps to reproduce
Version: 3.5.1
- Follow step-by-step these instructions: https://docs.mattermost.com/deployment/sso-saml-adfs.html
- Have existing user switch to SSO sign-in under Account Settings.
- User clicks on SSO button and receives error.
Expected behavior
Based on following the step-by-step guide, existing users who have a matching email and username to the correct LDAP attributes should be able to automatically log in.
Observed behavior
Existing users who click on the SSO button receive the error: "An account with that username already exists. Please contact your Administrator". This is after confirming the username and email match, and switching from email sign-in to SSO.
Logs:
[EROR] Couldn't save the user err=SqlUserStore.Save: store.sql_user.save.username_exists.app_error, user_id=xxxxxxxxxxxxxxxxxxxxxx, Error 1062: Duplicate entry 'xxxxxxx' for key 'Username'
[EROR] /login/sso/saml:SamlInterfaceImpl.DoLogin code=302 rid=xxxxxxxxxxxxxxxxxxxx uid= ip=xx.xx.xx.xxx An account with that username already exists. Please contact your Administrator. [details: SqlUserStore.Save: store.sql_user.save.username_exists.app_error, user_id=xxxxxxxxxxxxxxxxxx, Error 1062: Duplicate entry 'xxxxxx' for key 'Username']
Troubleshooting steps indicate:
- Received error message: An account with that username already exists. Please contact your Administrator.
This usually means an existing account has another authentication method enabled. If so, the user should sign in using that method (such as email and password), then change their sign-in method to SAML via Account Settings > Security > Sign-in method.
This error message can also be received if the Username Attribute of their SAML credentials doesn’t match the username of their Mattermost account. If so, the user can update the attribute at their identity provider (for instance, back to the old value if it had been previously updated).
We confirmed the user has a matching username to the LDAP Username attribute and previously had the user switch their sign-in method to SSO.