Closed epbensimpson closed 8 months ago
This is working as designed. The unique IdP user Id is indeed case sensitive. This value is essentially a foreign key to the user in a 3rd party IdP. For this reason, it is not normalized as FusionAuth would not know how to normalize a 3rd party unique identifier. This value could be a string, an integer, etc. To FusionAuth this is an opaque Id.
Because you are using an email address as this unique Id - user@example.org
is not the same as User@example.org
. Unless you know the email address to be immutable in a 3rd party system, it would not be ideal to use an otherwise mutable value as the unique user Id for an identity provider as it can change over time.
To get into this state, you may have pre-created this link using a normalized version of the Id (in this case a lowercase version of the email address known to the 3rd party IdP), or the IdP has changed how it is returning the email address in the NameID format field when selecting the Email address as the NameID format.
This should have never worked based upon these circumstances, but it may have worked due to an assumption that was made that a 3rd party IdP would always consider email as unique.
This assumption was fixed in version 1.48.0 which protects FusionAuth from account takeover when an IdP allows for non-unique email addresses.
If at all possible you should be asking the IdP to return a unique Id for the user. This can be returned in the NameID format attribute by selecting a persistent name Id (although the IdP can choose to ignore this request, so you will need to verify what the IdP is returning). Alternatively, if you already know the attribute that contains the unique Id of the user and it is not in the NameID format field, you can select this as the unique Id claim in the SAML configuration. This way FusionAuth will consume this unique Id and use it to correlate the user in the 3rd party IdP to the FusionAuth user.
In a general sense - an email address should never be considered static or adequate to be used as a unique identifier over time - unless you do want FusionAuth to consider an email change as a new user in FusionAuth. In some older systems based upon LDAP such as Lotus Notes, a user's CN (common name, non internet email address) was sometimes considered immutable, but this is rarely the case any longer.
If you have additional questions or concerns, please contact support.
Related to:
Closing this issue as it seems to be intended, we will try and mitigate this on our end.
IdP Link validation is case sensitive
Description
Since upgrading to
1.48.2
some of our SAML2 IdP users have been unable to log in and are presented with theExistingUserAlreadyLinked
error. Upon investigation, we have determined that these users have existing IdP Links where the IdP User Id value in the link differs from the unique identifier in the SAML response only by case.As far as I'm aware this was working fine (i.e. case did not matter) up to at least
1.46.0
Affects versions
1.48.2
Steps to reproduce
Steps to reproduce the behavior:
LinkByEmailForExistingUser
and withemailAddress
as the nameid formatuser@example.org
User@example.org
Expected behavior
I would expect this check to be case-insensitive (or at least for this to be configurable) given it's a breaking change otherwise
Event Logs
Case differs:
Case matches:
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
Additional context
Add any other context about the problem here.