There's a check in the UserAction class of umapi-client that tries to infer the user type:
```python
if username:
    if email and username.lower() == email.lower():
        # ignore the username if it's the same as the email (policy default)
        username = None
    elif id_type is not IdentityTypes.federatedID:
        raise ValueError("Username must match email except for Federated ID")
    else:
        self._validate(username=username)
        if domain:
            self._validate(domain=domain)
            self.domain = domain
```
Basically, if username is set and is different from the email of a user's record, then it assumes the federated auth type is username-based and validates the username accordingly.
A problem arises with certain Okta records that have username and email set to two different email addresses. Because they differ, this check attempts to validate the username field, but that validation fails because username should not be a full email address.
Why are we getting two email addresses from Okta for certain users? Which email address do we use for email ID? We need to use the correct email ID address and make sure the username field is set to None.
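
An added triage sketch for the case described above (not part of the original report or of umapi-client): it mirrors the branches of the quoted check and flags directory records whose username and email are two different email addresses, so they can be reviewed before sync. The record keys, the string `id_type` values and the simple email pattern are assumptions.

```python
import re
from enum import Enum

# Assumption: a deliberately simple "looks like an email" test for triage,
# not the validation pattern umapi-client uses internally.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class Outcome(Enum):
    NO_USERNAME = "no username supplied"
    USERNAME_DROPPED = "username equals email, so it is ignored"
    REJECTED_NOT_FEDERATED = "username differs from email on a non-federated identity"
    AMBIGUOUS_TWO_EMAILS = "username and email are two different email addresses"
    USERNAME_BASED = "username differs and is not an email address"


def classify(record):
    """Predict which branch of the quoted check a directory record would take."""
    username = record.get("username") or ""
    email = record.get("email") or ""
    if not username:
        return Outcome.NO_USERNAME
    if email and username.lower() == email.lower():
        return Outcome.USERNAME_DROPPED
    if record.get("id_type") != "federatedID":
        return Outcome.REJECTED_NOT_FEDERATED
    if EMAIL_RE.match(username):
        # The case from the report: username validation would fail here.
        return Outcome.AMBIGUOUS_TWO_EMAILS
    return Outcome.USERNAME_BASED


def triage(records):
    """Return the records that need a decision on which address is the email ID."""
    return [r for r in records if classify(r) is Outcome.AMBIGUOUS_TWO_EMAILS]


# Constructed sample records (hypothetical field names, not real Okta data).
SAMPLE = [
    {"id_type": "federatedID", "username": "Ann@Example.com", "email": "ann@example.com"},
    {"id_type": "federatedID", "username": "bsmith", "email": "bob@example.com"},
    {"id_type": "federatedID", "username": "carol@corp.example", "email": "carol@example.com"},
    {"id_type": "enterpriseID", "username": "dave", "email": "dave@example.com"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["email"], "->", classify(rec).name)
```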