adorton-adobe / user-sync.py

Application for synchronizing Adobe customer directories via the User Management API
MIT License
3 stars 0 forks

Users with different email/username getting misidentified by umapi-client #32

Closed adorton-adobe closed 7 years ago

adorton-adobe commented 7 years ago

There's a check in the UserAction class of umapi-client that tries to infer the user type:

```python
# Excerpt from UserAction in umapi-client as quoted in the issue; the
# surrounding constructor, self._validate and IdentityTypes live in the library.
if username:
    if email and username.lower() == email.lower():
        # ignore the username if it's the same as the email (policy default)
        username = None
    elif id_type is not IdentityTypes.federatedID:
        raise ValueError("Username must match email except for Federated ID")
    else:
        self._validate(username=username)
        if domain:
            self._validate(domain=domain)
            self.domain = domain
```

Basically, if username is set and is different from the email of a user's record, then it assumes the federated auth type is username-based and validates the username accordingly.

A problem arises with certain Okta records that have username and email set to two different email addresses. Because they differ, this check attempts to validate the username field, but that validation fails because username should not be a full email address.

Why are we getting two email addresses from Okta for certain users? Which email address do we use for email ID? We need to use the correct email ID address and make sure the username field is set to None.

adorton-adobe commented 7 years ago

Alternatively, the email field and username field should both be set to the email ID that sync will use to create/update the user record.

adorton-adobe commented 7 years ago

Resolved by leaving username field blank.
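The following is an added example, not code from the issue, from umapi-client or from user-sync.py. It models the inference shown in the quoted snippet so the Okta failure mode can be reproduced offline, and then applies the fix the thread settles on (leave the username blank and pass only the address sync treats as the email ID). Every name in it (`IdentityType`, `InferredUser`, `infer_user`, `infer_error`, `prepare_okta_record`, the two regexes and the sample record) is an assumption made for illustration; the real library's validation rules and class layout are not reproduced here.

```python
import enum
import re
from dataclasses import dataclass
from typing import Optional


class IdentityType(enum.Enum):
    # Assumed stand-in for umapi-client's IdentityTypes.
    adobeID = "adobeID"
    enterpriseID = "enterpriseID"
    federatedID = "federatedID"


# Assumed rules for this example only: an email is local@domain.tld, and a
# username-based Federated ID is a bare username that is never a full email
# address (the property the quoted check relies on when it validates username).
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_USERNAME_RE = re.compile(r"^[^@\s]+$")


@dataclass
class InferredUser:
    email: str
    username: Optional[str]
    id_type: IdentityType


def infer_user(email: str, username: Optional[str], id_type: IdentityType) -> InferredUser:
    """Model of the username/email inference quoted in the issue.

    A username equal to the email (case-insensitively) is dropped, the policy
    default.  Any other username is only legal for a Federated ID and must then
    validate as a bare username, which is exactly where an Okta record carrying
    a second email address in the username field fails.
    """
    if not _EMAIL_RE.match(email):
        raise ValueError("invalid email: %r" % email)
    if username:
        if username.lower() == email.lower():
            username = None
        elif id_type is not IdentityType.federatedID:
            raise ValueError("Username must match email except for Federated ID")
        elif not _USERNAME_RE.match(username):
            raise ValueError("Username must not be an email address: %r" % username)
    return InferredUser(email=email, username=username, id_type=id_type)


def infer_error(email: str, username: Optional[str], id_type: IdentityType) -> Optional[str]:
    """Return the ValueError message the inference would raise, or None if it passes."""
    try:
        infer_user(email, username, id_type)
    except ValueError as exc:
        return str(exc)
    return None


def prepare_okta_record(record: dict, email_attr: str = "email") -> InferredUser:
    """The fix from the thread: use the attribute sync treats as the email ID
    and leave username blank, so the client never tries to validate the other
    address as a username-based Federated ID.  `email_attr` is a hypothetical
    knob for choosing which Okta attribute is the email ID.
    """
    return infer_user(email=record[email_attr], username=None, id_type=IdentityType.federatedID)


# Constructed sample Okta profile (not real data): username and email are two
# different addresses, the case the issue describes.
OKTA_RECORD = {
    "username": "jane.doe@corp.example.com",
    "email": "jdoe@example.com",
}


if __name__ == "__main__":
    print("before fix:", infer_error(OKTA_RECORD["email"], OKTA_RECORD["username"],
                                     IdentityType.federatedID))
    print("after fix: ", prepare_okta_record(OKTA_RECORD))
```

Running the block prints the validation error for the raw record and the cleaned result afterwards. The point worth keeping in mind is that the inference treats any username that differs from the email as a signal of a username-based Federated ID, so a directory that exposes two distinct addresses for one person must be normalised before it reaches the client, not after.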