department-of-veterans-affairs / va.gov-cms

Editor-centered management for Veteran-centered content.
https://prod.cms.va.gov
GNU General Public License v2.0

User Blocked From PIV Login by Duplicate "simpleSAML" Account Creation #12528

Open stefaniefgray opened 1 year ago

stefaniefgray commented 1 year ago

SimpleSAML Login Trouble

Background information:

Very rarely (every 8 months or so), there will be a user who is completely blocked from logging into https://prod.cms.va.gov/ using their PIV card — and the issue isn’t their PIV card.

As shown in the below screenshot, a search on the "People" page for the email address of a user encountering this error pulled two accounts: their actual account, and a duplicate “simpleSAML” account also listed under their email address.

At this time, our team does not know what causes this bug, or why this occasionally happens to a particular user out of the blue.

If an administrator deletes the simplesamlphp_auth_709454 account and the user attempts to log in once more, a new account is created with the exact same simplesamlphp_auth_709454 username.

As of 2/8/2023, the current protocol is to delete the duplicate simpleSAML account, and then write to the user asking them to use the "Developer log in" button with a temporary password.

To reproduce:

  1. User attempts to log into https://prod.cms.va.gov/ using PIV card
  2. User is blocked from logging in and encounters the following error message (see screenshot below): Error synchronizing username: an account with this username already exists.
  3. Drupal admin looks up user's email address on the CMS "People" page and sees a duplicate simplesamlphp_auth_123456 account listed alongside the user's actual account.

AC / Expected behavior

Any users who have experienced this bug will be able to log back into their existing VA.gov user account without further trouble.

Screenshots

From the "People" page: [screenshot]

Submitted by the user: [screenshot]

Additional context

Relevant Slack thread: https://dsva.slack.com/archives/CT4GZBM8F/p1674765872347519

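As an added example (not part of this issue or of the va.gov-cms code base), a small script that applies the check from step 3 above across a whole user export rather than one email at a time: it flags every email address that carries both a normal account and an auto-created simplesamlphp_auth_<id> account, so affected users can be found before they report being blocked. The CSV layout and the sample rows are assumptions constructed for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample resembling a "People" page export; not real VA data.
SAMPLE_EXPORT = """name,mail,status
jane.doe,jane.doe@example.com,1
simplesamlphp_auth_709454,jane.doe@example.com,1
john.roe,john.roe@example.com,1
simplesamlphp_auth_123456,orphan@example.com,1
"""

# Username shape of the duplicate accounts described in the issue.
DUPLICATE_PATTERN = re.compile(r"^simplesamlphp_auth_\d+$")


def find_blocked_users(export_text):
    """Return {email: (real_usernames, duplicate_usernames)} for every email
    that has both a normal account and at least one simplesamlphp_auth_<id>
    account. Only these users hit the "an account with this username already
    exists" error; a lone simplesamlphp_auth_<id> account is not reported."""
    by_mail = defaultdict(lambda: ([], []))
    for row in csv.DictReader(io.StringIO(export_text)):
        mail = row["mail"].strip().lower()
        name = row["name"].strip()
        real, dup = by_mail[mail]
        (dup if DUPLICATE_PATTERN.match(name) else real).append(name)
    return {
        mail: (real, dup)
        for mail, (real, dup) in by_mail.items()
        if real and dup
    }


if __name__ == "__main__":
    for mail, (real, dup) in find_blocked_users(SAMPLE_EXPORT).items():
        print(f"{mail}: real={real} duplicate={dup}")
```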

EWashb commented 1 year ago

This may be connected to #8774

stefaniefgray commented 1 year ago

See original ticket: https://va-gov.atlassian.net/browse/VAHELP-5184

User has still not confirmed whether or not she could log in; last login was when I had tested logging in as the user using Developer Login.

Otherwise unsure what to do with the ticket in the meantime.

EWashb commented 1 year ago

Could this possibly be solved with #14595?

ndouglas commented 1 year ago

I can take a look at our custom code and the simplesaml code to see if something jumps out at me, but this is almost impossible to test in our current system and until that changes, it's impossible to verify a solution 🤷🏻‍♂️

stefaniefgray commented 1 year ago

Happening again in https://va-gov.atlassian.net/browse/VAHELP-6320

stefaniefgray commented 11 months ago

This is still happening in https://va-gov.atlassian.net/browse/VAHELP-6468

Any thoughts @ndouglas or @edmund-dunn ?

ndouglas commented 11 months ago

Nope, no thoughts. This is going to require a significant amount of time to debug IMHO. I know it's terrible and I'd love to fix it. I don't have any idea what's causing it and, unfortunately, I don't know how to even experiment in this environment.