SSO Troubleshooting: A different user with the email <> already exists
Learn what to do if you receive this error
Error
When a user tries to log in via SSO and receives an error saying their email address already exists, it usually means Foundry is trying to update or create a user profile using an email address that’s already assigned to another user. In this scenario, the organization has Just-in-time user provisioning enabled.
Explanation & Resolution
This can happen in two main scenarios:
Case 1: Matching NameID, but Duplicate Email Address
- The user logs in with a NameID that matches an existing Foundry user’s SSO ID.
- Foundry is configured to map the email address from the SAML response.
- The SAML response includes an email address that’s different from the one currently saved in the matched Foundry user’s profile.
- Foundry tries to update the user’s email to match the SAML response.
- But another user in Foundry already has that email address—possibly due to a duplicate account or recycled email.
- Because email addresses must be unique, Foundry blocks the update and rolls back the login attempt.
To fix this:
- Find the duplicate user who already has the email address.
- Change that user’s email to a placeholder (e.g., a fake email address).
- Decide which user should be the “real” user going forward.
- Make sure the real user has the correct SSO ID and email address.
- If both users have training history, you may need to merge or archive one of the accounts.
Example
SAML Response:
- NameID: jdoe
- Email Attribute: jdoe@company.com
Foundry Users:
| Property | User A | User B |
|---|---|---|
| SSO ID | jdoe | (none) |
| Email | janedoe91@gmail.com | jdoe@company.com |
Foundry matches User A by SSO ID and tries to update their email to jdoe@company.com, but User B already has that email. The update fails, and the login is blocked.
Case 2: No Matching NameID, Attempt to Create New User
- The NameID in the SAML response doesn’t match any existing Foundry user.
- Foundry is set to allow automatic user creation during SSO.
- Foundry tries to create a new user using the email address from the SAML response.
- But that email address is already assigned to another user.
- The creation fails due to the duplicate email.
To fix this:
- Find the existing user with the email address.
- If that user has an SSO ID, make sure the incoming NameID matches it exactly.
- Check for case sensitivity—NameID and SSO ID must match exactly, including capitalization.
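The following is an added example, not Foundry's own code: a small diagnostic that classifies a failing login as Case 1 or Case 2 from the SAML values and an exported user list, and flags a NameID that differs from a stored SSO ID only by capitalization. The `User` fields, the `diagnose` function, and the outcome labels are hypothetical, and case-insensitive email comparison is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str                # label used in the report only
    sso_id: Optional[str]    # None when the user has no SSO ID
    email: str


def diagnose(name_id: str, saml_email: str, users: list[User]) -> dict:
    """Classify a JIT-provisioned SSO login against a user export."""
    # SSO ID matching is exact, including capitalization (per the article).
    matched = next((u for u in users if u.sso_id == name_id), None)
    # Assumption: email uniqueness is compared case-insensitively.
    holder = next((u for u in users
                   if u.email.lower() == saml_email.lower() and u is not matched),
                  None)
    # SSO IDs that differ from the NameID only by case never match.
    near = [u.name for u in users
            if u.sso_id and u.sso_id != name_id
            and u.sso_id.lower() == name_id.lower()]

    if matched and holder:
        outcome = "case1_email_update_blocked"   # another user owns the email
    elif matched:
        outcome = "login_ok"
    elif holder:
        outcome = "case2_create_blocked"         # new user would duplicate email
    else:
        outcome = "new_user_created"             # JIT provisioning is enabled
    return {"outcome": outcome,
            "matched": matched.name if matched else None,
            "email_holder": holder.name if holder else None,
            "case_mismatch": near}


# Constructed sample data mirroring the article's example table.
USERS = [User("User A", "jdoe", "janedoe91@gmail.com"),
         User("User B", None, "jdoe@company.com")]

if __name__ == "__main__":
    print(diagnose("jdoe", "jdoe@company.com", USERS))   # Case 1
    print(diagnose("JDoe", "jdoe@company.com", USERS))   # Case 2, case mismatch
```

The `email_holder` value is the user whose email needs a placeholder or whose SSO ID needs correcting; a non-empty `case_mismatch` points at a capitalization difference between the NameID and a stored SSO ID.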