Overview
When integrating SAML authentication (e.g., via Keycloak) with an existing LDAP user synchronization setup, you may encounter the following error when attempting to log in via SAML:
An account with that email already exists.
This typically occurs for users who were previously authenticated using LDAP and are now trying to log in using SAML.
Why This Happens
Mattermost assigns each user account to a single authentication method (e.g., LDAP, SAML, Email). If a user account is first created through LDAP authentication, any subsequent login via SAML—even if the email and username match—will be rejected due to a method conflict.
This is by design and prevents multiple identities being unintentionally linked based on matching attributes alone.
Solution
To resolve the issue, the existing user must have their authentication method migrated from LDAP to SAML using the mmctl command-line tool.
Steps to Migrate a User to SAML
1. Ensure Attribute Consistency
Before migrating:
- Confirm that the user's
emailandIDattributes match exactly between your LDAP and SAML configurations.
2. Run the Migration Command
Use the following command to change the user's authentication method:
mmctl user change-auth [username] saml
Example:
mmctl user change-auth johndoe saml
Once executed:
- The user will authenticate using SAML going forward.
- LDAP login for that user will be disabled unless reverted.
Summary
If a user receives the "email already exists" error when logging in via SAML, and they previously used LDAP, use mmctl to migrate their authentication method to SAML. This allows seamless SSO login moving forward.
Comments
Article is closed for comments.