Resolving “An account with that email already exists” During SAML Login in LDAP-Integrated Deployments

Overview

When integrating SAML authentication (e.g., via Keycloak) with an existing LDAP user synchronization setup, you may encounter the following error when attempting to log in via SAML:

An account with that email already exists.

This typically occurs for users who were previously authenticated using LDAP and are now trying to log in using SAML.


Why This Happens

Mattermost assigns each user account to a single authentication method (e.g., LDAP, SAML, Email). If a user account is first created through LDAP authentication, any subsequent login via SAML—even if the email and username match—will be rejected due to a method conflict.

This is by design and prevents multiple identities being unintentionally linked based on matching attributes alone.


Solution

To resolve the issue, the existing user must have their authentication method migrated from LDAP to SAML using the mmctl command-line tool.


Steps to Migrate a User to SAML

1. Ensure Attribute Consistency

Before migrating:

  • Confirm that the user's email and ID attributes match exactly between your LDAP and SAML configurations.

2. Run the Migration Command

Use the following command to change the user's authentication method:

mmctl user change-auth [username] saml

Example:

mmctl user change-auth johndoe saml

Once executed:

  • The user will authenticate using SAML going forward.
  • LDAP login for that user will be disabled unless reverted.

Summary

If a user receives the "email already exists" error when logging in via SAML, and they previously used LDAP, use mmctl to migrate their authentication method to SAML. This allows seamless SSO login moving forward.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.