Troubleshooting duplicate accounts created via SSO
Who is this article for?
Administrators responsible for configuring SSO and managing user access.
Administration module access is required.
When single sign-on (SSO) is configured, users may report that the system automatically creates a new, blank account for them instead of logging them into their existing profile. Alternatively, users attempting to access a specific account (such as a generic departmental login) may be forced into their personal named account.
This article explains how to prevent the automatic generation of new accounts by managing Just-In-Time (JIT) provisioning and ensuring User Principal Names (UPN) are correctly aligned.
1. Issue
Users attempting to log in via SSO experience one of the following issues:
- A duplicate user account is created in the system with no historical data or permissions.
- The user is logged into a personal account when attempting to use a generic account (e.g., quality@domain.com).
This occurs because the Identity Provider (IdP) is passing a UPN or email address that does not exactly match the intended user record in the application. If Just-In-Time (JIT) provisioning is enabled, the application treats this unmatched identifier as a new user and creates a fresh, empty account.
2. Solution
To resolve this, you must disable JIT provisioning to stop unwanted account creation and ensure the IdP data matches the internal user record.
2.1. Disabling just-in-time (JIT) provisioning
JIT provisioning allows the system to create a new user profile on the fly if the credentials provided by the SSO IdP do not match an existing user. Disabling this forces the system to reject the login rather than creating a duplicate, allowing you to identify the mismatch.
To disable JIT:
- Open the Administration module.
- Navigate to the SSO/IdP Configuration settings.
- Locate the setting for Just-In-Time Provisioning (or Auto-create users).
- Uncheck the box to disable the feature.
- Click Save.
2.2. Verifying user principal name (UPN) alignment
For SSO to log a user into the correct existing account, the unique identifier sent by the IdP must match the record in the application exactly.
The system typically uses the User Principal Name (UPN) or the primary email address as the matching criterion.
Important: The information in the SSO IdP and the application's User record must be identical.
If a user has a different UPN in Azure/IdP than the email address listed in their application profile, the authentication will fail (or create a new user if JIT is left on).
To verify the alignment:
- Check the User Principal Name or Email Address sent by your IdP (e.g., Azure AD).
- Open the People or Users module in the application.
- Open the specific user record.
- Ensure the Email or Username field matches the IdP value exactly.
- If the user requires access to a generic account (e.g., Quality Team), ensure the IdP is sending the UPN for that generic account, not the user's personal UPN.
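The matching behaviour described in sections 2.1 and 2.2 can be reproduced with a small simulation. The following is an added example, not the application's or the IdP's own code; the user records, UPNs and the `sso_login`, `diagnose` and `find_mismatches` functions are constructed for illustration. It shows a blank duplicate being created when JIT is on, the same login being rejected with a reason when JIT is off, the "forced into the personal account" symptom when the IdP sends the personal UPN instead of the generic one, and a pre-flight check that lists every IdP identifier with no exact application match.

```python
"""Simulation of SSO account matching with and without JIT provisioning.

Added example (not the application's own code): a small model of how an SSO
login is resolved against the application's user records, so the two symptoms
in this article can be reproduced and the mismatch diagnosed before re-enabling
anything. All identifiers and records below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class LoginResult:
    outcome: str      # "matched", "created" or "rejected"
    account: str      # the account the user landed in (or tried to reach)
    reason: str = ""  # diagnostic hint when no exact match was found


# Constructed sample of the application's user records, keyed by the
# email/UPN the application matches on (hypothetical values).
APP_USERS = {
    "jane.doe@example.com": {"name": "Jane Doe", "permissions": ["audits"]},
    "quality@example.com": {"name": "Quality Team", "permissions": ["quality"]},
}


def diagnose(idp_identifier, users):
    """Explain why an IdP identifier found no exact match (admin diagnostic)."""
    for key in users:
        if key.casefold() == idp_identifier.casefold():
            return f"differs only in letter case from app record {key!r}"
    local_part = idp_identifier.partition("@")[0]
    for key in users:
        if key.partition("@")[0] == local_part:
            return f"domain differs from app record {key!r}"
    return "no similar app record exists"


def sso_login(idp_identifier, users, jit_enabled):
    """Resolve an SSO assertion to an account the way the article describes:
    an exact match logs the user into that record; otherwise the JIT setting
    decides between creating a blank duplicate and rejecting the login."""
    if idp_identifier in users:
        return LoginResult("matched", idp_identifier)
    reason = diagnose(idp_identifier, users)
    if jit_enabled:
        # JIT on: the unknown identifier is treated as a new user and an
        # empty profile with no history or permissions is created.
        users[idp_identifier] = {"name": "", "permissions": []}
        return LoginResult("created", idp_identifier, reason)
    # JIT off: the login fails instead, surfacing the mismatch to the admin.
    return LoginResult("rejected", idp_identifier, reason)


def find_mismatches(idp_identifiers, users):
    """Pre-flight check for section 2.2: every identifier the IdP will send
    that matches no application record, with a hint about the likely cause."""
    return {i: diagnose(i, users) for i in idp_identifiers if i not in users}


if __name__ == "__main__":
    # Symptom 1: personal UPN differs from the profile email -> blank duplicate.
    users = {k: dict(v) for k, v in APP_USERS.items()}
    print(sso_login("jane.doe@corp.example.com", users, jit_enabled=True))
    # The same login with JIT disabled is rejected and the cause is visible.
    print(sso_login("jane.doe@corp.example.com", dict(APP_USERS), jit_enabled=False))
    # Symptom 2: user wants the generic account but the IdP sends the personal UPN.
    print(sso_login("jane.doe@example.com", dict(APP_USERS), jit_enabled=False))
    # Fix: the IdP sends the generic account's UPN instead.
    print(sso_login("quality@example.com", dict(APP_USERS), jit_enabled=False))
    # Bulk alignment check across the identifiers the IdP will send.
    print(find_mismatches(["Jane.Doe@example.com", "quality@example.com",
                           "bob@other.example"], APP_USERS))
```

Running `find_mismatches` over an export of the IdP's UPNs before JIT is switched back on (if it ever is) tells you which profiles still need their Email or Username field corrected, and the reason string separates simple case differences from domain mismatches.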