
External identity migration - How to prevent duplicate users from being created

Publication date: Apr 7, 2026
Task

GOAL

Review this document if:

  • SSO is creating duplicate user records for the same identity, with mismatched roles.
  • You are about to make changes to your SSO identity provider (IdP).

When you log in to Anypoint Platform with an external identity (SSO) for the first time, the platform creates a new internal user and maps your SSO user to it.
You are planning to move the platform to a new IdP and want to keep using the existing internal users instead of having new ones created.

Steps

Anypoint Platform identifies the IdP, and therefore the user, by the issuer, audience, username and providerID values configured for the external identity.

The new IdP must present exactly the same values as the previous one. If ANY of these four settings (issuer, audience, username, providerID) changes, new internal users are created at login instead of the existing ones being reused.

If the new IdP cannot match all four attributes above, use the custom attribute/claim below:
- Add a new attribute/claim named oldissuer on the new IdP side (this is done by the admin team of the new IdP, not on the Anypoint side).
- Make sure the oldissuer value exactly matches the old IdP's issuer value, with no missing characters at the end (such as a trailing /, if the old issuer had one). The comparison is case-sensitive.
- Ensure that the username (NameID) and audience attributes are the same as before. Otherwise a duplicate user is created even when oldissuer is set correctly on the new IdP.

To avoid user duplication during the identity migration, do not create a new identity provider configuration on the Anypoint Platform side; modify the existing one instead.
Disclaimer: You must have access to an Anypoint Admin user (one that does not depend on SSO) before changing an existing Identity Provider configuration. If the updated configuration is broken or does not work, all SSO users are locked out of the account and Anypoint Platform. This break-glass Anypoint Admin user lets you revert the change and keep using the old SSO configuration until the new one is fixed.
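The mismatches described above are easy to miss by eye (a trailing slash, a capital letter). The following is an added pre-migration check, not part of this article and not Anypoint Platform code: it takes a SAML assertion captured from the old IdP and one from the new IdP (both constructed samples here, with invented URLs and audience), extracts Issuer, Audience, NameID and the oldissuer attribute, and reports every value that would make Anypoint create a new user. providerID lives in the Anypoint-side configuration rather than in the assertion, so it is not checked here; keeping it unchanged is covered by modifying the existing configuration instead of creating a new one.

```python
"""Added pre-migration check for an Anypoint SAML IdP change (example code,
not part of the article or of Anypoint Platform).  Compares the identity
values in an assertion from the old IdP with one from the new IdP and
reports every difference that would make Anypoint create a new user."""
import xml.etree.ElementTree as ET  # real assertions: parse with defusedxml instead

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertions; IdP hostnames and audience are invented.
OLD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://old-idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>anypoint-prod</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

# New IdP, misconfigured: oldissuer lacks the trailing "/" of the old issuer
# and the NameID comes back in a different letter case.
NEW_ASSERTION_BAD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://new-idp.example.net/saml</saml:Issuer>
  <saml:Subject><saml:NameID>JDoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>anypoint-prod</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="oldissuer"><saml:AttributeValue>https://old-idp.example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# New IdP, configured as the article requires.
NEW_ASSERTION_GOOD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://new-idp.example.net/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>anypoint-prod</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="oldissuer"><saml:AttributeValue>https://old-idp.example.com/</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_identity(assertion_xml: str) -> dict:
    """Pull Issuer, Audience, NameID and the oldissuer attribute out of an assertion."""
    root = ET.fromstring(assertion_xml)

    def text_at(path: str):
        el = root.find(path, SAML_NS)
        return el.text if el is not None else None

    ident = {
        "issuer": text_at("saml:Issuer"),
        "audience": text_at("saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "nameid": text_at("saml:Subject/saml:NameID"),
        "oldissuer": None,
    }
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "oldissuer":
            value = attr.find("saml:AttributeValue", SAML_NS)
            ident["oldissuer"] = value.text if value is not None else None
    return ident


def explain_mismatch(expected, actual) -> str:
    """Name the usual silent culprits: a missing element, a trailing slash, letter case."""
    if actual is None:
        return "is missing"
    if expected.rstrip("/") == actual.rstrip("/"):
        return "differs only by a trailing '/'"
    if expected.lower() == actual.lower():
        return "differs only in letter case"
    return "has a different value"


def duplicate_user_risks(old_xml: str, new_xml: str) -> list:
    """Return one message per attribute that would make Anypoint create a new user.

    The issuer may change only if the new IdP sends an oldissuer claim that is
    byte-for-byte equal to the old issuer; audience and NameID must be unchanged.
    """
    old, new = extract_identity(old_xml), extract_identity(new_xml)
    problems = []
    if new["issuer"] != old["issuer"]:
        if new["oldissuer"] is None:
            problems.append("issuer changed and no oldissuer claim is sent")
        elif new["oldissuer"] != old["issuer"]:
            problems.append(
                f"oldissuer {explain_mismatch(old['issuer'], new['oldissuer'])} from the old issuer"
            )
    for field in ("audience", "nameid"):
        if new[field] != old[field]:
            problems.append(f"{field} {explain_mismatch(old[field], new[field])}")
    return problems


if __name__ == "__main__":
    for label, new_xml in (("misconfigured", NEW_ASSERTION_BAD), ("corrected", NEW_ASSERTION_GOOD)):
        risks = duplicate_user_risks(OLD_ASSERTION, new_xml)
        print(f"{label}: {'OK, same user' if not risks else '; '.join(risks)}")
```

Run it against assertions captured from a test login on each IdP (for example from the browser's SAML tracer) before switching the Anypoint configuration over; an empty result means the values Anypoint compares are unchanged. The check is deliberately exact rather than normalizing slashes or case, because that is how the platform compares them.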

Also review the documentation on linking your Anypoint Platform profiles. As of this writing, SAML IdPs are not yet supported for profile linking.


NOTES

Also bear in mind that logging in without an identity provider creates a different user as well. For example, disabling the existing external identity provider and then letting a user who exists on the old IdP log in to Anypoint Platform directly creates a new user.

Knowledge Article Number

001116895

Salesforce Help | Article