A user who logs in via SSO may find that when they access Disclose:

• They cannot see or add answer sets
• If they view their profile, it shows as Deleted, e.g.
  
   
• In the log, the following text appears:
  
  Failed to undelete & update SSO user user@domain.com, probably as a result of incorrect SyncID in user import:  Name user@domain.com is already taken 

This occurs where:

• Disclose is trying to reactivate a deleted user account
• A newer version of that user exists in the system
• Both user records contain the same username but different SyncID's

The mechanism for this is as follows:

• The user has been created in Disclose at some point previously
• That user account has been deleted
  • For SSO users, this causes the account to remain in place, but to be rendered inactive
• The user has been added to Disclose a second time
• This second occurrence has been added with a different SyncID 

Note that SyncID's are case sensitive.  As an example, Disclose sees these as two different users, due to the different cases used in SyncID:

SSO is implemented in Disclose such that if a user with a valid claim but who is currently inactive in the software makes an attempt to log in:

• Disclose allows them to log in
• It re-enables their user account

So, the problem outlined here occurs because:

• The inactive and active records both have the same username
• When the user logs in, they present the SyncID which matches the inactive user, which causes Disclose to try and re-activate that user
• As the username is not unique, the error appears

To fix:

• Delete the new user record
• Ask the user to try connecting again

This will cause Disclose to successfully re-enable their original user record.

Afterwards:

• Check that the user is assigned the correct roles and group membership
• If users are maintained via uploading a CSV file, ensure that their user:
  • Is not duplicated in the CSV file
  • The SyncID in the file has the correct case