sso-server

Duplicate users

Open • maksym-prikhodko opened this issue 6 years ago • 1 comment

The first user (ID 1) has been signed up via generic login. The second user (ID 6) has been signed up via Google Provider; it looks like duplicated users. Do you have any ideas, or maybe you know a way to find the solution?

maksym-prikhodko • Oct 24 '19 13:10

They are unique accounts from the perspective of the SSO server. Account ID is the only unique attribute you can ever truly rely upon and trust from a client application perspective. Per-provider, the account is unique. Email address is actually an unreliable mix-down metric. For example, Google doesn't always supply an email address for every user (e.g. very old, pre-GMail accounts), Generic Login can be set up as Username only, and ActiveDirectory could supply 150 email aliases for a user. The goal is generally to normalize all of that information as best as possible. However, it can result in confusing end-user experiences - especially for users with accounts on multiple providers - Which one did I sign in with again?

That said, I do have on my internal project list to add a new database field to provide a shared ID mapping option, which would allow selection of a shared ID field (e.g. email address). This comes with all kinds of caveats. For example, the Remote Login provider would have to be carefully excluded because that provider could be used to push anything into the system, allowing any authorized Remote Login system to sign in as any user in the SSO server. That would definitely not be good. However, as the SSO server is designed currently, what I described is impossible with Remote Login since each provider is isolated.

cubiclesoft • Oct 24 '19 14:10
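The per-provider isolation and the Remote Login caveat from the reply above, as an added sketch that is not part of the thread and not the SSO server's own code. `AccountStore`, `resolve`, and the provider names are hypothetical, and the sketch assumes that email addresses from the non-excluded providers are verified by those providers.

```python
from dataclasses import dataclass, field
from itertools import count

# Providers whose identity claims are arbitrary input pushed by an external
# system. Placeholder name for this sketch, not the SSO server's identifier.
EXCLUDED_FROM_SHARED_ID = {"remote_login"}

@dataclass
class AccountStore:
    """Hypothetical model: maps provider identities to account IDs."""
    share_on_email: bool = False                      # optional shared ID mapping
    by_identity: dict = field(default_factory=dict)   # (provider, subject) -> ID
    by_shared_id: dict = field(default_factory=dict)  # normalized email -> ID
    _ids: count = field(default_factory=lambda: count(1))

    def resolve(self, provider, subject, email=None):
        """Return the account ID for a sign-in, creating an account if needed."""
        key = (provider, subject)
        if key in self.by_identity:
            return self.by_identity[key]  # known identity: never re-mapped
        shared = email.strip().lower() if email else None
        # Share only when enabled, an email exists, and the provider is trusted.
        may_share = bool(self.share_on_email and shared
                         and provider not in EXCLUDED_FROM_SHARED_ID)
        if may_share and shared in self.by_shared_id:
            account_id = self.by_shared_id[shared]    # link to existing account
        else:
            account_id = next(self._ids)              # isolated account
            if may_share:
                self.by_shared_id[shared] = account_id
        self.by_identity[key] = account_id
        return account_id

def demo():
    """Constructed sign-ins: same email, different providers."""
    isolated = AccountStore()  # current design: every provider is isolated
    iso = [isolated.resolve("generic_login", "alice", "alice@example.com"),
           isolated.resolve("google", "g-1001", "alice@example.com")]
    shared = AccountStore(share_on_email=True)
    shr = [shared.resolve("generic_login", "alice", "alice@example.com"),
           shared.resolve("google", "g-1001", "Alice@Example.com"),
           shared.resolve("remote_login", "r-9", "alice@example.com"),
           shared.resolve("google", "g-2002", None)]  # no email supplied
    return iso, shr
```

With sharing off, the two sign-ins get separate account IDs, which is the situation reported in the issue. With sharing on, the Remote Login identity that asserts the same email still receives its own isolated account.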