Email as a correlation attribute


In our IDN environment there are two identity profiles one for admins which is flat file source and other identity profile is from the authoritative source.
As for identity profiles uid value is different it creates separate identities. There are some users which have identity from the both identity profiles and have same work email value.
For example - userA has identity from idn-admin profile as userA.admin. While from auth source IDP, user has identity userA.normalIdentity but both identity has same work email value.

There are other sources configured and which has a work email as the only correlation attribute available. So as given in above example, if userA has any account on such sources then it will not corelate because IDN finds 2 identities having same email value.

How such situation can be handled? I am thinking to add one more identity attribute in the auth IDP having same value as email and use that for the correlation. Any better way than this ?

Is there a reason you are maintaining 2 separate identities for User A?
Would you not want to correlate the account from IDP with the identity from Admins Profile?

Ideally, you should be correlating UserA as a single identity and the IDP with high priority can be on top. So the uid from that IDP will be used.

1 Like

Hi Nitesh, Auth source has pass through configuration in the Identity Profile while admin Identity Profile is flat file based and identity from admin profile has admin access, which can log in using identity password. Having only auth source identity profile will impact log in ability in case of emergency. That’s why maintaining separate identity Profile

Hi @sbhingare,

It would be ideal to set up a single Identity Profile with the required Pass through Authentication and correlation to other sources.

For emergencies, I would recommend setting a separate identity profile and delimited source for Breakglass Admins.

1 Like

Hello Sagar,

When we create a Office365 email account, it creates additional proxyaddresses which can be used for email communication. Ex: [email protected] and arjun.sengupta@onmicrosoft… . Try sending email to the other proxyaddress and see if it works.
You can use the other email (onmicrosoft…) configure email id for the admin profile.

Hope this helps


This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.