Hi Everyone, while testing the creation of a user profile in NERM via API, I noticed that the login attribute must be unique, whereas the name or email address can be the same across multiple user profiles.
My question is, when logging into NERM via SSO using either ISC or Entra, how do you configure the value to be passed for the login attribute? As far as I know, SSO configuration only allows mapping for attributes like name or email address, and there doesn’t seem to be an option to map the login attribute. Does anyone know how the login value is determined or mapped in this scenario?
@sunnyajmera This is an interesting find. It ideally shouldn’t be allowed to be duplicate. But if it is as @edmarks called out happening behind the scenes, then the documentation needs a revamp. I’d have expected even the email field to be unique so I’m curious as to why the design decision was to have it be non-unique.
Yes, this issue appears to be happening behind the scenes, but it’s causing problems. When users log in through Entra, the login value differs from when they access it via ISC using the app switcher. This discrepancy results in duplicate user profiles, leading to data inconsistencies.
The 2 accounts are EXPECTED behavior based on your description. This allows for local login (via ISC) when SSO needs to be bypassed for whatever reason.
I had a lengthy discussion with a SailPoint resource 6 months ago about this specific topic, and they clarified it’s “by design” to account for both a non-SSO AND an SSO login to have separate access assigned within NERM for the same person.