Is there a guide for, or does anyone have any experience with, migrating from the plugin to the built-in auth? Will users have two different accounts that need to be combined/migrated together, or will it do that seamlessly?
Currently the identity provider values are all aad.
Reading that guide through again, looks like it is relevant. I would need to set up the built-in SAML auth, then run a script to migrate each user from aad to saml. Does that sound correct?
newExternalIdentity is most relevant in cases where your users are known by their e-mail address with the new Identity Provider rather than an LDAP login (colin.mueller3@example.com vs. cmueller3).
In our case I think we do want to set a new identity - we don’t need to I guess, but currently everyone’s logins have the format firstname-lastname<numbers> and I think I would prefer to just use the email address to make scripting admin actions easier in the future.
Just thinking out loud. I will report back here after we do the migration to help others who might be searching for this.
We completed this, though we did run into a hiccup.
The provider change would not “take”, or complete in some way, unless we deactivated the user after changing their provider. I watched our test user click on both authentication providers after we changed their account over, and both providers gave them a “your account is associated to a different provider” type of error message, and the login would fail. After deactivating their account, they were able to log in with the new provider without problems.
Our script to change over all the users ended up being pretty similar to the one in the article linked above, just with the extra deactivate step, and done in a loop to change over all users with the old provider type in one go.
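A sketch of the loop described in the last post, as an added example that is not the poster's script or the linked article's code: it plans the provider change plus the extra deactivate step for every aad user, keyed on e-mail address, and leaves accounts without an e-mail untouched. The endpoint paths, the response field names, and the token-as-username basic auth are assumptions modelled on a SonarQube-style Web API (the thread only names newExternalIdentity); the sample users are constructed.

```python
import base64
import urllib.parse
import urllib.request

# Endpoint paths and field names are assumptions (SonarQube-style Web API);
# the thread does not name the product or show its script.
UPDATE_EP = "/api/users/update_identity_provider"
DEACTIVATE_EP = "/api/users/deactivate"


def plan_migration(users, old_provider="aad", new_provider="saml"):
    """Return (calls, skipped): ordered API calls and logins left untouched."""
    calls, skipped = [], []
    for u in users:
        if u.get("externalProvider") != old_provider:
            continue  # local or already-migrated accounts are not touched
        email = (u.get("email") or "").strip()
        if not email:
            skipped.append(u["login"])  # no e-mail to use as the new identity
            continue
        calls.append((UPDATE_EP, {"login": u["login"],
                                  "newExternalProvider": new_provider,
                                  "newExternalIdentity": email}))
        # Extra step from the thread: deactivate after the provider change.
        calls.append((DEACTIVATE_EP, {"login": u["login"]}))
    return calls, skipped


def apply_calls(base_url, token, calls, dry_run=True):
    """POST each planned call; with dry_run=True only return what would be sent."""
    sent = []
    auth = base64.b64encode(f"{token}:".encode()).decode()
    for path, params in calls:
        body = urllib.parse.urlencode(params)
        sent.append(f"POST {path}?{body}")
        if dry_run:
            continue
        req = urllib.request.Request(base_url + path, data=body.encode(),
                                     headers={"Authorization": f"Basic {auth}"})
        urllib.request.urlopen(req).close()  # raises on HTTP errors
    return sent


# Constructed sample records, shaped like a user-search response.
SAMPLE_USERS = [
    {"login": "jane-doe12345", "email": "Jane.Doe@example.com", "externalProvider": "aad"},
    {"login": "svc-build", "email": None, "externalProvider": "aad"},
    {"login": "admin", "email": "admin@example.com", "externalProvider": "local"},
]
```

Review the dry-run output and the skipped list before running with dry_run=False, and keep at least one local administrator account outside the migration so a failed SAML login does not lock everyone out.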