Migration to SAML authentication

I’m testing the SAML authentication on a (docker based) instance of version 10.0.
The authentication is work basically. But, I faced some issues I would like to clarify.

  1. Why a migration is needed for all users individually?
    I’ve a server with more than 100 users. Do I really need to “curl” all users to /api/users/update_identity_provider manually?

  2. The login identification seems to be case-sensitive. Is this really necessary and by design?
    I have users in the system which are currently identified with a name like lukas but in the Azure AD they are named like Lukas.
    Would it be possible to make the identification case-insensitive?

  3. Why the email address is checked while login?
    I have a local administrator (no SAML!) which I would like to configure with my personal email address.
    The same email address is configured in my personal AD account.
    If I have configured both SQ users with the same email address I cannot login anymore with SAML with the following error message:

This account is already associated with another authentication method.
Sign in using the current authentication method,
or contact your administrator to transfer your account to a different authentication method.

This is confusing because the configured identity is the domain user name (onpremisessamaccountname).

  1. I started testing with version 9.9. There I configured the attribute http://schemas.microsoft.com/ws/2008/06/identity/claims/groups as “SAML group attribute”.
    After migration to version 10.0 this attribute disapeared from configuration.


We try to keep it to one topic per thread. Otherwise it can get messy, fast.

  1. Yes, you’ll have to do this individually. Should be automatable…?

  2. By design? Fair question. Could you create a separate thread for this point?

  3. Could you create a separate thread for this too, please?

  4. We reworked SAML integration in 10.0, so it’s not surprising that some values got shuffled around or disappeared.


  1. How about an option to migrate interactively in the UI?
  2. I’ll do.
  3. I’ll do.
  4. Do you think this property MUST not be configurable while many others are configurable?