Hi, The issue description is not clear enough. You should also provide logs file that can help troubleshoot the issue.

Here are more details about the trouble. Logs authentication for existing user that was not SAML Provisioned. ``` 18-05-21 08:35:40,605 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'mail', attributeValue = 'md@mydomain' 2018-05-21 08:35:40,619 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '1' entries 2018-05-21 08:35:40,619 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'oxExternalUid', attributeValue = 'passport-saml:md@mydomain' 2018-05-21 08:35:40,623 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '0' entries 2018-05-21 08:35:40,623 DEBUG [qtp1744347043-9] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:265) - Authentication result for user 'null'. auth_step: '1', result: 'false', credentials: '2131578714' 2018-05-21 08:35:40,624 INFO [qtp1744347043-9] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:164) - Authentication failed for 'null' 2018-05-21 08:35:40,631 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!1D0B.1BF8.E522.BBA2!0001!97FA.EC09!0008!A210.18C9 2018-05-21 08:35:40,632 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.ClientService] (ClientService.java:137) - Found 1 entries for client id = @!1D0B.1BF8.E522.BBA2!0001!97FA.EC09!0008!A210.18C9 2018-05-21 08:35:45,824 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2018-05-21 08:35:45,826 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.ConfigurationEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()] 2018-05-21 08:35:45,829 DEBUG [oxAuthScheduler_Worker-5] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended 2018-05-21 08:35:45,836 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2018-05-21 08:35:45,838 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.LdapStatusEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()] 2018-05-21 08:35:45,852 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended 2018-05-21 08:35:45,906 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started 2018-05-21 08:35:45,907 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.oxauth.service.cdi.event.AuthConfigurationEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()] ``` Logs from SAML Provisioned User ``` 2018-05-21 08:37:05,122 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'mail', attributeValue = 'ja@mydomain' 2018-05-21 08:37:05,131 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '1' entries 2018-05-21 08:37:05,131 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'oxExternalUid', attributeValue = 'passport-saml:ja@mydomain' 2018-05-21 08:37:05,137 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:203) - Found '1' entries 2018-05-21 08:37:05,156 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.AuthenticationService] (AuthenticationService.java:299) - Authenticating user with LDAP: username: 'ja@mydomain', credentials: '2131578714' 2018-05-21 08:37:05,156 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:87) - Getting user information from LDAP: userId = ja@mydomain 2018-05-21 08:37:05,165 DEBUG [qtp1744347043-14] [org.xdi.oxauth.service.UserService] (UserService.java:96) - Found 1 entries for user id = ja@mydomain 2018-05-21 08:37:05,181 DEBUG [qtp1744347043-14] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:265) - Authentication result for user 'ja@mydomain'. auth_step: '1', result: 'true', credentials: '2131578714' 2018-05-21 08:37:05,183 DEBUG [qtp1744347043-14] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:354) - Sending event to trigger user redirection: 'ja@mydomain ```   I'm not sure how I can manually add the Authentication Methods as well for the Test user, as from the logs I can see that is searching for oxExternalUid. ``` 2018-05-21 08:35:40,619 DEBUG [qtp1744347043-9] [org.xdi.oxauth.service.UserService] (UserService.java:192) - Getting user information from LDAP: attributeName = 'oxExternalUid', attributeValue = 'passport-saml:md@mydomain' ``` How can I update this value for the users who do not have this already. Regards,

Hi Martin, > The SAML Provisioning is working fine, meaning the account that does not exist in Gluu LDAP is created and later on you can use either Form Authentication or External Provider. I think you are missing the way inbound saml works. I'm going to explained that here, but noted that if User A was Authenticated by the external IDP then it is not possible yet to have the same user login gluu using the standard authentication method(username/password). Also the external IDP authentication process will fail if a different user exist in the Gluu LDAP server with the same email as the one of the current user doing authentication. Thanks, Gasmyr.

Thank you for the explanation and the answer. > if User A was Authenticated by the external IDP then it is not possible yet to have the same user login gluu using the standard authentication method(username/password). I will retest this tomorrow and I'll let you know about the output. I think I somehow managed to login both ways for the same user which I did found strange. Will let you know about that part. My next question is, how will I migrate the existing Gluu LDAP users to be using the External IdP? Is there a way? Thank you, Martin D.

> My next question is, how will I migrate the existing Gluu LDAP users to be using the External IdP? **Why do you want to do that?** Users should be store in Gluu LDAP, those who are in the external IDP are also store in Gluu LDAP after a successful inbound SAML flow. https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/

I think we are misunderstanding each other. Let me put it this way, I have a gluu server with 10 users. We decide to enable Passport Inbound SAML so users will login to Gluu server via External Provider. Any user who doesn't exist in the LDAP and is logged in via the External Provider will continue successfully authenticating using the External Provider. So my users i.e second@user.com already exists in the Gluu LDAP, however when I try to authenticate via External Provider it fails, this is due to the fact that didn't went trough the inbound SAML flow and the is matching a record that already in the LDAP that exists, correct? If so, how can I enable this user to be able to authenticate via External Provider instead of form based authentication? Do I need to delete and recreate(SAML Provisioning) the user? Sorry for the trouble but I'm really confused at this point. To simplify the question how can I enable old users to use Passport inbound SAML authentication once enabled.

Hello Martin, It is clear now. > So my users i.e second@user.com already exists in the Gluu LDAP, however when I try to authenticate via External Provider it fails, this is due to the fact that didn't went trough the inbound SAML flow and the is matching a record that already in the LDAP that exists, correct? **Yes.** > If so, how can I enable this user to be able to authenticate via External Provider instead of form based authentication? Do I need to delete and recreate(SAML Provisioning) the user? **Yes, but don't delete the admin account. ** > To simplify the question how can I enable old users to use Passport inbound SAML authentication once enabled. **Delete them from gluu LDAP and let them use the inbound flow to authenticate. ** Thanks, Gasmyr.

Hi Martin, Still need assistance on this ticket?