Synchronization between Confluence and Azure Active Directory is PARTIALLY_FAILED (User is not unique)
Platform notice: Server and Data Center only - This article applies only to Atlassian products on the Server and Data Center platforms.
The synchronization between Azure Active Directory (AAD) and Confluence is performed through the SAML Single Sign On for Confluence third-party app.
When trying to synchronize, the result is PARTIALLY_FAILED and the error message is User is not unique (see the screenshot).
As a result, a particular user is unable to log into Confluence. This error may affect one or more users.
- Confluence Server 7.6.2
- Microsoft Azure Active Directory
- Third-party app: SAML Single Sign On for Confluence
When trying to sync Azure Active Directory users through the third-party app, the following message is written to the application logs:
2020-11-05 16:33:25,831 ERROR [http-nio-8090-exec-679] [atlasplugins.samlsso.userauth.PrincipalProviderImpl] log ZG176: Updating user from connector failed, result was not SUCCESS or resulting user was not present: User is not unique
A user that was previously synced between Confluence and AAD was deleted in the external directory. Before the deletion was synchronized to Confluence (and the user removed from the Confluence tables), a new user was created externally using the same e-mail address as the deleted user but a different username.
The next synchronization between Confluence and AAD (through the app) finds that e-mail address already assigned to a different username in Confluence, which triggers the User is not unique error.
Whenever you make changes to the database, always do so in advance where possible: first run the SQL alter, insert, update, or delete commands on a staging server.
While this divergence between the two usernames exists, Confluence will not sync properly with AAD. You will need to manually change the deleted user's e-mail address in the Confluence database to another, unused value:
- Shut down Confluence.
- Run the following query against the Confluence database (PostgreSQL):
-- Both columns must receive the same unused address; lower_email_address is the lowercase form Confluence uses for lookups.
UPDATE cwd_user SET email_address = 'firstname.lastname@example.org', lower_email_address = 'firstname.lastname@example.org' WHERE id IN (SELECT id FROM cwd_user WHERE user_name = '<DELETED_USERNAME>');
If the user that was deleted in AAD exists in multiple Confluence directories, narrow the query down to the affected directory (for example by adding a condition on the directory_id column of cwd_user); otherwise the e-mail address is changed in every directory that holds that username.
- Start Confluence.
- Try syncing Confluence with AAD again using the SAML Single Sign On for Confluence app.
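The following script is an added example, not part of this article or of the SAML app: it models the cause described above (an AAD user re-created with the same e-mail under a new username) by comparing a constructed set of cwd_user rows against a constructed AAD user list, reports each address that the next sync would flag as not unique, and prints the remediation UPDATE from the solution section scoped to the row's id and directory_id so that only the stale row is touched. The row layout and the "<user_name>.deleted@<domain>" replacement address are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample data, not real directory contents.
# Confluence cwd_user rows: (id, directory_id, user_name, lower_email_address)
CONFLUENCE_USERS = [
    (1001, 10, "jdoe",   "jane.doe@example.org"),
    (1002, 10, "asmith", "alex.smith@example.org"),
]
# Users as they currently exist in AAD: (username, email)
AAD_USERS = [
    ("jane.doe", "Jane.Doe@example.org"),   # re-created: same e-mail, new username
    ("asmith",   "alex.smith@example.org"),  # unchanged
]


def find_email_conflicts(confluence_users, aad_users):
    """Return (confluence_row, aad_username) pairs where an AAD user's e-mail is
    already held by a different username in Confluence. That is exactly the state
    in which the connector reports 'User is not unique' on the next sync."""
    by_email = defaultdict(list)
    for row in confluence_users:
        by_email[row[3].lower()].append(row)
    conflicts = []
    for aad_name, aad_email in aad_users:
        for row in by_email.get(aad_email.lower(), []):
            if row[2].lower() != aad_name.lower():
                conflicts.append((row, aad_name))
    return conflicts


def remediation_sql(row, used_emails):
    """Build the article's UPDATE for one stale row. The replacement address is
    derived from the old username and checked against every address already in
    cwd_user so the fix cannot itself create a new duplicate."""
    uid, dir_id, user_name, email = row
    domain = email.split("@")[1]
    new_email, n = f"{user_name}.deleted@{domain}".lower(), 1
    while new_email in used_emails:           # assumed naming scheme; bump until unused
        n += 1
        new_email = f"{user_name}.deleted{n}@{domain}".lower()
    return (f"UPDATE cwd_user SET email_address = '{new_email}', "
            f"lower_email_address = '{new_email}' "
            f"WHERE id = {uid} AND directory_id = {dir_id};")


if __name__ == "__main__":
    used = {r[3].lower() for r in CONFLUENCE_USERS}
    for row, aad_name in find_email_conflicts(CONFLUENCE_USERS, AAD_USERS):
        print(f"-- {row[3]} belongs to '{row[2]}' in Confluence but to '{aad_name}' in AAD")
        print(remediation_sql(row, used))
```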