Synchronization between Confluence and Azure Active Directory is PARTIALLY_FAILED (User is not unique)
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
要約
The synchronization between the Azure Active Directory (AAD) and Confluence is made through the SAML Single Sign On for Confluence third-party app.
When trying to synchronize, the result is PARTIALLY_FAILED and the error message is User is not unique (see the screenshot):
As a result, a particular user is unable to log into Confluence. This error may affect one or more users.
環境
- Confluence Server 7.6.2
- Microsoft Azure Active Directory
- Third-party app: SAML Single Sign On for Confluence
診断
When trying to sync Azure Active Directory users through the third-party app, the following message is displayed on application logs:
2020-11-05 16:33:25,831 ERROR [http-nio-8090-exec-679] [atlasplugins.samlsso.userauth.PrincipalProviderImpl] log ZG176: Updating user from connector failed, result was not SUCCESS or resulting user was not present: User is not unique原因
A user that was previously synced between Confluence and the AAD was deleted in the external directory. Before synchronizing to Confluence (and removing the user from Confluence tables), a new user was created externally, using the same e-mail as the deleted user but with a different username.
The next synchronization between Confluence and AAD (through the app) will identify the same e-mail being used by a different user in Confluence, thus triggering the User is not unique error.
ソリューション
データベースの変更を行う場合は必ず事前にバックアップを取得してください。可能な場合は、まずステージング サーバーで SQL コマンドの変更、挿入、更新、または削除を行うようにします。
While existing this divergence between two different usernames, Confluence will not sync properly to the AAD. You'll need to manually change the deleted user's e-mail in Confluence Database to other unused value:
- Confluence をシャットダウンします。
Run the following query at the Confluence database:
PostgreSQL クエリUPDATE cwd_user SET email_address = 'somerandom@email.value', lower_email_address = 'somerandom@email.value' WHERE id in ( select id from cwd_user where user_name = '<DELETED_USERNAME>');
If the user that was deleted in the AAD belongs to multiple Confluence directories you may need to narrow down the directory, otherwise, all e-mails will be changed.- Confluence を起動します。
- Try to sync Confluence to the AAD using the app SAML Single Sign On for Confluence