Synchronization between Confluence and Azure Active Directory is PARTIALLY_FAILED (User is not unique)

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

 

Summary

Synchronization between Azure Active Directory (AAD) and Confluence is performed through the third-party app SAML Single Sign On for Confluence.

When synchronizing, the result is PARTIALLY_FAILED and the error message is "User is not unique".

As a result, a particular user is unable to log into Confluence. This error may affect one or more users.

Environment

Diagnosis

When syncing Azure Active Directory users through the third-party app, the following message appears in the application log:

atlassian-confluence.log
2020-11-05 16:33:25,831 ERROR [http-nio-8090-exec-679] [atlasplugins.samlsso.userauth.PrincipalProviderImpl] log ZG176: Updating user from connector failed, result was not SUCCESS or resulting user was not present: User is not unique

Cause

A user that was previously synced between Confluence and the AAD was deleted in the external directory. Before that deletion was synchronized to Confluence (which would have removed the user from the Confluence tables), a new user was created in the external directory with the same e-mail address as the deleted user but a different username.

The next synchronization between Confluence and AAD (through the app) finds the same e-mail address already in use by a different user in Confluence, which triggers the "User is not unique" error.

Solution

Always back up your data before performing any modifications to the database. If possible, test any alter, insert, update, or delete SQL commands on a staging server first.

While this divergence between the two usernames exists, Confluence will not sync properly with the AAD. You'll need to manually change the deleted user's e-mail address in the Confluence database to another, unused value:

  1. Shut down Confluence
  2. Run the following query against the Confluence database:

    PostgreSQL query
    -- Replace <DELETED_USERNAME> with the username of the user deleted in the AAD.
    UPDATE cwd_user
    SET email_address = 'somerandom@email.value',
        lower_email_address = 'somerandom@email.value'
    WHERE id IN (
        SELECT id FROM cwd_user WHERE user_name = '<DELETED_USERNAME>');

    Warning: If the user that was deleted in the AAD belongs to multiple Confluence directories, you may need to narrow the query down to one directory; otherwise, all e-mails will be changed.

  3. Start Confluence
  4. Try to sync Confluence to the AAD using the app SAML Single Sign On for Confluence
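
The following is an added example, not part of the original article or the app's documentation. It shows one way to follow the warning in step 2: first list the accounts that share an e-mail address together with their directory, then update only the deleted account in a single directory. It assumes the standard Confluence user tables, where cwd_user.directory_id references cwd_directory.id; <DIRECTORY_ID> is a placeholder for the id returned by the first query.

```sql
-- Added example (PostgreSQL). Assumes the standard Confluence user tables:
-- cwd_user.directory_id references cwd_directory.id.

-- 1. Read-only check: list every e-mail address held by more than one account,
--    with the directory each account belongs to.
SELECT u.lower_email_address,
       u.id,
       u.user_name,
       u.directory_id,
       d.directory_name
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
WHERE u.lower_email_address IN (
    SELECT lower_email_address
    FROM cwd_user
    WHERE lower_email_address IS NOT NULL
      AND lower_email_address <> ''
    GROUP BY lower_email_address
    HAVING COUNT(*) > 1
)
ORDER BY u.lower_email_address, u.directory_id, u.user_name;

-- 2. Scoped fix: change the e-mail only for the deleted account in one directory.
BEGIN;

UPDATE cwd_user
SET email_address = 'somerandom@email.value',
    lower_email_address = 'somerandom@email.value'
WHERE user_name = '<DELETED_USERNAME>'
  AND directory_id = <DIRECTORY_ID>;  -- placeholder: directory_id from query 1

-- Verify before committing: exactly one row should carry the new value.
SELECT id, user_name, directory_id, email_address
FROM cwd_user
WHERE lower_email_address = 'somerandom@email.value';

COMMIT;  -- run ROLLBACK; instead if the check shows more than one row
```

Run the second part in an interactive session with Confluence shut down, so the verification result can be inspected before the transaction is committed.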


Last modified on Jan 21, 2021
