SAML Login Fails After Email Change
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
You are an Organization administrator. After you change a user's email address from one domain to another, that user can no longer log in.
Solution
Understanding the error
The user sees the error below when they try to log in:
Something went wrong while executing your request. We're working on it, please try again shortly.
The following appears in the SAML trace log:
"value": "https://id.atlassian.com/error?client_id=xxxxx1234&connection=saml-xxxx-xxxx-xxxx-xxxx&lang=&error=access_denied&error_description=handle-linked-saml-users%3Aupdate-linked-primary-user-email-failed-400&tracking=1234xxxx578"
The URL-decoded error_description is handle-linked-saml-users:update-linked-primary-user-email-failed-400, i.e. updating the primary email address of the linked SAML user failed.
Use the steps in the KB article "How to view SAML responses in your browser for troubleshooting" to check whether your SAML trace shows a similar error.
Reasons for SAML Errors
The email change should be made at the Identity Provider directly, and only when the SAML configuration identifies the user by a unique, unchanging ID rather than by the email address.
More information on this unchanging ID is in the article SAML login fails for a user whose email was changed.
The recommended sequence is to claim the new domain as well (so both domains are verified), set up SAML while the user still has the old email address, and then rename the user at the IdP. This only works if SAML was set up with a unique, unchanging ID that does not change when a user's email address changes. In the case described here that was not done: the "unique, unchanging id" was the user's email address itself, so renaming the user changed the identifier Atlassian uses to link the account.
If that is not possible because you do not own the old domain, have the users change their email addresses manually before setting up SAML.
What to Do When You Encounter a SAML Error
The long-term resolution for all Organization administrators is as follows:
Organization administrators should claim both domains.
SAML should be set up for the old email address, and the email change should then be made at the Identity Provider directly.
This only works if SAML has been set up with a unique, unchanging ID that does not change when a user's email address changes.
⚠️ Note that the email address is not a valid candidate for the "unique, unchanging id".
If the Organization administrator does not own the old domain, have the users manually change their email addresses before setting up SAML.
You can also raise a request with Support to fix the email address linking, so that the user's next login links back to the correct SAML ID.
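The two checks a practitioner would want from the points above (decoding the error in the SAML trace, and confirming that the ID the IdP sends is not the email address), as an added Python example that is not part of this article or of Atlassian's own tooling. It assumes the HTTP-POST binding (the SAMLResponse form field is plain base64) and that the unique ID is carried in the assertion's Subject/NameID; the sample responses, domain names and GUID below are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Standard SAML 2.0 namespaces and NameID formats (OASIS URNs).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# The error redirect from the article's SAML trace (placeholder IDs as printed there).
TRACE_URL = (
    "https://id.atlassian.com/error?client_id=xxxxx1234"
    "&connection=saml-xxxx-xxxx-xxxx-xxxx&lang=&error=access_denied"
    "&error_description=handle-linked-saml-users%3Aupdate-linked-primary-user-email-failed-400"
    "&tracking=1234xxxx578"
)


def decode_error_url(url):
    """Return the URL-decoded error and error_description from an id.atlassian.com error redirect."""
    query = parse_qs(urlsplit(url).query)
    return {
        "error": query.get("error", [""])[0],
        "error_description": query.get("error_description", [""])[0],
    }


def check_subject_id(saml_response_b64):
    """Decode a base64 SAMLResponse (HTTP-POST binding) and report whether the subject
    NameID, assumed here to carry the 'unique, unchanging id', is an email address."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no Subject/NameID")
    value = (name_id.text or "").strip()
    fmt = name_id.get("Format", "")
    # Either an explicit emailAddress format or a value shaped like an email is the misconfiguration:
    # renaming the user at the IdP then changes the identifier used to link the account.
    is_email = fmt == EMAIL_FORMAT or bool(EMAIL_RE.match(value))
    return {"name_id": value, "format": fmt, "is_email": is_email}


def build_sample_response(name_id, fmt):
    """Constructed, unsigned, minimal SAML Response used only to exercise the check (not a real IdP message)."""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        '<saml:NameID Format="%s">%s</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], fmt, name_id)
    return base64.b64encode(xml.encode()).decode()


# Constructed examples: the failing shape (NameID is the email) and the recommended shape
# (a persistent identifier that survives an email change).
BAD_RESPONSE = build_sample_response("jane.doe@old-domain.example", EMAIL_FORMAT)
GOOD_RESPONSE = build_sample_response("6f9c2e7a-1b3d-4c55-9a0e-2d8f1c3b7a90", PERSISTENT_FORMAT)

if __name__ == "__main__":
    print(decode_error_url(TRACE_URL))
    for label, resp in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, check_subject_id(resp))
```

Paste the SAMLResponse value captured with the browser steps above into check_subject_id; if is_email is True, renaming the user at the IdP will break the link, and the IdP's NameID (or whichever attribute is mapped as the unique ID) should be switched to a stable identifier before any email change is made.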