Username and email claims aren't *both* honoured for identity providers
-
If you set up an identity provider (SAMLv2 or OIDC, not sure about others) you can specify an email and username claim. Then you can use these claims to link to (or create) the user. So far so good. Unfortunately FusionAuth ignores the claim which it isn't linking on. So if you link by username it won't fill in the email field (and vice versa). This would be fine if you were able to set that field in the lambda, but it's blocked there. This is troublesome for migrating from email linking to username linking and using any email features when linking by username.
It's possible I've missed a configuration step, but I can see from the debugging output that it is reading the username when linking on email, for instance; it's just not setting it. Any thoughts?
I am on FusionAuth 1.45.1.
-
Hiya @chris-2,
So you'd like to have the claim that is not linked be set if present in the response? Would that solve your problem? Or is there some other solution that would solve your needs?
The reason we don't allow those claims to be changed in the lambda is that it's an escalation possibility.
One option (for a subset of your use cases) would be to store the value that is delivered from the identity provider in the `user.data.email` claim, which is used for email-specific functionality when no email address is available on the user.
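As an added illustration of the workaround above (not code from the thread or from FusionAuth's documentation), a reconcile lambda for an OIDC identity provider that links on username and copies the provider's email claim into `user.data.email` instead of `user.email`. It assumes FusionAuth's OIDC reconcile lambda signature `reconcile(user, registration, jwt)` and a claim named `email`; both are assumptions to check against your provider's configuration.

```javascript
// Added example, not from the original thread. Assumes the OIDC reconcile
// lambda signature reconcile(user, registration, jwt) and an 'email' claim.
var EMAIL_CLAIM = 'email';
// Deliberately simple shape check: reject values that cannot be an address.
var EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function reconcile(user, registration, jwt) {
  // user.email cannot be set from a lambda, so user.data.email is the fallback.
  user.data = user.data || {};

  var claimed = jwt[EMAIL_CLAIM];
  if (typeof claimed !== 'string') {
    return; // claim absent or malformed: leave user.data untouched
  }
  claimed = claimed.trim().toLowerCase();
  if (!EMAIL_RE.test(claimed)) {
    return; // do not store something that does not look like an address
  }

  // user.data.email only matters when the user has no real email address,
  // so never shadow an existing user.email with a provider-supplied value.
  if (user.email) {
    return;
  }
  user.data.email = claimed;
}
```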