Area: Deployment Issues
Sub-Area: SSO Authentication and User Management
Issue
When migrating to a new SSO provider or identity source that preserves mixed-case usernames, DataHub creates duplicate users for the same person if the username casing differs from existing users. This occurs because DataHub treats usernames as case-sensitive when constructing user URNs, leading to ownership conflicts and broken team assignments when organizations enforce lowercase username standards.
You Might Be Asking
- Why am I seeing duplicate users after switching SSO providers?
- Can I configure DataHub to force usernames to lowercase during login?
- How do I prevent case sensitivity issues when migrating from one identity provider to another?
Solution
Immediate Fix: Configure Identity Provider Normalization
- In your identity provider (e.g., Okta), configure the claims settings to normalize usernames to lowercase before sending to DataHub
- For Okta, in your authorization server's Claims settings, set the value of the email claim to an Expression: String.toLowerCase(user.email)
- This ensures DataHub always receives lowercase usernames regardless of the source system casing
Alternative DataHub Configuration
- Review your current AUTH_OIDC_USER_NAME_CLAIM setting
- Check if your identity provider offers a different claim that already provides consistent lowercase values
- Switch to that claim if available (commonly email vs preferred_username)
Clean Up Existing Duplicates
- Identify duplicate users by searching for mixed-case variants of existing usernames
- Use the "Manage Users & Groups" page to deactivate or remove duplicate user accounts
- Reassign any ownership or group memberships from duplicate accounts to the canonical lowercase versions
Finding Duplicate Users
- Search for users with similar names but different casing patterns
- Look for URNs like urn:li:corpuser:John.Doe@example.com vs urn:li:corpuser:john.doe@example.com
- Contact DataHub support for assistance in identifying all duplicates if needed
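The search for case variants described above can be scripted once you have a list of user URNs. This is an added example, not DataHub code: the function name find_case_variants is hypothetical and the sample URN list is constructed. It lowercases the username the same way the Okta expression does, so it also flags accounts that exist only in mixed case and have no lowercase counterpart yet.

```python
from collections import defaultdict

PREFIX = "urn:li:corpuser:"

# Constructed sample: URNs as they might appear in an exported user list.
SAMPLE_URNS = [
    "urn:li:corpuser:john.doe@example.com",
    "urn:li:corpuser:John.Doe@example.com",
    "urn:li:corpuser:JOHN.DOE@example.com",
    "urn:li:corpuser:Jane.Roe@example.com",   # mixed case only, no lowercase twin
    "urn:li:corpuser:alice@example.com",      # already canonical, no variants
    "urn:li:corpGroup:Data-Platform",         # not a user URN, ignored
]


def find_case_variants(urns):
    """Map each canonical lowercase URN to its non-lowercase variants.

    Result: {canonical: {"canonical_present": bool, "variants": [urn, ...]}}
    Users whose only URN is already lowercase are omitted.
    """
    groups = defaultdict(set)
    for urn in urns:
        urn = urn.strip()
        if not urn.startswith(PREFIX):
            continue
        # Normalize only the username part; the URN prefix is left untouched.
        groups[PREFIX + urn[len(PREFIX):].lower()].add(urn)

    report = {}
    for canonical, seen in sorted(groups.items()):
        variants = sorted(seen - {canonical})
        if variants:
            report[canonical] = {
                "canonical_present": canonical in seen,
                "variants": variants,
            }
    return report


if __name__ == "__main__":
    for canonical, info in find_case_variants(SAMPLE_URNS).items():
        action = "reassign to" if info["canonical_present"] else "no lowercase URN yet for"
        for variant in info["variants"]:
            print(f"{variant}: {action} {canonical}")
```

Entries with canonical_present set to False have no lowercase account yet, so a lowercase login from the normalized identity provider would resolve to a URN that does not exist today.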
Additional Notes
DataHub currently has no built-in configuration to force username normalization during authentication. The case sensitivity is implemented at the URN construction level in the OIDC authentication logic. A future "CorpUser Siblings" feature may help link case-variant URNs as the same user, but this is not yet generally available. The identity provider normalization approach is the most reliable current solution.
Tags: sso, authentication, oidc, okta, user-management, case-sensitivity, duplicates, identity-provider, workday