Issue
When users authenticate through the SAP Authentication (XSUAA) module, duplicate user records may be created if the email address stored in the application uses a different case than the email address provided in the JWT (JSON Web Token).
For example:
Existing user email: USER.NAME@DOMAIN.COM
Email returned by SAP XSUAA: user.name@domain.com
Although both email addresses correspond to the same mailbox, they are treated as distinct values during user lookup, resulting in the creation of a new user record.
Environment
XSUAA Connector for SAP Solutions (all versions)
Cause
During authentication, the XSUAA module performs case-sensitive matching when resolving the identity provider user claim (such as email or user_name) against existing Mendix user records. Since Mendix treats System.User.Name as a case-sensitive value, email addresses that differ only by letter casing are considered distinct users. As a result, if a user account was provisioned with an uppercase email address but the identity provider (e.g., SAP XSUAA) returns the same email in lowercase, the lookup fails to find the existing account. This mismatch can lead to authentication failures or the unintended creation of duplicate user accounts.
Solution/Workaround
This behavior is expected, and no product change is planned.
Since System.User.Name is treated as case-sensitive by Mendix, it is the responsibility of customers to ensure that user identifiers are managed consistently across their applications and identity providers.
To prevent duplicate user creation, consistent casing should be enforced for user email addresses across all systems involved in the authentication flow, including SAP XSUAA and the Mendix application. For example, all email addresses may be stored and provided in lowercase format.
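The following Python model, added here and not part of Mendix or the XSUAA connector, shows the case-sensitive lookup from the Cause section creating a duplicate, the lowercase-normalized lookup that avoids it, and a reconciliation check for duplicates created before the casing was made consistent. UserStore and normalize_email are hypothetical stand-ins for the Mendix user table and the customer's normalization rule.

```python
# Added example (not Mendix or XSUAA code): models the lookup behaviour
# described in the article and the lowercase workaround.
from dataclasses import dataclass, field


def normalize_email(value: str) -> str:
    # Constructed rule: trim and lowercase. Lowercasing the local part assumes
    # the mail system treats it case-insensitively, as the article recommends.
    return value.strip().lower()


@dataclass
class UserStore:
    # Keys play the role of System.User.Name, which Mendix compares
    # case-sensitively; a real store would be the Mendix database.
    users: dict = field(default_factory=dict)

    def resolve_case_sensitive(self, claim: str) -> str:
        """Exact-match lookup: 'user.name@domain.com' does not find
        'USER.NAME@DOMAIN.COM', so a second record is provisioned."""
        if claim not in self.users:
            self.users[claim] = {"name": claim}  # duplicate created here
        return claim

    def resolve_normalized(self, claim: str) -> str:
        """Workaround: normalize both at provisioning and at lookup time,
        so addresses differing only by case map to one record."""
        key = normalize_email(claim)
        if key not in self.users:
            self.users[key] = {"name": key}
        return key

    def case_only_duplicates(self) -> dict:
        """Reconciliation check: group stored names that differ only by case."""
        groups: dict = {}
        for name in self.users:
            groups.setdefault(normalize_email(name), []).append(name)
        return {k: v for k, v in groups.items() if len(v) > 1}


def demo() -> tuple:
    """Constructed scenario from the article: account provisioned in uppercase,
    XSUAA returns the same address in lowercase."""
    buggy = UserStore({"USER.NAME@DOMAIN.COM": {"name": "USER.NAME@DOMAIN.COM"}})
    buggy.resolve_case_sensitive("user.name@domain.com")
    fixed = UserStore({"user.name@domain.com": {"name": "user.name@domain.com"}})
    fixed.resolve_normalized("USER.NAME@DOMAIN.COM")
    return len(buggy.users), len(fixed.users), buggy.case_only_duplicates()
```

Running the reconciliation check against an existing user table is a quick way to find accounts that were already duplicated before casing was made consistent.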
Related internal information
- 271631
- MCDEP-3951
Additional information
- Mendix documentation: