>Seems the IDP has no choice to prevent this if the backend auth system accecpts it. Sorry, I just realized that this is the behavior of our Windows LDAP. I did a test before but accidentaly used our ADLDS which seem to be behaving correctly. Best regards, Tobias