move to new IDP

Michael A Grady mgrady at
Fri Mar 27 20:59:31 EDT 2020

> On Mar 27, 2020, at 6:08 PM, Deirdre Kirmis <Deirdre.Kirmis at> wrote:
> Yes, it was on the IDP side. They fixed it, and I see my IDP to choose to login, but now my web app thinks all of the accounts are new, so tries to add them, but then gives a 500 error. It’s like it thinks it is a new user and goes through the steps to add the account, gives the screen to the user to “accept” adding the account, but then gives a 500 error. The dev/prod IDP accounts use the same domain information, so should be the same.
> Any ideas what would cause that behavior?

No one could answer that without knowing your user creation logic, and that isn't an SP or IdP thing in any direct way. You'd have to look at the attribute(s) value(s) being sent by the Prod IdP and compare them to the "theoretically the same" attribute(s) value(s) being sent by the previous IdP. And then check your user matching and creation logic.

But one would also have to ask -- why would you want to keep user records from a test IdP in the first place? If moving to Prod, shouldn't you discard any such "test records"?

Michael A. Grady
IAM Architect, Unicon, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list