Some users unable to login to ZTNA whereas other users are working fine



Article ID: 406879


Updated On:

Products

Symantec ZTNA

Issue/Introduction

A ZTNA administrator has integrated ZTNA with the SAML Identity provider used by the organisation.

ZTNA synchronises users and groups from that Identity provider, which contains tens of thousands of users.

Users are provisioned within ZTNA based on the attributes sent by the Identity provider.

Some users who were previously able to log in to ZTNA now receive login failures when they submit valid credentials on the ZTNA login page, while other users continue to log in normally.

The problem only started after an update to the Identity provider code.


Environment

ZTNA.

Generic SAML Identity provider.

User accounts provisioned using SAML attributes.

Cause

After the update, the Identity provider began creating new users in ZTNA with the same name as existing users but with different email addresses, including personal email addresses. ZTNA therefore held more than one email address for the same user.

Resolution

Two separate changes are required to address the issue. The first stops new duplicates from being created; the second clears the duplicates that already exist, which the first change alone does not remove:

  • Fix the Identity provider so that it no longer provisions users into ZTNA when they log in with personal email addresses, and
  • Remove the invalid usernames from ZTNA: go to Settings -> Directory -> User and groups, select the Identity provider, search for the invalid users and delete them.

Additional Information

When two email addresses exist for the same user, ZTNA cannot uniquely identify the user and the login errors out, even though the credentials submitted are valid. Removing the duplicate records restores the one-to-one mapping between a user and an email address.
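The two checks described in the Resolution and Additional Information sections, as an added example that is not Symantec code and does not use any ZTNA API: an Identity-provider-side gate that refuses to provision an account whose email is not on a corporate domain, and an audit of a directory export that finds usernames mapped to more than one email address and lists the personal addresses to delete. The export format, the attribute name `email`, and the corporate domain list are assumptions; the sample records are constructed.

```python
"""Audit a ZTNA user directory export for ambiguous identities.

Added example, not Symantec or ZTNA code. The export layout (username, email
pairs), the SAML attribute name "email" and CORPORATE_DOMAINS are assumptions;
adapt them to the real Identity provider and directory export.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Domains owned by the organisation (assumption for this example).
CORPORATE_DOMAINS = {"example.com", "corp.example.com"}

# Constructed directory export as ZTNA might hold it after SAML-attribute
# provisioning. Not real data: two usernames have picked up a second,
# personal email address after the Identity provider change.
DIRECTORY_EXPORT: List[Tuple[str, str]] = [
    ("jsmith", "jsmith@example.com"),
    ("jsmith", "john.smith.personal@gmail.com"),
    ("adoe", "adoe@corp.example.com"),
    ("bwong", "bwong@example.com"),
    ("bwong", "bwong@outlook.com"),
    ("clee", "clee@example.com"),
]


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an email address, or raise."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def is_corporate_email(email: str, corporate_domains=CORPORATE_DOMAINS) -> bool:
    """True if the address belongs to one of the organisation's domains."""
    return email_domain(email) in corporate_domains


def should_provision(attributes: Dict[str, str]) -> bool:
    """Identity-provider-side gate: provision a ZTNA user only from a corporate email.

    The attribute name "email" is an assumption; map it to whatever attribute
    the Identity provider actually releases in its SAML assertion.
    """
    email = attributes.get("email", "")
    return bool(email) and is_corporate_email(email)


def find_ambiguous_users(export: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group the export by username and return names that map to more than one email."""
    by_name: Dict[str, List[str]] = defaultdict(list)
    for name, email in export:
        key = name.strip().lower()
        if email not in by_name[key]:
            by_name[key].append(email)
    return {name: emails for name, emails in by_name.items() if len(emails) > 1}


def entries_to_remove(export: List[Tuple[str, str]]):
    """Return (records to delete, unresolved names).

    A record is marked for deletion when its username is ambiguous, its email
    is on a non-corporate domain, and exactly one corporate address remains.
    Any other ambiguity (for example two corporate addresses) is reported as
    unresolved rather than guessed at, since deleting the wrong one locks the
    real user out.
    """
    remove: List[Tuple[str, str]] = []
    unresolved: Dict[str, List[str]] = {}
    for name, emails in find_ambiguous_users(export).items():
        personal = [e for e in emails if not is_corporate_email(e)]
        corporate = [e for e in emails if is_corporate_email(e)]
        if personal and len(corporate) == 1:
            remove.extend((name, e) for e in personal)
        else:
            unresolved[name] = emails
    return remove, unresolved


if __name__ == "__main__":
    to_delete, needs_review = entries_to_remove(DIRECTORY_EXPORT)
    for name, email in to_delete:
        print(f"delete  {name:<10} {email}")
    for name, emails in needs_review.items():
        print(f"review  {name:<10} {', '.join(emails)}")
```

Run it against the real export after the Identity provider fix is in place; the "delete" lines are the records to remove under Settings -> Directory -> User and groups, and anything under "review" should be checked by hand before deletion.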