After an email change, login via SAML fails with "Something went wrong while executing your request"




Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.

Problem

You are an Organisation administrator and, after changing a user's email address from one domain to another, the user can no longer log in. They see the error below when they try to log in:

Something went wrong while executing your request. We're working on it, please try again shortly.

The following appears in the SAML trace log:

"value": "https://id.atlassian.com/error?client_id=xxxxx1234&connection=saml-xxxx-xxxx-xxxx-xxxx&lang=&error=access_denied&error_description=handle-linked-saml-users%3Aupdate-linked-primary-user-email-failed-400&tracking=1234xxxx578"

Diagnosis

Environment

  • The user's new (target) email address is on a claimed domain that is managed by SAML.

Diagnostic Steps

Cause

  • The email change should have been carried out at the Identity Provider directly, and only with a SAML configuration in which the user is identified by an unchanging ID rather than by the email address.
  • More information on this unchanging ID is available at SAML login fails for a user whose email was changed.
  • The recommended sequence would have been to claim the other domain, set up SAML with the old email address, and then rename the user at the IdP. This assumes SAML was set up correctly with a unique, unchanging ID that does not change when a user's email address changes; that does not appear to be the case here, where the "unique, unchanging id" appears to be the email address itself.
  • If that was not possible (because the old domain is not owned by the organisation), the users' email addresses should have been changed manually before SAML was set up.

Workaround

You can raise a request with Atlassian Support to fix the email address linking; this ensures that the user's next login links back to the correct SAML ID.

Resolution

The long-term resolution for all Organisation administrators to follow is provided below:

  1. Organisation administrators should claim both domains (the old one and the new one).
  2. SAML should be set up for the old email address, and the email change should then be made at the Identity Provider directly.
  3. This only works if SAML has been set up correctly with a unique, unchanging ID that does not change when a user's email address changes. (warning) Note that the email address is not a valid candidate for the "unique, unchanging id".
  4. If the Organisation administrator does not own the old domain, have the users change their email addresses manually before setting up SAML.
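The following Python model, added here as an illustration and not Atlassian's own code, shows why step 3 matters. It links an account to the NameID carried in a (constructed, unsigned) SAML assertion, then replays a login after the email was renamed at the IdP. With an email-format NameID the renamed user no longer matches any linked account; with a persistent, opaque NameID the same account is found and its primary email is simply updated. The account names, NameID value, and trace URL are assumptions for the example; the decoded error_description matches the one shown in the SAML trace log above.

```python
"""Why a SAML NameID must not be the e-mail address. Constructed example;
not Atlassian's code. The assertions are minimal and unsigned."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Assumed identities for the example (not from the article).
OLD_EMAIL = "jane@old-domain.example"
NEW_EMAIL = "jane@new-domain.example"
OPAQUE_ID = "b7e2c4d0-5a19-4f6e-9d3a-0c1e8f2a7b41"  # hypothetical IdP objectId


def build_assertion(name_id, name_id_format, email):
    """Constructed minimal assertion: Subject/NameID plus an 'email' attribute."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject>
    <saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>{email}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, name_id_format, email) from the assertion XML."""
    root = ET.fromstring(xml_text)
    name_id = root.find(f"./{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    email = None
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == "email":
            email = attr.find(f"{{{SAML_NS}}}AttributeValue").text
    return name_id.text, name_id.get("Format"), email


@dataclass
class Account:
    email: str     # current primary e-mail
    saml_id: str   # NameID the account was linked with at first SAML login


class LinkedUsers:
    """Accounts keyed by the NameID they were linked with (the 'SAML ID')."""

    def __init__(self):
        self.by_saml_id = {}

    def link(self, name_id, email):
        self.by_saml_id[name_id] = Account(email=email, saml_id=name_id)

    def login(self, assertion_xml):
        name_id, _fmt, email = parse_assertion(assertion_xml)
        acct = self.by_saml_id.get(name_id)
        if acct is None:
            # No account is linked to this NameID: the renamed user is a
            # stranger to the existing account, so the link is lost.
            return "unlinked"
        if acct.email != email:
            # Stable NameID: same account, new address -> update primary e-mail.
            acct.email = email
            return "email-updated"
        return "ok"


def simulate(name_id_format):
    """Link the user, rename the e-mail at the IdP, replay the login."""
    users = LinkedUsers()
    # With email-format NameID the IdP sends the address itself as NameID;
    # with persistent format it sends the opaque, unchanging identifier.
    before = OLD_EMAIL if name_id_format == EMAIL_FMT else OPAQUE_ID
    after = NEW_EMAIL if name_id_format == EMAIL_FMT else OPAQUE_ID
    users.link(before, OLD_EMAIL)
    return users.login(build_assertion(after, name_id_format, NEW_EMAIL))


def decode_trace_error(error_url):
    """Decode the percent-encoded error fields from an id.atlassian.com URL."""
    query = parse_qs(urlsplit(error_url).query)
    return {key: values[0] for key, values in query.items()}


if __name__ == "__main__":
    print("email NameID, rename at IdP:     ", simulate(EMAIL_FMT))
    print("persistent NameID, rename at IdP:", simulate(PERSISTENT_FMT))
    trace = ("https://id.atlassian.com/error?client_id=xxxxx1234"
             "&error=access_denied&error_description=handle-linked-saml-users"
             "%3Aupdate-linked-primary-user-email-failed-400&tracking=1234xxxx578")
    print(decode_trace_error(trace)["error_description"])
```

Run it directly to see the two outcomes side by side; decode_trace_error is useful on its own when reading a SAML trace log, since the error_description field is percent-encoded.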


Last modified on Sep 13, 2018
