User receives "This account has been deactivated" when logging in via SAML SSO
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
You have:
- A user who has an Atlassian account with an email address that matches one of your verified domain(s).
- SAML SSO configured.
- Neither account is managed by your identity provider.
When the user logs in, they see an error message that states, "We're having trouble logging you in. This account has been deactivated".
Cause
When a user logs in via SAML SSO, Atlassian saves their email and SAML Name/UPN/ObjectId attribute that is also sent along during the SAML SSO process. Atlassian support sometimes refers to this as an Atlassian account being "SAML linked".
When an account is SAML-linked, they will log into that account regardless of the email that is being sent from your identity provider. If the identity provider sends an email that does not match the Atlassian account, then Atlassian will attempt to just-in-time update the Atlassian account email to the new email. The email update will fail if the new email address is already in use by another Atlassian Account or the SAML-linked account is deactivated. If the new email address is already in use by another Atlassian account and the SAML linked account is active, then the Atlassian account with the new email will become the SAML linked account.
If a user is logging into the SAML linked account, and that account is deactivated, you will see the above error.
ID-7551 - Getting issue details... STATUS
Solution
If the SAML linked account is the account the user should log in to:
- Make sure that this account is active.
- Make sure that the email from your identity provider matches the email on this account. This may mean changing the email on another Atlassian account so that the desired email is free to use.
If the SAML linked account is not the account the user should log in to:
- Make sure that both the SAML-linked account and the desired account are active.
- Make sure that the email from your identity provider matches the desired account. This may mean changing the email on another Atlassian account so that the desired email is free to use.
In either case, after following these steps, the next time the user logs in, the now SAML-linked account will have the desired email. If there is another account that is no longer in use, you can deactivate this account.
If you are unable to determine which account is the SAML-linked account, providing our support agents with a SAML Trace and a screenshot of the error message the user receives when logging in will enable us to assist you.