Duplicate accounts (look for a number at the end of a username e.g. 'peter2') are a symptom that can be caused by one of the following:
Not converting existing internally authenticated accounts into externally authenticated accounts prior to enabling external authentication. (See item 2 in the Planing Ahead guide: External Authentication)
- Changing the identification attribute the external authentication service sends to IMS and thus preventing IMS from determining if the user has logged in before (resulting in a new account being created). (See How does IMS establish if a person with an externally authenticated user account has logged into IMS before?)
Please be aware that this situation is not a fault of the IMS software and to recover the IMS administrator should work with their IT dept to manually remove superfluous user accounts and plan how your accounts are to be managed.
The following provides some general advice for that process.
1) Externally authenticated accounts can be identified by an icon the the right hand side of the list of users:
Users > Users & Groups > Users tab or Group tab
Hover over the icon to confirm the authentication type. No icon is displayed for internally authenticated accounts.
2) Externally authenticated user accounts will be re-created upon the next login from the user so if you deleted 'bob2' (an externally authenticated account) you could then edit 'bob' (an internally authenticated account) and change its authentication type:
Users > Users & Groups > Edit User > Login Settings > Authentication Type
Upon the next login from the user, the 'bob' account will now be used for external authentication
Alternatively, if the authentication type is already an external one but you have changed the identification attribute on your identity provider software and want IMS to associate the IMS user account with a different identification attribute, change the authentication type to any other setting, save, then change it back and save. This will have the effect of blanking the record of the identification attribute so that a new one can be used in its place.
3) Be aware that deleting a user account will remove local content such as lightboxes but you may see this as a necessary trade-off to regain control over your user accounts
4) Take the opportunity to check with your IT team that IMS-group-to-External-Authentication-group mappings are appropriate. An IMS user can be automatically be placed into an IMS group if both of the following conditions are met:
- A group mapping exists.
- The group mapping refers to a group that has been setup inside your external authentication service.
5) Consider performing the work in batches i.e. a few user accounts at a time just to become familiar with the process before rolling out more widely.
