AZURE SSO - Authentication FAQ
This article covers frequently asked questions that may come up when using the MS 365 connector with XELOS, especially with regard to authentication and SSO.
Can I have multiple accounts in XELOS associated with the same Azure AD account?
No, it is not possible to use a single Microsoft account for multiple accounts in XELOS.
If you created multiple accounts in XELOS by accident (e.g. you changed a login/userPrincipalName in AAD which then matches an existing different [old?] account in XELOS), the SSO process will use the best matching account only. You should disable a potential duplicate on the XELOS side (make sure that the preferred account uses a login which equals the userPrincipalName in AAD).
What happens when I delete / recreate the user in AAD?
To avoid a second/duplicate account being created in XELOS, make sure that the userPrincipalName matches the XELOS login attribute or the associated meta_attributes (azure_id or userPrincipalName).
What happens when I change attributes of the user in AAD?
You can change all primary attributes in AAD (GivenName, Surname, Mail, DisplayName) and they will automatically be updated for the user upon the next SSO login. The userPrincipalName (= login in XELOS) will not be changed automatically. The account matching will be based on the azure_id in this case.
Please be aware that the userPrincipalName will take precedence during the matching, i.e. if you re-use a previously existing userPrincipalName in AAD, this will associate the new account with the existing XELOS account.
How do you match an existing user in XELOS with AAD?
During the authentication process, XELOS goes through the following steps to find and match an AAD user coming via SSO to an existing user in XELOS:
- Is there an account in XELOS where login = userPrincipalName?
- Is there an account in XELOS with a meta property azure_id = Id (e.g. 49e4664f-b02c-3a5c-8005-d5f191cd9127)?
- Is there an account in XELOS with a meta property userPrincipalName = userPrincipalName?
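The following sketch is an added example, not XELOS code: it models the three matching steps above and flags a login where the matched account's stored azure_id differs from the incoming Id, which is what a re-used userPrincipalName or a recreated AAD user looks like. The account layout, function names and exact-string comparison are assumptions, and the sample accounts are constructed.

```python
# Added illustration, not XELOS source code. The account layout (a dict with
# "login" and "meta") and all function names are assumptions; comparisons are
# exact string matches, which may differ from how XELOS compares values.

# Constructed sample accounts.
ACCOUNTS = [
    {"login": "alice@example.com",
     "meta": {"azure_id": "11111111-1111-1111-1111-111111111111"}},
    {"login": "bob.old@example.com",
     "meta": {"azure_id": "22222222-2222-2222-2222-222222222222"}},
    {"login": "carol", "meta": {"userPrincipalName": "carol@example.com"}},
]

def match_account(accounts, upn, azure_id):
    """Return (account, rule) for the first documented step that matches."""
    steps = (
        ("login", lambda a: a["login"] == upn),
        ("meta.azure_id", lambda a: azure_id is not None
            and a["meta"].get("azure_id") == azure_id),
        ("meta.userPrincipalName",
         lambda a: a["meta"].get("userPrincipalName") == upn),
    )
    for rule, matches in steps:          # step order is the precedence
        for account in accounts:
            if matches(account):
                return account, rule
    return None, None

def audit_login(accounts, upn, azure_id):
    """Describe the match and flag a stored azure_id that differs from the
    incoming Id (a re-used userPrincipalName or a recreated AAD user)."""
    account, rule = match_account(accounts, upn, azure_id)
    if account is None:
        return {"result": "no_match"}
    stored = account["meta"].get("azure_id")
    return {
        "result": "matched",
        "login": account["login"],
        "rule": rule,
        "azure_id_mismatch": stored is not None and stored != azure_id,
    }

if __name__ == "__main__":
    # A different AAD object arrives with alice's userPrincipalName.
    print(audit_login(ACCOUNTS, "alice@example.com",
                      "99999999-9999-9999-9999-999999999999"))
```

A match by `login` with `azure_id_mismatch` set is the case worth reviewing before the new AAD user inherits the existing XELOS account.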