Uniquely Bad Identity Branding
My company has an account with a certain identity provider so we can test that our single sign-on feature works. Today one of my coworkers asked for an account with the IdP before he started working on that part of our code. I tried to create his user but got an error that the "username must be unique". Huh. I double-checked our user list to ensure we didn't have an account for him. We didn't. I tried again and got the same error. That's when I reached out to their support. They quickly replied:
To resolve this issue, please navigate to Administration > Settings > Branding and toggle the custom branding switch to green. Then try to create a user and it should allow you!
What. This had nothing to do with branding, and the switch in question looks like this:
But alright, I figured I'd try their suggestion.
It worked.
I supposed what likely happened was that support quickly found and fixed and issue, then gave me a switch to flip to make it feel like I was fixing something. I replied to them:
So we couldn’t add that user (but could add other users) because we didn’t have custom branding enabled? That can’t be right.
Their response?
It could be possible that the same username could exist in another customer's tenant. So, once you enable the custom branding it would only look for your tenant for a unique username. With branding currently being disabled, the system is considering all tenants.
In short, if you click a logo to use your own theme for their site, usernames only have to be unique within your organization. If you don't customize the site's theme, they have to be unique across the whole identity provider. Furthermore, that uniqueness check only happens when you create a new user. If you flip the branding/namespace switch on, create an account, then flip the switch back off, the account is still active and usable even though it's not globally unique. Even if you think that tying branding to uniqueness is a good idea — and it's not — it doesn't even work.
That whole setup is nuts.