Atlassian Guard / ACCESS-609

Make it possible for Org Administrators to clear the Managed Accounts' SAML ID

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Atlassian status as of 24 June 2019

We have deployed a solution that automatically detects incorrectly linked SAML IDs and re-links them with the correct user accounts. This fix removes the need for this feature.

      Problem Definition

There are some cases where a user's email address is changed (e.g. a@a.com to b@a.com); however, the SAML ID on the Atlassian side is still linked to the old account, so when the user tries to log in they receive an error saying:

login.forbidden.handle-linked-saml-users.update-linked-primary-user-email-failed-400.content

or the user is blocked.

Currently, the only way to resolve these issues is to contact support, who then gather some details about the user, such as:

      • The SAML response from the user's login attempt.
      • The old and the new email address.
      • Which account holds the application history.
      • Whether that account has the correct email address, and change it if it does not.
      • Escalate the ticket to the dev team to clear the SAML link.

      Suggested Solutions

Create a feature that allows Organization Administrators to clear the SAML ID link from their managed accounts. That will reduce the number of escalations to the development team, since the SAML link can then be cleared by the Org Admins or the support team.
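To make the failure mode in the Problem Definition concrete, the following is an added model (not Atlassian's code) of how a SAML NameID link to an account goes stale after an email change, how a login then fails, and what clearing and re-linking the SAML ID does. The account store, the `managed_domains` check and the `auto_relink` switch are assumptions for illustration; sample values such as `a@a.com`, `b@a.com` and `nameid-42` are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

class SamlLinkError(Exception):
    """A SAML NameID could not be mapped safely to an account."""

@dataclass
class Account:
    account_id: str
    email: str
    saml_id: Optional[str] = None  # NameID currently linked to this account

@dataclass
class Directory:
    managed_domains: set                      # domains the org administers (assumed)
    accounts: Dict[str, Account] = field(default_factory=dict)

    def by_email(self, email: str) -> Optional[Account]:
        return next((a for a in self.accounts.values()
                     if a.email.lower() == email.lower()), None)

    def by_saml_id(self, saml_id: str) -> Optional[Account]:
        return next((a for a in self.accounts.values() if a.saml_id == saml_id), None)

    def clear_saml_link(self, account_id: str) -> None:
        """What the requested Org Admin feature would do: drop a stale link."""
        self.accounts[account_id].saml_id = None

    def resolve_login(self, saml_id: str, asserted_email: str,
                      auto_relink: bool = False) -> Account:
        """Map an assertion (NameID + email attribute) to an account. The email is
        trusted only because the signature was verified upstream and the domain
        is one the organization manages; never re-link on an unverified claim."""
        if asserted_email.split("@")[-1].lower() not in self.managed_domains:
            raise SamlLinkError("assertion email is outside the managed domains")
        linked, target = self.by_saml_id(saml_id), self.by_email(asserted_email)
        if linked is None:                    # first SSO login for this NameID
            if target is None:
                raise SamlLinkError("no account for " + asserted_email)
            target.saml_id = saml_id
            return target
        if linked.email.lower() == asserted_email.lower():
            return linked                     # healthy link
        # Stale link: the NameID still points at the account carrying the old
        # email, so without remediation the login fails (the ACCESS-609 symptom).
        if not auto_relink or target is None:
            raise SamlLinkError(f"SAML ID linked to {linked.email}, "
                                f"assertion carries {asserted_email}")
        self.clear_saml_link(linked.account_id)   # automated fix: clear, then re-link
        target.saml_id = saml_id
        return target
```

With `auto_relink=False` the stale link surfaces as a `SamlLinkError`, which is the state support had to untangle manually; with `auto_relink=True` the link is cleared and moved to the account carrying the new email, which is what the deployed detection-and-relink fix does.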

      Workaround

      1. Review the write-up on the long-term solution to avoid and resolve these issues in the future at SAML login fails for a user whose email was changed.
      2. If you're unable to resolve this, reach out to support via https://support.atlassian.com to further investigate the issue and the accounts related to it.
      3. While working with support, the following can be used as a temporary workaround so that the affected user can establish a session on the cloud site and continue working.
        1. Go to https://id.atlassian.com/login/resetpassword and generate a recovery link for the affected email address.
        2. Open the recovery email and click Log in to my account.
        3. In the browser tab that opens, enter the URL of the cloud site: https://<site>.atlassian.net

Narmada Jayasankar (njayasankar@atlassian.com)
João Nunes (jnunes@atlassian.com)