  1. Identity
  2. ID-7993

SAML relink failure for non-SSO accounts

Details

    Description

      Issue Summary

      SAML SSO fails to relink in the backend if the linked account is moved to a non-SSO authentication policy.

      • This is reproducible on Data Center: no

      Steps to Reproduce

      1. As the end user, log in to Atlassian via SSO (e.g. primaryemail@domain.com).
      2. In the org's managed accounts, change the email address of the account to something else (e.g. primaryemail@domain.com -> primaryemail_free@domain.com).
      3. Move the old account to an authentication policy with SSO disabled (e.g. primaryemail_free@domain.com).
      4. Migrate another existing Atlassian account to reuse the email address, and enforce SSO on this account (e.g. alias@domain.com -> primaryemail@domain.com).
      5. As the end user, try to perform an SSO login again (primaryemail@domain.com).

      Expected Results

      The end user should be able to log in to the migrated account using SSO.

      Actual Results

      The end user encounters the following error:

      Hmm... we're having trouble logging you in. Please try again with a different authentication method.

      Workaround

      Move the old account back to the SSO policy to allow the relink to happen.

      • As the org admin, move the old account back to the SSO policy (e.g. primaryemail_free@domain.com).
      • As the end user, perform an SSO login to re-link (e.g. primaryemail@domain.com).
      • Once the login is successful, feel free to move the old account back to the non-SSO policy.

      Attachments

        1. sso error.png
          110 kB
          Ramon M

            People

              apansari@atlassian.com Ankur Pansari
              rmacalinao Ramon M