New User Profile Created After Each SAML IdP Login

Overview

This article explains why a new user profile is created each time a user authenticates through a Security Assertion Markup Language (SAML) Identity Provider (IdP).

Applies To
  • SAML
  • Identity Provider (IdP)
  • User Provisioning

Cause

This issue occurs because the IdP sends a transient NameIdentifier (NameID). A transient NameID is a fresh, per-session value, and it is mapped to the user's unique identifier (user_id). As a result, the application does not recognize the returning user and provisions a new profile on each login.

Solution
  • Configure the IdP to send a stable, unique attribute for the NameIdentifier instead of a transient one. This is the recommended solution.
  • Change the default NameIdentifier mapping to a different, stable attribute that can uniquely identify the user.
  • Create a post-login action to check if a user already exists with a stable identifier, such as an email address. If an existing user is found, the action deletes the newly created profile.
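To make the cause and the second and third solutions concrete, the following is an added Python example, not code from the original article: it reads the NameID Format from a SAML assertion and, when the format is transient, derives the user key from a stable attribute instead. The attribute names `email`/`mail` and the sample assertions are assumed and constructed here.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Attribute names that may act as a stable user key when the NameID is
# transient (assumed example names; match them to what your IdP sends).
STABLE_ATTRIBUTES = ("email", "mail")


def resolve_user_key(assertion_xml: str) -> dict:
    """Pick the value the application should map to user_id for one assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format", "unspecified") if name_id is not None else None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    if name_id is not None and fmt != TRANSIENT:
        # A persistent (or otherwise stable) NameID is the intended user key.
        return {"user_key": name_id.text.strip(), "source": "NameID", "format": fmt}
    # Transient NameID: using it as user_id would provision a new profile on
    # every login, so fall back to the first stable attribute that is present.
    # Lower-casing is an assumed normalisation; adjust if your directory
    # treats the local part of the address as case-sensitive.
    for name in STABLE_ATTRIBUTES:
        if name in attrs:
            return {"user_key": attrs[name].lower(), "source": f"attribute:{name}", "format": fmt}
    raise ValueError("transient NameID and no stable attribute in assertion")


def _assertion(name_id: str, fmt: str, email: str) -> str:
    """Constructed minimal assertion (signature and conditions omitted)."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0">
  <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Constructed: two logins by the same person, each carrying a fresh transient NameID.
LOGIN_1 = _assertion("_a1b2c3", TRANSIENT, "Jane.Doe@example.com")
LOGIN_2 = _assertion("_d4e5f6", TRANSIENT, "jane.doe@example.com")

if __name__ == "__main__":
    print(resolve_user_key(LOGIN_1))  # same user_key as LOGIN_2 despite different NameIDs
    print(resolve_user_key(LOGIN_2))
```

Mapping `user_id` to the NameID directly would give these two logins different keys; mapping to the resolved key gives one profile.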
