ADFS Connection Generating Undefined Auth0 User IDs

Overview

This article explains why an Active Directory Federation Services (ADFS) connection may generate duplicate user IDs containing an "undefined" segment and provides steps to resolve the identification conflict. This issue occurs when the ADFS server sends an authentication response that does not include the Name ID claim. Auth0 relies on this claim to uniquely identify users; when it is missing or null, the system defaults that portion of the user ID to "undefined". This results in multiple users being assigned the same ID, which causes the system to treat different individuals as the same user record.

Applies To
  • Active Directory Federation Services (ADFS) connection
  • WS-Fed protocol
  • Name ID Claim Mapping

Cause

The ADFS server is not sending the required Name ID claim in its authentication response. Because the native ADFS connection in Auth0 uses the WS-Fed protocol with a hardcoded attribute-mapping strategy, the system cannot find a unique identifier to complete the user ID construction.

Solution

To resolve the duplicate user ID issue, use one of the following methods:

Option 1 (Recommended): Correct the Claim Issuance Policy on the ADFS Server

  1. Sign in to the ADFS server.

  2. Locate the Edit Claim Issuance Policy option for the relevant relying party trust.

  3. Configure a claim rule to explicitly send a unique identifier, such as an email address or User Principal Name (UPN), as the Name ID claim.

  4. Save the changes and test the login flow to ensure the user ID no longer contains the "undefined" string.
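
The same change can be scripted on the ADFS server. The following is an added example, not taken from Auth0 or Microsoft documentation for this article: it appends a claim rule that issues the user's UPN from Active Directory as the Name ID claim. The relying party trust name `Auth0` and the backup path are placeholder assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on the ADFS server.
# Assumptions: the relying party trust is named 'Auth0' (placeholder) and
# C:\Temp exists for the backup file.
$rpName     = 'Auth0'
$backupPath = 'C:\Temp\auth0-issuance-rules.bak.txt'

# ADFS claim rule: look up userPrincipalName in Active Directory for the
# authenticated account and issue it as the Name ID claim.
$nameIdRule = @'
@RuleName = "Send UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"),
          query = ";userPrincipalName;{0}", param = c.Value);
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }

$existing = $rp.IssuanceTransformRules

if ($existing -match 'claims/nameidentifier') {
    # A rule already references Name ID; adding a second one could issue
    # two values, so inspect the existing rule by hand instead.
    Write-Output "A rule referencing Name ID already exists on '$rpName'. Review it before changing anything."
}
else {
    # Keep a copy of the current policy so the change can be rolled back.
    Set-Content -Path $backupPath -Value $existing

    # IssuanceTransformRules is a single string holding every rule,
    # so append the new rule to the existing set rather than replacing it.
    $updated = ($existing, $nameIdRule -join "`r`n").Trim()
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $updated

    # Show the policy as ADFS now stores it.
    (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
}
```

After the rule is in place, sign in with two different test accounts and confirm that each resulting Auth0 user ID is distinct and contains no "undefined" segment.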

Option 2: Create a New Generic SAML Connection

  1. Go to the Auth0 Dashboard.

  2. Create a new connection using the generic Security Assertion Markup Language (SAML) strategy instead of the ADFS strategy.

  3. Configure the ADFS server to treat this new connection as a SAML Identity Provider (IdP).

  4. Select the Mappings tab within the new SAML connection settings to manually map attributes.
