We have a client that when connected to their network internally the SAML NameID parameter comes across in all Uppercase, when they connect VIA their VPN the NameID format is in lowercase, example <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">DOMAIN\USERNAME</NameID> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">DOMAIN\username</NameID> This causes KC to think they are two separate user and complains that a user with the same email address already exists. Is there any setting in Keycloak that I can change or does anyone have any ideas if there is an ADFS seeing that might help. P.S. This is KC 3.1.0.FInal Tony ________________________________ Please consider the environment: Think before you print! This message has been scanned for malware by Websense. www.websense.com