User creation via UI fails with "Entity already exists" when SSO is enabled and self-registration is disabled #25007

@rustamaji

[Bug] User creation via UI fails with "Entity already exists" when SSO is enabled and self-registration is disabled

Affected Module

UI and Backend

Describe the Bug

When OpenMetadata is configured with SSO authentication and self-registration is disabled, creating a new user through the UI fails with the error:

{"code":409,"message":"Entity already exists"}

However, creating the same user via the API succeeds.

Root Cause

The UI includes "createPasswordType": "ADMIN_CREATE" in the payload when creating users, which triggers a conflict error. This field is intended for basic authentication setups and should not be included when SSO is the authentication method.

UI Payload (fails):

{
  "description": "",
  "name": "username",
  "displayName": "User Name",
  "email": "[email protected]",
  "isAdmin": false,
  "domains": [],
  "isBot": false,
  "createPasswordType": "ADMIN_CREATE"
}

API Payload (works):

{
  "name": "User Name",
  "email": "[email protected]",
  "displayName": "User Name",
  "isAdmin": false
}

Removing createPasswordType from the payload allows user creation to succeed.

To Reproduce

  1. Configure OpenMetadata with SSO authentication (e.g., Okta, Azure AD, Google, etc.)
  2. Disable self-registration
  3. Log in as admin
  4. Navigate to Settings → Users → Add User
  5. Fill in user details and submit
  6. Observe error: {"code":409,"message":"Entity already exists"}

Expected Behavior

  • User should be created successfully via UI when SSO is enabled
  • The UI should not include createPasswordType field when SSO authentication is configured (since passwords are managed by the SSO provider)

Suggested Fix

The UI should conditionally exclude createPasswordType from the payload when:

  • SSO authentication is enabled, OR
  • Self-registration is disabled

Alternatively, the backend could ignore the createPasswordType field when SSO is the configured authentication method.

Environment

  • OpenMetadata version: 1.10.1
  • Authentication: SSO (specify your provider)
  • Self-registration: Disabled
  • Deployment: (Docker / Kubernetes / Bare Metal)

Additional Context

This issue prevents administrators from creating users through the UI when using SSO, forcing them to use the API as a workaround.
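
The conditional described under "Suggested Fix", written out as an added example; it is not part of the original issue and is not OpenMetadata's code. The helper names, the `authConfig` shape (`provider`, `enableSelfSignup`), the provider strings and the e-mail address are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not OpenMetadata code.
// Assumption: authConfig = { provider: string, enableSelfSignup: boolean },
// where provider "basic" means OpenMetadata itself handles passwords.

// Fields that only make sense for locally managed passwords.
// createPasswordType is the one field named in the issue.
const PASSWORD_FIELDS = ['createPasswordType'];

// Anything other than "basic" (including a missing value) is treated as SSO,
// so an unknown provider never gets password-management fields.
function isSso(authConfig) {
  return String(authConfig.provider || '').toLowerCase() !== 'basic';
}

// Build the create-user request body without mutating the form object.
function buildCreateUserPayload(form, authConfig) {
  const payload = { ...form };
  // Condition from the issue: SSO enabled OR self-registration disabled.
  if (isSso(authConfig) || !authConfig.enableSelfSignup) {
    for (const field of PASSWORD_FIELDS) delete payload[field];
  }
  return payload;
}

// Constructed sample input mirroring the failing UI payload in the issue.
const uiForm = {
  description: '',
  name: 'username',
  displayName: 'User Name',
  email: 'user@example.com', // constructed placeholder address
  isAdmin: false,
  domains: [],
  isBot: false,
  createPasswordType: 'ADMIN_CREATE',
};

const ssoPayload = buildCreateUserPayload(uiForm, { provider: 'okta', enableSelfSignup: false });
const basicPayload = buildCreateUserPayload(uiForm, { provider: 'basic', enableSelfSignup: true });
console.log(JSON.stringify(ssoPayload));
console.log(JSON.stringify(basicPayload));
```

The same field filter could run on the backend instead, which is the alternative the issue mentions.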
