Importing User Secondary Email
Importing user secondary email(s)
If users in your organization can have multiple email addresses, it's often helpful to consolidate their access footprint under a single Opal account.
You can do this by configuring Opal to import user secondary emails from your IDP. When you do this, Opal will link users to all third-party user accounts registered under their secondary email. For example:
- Suppose a user Alice has primary email [email protected] and secondary email [email protected].
- Suppose that Alice's Salesforce account is listed under her secondary email, [email protected].
- When syncing with Salesforce, Opal will recognize that [email protected] belongs to Alice, and will represent this Salesforce account's access under Alice's Opal account.
- When Alice is granted access to Salesforce via Opal, Opal will propagate access to Salesforce under [email protected] rather than under Alice's primary email.
To set this up, add a custom attribute mapping to Secondary email (for details on how to do this, see the section Importing custom user attributes). If your users can have more than 1 secondary email, you can configure Opal to import multiple Secondary email attributes.
Auto-merging users by secondary email
Even after you've set up user secondary email import, it's possible for a single user identity to have 2 Opal user accounts — one for their primary email, and one for their secondary email. This can happen if the secondary Opal account was created before a primary Opal account's secondary email was updated.
When this happens, it's helpful to merge these 2 Opal user accounts. To do this, go to your organization's IDP settings and change the setting for Auto-merge Opal users based on secondary email to Enabled.
When this setting is enabled, Opal users whose email matches the secondary email of another Opal user will be auto-merged during IDP sync.
How auto-merging works
In an auto-merge of two Opal users, one Opal user is preserved and the other is deleted. All user data associated with the deleted Opal user is removed. The preserved user is updated as follows:
- Primary and secondary emails are immediately updated to the correct values.
- IDP user attributes will be imported in the following sync.
- End-system access for both users will be imported and associated with the preserved user in the following sync. (Notably, no access changes are propagated to any end-systems in an auto-merge.)
Opal decides which user to preserve by examining which user has logged in more recently. Only logins after Feb 14, 2023 (Opal Cloud) or after v1.0.396 (Opal Self-Host) are considered.
Auto-merging relies on the secondary email(s) imported from your IDP being accurate. Inaccurate secondary emails will result in unintended and potentially irreversible auto-merges.
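Because an auto-merge deletes one account's data, it is worth auditing the IDP's secondary emails before enabling the setting. The following is an added example, not Opal's code or API: it applies the matching and "most recent login" rules described above to exported data and flags secondary emails that look inaccurate. The export shapes, the case-insensitive comparison, the conflict heuristics and all sample addresses are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Opal Cloud cutoff from the page; the exact boundary instant is an assumption.
LOGIN_CUTOFF = datetime(2023, 2, 14, tzinfo=timezone.utc)

def norm(email):
    # Assumption: addresses are compared case-insensitively.
    return email.strip().lower()

def plan_merges(idp_users, opal_logins):
    """Predict auto-merges before enabling the setting.
    idp_users: [{"primary": str, "secondary": [str, ...]}] (hypothetical IDP export)
    opal_logins: {Opal account email: last login datetime, or None if never}
    Returns (merges, conflicts)."""
    logins = {norm(e): t for e, t in opal_logins.items()}
    primaries = {norm(u["primary"]) for u in idp_users}
    claims = defaultdict(set)  # secondary email -> primaries that list it
    for u in idp_users:
        for s in u["secondary"]:
            claims[norm(s)].add(norm(u["primary"]))
    merges, conflicts = [], []
    for sec, owners in sorted(claims.items()):
        if len(owners) > 1:
            conflicts.append((sec, "listed by: " + ", ".join(sorted(owners))))
        elif sec in primaries:
            conflicts.append((sec, "is also an IDP user's primary email"))
        elif sec in logins and (owner := min(owners)) in logins:
            seen = {e: logins[e] for e in (owner, sec)
                    if logins[e] and logins[e] > LOGIN_CUTOFF}
            # keep=None: no qualifying login, the page does not say who wins.
            keep = max(seen, key=seen.get) if seen else None
            merges.append({"pair": (owner, sec), "keep": keep})
    return merges, conflicts

# Constructed sample data (not from the page).
IDP = [
    {"primary": "alice@example.com", "secondary": ["Alice@sales.example.com"]},
    {"primary": "bob@example.com", "secondary": ["shared@example.com"]},
    {"primary": "carol@example.com", "secondary": ["shared@example.com", "bob@example.com"]},
]
OPAL = {
    "alice@example.com": datetime(2023, 1, 5, tzinfo=timezone.utc),
    "alice@sales.example.com": datetime(2024, 3, 1, tzinfo=timezone.utc),
    "bob@example.com": datetime(2024, 6, 1, tzinfo=timezone.utc),
    "shared@example.com": None,
}
if __name__ == "__main__":
    print(plan_merges(IDP, OPAL))
```

In the sample, Alice's secondary-email account is the one preserved because her primary account's last login predates the cutoff, and the two flagged addresses should be corrected in the IDP before the setting is enabled.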