The external_id that is passed from the SSO provider is expected to never change. If it’s possible, you should avoid changing your user’s external_id values.
As long as you are not setting the SSO parameter require_activation to true, you can delete all SSO records as Jay mentioned. To do this, enter your site’s console and run:
SingleSignOnRecord.destroy_all
Before doing this, you need to be sure that you are not setting require_activation to true in the SSO payload. If this parameter is being set, users will not be found based on their email address the next time they login to the site. Instead of that happening, they will get an error when they try to login.
If the require_activation parameter is not being set to true, users will be found based on their email address the next time they login to Discourse. A new SSO record will be created for them at this time. If any user’s email addresses are out of sync between your SSO provider site and Discourse, they will run into issues the next time they login to Discourse. You can find some details about fixing those issues here: Debug and fixing common DiscourseConnect issues.
If you are going to run the command I posted above, be sure to create a backup of your site’s database before running the command. If anything goes wrong, you can restore the backup file.