Is there any way to work around issues caused by letting users change their email addresses on an SSO authentication server?
Users of Discourse and SSO apparently must be configured to not allow users to change their email address. This probably also means that if a user or admin changes their email address on an authentication server, they will get a new account the next time they log in.
If we let people change their email addresses on Discourse, then they will have to change that one before they change their email address on the authentication server. If they do it the other way around, users will be confused by logging into Discourse and suddenly having a new account. Not everyone will ask us for help if this happens. If they do it in the right order, they still may have issues if they are not able to set an email address used by one of their other accounts on the authentication server. In addition, if someone mistypes their new email address in Discourse, they may not be able to log into the site. I suspect that Discourse doesn’t keep a log of old email addresses, so we may have no obvious way to know whether an email revert request is valid.
How can organizations that allow people to change their email addresses on their authentication server cope with this issue?