We are currently using SSO for login and SCIM for user provisioning. Recently a user of ours got married and their surname changed as a result, and as a result of our HR data feed their email also changed to reflect this.
SCIM picked this up as a new user even though it was still the same Active Directory user. We are not able to log in to this account anymore as the email doesn’t exist in our IdP anymore.
Logically, a change in name would also result in a change in email address, at least for larger organisations.
We are also running into this issue with the directory connector. Worse, the directory connector stops working when external ID and email are mismatched. Name changes are not uncommon and result in email address updates. There should be a method to update the email for the user or a workflow to migrate the user’s vault and settings to their new vault under the new email.
We had to work around our issue by disabling SSO and the single organisation settings to allow the user to use their old email and master password to log in and export their vault to import into their new account with the updated email.