From 4320ae9d9e3733b1b29c87b6afb19e58e113d418 Mon Sep 17 00:00:00 2001
From: Livio Spring <livio.a@gmail.com>
Date: Wed, 13 Aug 2025 09:44:39 +0200
Subject: [PATCH] fix(idp): make external id check case insensitive (#10460)

# Which Problems Are Solved

When searching for an existing external userID from an IdP response, the
comparison is case sensitive. This can lead to issues esp. when using
SAML, since the `NameID`'s value case could change. The existing user
would not be found and the login would try to create a new one, but fail
since the uniqueness check of IdP ID and external userID is not case
insensitive.

# How the Problems Are Solved

Search case insensitive for external useriDs.

# Additional Changes

None

# Additional Context

- closes #10457, #10387
- backport to v3.x

(cherry picked from commit 4630b53313cc51d9c73a0fb667a913676f1b16bd)
---
 internal/query/idp_user_link.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/query/idp_user_link.go b/internal/query/idp_user_link.go
index 23305dfd6e1..bc626d66aea 100644
--- a/internal/query/idp_user_link.go
+++ b/internal/query/idp_user_link.go
@@ -162,7 +162,7 @@ func NewIDPUserLinksResourceOwnerSearchQuery(value string) (SearchQuery, error)
 }
 
 func NewIDPUserLinksExternalIDSearchQuery(value string) (SearchQuery, error) {
-	return NewTextQuery(IDPUserLinkExternalUserIDCol, value, TextEquals)
+	return NewTextQuery(IDPUserLinkExternalUserIDCol, value, TextEqualsIgnoreCase)
 }
 
 func prepareIDPUserLinksQuery() (sq.SelectBuilder, func(*sql.Rows) (*IDPUserLinks, error)) {