account is not created from different user directories

Nik Stas July 7, 2020

Hi. When creating an account, data is taken from the sAMAccountName attribute. My organization uses two LDAP directories with different domain names. There are two accounts with the same values in sAMAccountName but different domain names. Jira can't create accounts for them because the values are the same. Can I somehow configure the creation of accounts with the same sAMAccountName but from different domains?

2 answers

0 votes
Lars Olav Velle _Polar SSO_ July 10, 2020

Hi @Nik Stas very interesting topic!

Please stay away from using email address as a unique identifier, especially as there are alternatives! (Believe me, I have seen people marry and divorce and requesting their email change several times)

If you have a forest, Active Directory actively prevents this from happening, but if you have multiple separate Active Directories you can end up with two different users with the same sAMAccountName.

The solution is to use the userPrincipalName as the identifier.

In the user directory advanced configuration set:

User Object Filter: (&(objectCategory=Person)(userPrincipalName=*))

and

User Name Attribute: userPrincipalName

That way when the user thinks that he enters his email address, it is in fact the userPrincipalName. e.g. john.doe@example.com 

If your email domain is different from what would become the UPN suffix, just add another UPN in Active Directory Domains and Trusts. 

An SSO add-on like our brand new Polar SSO handles multiple ADs whether you use sAMAccountName or userPrincipalName, and you may connect as many ADs as you like.

Cheers,

Lars

0 votes
Andrew Laden
Rising Star
July 10, 2020

Let's work backwards. To have both accounts, they would have to have different usernames. So how would you want to handle that? What do you want the username to be in each case? Is that value something that exists in AD already?

One possibility would be mail address. So each user's "username" would be their email address. It would add an inconvenience to all users to have to log in with their email address as opposed to their AD username. But that would be the price of having to distinguish two users with the same name. (And if you already have users in the system it would be a problem.)

If you want to do that you can configure the LDAP import to use mail as opposed to sAMAccountName. Not sure how else this would affect authentication, particularly if you use SSO.

I have not tested any of the above, just suggesting a way you might be able to do it. 
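A small simulation of the two suggestions above (Lars's userPrincipalName filter and Andrew's mail idea), so you can see where the collision comes from and what each choice of User Name Attribute does to it. This is an added example, not code from either answer or from Jira: the two domains, their entries and the user names are constructed sample data, the lower-casing of usernames is an assumption about case-insensitive login names, and the simulation simply reports a username claimed by two entries as a collision rather than reproducing what Jira's import does with the second entry.

```python
# Added example, not code from the original thread or from Jira itself.
# It models two separate Active Directory domains whose users share a
# sAMAccountName and shows how the choice of "User Name Attribute" in a
# Jira LDAP user directory decides whether the two accounts collide.
# Every directory entry below is constructed sample data.

from collections import defaultdict

# Constructed entries, shaped like the attributes an LDAP search returns.
CORP_ENTRIES = [
    {"dn": "CN=John Doe,OU=Users,DC=corp,DC=example,DC=com",
     "objectCategory": "Person",
     "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.example.com",
     "mail": "john.doe@example.com"},
    {"dn": "CN=svc-backup,OU=Service,DC=corp,DC=example,DC=com",
     "objectCategory": "Person",
     "sAMAccountName": "svc-backup"},          # no UPN and no mail
]

SUB_ENTRIES = [
    {"dn": "CN=Jane Doe,OU=Users,DC=sub,DC=example,DC=net",
     "objectCategory": "Person",
     "sAMAccountName": "jdoe",                  # same sAMAccountName as corp
     "userPrincipalName": "jdoe@sub.example.net",
     "mail": "jane.doe@example.net"},
    {"dn": "CN=PRINTROOM,OU=Computers,DC=sub,DC=example,DC=net",
     "objectCategory": "Computer",
     "sAMAccountName": "PRINTROOM$"},
]

DIRECTORIES = {"corp.example.com": CORP_ENTRIES, "sub.example.net": SUB_ENTRIES}


def user_object_filter(entry, username_attribute):
    """Models the User Object Filter (&(objectCategory=Person)(<attr>=*)):
    a person object that has a value for the attribute used as username."""
    return (entry.get("objectCategory") == "Person"
            and bool(entry.get(username_attribute)))


def sync_directories(directories, username_attribute):
    """Simulate importing several directories into one user base keyed by
    username_attribute. Returns (usernames, collisions): usernames maps each
    username to the (directory, dn) pairs that claim it; collisions is the
    subset claimed by more than one entry. Usernames are lower-cased on the
    assumption that login names are compared case-insensitively."""
    usernames = defaultdict(list)
    for directory, entries in directories.items():
        for entry in entries:
            if not user_object_filter(entry, username_attribute):
                continue  # Jira never sees entries the filter excludes
            usernames[entry[username_attribute].lower()].append((directory, entry["dn"]))
    collisions = {name: owners for name, owners in usernames.items() if len(owners) > 1}
    return dict(usernames), collisions


def mail_domains_without_upn_suffix(directories):
    """If users will type their e-mail address as the login name, the UPN
    suffix must equal the mail domain. Return the mail domains whose owners
    carry a UPN with a different suffix, i.e. the suffixes that would still
    have to be added as alternative UPN suffixes in the domain."""
    missing = set()
    for entries in directories.values():
        for entry in entries:
            upn, mail = entry.get("userPrincipalName"), entry.get("mail")
            if not (upn and mail):
                continue
            upn_suffix = upn.rsplit("@", 1)[1].lower()
            mail_domain = mail.rsplit("@", 1)[1].lower()
            if upn_suffix != mail_domain:
                missing.add(mail_domain)
    return missing


if __name__ == "__main__":
    for attribute in ("sAMAccountName", "userPrincipalName", "mail"):
        users, clashes = sync_directories(DIRECTORIES, attribute)
        print(f"{attribute:18} -> {len(users)} usernames, collisions: {sorted(clashes)}")
    print("UPN suffixes to add:", sorted(mail_domains_without_upn_suffix(DIRECTORIES)))
```

Running it shows "jdoe" colliding only when sAMAccountName is the username attribute; with userPrincipalName or mail the two people get distinct usernames. Note the side effect of the `(userPrincipalName=*)` filter: the constructed svc-backup account, which has no UPN, drops out of the import entirely, so before switching the attribute check that every account you still need in Jira actually carries a value for it.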

Deployment type: Server
Version: 8.5.3