User account manipulation

We have shibboleth as an IDP for single sign on to our RT system. Works great, however, we ran into an issue where we set up a particular queue that accepts tickets based on email submission. This email account acts as a catch all, accepts inbound email and forwards them into this particular queue. So as an example:

User Sam1, has an email of
If Sam has never logged into RT directly before but sends an email to this catch all address, his email gets forwarded into the RT queue and he gets an account with username, email, and Display name, all set to

No problem so far.

Except one day Sam needs to submit a ticket to RT directly, so logs in with Sam1/password
Account gets created, but because the IDP has already mapped that email to the first user account, Sam gets a 2nd account with the proper username and display name, but no email address. This is problematic.

What I’ve been doing is removing the 2nd account entirely, and then manually changing the first Sam1 account to that it has the proper username and display name, and then adding that account as a requestor to the ticket he submitted using the 2nd account.

Is there any way that I can modify the account creation for tickets being submitted to the one queue by email where I could strip the and have that used to populate the Username field?

I’d recommend syncing your directory (ldap, AD, whatever) with RT such that all possible user accounts already exist in RT before a user emails a queue or logs in directly.

There is a CanonicalizeUser(?) routine that gets called on account creation. You could have it check if the email address exists in the IDP and tweak the created account to line up with what’s expected.