SAML ADFS 3.0


We have currently linked our GitLab with SAML to our ADFS server. SSO seems to be working fine, but sometimes a user is unable to log in, gets a 422 OmniAuth error and is redirected to:

The only way to fix this issue is to remove the identifier under the user account in GitLab.

In our application log we see:
August 21, 2017 08:01: (SAML) Error saving user --Unique identifier code-- ( ["Identities user has already been taken"]

When I compare the unique identifier with the identifier already saved under the user account in GitLab, I can see that a new, different identifier has been created.

I have set the following claim rules under my RP in ADFS:

Rule 1: persistent name identifier (custom claim rule)

c:[Type == ""]
=> add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/persistentId"), query = "{0};{1};{2}", param = "ppid", param = c.Value, param = c.OriginalIssuer);

Rule 2:

Rule 3:

This is all configured according to Microsoft's recommended settings regarding SAML persistent identifiers.

Has anyone experienced this issue? Maybe someone knows a different custom rule to create the persistent NameID without using PPID.

As far as I know, the custom rule creates a NameID based on the SAM account name and PPID, and that should not change, but for some reason it does.

If someone uses a different custom rule, could you share it? Everywhere I look online, the PPID is used for the SAML <> ADFS link.
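As an added diagnostic that is not part of the original post, the following Python script parses a SAML response, pulls the NameID value and its Format attribute out of the assertion, and reports whether the format is persistent and whether the value matches the extern_uid GitLab has stored for the user. The response, issuer URL and identifier values are constructed placeholders, not values from this deployment.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample response (not a real capture); the NameID value and
# issuer are placeholders standing in for what ADFS would actually send.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">PLACEHOLDER-PPID-1</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_name_id(response_xml):
    """Return (value, format) of the NameID in the first assertion."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("no NameID in assertion")
    return (node.text or "").strip(), node.get("Format", "")


def check_identity(response_xml, stored_extern_uid):
    """List the reasons GitLab would refuse to map this login to the
    existing user: non-persistent NameID format, or a NameID that differs
    from the extern_uid already saved on the account."""
    value, fmt = extract_name_id(response_xml)
    findings = []
    if fmt != PERSISTENT:
        findings.append(f"NameID format is {fmt or '(unset)'}, not persistent")
    if stored_extern_uid is not None and value != stored_extern_uid:
        findings.append(
            f"NameID {value!r} differs from stored extern_uid {stored_extern_uid!r}"
        )
    return findings


if __name__ == "__main__":
    # Compare a captured response against the identifier GitLab shows under
    # the user's account; an empty list means the two agree.
    for finding in check_identity(SAMPLE_RESPONSE, "PLACEHOLDER-PPID-1"):
        print(finding)
```

Run it against a response captured from a browser's SAML trace for a failing user and the extern_uid shown in that user's GitLab identity to confirm whether the NameID itself has changed.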