SFTPGo AAD configuration & authentication via publickey

[Arsalen2]

Problem Description

I’m using SFTPGo with Azure AD (AAD) for user registration and authentication.
Authentication is based on the preferred_username claim from the AAD JWT token, which is always the user's email address (e.g., user@email.com).

Because of this, all users in the SFTPGo MySQL backend also have their email address as the username, and I cannot change that (it would break AAD authentication).

The issue

When users connect via SFTP, the only login format that works is:

sftp -P <port> "user@email.com"@server-name.domain

However, I want them to be able to log in using the shorter, more typical form:

sftp -P <port> user@server-name.domain

Question

Is there a supported way in SFTPGo to allow login aliases (e.g., user → user@email.com) so users can authenticate with a short username while SFTPGo still uses the full email address internally for AAD/JWT validation?
If so, what’s the recommended configuration approach?

What I have tried (pre-login hook)

I attempted to use a pre-login hook to rewrite the short username user into the full AAD username user@example.com when the login method is publickey.

Here is the relevant part of pre-login-hook.sh:

if [[ "${SFTPGO_LOGIND_METHOD,,}" = "publickey" ]]; then


  CURR_USER_NAME=$(echo "${SFTPGO_LOGIND_USER}" | jq -er .username || echo "")
  CURR_USER_EMAIL="${CURR_USER_NAME}@example.com"

  jq -n \
    --arg username "${CURR_USER_EMAIL}" \
    '{
      username: $username,
      ...
    }'
fi

When I test login using:

---
sftp -P 2022 user@server-name.domain
user@server-name.domain's password:
---
connection_failed ... error":"duplicated key not allowed: Error 1062 (23000): Duplicate entry 'user@example.com' for key 'users.username'"
---

This happens because:

• The user already exists in MySQL (created via AAD/IDP the first time they logged in)
• The pre-login hook is causing SFTPGo to try to create a new user with the same username, instead of matching the existing one.
  So the hook is not rewriting the username for authentication — it's triggering a duplicate-user creation attempt.

Is there another recommended mechanism (e.g., username aliasing, mappings, or different hook logic) that will allow user → user@example.com while still authenticating against the IDP user?

[fostermi]

This is an interesting use case to me. Perhaps put some debugging in the script to see what the json user representation returned by the script to stdout looks like when logging in via sftp vs ui and if they are identical, it sounds like a possible bug.

[fostermi]

If I had to guess, I think sftpgo is using a user id which is not the user's username to create the user in the database and because the original login request username does not have @example.com its treating that as a new user with a new id. When it goes to update the database, the unique username requirement then violates the schema.