Index: components/jetspeed-sso/src/main/java/org/apache/jetspeed/sso/impl/SSOManagerImpl.java
===================================================================
--- components/jetspeed-sso/src/main/java/org/apache/jetspeed/sso/impl/SSOManagerImpl.java	(revision 904070)
+++ components/jetspeed-sso/src/main/java/org/apache/jetspeed/sso/impl/SSOManagerImpl.java	(working copy)
@@ -275,22 +275,68 @@
     public SSOUser addUser(SSOSite site, JetspeedPrincipal ownerPrincipal,
             String ssoUsername, String ssoUserPassword) throws SSOException
     {
-	    SSOUser newUser = null;
-        try{
-            // step 1. create new SSO user
-            newUser = ssoUserManagerSPI.addUser(ssoUsername, site.getSecurityDomainId(), ownerPrincipal);
-            // step 2. store new user's credentials
-            setPassword(newUser, ssoUserPassword);
-            // step 3. relate owner to SSO user
-            addAssociation(newUser, ownerPrincipal);
+	    SSOUser ssoUser = null;
+	    
+	    try 
+	    {
+            // step 1a. try to load an existing SSO user first
+            ssoUser = ssoUserManagerSPI.getUser(ssoUsername, site.getSecurityDomainId());
+            // step 1b. validate if passwords match
+            PasswordCredential pwdCred = null;
+            try
+            {
+                pwdCred=ssoUserManagerSPI.getPasswordCredential(ssoUser);
+            } 
+            catch (SecurityException secex)
+            {
+                // if there isn't a password credential yet (odd!), we'll create one
+            }
+            if (pwdCred != null && pwdCred.getPassword() == null)
+            {
+                pwdCred = null;
+            }
+            if (pwdCred == null)
+            {
+                setPassword(ssoUser, ssoUserPassword);
+            }
+            else
+            {
+                if (!pwdCred.getPassword().equals(ssoUserPassword))
+                {
+                    throw new SSOException("SSO User already defined but passwords don't match");
+                }
+            }
+        } 
+	    catch (SecurityException secex)
+	    {
+            if ( SecurityException.PRINCIPAL_DOES_NOT_EXIST.equals(secex.getKeyedMessage())) 
+            {
+                // ignore: we'll create a new SSOUser
+            }
+            else
+            {
+                throw new SSOException("Unable to add new SSO User "+ssoUsername,secex);
+            }
+        }
+        try
+        {
+            if (ssoUser == null)
+            {
+                // step 1c. create new SSO user
+                ssoUser = ssoUserManagerSPI.addUser(ssoUsername, site.getSecurityDomainId(), ownerPrincipal);
+                // step 1d. store new user's credentials
+                setPassword(ssoUser, ssoUserPassword);
+            }
         } catch (SecurityException secex){
             // revert changes, if applicable
-            if (newUser != null){
-                removeUser(newUser);
+            if (ssoUser != null){
+                removeUser(ssoUser);
             }
             throw new SSOException("Unable to add new SSO User "+ssoUsername,secex);
         }
-        return newUser;
+        // step 2. relate owner to SSO user
+        addAssociation(ssoUser, ownerPrincipal);
+        return ssoUser;
     }
     
     public void updateUser(SSOUser user) throws SSOException{