diff --git a/seahub/api2/serializers.py b/seahub/api2/serializers.py
index 6e520abcbd..29a8150b08 100644
--- a/seahub/api2/serializers.py
+++ b/seahub/api2/serializers.py
@@ -2,6 +2,7 @@
 import logging
 
 from rest_framework import serializers
+from seaserv import ccnet_api
 
 from seahub.auth import authenticate
 from seahub.api2.models import DESKTOP_PLATFORMS
@@ -68,6 +69,10 @@ class AuthTokenSerializer(serializers.Serializer):
         if username is None:
             username = login_id
 
+        p_id = ccnet_api.get_primary_id(username)
+        if p_id is not None:
+            username = p_id
+
         if username and password:
             user = authenticate(username=username, password=password)
             if user:
diff --git a/seahub/auth/forms.py b/seahub/auth/forms.py
index 15b3446c42..80dda825bd 100644
--- a/seahub/auth/forms.py
+++ b/seahub/auth/forms.py
@@ -4,6 +4,8 @@ from django import forms
 from django.utils.translation import ugettext_lazy as _
 from django.utils.http import int_to_base36
 
+from seaserv import ccnet_api
+
 from seahub.base.accounts import User
 from seahub.auth import authenticate
 from seahub.auth.tokens import default_token_generator
@@ -45,6 +47,12 @@ class AuthenticationForm(forms.Form):
         else:
             return username
 
+    def get_primary_id_by_username(self, username):
+        """Get user's primary id in case the username is changed.
+        """
+        p_id = ccnet_api.get_primary_id(username)
+        return p_id if p_id is not None else username
+
     def clean_login(self):
         return self.cleaned_data['login'].strip()
 
@@ -55,6 +63,7 @@ class AuthenticationForm(forms.Form):
         # convert login id to username
         username = self.get_username_by_login(login)
 
+        username = self.get_primary_id_by_username(username)
         if username and password:
             self.user_cache = authenticate(username=username,
                                            password=password)
diff --git a/thirdpart/shibboleth/middleware.py b/thirdpart/shibboleth/middleware.py
index 3bf719c098..b14e1eb056 100755
--- a/thirdpart/shibboleth/middleware.py
+++ b/thirdpart/shibboleth/middleware.py
@@ -7,7 +7,7 @@ from django.contrib.auth.middleware import RemoteUserMiddleware
 from django.core.exceptions import ImproperlyConfigured
 from django.core.urlresolvers import reverse
 from django.http import HttpResponseRedirect
-from seaserv import seafile_api
+from seaserv import seafile_api, ccnet_api
 
 from shibboleth.app_settings import SHIB_ATTRIBUTE_MAP, LOGOUT_SESSION_KEY, SHIB_USER_HEADER
 
@@ -58,6 +58,10 @@ class ShibbolethRemoteUserMiddleware(RemoteUserMiddleware):
             # AuthenticationMiddleware).
             return
 
+        p_id = ccnet_api.get_primary_id(username)
+        if p_id is not None:
+            username = p_id
+
         # If the user is already authenticated and that user is the user we are
         # getting passed in the headers, then the correct user is already
         # persisted in the session and we don't need to continue.