
The identity join problem: Linking SSO profiles to directory users

Blog post from WorkOS

Post Details

Company: WorkOS
Date Published: -
Author: -
Word Count: 2,107
Language: English
Hacker News Points: -
Summary

Linking user identities between SSO and SCIM systems, known as the identity join problem, is hard because the two systems share no reliable common key. Naive solutions, such as matching on email or on the IDP ID, fail under real-world conditions. The IDP ID looks like a viable join key but is neither unique nor stable, particularly when several identity providers are involved or a migration occurs. Email matching falls short because of address reuse, duplicates, and format inconsistencies. A robust solution uses configurable linking identifiers: sensible defaults for most customers and flexibility for the unusual cases. This means enforcing uniqueness on the linking attributes and giving IT admins and developers tools to specify custom linking strategies. By accepting that enterprise identity systems are distributed and not relying on a single universal identifier, organizations can join identities reliably, which enables features such as just-in-time deprovisioning and unified user lifecycle management.
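As an added illustration of the configurable-linking approach the summary describes (example code, not WorkOS's implementation): an SSO profile is joined to a directory user through a per-tenant ordered list of linking attributes, values are normalized before comparison, uniqueness violations are reported up front, and an ambiguous match refuses to link rather than guess. Record fields, attribute names and sample users are all constructed for the example.

```python
# Constructed directory (not real data) showing both failure modes the post names:
# a reused email (dir_2/dir_3) and an IdP ID that collides across IdPs (dir_1/dir_4).
DIRECTORY_USERS = [
    {"id": "dir_1", "idp_id": "1001", "email": "Ana.Lopez@Example.com"},
    {"id": "dir_2", "idp_id": "1002", "email": "ben@example.com"},
    {"id": "dir_3", "idp_id": "1003", "email": "ben@example.com"},
    {"id": "dir_4", "idp_id": "1001", "email": "cy@other-idp.example"},
]

# Per-attribute normalizers so "Ana@X.com" and "ana@x.com" join on the same key.
NORMALIZERS = {"email": lambda v: v.strip().lower(), "idp_id": lambda v: v.strip()}

class AmbiguousMatch(Exception): "Linking value maps to several users; refuse to guess."
class NoMatch(Exception): "No directory user carries the linking value."

def normalize(attr, value):
    return None if value is None else NORMALIZERS.get(attr, str)(value)

def uniqueness_violations(directory, attr):
    """Values of `attr` shared by several users: fix these before enabling `attr` as a link key."""
    seen = {}
    for user in directory:
        key = normalize(attr, user.get(attr))
        if key is not None:
            seen.setdefault(key, []).append(user["id"])
    return {k: ids for k, ids in seen.items() if len(ids) > 1}

class IdentityLinker:
    def __init__(self, directory, link_attributes):
        # link_attributes is the per-tenant configuration, e.g. ["idp_id", "email"];
        # later attributes are consulted only when an earlier one is absent or unmatched.
        self.attrs = list(link_attributes)
        self.index = {a: {} for a in self.attrs}
        for user in directory:
            for a in self.attrs:
                key = normalize(a, user.get(a))
                if key is not None:
                    self.index[a].setdefault(key, []).append(user["id"])

    def link(self, profile):
        """Return (directory_id, attribute_used); ambiguity fails closed rather than guessing."""
        for a in self.attrs:
            key = normalize(a, profile.get(a))
            ids = self.index[a].get(key, []) if key is not None else []
            if len(ids) > 1:
                raise AmbiguousMatch(f"{a}={key!r} matches {ids}")
            if ids:
                return ids[0], a
        raise NoMatch(f"no directory user matches {profile}")
```

Running `uniqueness_violations` for each configured attribute before enabling it surfaces the duplicate email and the colliding IdP ID, which is the check an IT admin needs before a deprovisioning event is trusted to hit the right user.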