How to key users when using OIDC and SCIM

Matt Wilson 11 Reputation points

I originally posted this question to SO a month ago, but didn't get any response, so I'm trying here.


I'm in the process of updating an internal app with OIDC and SCIM with the goal of having sign-on and provisioning driven by Azure AD.

Looking at the Azure docs for OIDC and SCIM, there seems to be a discrepancy around how to uniquely identify users. Coming into this project, I presumed the user's ObjectId would be made readily available.

Using a test enterprise app, and navigating to user attribute mapping for provisioning: The default mappings include userPrincipalName (upn) mapping to userName with the highest matching precedence. And the inability to modify that mapping.
Also, mailNickname is mapped to externalId, without any matching precedence, but this could be changed to map objectId to externalId and add matching if desired.

Meanwhile, using another test enterprise app for OIDC, the sub claim is not the user's Object Id. I think I read the sub claim is a unique value for the user and the enterprise app (which means it's no good to anyone).
Under Token Configuration, there does not seem to be the option of adding the Object Id as an optional claim at all. There is the option to add the upn as an optional claim, but the description explicitly states not use the value for keying the user.

An identifier for the user that can be used with the username_hint parameter; not a durable identifier for the user and should not be used to key data

This comment makes sense to me. upns can change over time and should not be used to identify users for the same reasons that you shouldn't rely on a user's email not changing.

All that being said; if I want Azure AD to provision users via SCIM and then allow those users to sign in with OIDC, how should I uniquely identify the user record as the service provider?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,768 questions
{count} votes