Share via

How to link OIDC users with SCIM

Brian 20 Reputation points
2025-09-05T17:34:34.79+00:00

What is the recommended way to map externalId in SCIM to OIDC login claims?

Is it the solution described here? https://stackoverflow.com/a/75008278

The problem is that the sub claim for OIDC is a per-application opaque identifier, which is not accessible to be used as externalId in a SCIM user attribute mapping. The suggested solution is to use the "oid" claim if present instead, and use "objectId" as the source attribute for "externalId".

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments
Answer accepted by question author
  1. hossein jalilian 13,280 Reputation points Volunteer Moderator
    2025-09-05T18:15:17.73+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    To link OIDC users with SCIM, the best practice is to use a persistent, unique identifier that’s consistent in both OIDC tokens and SCIM provisioning data. For Azure AD, this is the ObjectId of the user, which appears in the OIDC oid claim.

    Recommended approach:

    • Map the SCIM externalId to the Azure AD ObjectId.
    • In your OIDC tokens, identify users by oid, not sub.
    • For other identity providers, pick a tenant-wide, persistent identifier that works for both SCIM and OIDC

    The sub claim is not reliable because it’s unique per application and should not be used for SCIM mappings

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.