Configure an External ID for users

Customer Identity and Access Management (CIAM) platforms use directories or external identity providers to identify users with unique IDs, such as UUIDs. End users do not see these IDs, but integrations such as OIDC, SAML, and SCIM rely on them to consistently identify users across customer‑managed systems.

To support external user identifiers, IDaaS provides an optional External ID system attribute. This attribute stores a stable, globally unique identifier from an external system and can be set in the following ways:

  • Directory synchronization. Mapping an existing directory attribute to the External ID field during sync operations.
  • Identity Provider authentication. Injecting the External ID value from an IDP‑issued claim during inbound authentication flows.
  • Administrative API assignment. Writing the External ID directly through the IDaaS Admin API for programmatic or out‑of‑band system integrations.

Once assigned, the External ID remains permanently associated with the IDaaS user and can be retrieved through the Admin API, a SAML attribute, or an OIDC claim, allowing downstream systems to consistently reference the same user across integrations.

Usage example

The following example shows how to set the External ID for a user using directory synchronization and return it in a SAML banking application.

This flow shows how systems use the External ID as a consistent, unchanging identifier in a banking environment.

Phases

| Phase | What happens |
| --- | --- |
| Phase 1: Directory synchronization | The External ID is read from the corporate directory (AD/LDAP), mapped by the Directory Sync Agent from the bankingId attribute, and stored in the user profile (for example, a1b2c3d4-e5f6-7890). |
| Phase 2: SAML authentication | The user accesses the banking application, IDaaS authenticates the user and retrieves the profile, the SAML response includes the External ID claim, and the banking application uses the claim for user lookup and provisioning. |
| Phase 3: Payment processing | The user initiates a payment in the banking application, the application calls the payment API with the External ID, the payment system validates the user and retrieves the payment profile by External ID, and transaction details are returned to the user. |

Configuration

| Component | Configuration |
| --- | --- |
| Corporate Directory | In Attribute Mapping, associate the directory bankingId attribute with the IDaaS External ID attribute. |
| Banking Application (SAML SP) | In SAML Settings > SAML Attributes, add a SAML External ID attribute mapped to the IDaaS External ID attribute. |
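The sketch below shows how the banking application in Phase 2 might bind a sign-in to a local account by External ID only. It is an added example, not IDaaS or application code. It assumes the SAML attribute is named `externalId` and that the SP's SAML library has already validated the assertion and exposes its attributes as a name-to-values mapping; the accounts and attribute sets are constructed.

```python
EXTERNAL_ID_ATTR = "externalId"  # assumption: name given to the SAML External ID attribute


class ExternalIdError(ValueError):
    """The assertion cannot be bound to exactly one local account."""


def external_id_from(attributes):
    """Return the single External ID carried by validated SAML attributes."""
    raw = attributes.get(EXTERNAL_ID_ATTR, [])
    values = [v.strip() for v in raw if isinstance(v, str) and v.strip()]
    # Zero values: the IdP mapping is missing. Several: the identity is ambiguous.
    if len(values) != 1:
        raise ExternalIdError(f"expected one External ID, got {len(values)}")
    return values[0]


def resolve_account(attributes, accounts):
    """Look up the local account by External ID only.

    There is deliberately no fallback to email or username: those values
    can change or be reassigned, while the External ID stays fixed.
    """
    ext_id = external_id_from(attributes)
    account = accounts.get(ext_id)
    if account is None:
        raise ExternalIdError("no local account for this External ID")
    return account


# Constructed account store, keyed by External ID.
ACCOUNTS = {
    "a1b2c3d4-e5f6-7890": {"account": "ACC-001", "email": "j.smith@example.com"},
    "ffffffff-0000-1111": {"account": "ACC-002", "email": "a.lee@example.com"},
}

# Constructed attribute sets, in the shape a SAML library returns after validation.
RENAMED_USER = {"externalId": ["a1b2c3d4-e5f6-7890"], "email": ["j.jones@example.com"]}
NO_EXTERNAL_ID = {"email": ["j.smith@example.com"]}
AMBIGUOUS = {"externalId": ["a1b2c3d4-e5f6-7890", "ffffffff-0000-1111"]}

if __name__ == "__main__":
    print(resolve_account(RENAMED_USER, ACCOUNTS)["account"])
    for case in (NO_EXTERNAL_ID, AMBIGUOUS):
        try:
            resolve_account(case, ACCOUNTS)
        except ExternalIdError as err:
            print("rejected:", err)
```

The renamed user still resolves to the same account because the lookup ignores the changed email, while assertions with a missing or ambiguous External ID are rejected instead of being matched on a mutable attribute.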

For more information, see Create and manage user attributes.