[san_at_weblegit]

This is a common problem with more and more companies relying on SAML federation. A part of this problem is solved by using SCIM provided your IDP and service supports it. Ironically even though SCIM is a protocol, the implementations vary across different IDP,s.

A second common issue is ability of changing the email addresses in AD, this breaks the mapping cause most of the times email is primary identifier.