Hi,
I'm using Keycloak for identity brokering with an external SAML identity provider.
Unfortunately the external SAML provider only supports transient NameIDs:
<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">vyT0gx7o0uo3MtklFqAXRg1Lmy9HuKZBYB6My5jzU7E=</NameID>
  ...
</Subject>
When I log in through the external IdP, Keycloak generates a local user and links it with
this (temporary) broker ID.
If I log in again later, another, different temporary user is generated.
Is there a possibility to
a) use some SAML attributes as the broker ID (because they include a "unique"
external user ID), so that only one Keycloak account is created for one external user,
or b) not create an internal Keycloak user at all?
Or maybe you have another good idea for handling the issue without ending up with
thousands of KC users ;-)
Thanks for your help
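The mechanics behind option (a), as an added example that is not part of the original post and not Keycloak's own code: two constructed assertions for the same person carry different transient NameIDs but the same identity attribute, so linking on the NameID yields two local accounts while linking on the attribute yields one. The attribute name "ExternalUserId", the issuer URL and both sample assertions are assumptions made up for this example. The code assumes the broker has already verified the assertion's signature, issuer, audience and validity window before it ever derives a broker ID from its contents.

```python
"""Derive a stable broker ID from a SAML 2.0 assertion whose Subject NameID is
transient, by falling back to an identity attribute asserted by the IdP.

Added example for this thread; not Keycloak code. The attribute name
"ExternalUserId", the issuer and the sample assertions are constructed.
"""
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
STABLE_ATTRIBUTE = "ExternalUserId"  # hypothetical attribute name

# Constructed sample assertion (no signature: assume it was verified upstream).
_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="{id}" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{fmt}">{name_id}</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="ExternalUserId">
      <saml:AttributeValue>{ext}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def make_assertion(assertion_id, name_id, fmt=NAMEID_TRANSIENT, ext="E-0042"):
    """Build a constructed sample assertion for the demo."""
    return _ASSERTION.format(id=assertion_id, fmt=fmt, name_id=name_id, ext=ext)


# Two logins by the same person: fresh transient NameID each time, same attribute.
LOGIN_1 = make_assertion("_a1", "vyT0gx7o0uo3MtklFqAXRg1Lmy9HuKZBYB6My5jzU7E=")
LOGIN_2 = make_assertion("_a2", "pQ9dM2k1xLtZ0R4b7vN8cYw3sE6uH5jFgA1iK0oTlXc=")


def subject_name_id(root):
    """Return (Format, value) of Subject/NameID; Format defaults to unspecified."""
    node = root.find("saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return node.get("Format", NAMEID_UNSPECIFIED), node.text.strip()


def attribute_values(root, name):
    """All non-empty AttributeValue texts for the attribute called `name`.
    Matched in Python rather than via an XPath predicate so `name` cannot
    alter the query."""
    values = []
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", SAML_NS))
    return [v for v in values if v]


def nameid_only(assertion_xml):
    """Naive linking key: whatever the Subject NameID says (the post's problem)."""
    return ("NameID", subject_name_id(ET.fromstring(assertion_xml))[1])


def broker_id(assertion_xml, stable_attribute=STABLE_ATTRIBUTE):
    """Return (source, value) to link the local user on.

    A non-transient NameID is used as-is. A transient NameID is useless for
    linking, so fall back to `stable_attribute`, which must be asserted
    exactly once; anything else is rejected rather than guessed, because a
    wrong or attacker-chosen value would link the login to someone else's
    account.
    """
    root = ET.fromstring(assertion_xml)
    fmt, name_id = subject_name_id(root)
    if fmt != NAMEID_TRANSIENT:
        return ("NameID", name_id)
    values = attribute_values(root, stable_attribute)
    if len(values) != 1:
        raise ValueError(f"transient NameID and {stable_attribute} not asserted exactly once")
    return (stable_attribute, values[0])


def accounts_created(assertions, key_func):
    """Simulate the broker's store: one local user per distinct linking key,
    mapped to the number of logins that hit it."""
    store = {}
    for assertion_xml in assertions:
        key = key_func(assertion_xml)
        store[key] = store.get(key, 0) + 1
    return store


if __name__ == "__main__":
    print("link on NameID   :", accounts_created([LOGIN_1, LOGIN_2], nameid_only))
    print("link on attribute:", accounts_created([LOGIN_1, LOGIN_2], broker_id))
```

Keycloak's SAML identity provider settings expose this choice directly: setting Principal Type to an attribute (by Name or Friendly Name) and naming it in Principal Attribute makes the broker link on that attribute instead of the Subject NameID. Whatever the mechanism, the attribute must be one the IdP asserts authoritatively and the user cannot edit; a self-service "employee number" field used as the linking key is an account-takeover primitive, not a fix.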