Hi all,
I'm trying to set up Keycloak as the Single Sign-On service at CERN, to replace our
current service based on ADFS.
I would like to customize the unique identifiers used by Keycloak in its internal user
database, to avoid possible email or username clashes.
My problem is that, in our environment, we allow users to change their email address, and
also to use an external (non-CERN) address as their mail, and we saw that a user changing
mail can lead to problems with Keycloak.
We tried using logins instead of emails as unique identifiers, but that creates possible
clashes as well, as we don't have control over external IDPs logins.
We want to avoid that, in the case of these clashes, the external IDP user is prompted to join
their account to one of our accounts.
We thought that, to avoid this kind of clash, we could add a postfix to the login, so
that for example my CERN account could be identified as "ptedesco@cern.ch",
without clashing with "ptedesco@github.com", but we couldn't find a way to
do this, especially for GitHub or other social providers.
Is there a way to customize the unique user identifiers in Keycloak, either through
configuration, or by coding some extension?
Thanks,
Paolo Tedesco
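One way to get the "login@provider" naming the question asks for, as an added example that is not part of the original post and not code from the Keycloak project: an identity-provider mapper written against Keycloak's broker mapper SPI (`AbstractIdentityProviderMapper`, `BrokeredIdentityContext`, `ANY_PROVIDER` are real SPI names). The package, class, provider id and the `suffixedUsername` helper are hypothetical names chosen here; the `supportsSyncMode` override assumes a Keycloak release that has `IdentityProviderSyncMode` (drop it on older releases). Because it declares `ANY_PROVIDER`, it can be attached to social providers such as GitHub as well as to SAML/OIDC providers, where the built-in "Username Template Importer" mapper would otherwise be the configuration-only route.

```java
package ch.cern.sso.broker; // hypothetical package name

import java.util.Collections;
import java.util.List;
import java.util.Locale;

import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderSyncMode;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Rewrites the username of every brokered identity to "<login>@<idp alias>"
 * before Keycloak looks the user up or creates it, so that the same login
 * arriving from two different providers never maps to the same local user.
 * Hypothetical mapper written for illustration; not a Keycloak built-in.
 */
public class IdpSuffixUsernameMapper extends AbstractIdentityProviderMapper {

    // Hypothetical provider id; it must be unique among installed mappers.
    public static final String PROVIDER_ID = "idp-suffix-username-mapper";

    @Override
    public String[] getCompatibleProviders() {
        // "*" lets the mapper be attached to social providers too, not only SAML/OIDC.
        return new String[] { ANY_PROVIDER };
    }

    @Override
    public String getDisplayCategory() {
        return "Preferred User Name";
    }

    @Override
    public String getDisplayType() {
        return "IdP Suffix Username Importer";
    }

    @Override
    public String getHelpText() {
        return "Sets the local username to <login>@<identity provider alias>.";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return Collections.emptyList(); // no admin-console options needed
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public boolean supportsSyncMode(IdentityProviderSyncMode syncMode) {
        // Only relevant on first login (import); never rename an existing user on re-login.
        return syncMode == IdentityProviderSyncMode.IMPORT;
    }

    @Override
    public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm,
            IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        String alias = context.getIdpConfig().getAlias(); // e.g. "github" or "cern-saml"
        context.setUsername(suffixedUsername(alias, context.getUsername(),
                context.getEmail(), context.getId()));
    }

    /**
     * Builds the namespaced username. Falls back to the email and finally to the
     * provider's opaque subject id when the provider sends no username, so the
     * result is never empty. Lower-cased because Keycloak stores usernames that way.
     */
    static String suffixedUsername(String idpAlias, String username, String email, String brokerUserId) {
        String local = username;
        if (local == null || local.isEmpty()) {
            local = email;
        }
        if (local == null || local.isEmpty()) {
            local = brokerUserId;
        }
        return (local + "@" + idpAlias).toLowerCase(Locale.ROOT);
    }
}
```

Package it as a Keycloak provider JAR with a `META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper` file naming the class, then add the mapper to each identity provider in the admin console. Note what it does not solve: it namespaces the username only, so an email address that already belongs to another realm user is still detected by the First Broker Login flow and still produces the account-linking prompt the post wants to avoid; that part has to be addressed in the flow configuration rather than in the mapper.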