Handling name changes in federated LDAP

I have set up Keycloak to federate our AD users in UNSYNCED mode.
The username LDAP attribute is set to ‘mail’ and the LDAP UUID attribute to ‘objectGUID’.
So far, so good. Everything works as it should.
However, when an LDAP user’s mail changes (marriage, etc.), Keycloak will delete the existing user and create a new one with the new email (and the same UUID attribute).
Why doesn’t Keycloak realize it’s federating the same user entity? I thought that’s what the UUID attribute is for.
I’d change the username to the UUID and allow login per email if that would solve the problem (haven’t tried it). However, we’re also dealing with unfederated legacy users which have unique usernames but do not have unique mail addresses.
Is there any solution for this issue?

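To make the failure mode in the post concrete, here is an added example (not Keycloak’s code, and not the poster’s) that models a federation layer reconciling a local user store against directory entries. It matches either on the mutable username attribute (`mail`) or on the immutable UUID attribute (`objectGUID`) and shows why the first strategy turns a mail change into a delete plus create, losing locally assigned state, while the second updates the record in place. The directory entries, the `LocalUser` type, the `reconcile` and `demo` functions and the sample person are all constructed for this illustration.

```python
"""Added example: reconciling a local user store with LDAP entries, keyed by a
mutable attribute ('mail') versus an immutable one ('objectGUID').
Everything here is constructed sample data and hypothetical logic; it is a
model of the behaviour described in the post, not Keycloak's implementation."""

from dataclasses import dataclass


@dataclass
class LocalUser:
    username: str
    ldap_id: str          # local copy of the LDAP UUID attribute
    email: str
    roles: tuple = ()     # locally assigned state; only survives an in-place update


# Constructed sample: the same directory object before and after a name change.
LDAP_BEFORE = [{"objectGUID": "guid-1", "mail": "anna.smith@example.com"}]
LDAP_AFTER = [{"objectGUID": "guid-1", "mail": "anna.jones@example.com"}]


def reconcile(local, ldap_entries, username_attr, uuid_attr, match_on):
    """Return (new_local_store, events).

    match_on="username": a local user is considered the same entity as an LDAP
    entry only if the username attribute matches (mutable key).
    match_on="uuid": identity is decided by the UUID attribute (immutable key).
    """
    if match_on not in ("username", "uuid"):
        raise ValueError("match_on must be 'username' or 'uuid'")

    # Index the local store by whichever attribute decides identity.
    index = {(u.ldap_id if match_on == "uuid" else u.username): u for u in local}
    events, result, seen = [], [], set()

    for entry in ldap_entries:
        key = entry[uuid_attr] if match_on == "uuid" else entry[username_attr]
        seen.add(key)
        if key in index:
            # Known entity: update attributes in place, keeping local state.
            user = index[key]
            if user.username != entry[username_attr]:
                events.append(
                    f"update {user.ldap_id}: {user.username} -> {entry[username_attr]}"
                )
            user.username = entry[username_attr]
            user.email = entry.get("mail", "")
            result.append(user)
        else:
            # Unknown entity: a fresh record with no local roles.
            events.append(f"create {entry[username_attr]}")
            result.append(
                LocalUser(entry[username_attr], entry[uuid_attr], entry.get("mail", ""))
            )

    # Anything in the local store that no longer matches an LDAP entry is removed.
    for key, user in index.items():
        if key not in seen:
            events.append(f"delete {user.username}")

    return result, events


def demo(match_on):
    """Import the user, give them a local role, then apply the mail change."""
    store, _ = reconcile([], LDAP_BEFORE, "mail", "objectGUID", match_on)
    store[0].roles = ("app-admin",)
    store, events = reconcile(store, LDAP_AFTER, "mail", "objectGUID", match_on)
    return events, store


if __name__ == "__main__":
    for mode in ("username", "uuid"):
        events, store = demo(mode)
        print(f"match_on={mode}: events={events}, roles={store[0].roles}")
```

Running `demo("username")` produces a create followed by a delete and a record with no roles, which is the observable symptom from the post; `demo("uuid")` produces a single update and keeps the role. The practical check this suggests is to audit whether the identity key your federation is actually matching on is one that can legitimately change for a person.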