Generating workload usernames based on email

CDP offers an option to generate workload usernames for CDP users based on user email addresses.

By default, workload usernames are generated using the identity provider user ID. For SAML logins that is the SAML NameID, for SCIM that is the SCIM userName, and when using the CDP APIs that is the identity-provider-user-id. Sometimes the identity provider user ID is an opaque ID, like a uuid or employee ID, which gives equally opaque workload usernames.

Alternatively, you can generate workload usernames based on users' email addresses instead of using the default workload usernames. For example, if your identity-provider-user-id is 8d16a2ea, and your email is, by default your workload username will be "8d16a2ea". If you choose to generate workload usernames by email, your workload username will instead be "bob".


When creating or updating an identity provider in CDP, you can check the Generate workload username by email box to have workload usernames generated based on email addresses.

From the CDP CLI, you can change how workload usernames are generated when you create (iam create-saml-provider) or update (iam update-saml-provider) a SAML provider by using the --generate-workload-username-by-email or --no-generate-workload-username-by-email flags. See:
iam create-saml-provider --help
iam update-saml-provider --help