Looking up the user always exposes the attributes. In other words, both the identity provider (IdP) and the SP know these attributes, such as an email address.

Account mapping achieves one-to-one mapping where individual user accounts exist on both sides of a federated connection or many-to-few mapping where IdP users without accounts at destination sites map to guest accounts or to a role-based general account.

For browser-based single sign-on (SSO), transient identifiers provide an additional level of privacy—virtual anonymity—by generating a different opaque ID each time the user initiates SSO. Transient IDs are often used in conjunction with federation role mapping to map the user to a guest account or to a role-based account based on the user's association with the IdP organization rather than personal attributes.

As with pseudonyms, additional attributes might be sent with the transient identifier. Again, take care to preserve privacy.

In B-to-B or B-to-E use cases where an administrator might create a user lookup on behalf of the user, the administrator might implement account mapping.