diff --git a/src/main/java/de/avatic/lcc/config/SecurityConfig.java b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
index 4819709..6d7e6cd 100644
--- a/src/main/java/de/avatic/lcc/config/SecurityConfig.java
+++ b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
@@ -47,7 +47,10 @@ import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.OncePerRequestFilter;
 import java.io.IOException;
-import java.util.*;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 import java.util.function.Supplier;
@@ -62,6 +65,18 @@ public class SecurityConfig {
 @Value("${lcc.allowed_oauth_token_cors:*}") // Default: alle Origins
 private String oauthTokenCors;
+ @Value("${lcc.auth.identify.by}")
+ private String identifyBy;
+
+ @Value("${lcc.auth.claim.workday}")
+ private String workdayClaim;
+
+ @Value("${lcc.auth.claim.email}")
+ private String emailClaim;
+
+ @Value("${lcc.auth.claim.ignore.workday}")
+ private boolean ignoreWorkdayClaim;
+
 @Bean
 @Profile("!dev & !test") // Only active when NOT in dev profile
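Review bot: The four new `@Value` fields carry no comment on their accepted values, although the lookup hunk further down compares `identifyBy` against the fixed strings "email" and "workday" and silently skips both lookups for anything else; unlike `${lcc.allowed_oauth_token_cors:*}` two lines above, none of the new properties has a default either, so the application fails to start when an overriding properties file omits them. Suggested field comments: `/** Lookup key for existing users: "email" or "workday"; any other value skips both lookups. */` on identifyBy and `/** When true, new users are stored with the email claim as their workday id instead of the workday claim. */` on ignoreWorkdayClaim. The added application.properties entry maps the email claim to `preferred_username`; OIDC Core states that a relying party must not rely on that claim being unique, so the comment on emailClaim should name which claim a deployment is expected to configure when identifying users by email.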
@@ -253,57 +268,31 @@ public class SecurityConfig {
 User user = null;
- String workdayId = oidcUser.getAttribute("employeeid");
- if (workdayId == null) {
- workdayId = oidcUser.getAttribute("extension_WorkdayID");
- }
- if (workdayId == null) {
- workdayId = oidcUser.getAttribute("workdayWorkerID");
- }
- if (workdayId == null) {
- workdayId = oidcUser.getAttribute("onpremisesimmutableid");
- }
- if (workdayId == null) {
- // Check for any extension attribute containing "workday"
- Map claims = oidcUser.getIdToken().getClaims();
- workdayId = claims.entrySet().stream()
- .filter(e -> e.getKey().toLowerCase().contains("workday"))
- .map(e -> String.valueOf(e.getValue()))
- .findFirst()
- .orElse(null);
- }
-
- // Try different ways to get email
- String email = oidcUser.getEmail();
- if (email == null) {
- email = oidcUser.getAttribute("email");
- }
- if (email == null) {
- email = oidcUser.getAttribute("upn");
- }
- if (email == null) {
- email = oidcUser.getAttribute("preferred_username");
- }
+ String workdayId = oidcUser.getAttribute(workdayClaim);
+ String email = oidcUser.getAttribute(emailClaim);
- if (workdayId != null) {
- user = userRepository.getByWorkdayId(workdayId);
- if (user != null) {
- user.getGroups().forEach(group -> mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase())));
- userId = user.getId();
- }
- } else if (email != null) {
+ if (identifyBy.equals("email") && email != null && !email.isEmpty()) {
+ log.debug("Fetch user by email {}", email);
 user = userRepository.getByEmail(email);
- if (user != null) {
- user.getGroups().forEach(group -> mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase())));
- userId = user.getId();
- }
+
+ } else if (identifyBy.equals("workday") && workdayId != null && !workdayId.isEmpty()) {
+ log.debug("Fetch user by workday id {}", workdayId);
+ user = userRepository.getByWorkdayId(workdayId);
 }
- if (user == null) {
+ if (user != null) {
+ user.getGroups().forEach(group -> mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + group.getName().toUpperCase())));
+ userId = user.getId();
+ }
+
+ if (user == null && email != null && (ignoreWorkdayClaim || workdayId != null)) {
 var isFirstUser = userRepository.count() == 0;
- userRepository.update(LccOidcUser.createDatabaseUser(email, oidcUser.getGivenName(), oidcUser.getFamilyName(), workdayId, isFirstUser));
+ userRepository.update(LccOidcUser.createDatabaseUser(email, oidcUser.getGivenName(), oidcUser.getFamilyName(), ignoreWorkdayClaim ? email : workdayId, isFirstUser));
 mappedAuthorities.add(new SimpleGrantedAuthority(isFirstUser ? "ROLE_SERVICE" : "ROLE_NONE"));
+ } else {
+ log.debug("Unable to create user {} / {}", email, workdayId);
+ mappedAuthorities.add(new SimpleGrantedAuthority("ROLE_NONE"));
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index d5bfa47..dd67a10 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -26,4 +26,9 @@ lcc.allowed_cors=
 lcc.allowed_oauth_token_cors=*
 logging.level.org.springframework.ws=DEBUG
-logging.level.org.springframework.oxm=DEBUG
\ No newline at end of file
+logging.level.org.springframework.oxm=DEBUG
+
+lcc.auth.identify.by=workday
+lcc.auth.claim.workday=employeeid
+lcc.auth.claim.email=preferred_username
+lcc.auth.claim.ignore.workday=false
\ No newline at end of file
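Review bot: The trailing `} else {` in the SecurityConfig hunk is paired with the creation condition `user == null && email != null && …`, so it also runs for a user that was just found: that user gets `ROLE_NONE` added on top of the group roles mapped a few lines earlier, and a misleading "Unable to create user" debug line is logged for every successful login. Changing it to `} else if (user == null) {` restricts the fallback to the genuinely unresolved case. Separately, when `ignoreWorkdayClaim` is true the new user is stored with the email as its workday id, while the `identifyBy.equals("workday")` branch still looks up by the raw claim value; presumably that combination is not meant to be used together, and a guard or a comment stating so would make it explicit. The enclosing method starts and ends outside the hunk.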