diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8711888..40ad04e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Remove `shb.vaultwarden.ldapEndpoint` option because it was not used in the implementation anyway.
 - Bump Nextcloud default version from 27 to 28. Add support for version 29.
 - Deluge config breaks the authFile into an attrset of user to password file. Also deluge has tests now.
+- Nextcloud now configures the LDAP app to use the `user_id` from LLDAP as the user ID used in Nextcloud. This makes all source of user - internal, LDAP and SSO - agree on the user ID.
 
 ## User Facing Backwards Compatible Changes
 
diff --git a/modules/services/nextcloud-server.nix b/modules/services/nextcloud-server.nix
index 251cf4d..8dae3ac 100644
--- a/modules/services/nextcloud-server.nix
+++ b/modules/services/nextcloud-server.nix
@@ -852,6 +852,11 @@ in
                   '1'
         ${occ} ldap:set-config "${cID}" 'ldapUserFilterObjectclass' \
                   'person'
+        # Makes the user_id used when creating a user through LDAP which means the ID used in
+        # Nextcloud is compatible with the one returned by a (possibly added in the future) SSO
+        # provider.
+        ${occ} ldap:set-config "${cID}" 'ldapExpertUsernameAttr' \
+                  'user_id'
 
         ${occ} ldap:test-config -- "${cID}"
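Review bot: Setting `ldapExpertUsernameAttr` to `user_id` only affects LDAP users mapped after the change, as far as Nextcloud's LDAP backend documents it, so on an existing deployment the already-mapped users would keep their old internal IDs and would not match the SSO identity the CHANGELOG entry promises. The comment above the new `ldap:set-config` call should say so, for example `# Only applies to newly mapped users; existing LDAP mappings keep their previous internal ID.` Because the internal ID now follows an administrator-chosen attribute, the comment should also note that `user_id` must stay unique and must never be reassigned in LLDAP, otherwise a recreated account would bind to the earlier user's Nextcloud data and shares. The surrounding script starts and ends outside this hunk, so a migration step may exist that is not visible here.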