I used a simple event architecture to manage federated identity migration and setup. When an existing user in our internal auth system was migrated to SSO, the identity manager sent a message that fanned out to the internal systems that used legacy auth to tell them to associate the old legacy user info with the new federated identity. If a system had a problem creating the association, it would put a failure message on the bus that we later processed depending on the failure type.