diff --git a/app/models/user.rb b/app/models/user.rb
index 52c80a7e579e52c2d0ade82de4b80cfb08e80f48..b26ce449d9efe097489aeb6fe64ba386cb296bc4 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -357,6 +357,7 @@ def update_tracked_fields!(request)
             :time_format_in_24h, :time_format_in_24h=,
             :show_whitespace_in_diffs, :show_whitespace_in_diffs=,
             :view_diffs_file_by_file, :view_diffs_file_by_file=,
+            :pass_user_identities_to_ci_jwt, :pass_user_identities_to_ci_jwt=,
             :tab_width, :tab_width=,
             :sourcegraph_enabled, :sourcegraph_enabled=,
             :gitpod_enabled, :gitpod_enabled=,
diff --git a/lib/gitlab/ci/jwt_v2.rb b/lib/gitlab/ci/jwt_v2.rb
index cfefa79d9e0b2bcc97c0fbf69082cb4e16c51140..fdff5035d37079644e8a83a34e0dc98372979eee 100644
--- a/lib/gitlab/ci/jwt_v2.rb
+++ b/lib/gitlab/ci/jwt_v2.rb
@@ -20,11 +20,23 @@ def initialize(build, ttl:, aud:)
       attr_reader :aud
 
       def reserved_claims
-        super.merge(
+        super.merge({
           iss: Settings.gitlab.base_url,
           sub: "project_path:#{project.full_path}:ref_type:#{ref_type}:ref:#{source_ref}",
-          aud: aud
-        )
+          aud: aud,
+          user_identities: user_identities
+        }.compact)
+      end
+
+      def user_identities
+        return unless user&.pass_user_identities_to_ci_jwt
+
+        user.identities.map do |identity|
+          {
+            provider: identity.provider.to_s,
+            extern_uid: identity.extern_uid.to_s
+          }
+        end
       end
     end
   end
diff --git a/spec/lib/gitlab/ci/jwt_v2_spec.rb b/spec/lib/gitlab/ci/jwt_v2_spec.rb
index 5eeab658a8e9f68443c807f78b1e22b2918ec8bb..21fd7e3adcfb7d6376e1a29fe0efae88d855eadf 100644
--- a/spec/lib/gitlab/ci/jwt_v2_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_v2_spec.rb
@@ -5,7 +5,13 @@
 RSpec.describe Gitlab::Ci::JwtV2 do
   let(:namespace) { build_stubbed(:namespace) }
   let(:project) { build_stubbed(:project, namespace: namespace) }
-  let(:user) { build_stubbed(:user) }
+  let(:user) do
+    build_stubbed(
+      :user,
+      identities: [build_stubbed(:identity, extern_uid: '1', provider: 'github')]
+    )
+  end
+
   let(:pipeline) { build_stubbed(:ci_pipeline, ref: 'auto-deploy-2020-03-19') }
   let(:aud) { described_class::DEFAULT_AUD }
 
@@ -33,6 +39,18 @@
       end
     end
 
+    it 'includes user identities when enabled' do
+      expect(user).to receive(:pass_user_identities_to_ci_jwt).and_return(true)
+      identities = payload[:user_identities].map { |identity| identity.slice(:extern_uid, :provider) }
+      expect(identities).to eq([{ extern_uid: '1', provider: 'github' }])
+    end
+
+    it 'does not include user identities when disabled' do
+      expect(user).to receive(:pass_user_identities_to_ci_jwt).and_return(false)
+
+      expect(payload).not_to include(:user_identities)
+    end
+
     context 'when given an aud' do
       let(:aud) { 'AWS' }