diff --git a/authenticate/config.go b/authenticate/config.go
index 73f0af1d6..b0ed926f8 100644
--- a/authenticate/config.go
+++ b/authenticate/config.go
@@ -3,10 +3,12 @@ package authenticate
 import (
 "github.com/pomerium/pomerium/config"
 "github.com/pomerium/pomerium/internal/identity"
+ identitypb "github.com/pomerium/pomerium/pkg/grpc/identity"
 )
 type authenticateConfig struct {
 getIdentityProvider func(options *config.Options, idpID string) (identity.Authenticator, error)
+ profileTrimFn func(*identitypb.Profile)
 }
 // An Option customizes the Authenticate config.
@@ -27,3 +29,10 @@ func WithGetIdentityProvider(getIdentityProvider func(options *config.Options, i
 cfg.getIdentityProvider = getIdentityProvider
 }
 }
+
+// WithProfileTrimFn sets the profileTrimFn function in the config
+func WithProfileTrimFn(profileTrimFn func(*identitypb.Profile)) Option {
+ return func(cfg *authenticateConfig) {
+ cfg.profileTrimFn = profileTrimFn
+ }
+}
diff --git a/authenticate/handlers.go b/authenticate/handlers.go
index e3c3a838a..0dd17b3ad 100644
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@@ -212,6 +212,10 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) error {
 return httputil.NewError(http.StatusBadRequest, err)
 }
+ if a.cfg.profileTrimFn != nil {
+ a.cfg.profileTrimFn(profile)
+ }
+
 redirectTo, err := urlutil.CallbackURL(state.hpkePrivateKey, proxyPublicKey, requestParams, profile)
 if err != nil {
 return httputil.NewError(http.StatusInternalServerError, err)
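Review bot: The doc comment on `WithProfileTrimFn` in the second config.go hunk only restates the name and gives none of the contract a caller needs. Going by the handlers.go hunk, the function is called from `SignIn` on the profile just before `urlutil.CallbackURL` encodes it, it changes the profile in place, and it cannot report an error. Since it runs inside a request handler it presumably has to be safe for concurrent calls. I would write `// WithProfileTrimFn sets a function that SignIn calls to modify the profile in place before it is encoded into the callback URL. A nil function disables trimming.` and add a matching one-line comment on the `profileTrimFn` field in the first hunk.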
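Review bot: The hook added in `SignIn` changes the profile that is handed to `urlutil.CallbackURL`, so whatever it removes is gone for the component that decodes the callback, and nothing at this call site records that trimming ran. If the profile carries claims or tokens that later authorization decisions depend on (not visible in this hunk), a trim function that removes too much would change those decisions silently. I would add a why-comment such as `// Trim the profile before it is encoded into the callback URL; the trim function must keep every field the receiver needs to establish the session.` and consider a debug-level log entry when a trim function is configured. The body of `SignIn` starts and ends outside the hunk.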