Thanks @pfaffman, that’s very helpful. I think using an external id would be ideal, as it also solves another problem—linking in the reverse direction.
Poking around the API docs and a REST client, though, I don’t see how to update that field. Can I use that without enabling SSO? (And, even if I enabled SSO, would I be able to update it programmatically?)