diff --git a/config/ks-core/templates/post-patch-user-job.yaml b/config/ks-core/templates/post-patch-user-job.yaml
new file mode 100644
index 000000000..0f8183994
--- /dev/null
+++ b/config/ks-core/templates/post-patch-user-job.yaml
@@ -0,0 +1,38 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-post-patch-user"
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "ks-core.serviceAccountName" . }}
+      containers:
+        - name: post-patch-user
+          image: {{ template "kubectl.image" . }}
+          command:
+            - /bin/bash
+            - -c
+            - |
+              #!/bin/bash
+              # Get all users with the specified label
+              kubectl get users -l iam.kubesphere.io/identify-provider \
+                -o custom-columns=\
+              NAME:.metadata.name,\
+              IDP:".metadata.labels['iam\.kubesphere\.io/identify-provider']",\
+              UID:".metadata.labels['iam\.kubesphere\.io/origin-uid']" \
+                --no-headers | while read -r username idp uid; do
+                  # Check if variables are not empty and not <none>
+                  if [ ! -z "$username" ] && [ ! -z "$idp" ] && [ ! -z "$uid" ] && \
+                    [ "$idp" != "<none>" ] && [ "$uid" != "<none>" ]; then
+                      # Set annotation
+                      annotation_key="iam.kubesphere.io/identity-provider.${idp}"
+                      kubectl annotate --overwrite user "${username}" "${annotation_key}=${uid}"
+                      echo "Updated user ${username} with annotation ${annotation_key}=${uid}"
+                  fi
+              done
+          resources: {{- toYaml .Values.upgrade.resources | nindent 12 }}