Issue

• The Picketlink Service Provider is configured with Third Party Identity provider OpenAM.
• Consider for an example that the user with UID "a123456" is suppose to be authenticated.
• The OpenAM Identity Provider does not send uid in Subject but an obfuscated string like "JItlvtxbO/mBZZAT5UC1n2O20iB6" instead of "a123456".
• Because PicketLink uses subject to get username, the Picketlink is unable to get the real UID value of the user.
• Below is the Example of what is being received:

<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://10.10.10.10:8080/openam/picketlink-with-signing-key">JItlvtxbO/mBZZAT5UC1n2O20iB6</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="ID_8baf349a-d617-4e60-916e-124de6b23bc2" NotOnOrAfter="2013-05-28T07:33:20Z" Recipient="http://10.10.10.11:8080/sales-post-sig/"/></saml:SubjectConfirmation>
</saml:Subject>

• On the Picketlink side following TRACE is also observed:

TRACE [org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule] (http-0.0.0.0-8080-1) User 'JItlvtxbO/mBZZAT5UC1n2O20iB6' authenticated, loginOk=true

• However, since the Picketlink Service Provider has received 'JItlvtxbO/mBZZAT5UC1n2O20iB6' instead of 'a123456' it is not able to Authorize the user giving HTTP Error Code 403.
• Hence, Is there a possibility to use an asserted attribute rather than the Subject that must be in plain text for picketlink to work ?